S12700: with portal authentication enabled, users can still access the Internet without authenticating

Published: 2015-10-26
Problem description

Version running on the live network:

<S12700>disp  version
Chassis 1 (Master Switch)
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.160 (S12700 V200R006C00SPC500)
Copyright (C) 2000-2014 HUAWEI TECH CO., LTD
HUAWEI S12712 Terabit Routing Switch uptime is 1 week, 6 days, 14 hours, 4 minutes

<S12700>disp  patch
Patch Package Name   :flash:/s12700-v200r006sph006.pat
Patch Package Version:V200R006SPH006
The state of the patch state file is: Running
The current state is: Running

Agile Controller version:
V100R001C00SPC200

1-1 Topology of the live network (partial) [figure not reproduced]
Core S12712 stack with S7706 aggregation switches downstream; portal authentication is enabled on the S12712.

Fault symptom:
End users can access the Internet even without completing portal authentication.

Alarm information

Handling process

1. Test connectivity to the authentication server from the S12712; the result is normal:

<S12700>test-aaa test01 test@123 radius-template test_edu
<S12700>
Info: Account test succeed.
<S12700>

2. Check the configuration under the interface; portal authentication is already enabled on the interface:

[S12700-GigabitEthernet1/7/1/20]dis th
#
interface GigabitEthernet1/7/1/20
 combo-port copper
 port link-type access
 port default vlan 119
#
return
[S12700-GigabitEthernet1/7/1/20]

[S12700]dis cu int vlan 119
#
interface Vlanif119
 description test_huawei_portal
 ip address 10.40.9.254 255.255.255.0
 web-auth-server abc layer3
 authentication portal
#
return
[S12700]

3. Check the web authentication server configuration; nothing abnormal is found either:

[S12700]disp web-auth-server con
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled

-----------------------------------------------------------------
  Web-auth-server Name : abc
  IP-address           : 10.40.0.115
  Shared-key           : %@%@D:$hJi6duYQZDA!>48u17t86%@%@
  Source-IP            : 10.40.0.250
  Port / PortFlag      : 50200 / NO
  URL                  : http://10.40.0.115:8080/portal
  URL Template         :
  Redirection          : Enable
  Sync                 : Enable
  Sync Seconds         : 300
  Sync Max-times       : 3
  Detect               : Enable
  Detect Seconds       : 60
  Detect Max-times     : 3
  Detect Critical-num  : 0
  Detect Action        : log
  Bound Vlanif         : 119
  VPN Instance         :
  Bound Interface      :
  Bound L2 Interface   :
-----------------------------------------------------------------
  1 Web authentication server(s) in total

[S12700]

4. Check the online users and their authentication information:

[S12700]dis acce
 ------------------------------------------------------------------------------
 UserID Username                IP address       MAC            Status
 ------------------------------------------------------------------------------
 16051  test01                  10.40.9.2        206a-8a7a-c0e0 Pre-authen
 ------------------------------------------------------------------------------
 Total: 1, printed: 1
 [S12700]dis acce user-id 16051

Basic:
  User ID                         : 16051
  User name                       : test01
  Domain-name                     : -
  User MAC                        : 206a-8a7a-c0e0
  User IP address                 : 10.40.9.2
  User vpn-instance               : -
  User access Interface           : GigabitEthernet1/7/1/20
  User vlan event                 : Pre-authen
  QinQVlan/UserVlan               : 0/119
  User access time                : 2015/10/13 17:12:49
  Option82 information            : -
  User access type                : None
  Terminal Device Type            : Data Terminal

AAA:
  User authentication type        : No authentication
  Current authentication method   : None
  Current authorization method    : Local
  Current accounting method       : None

[S12700]

At this point the user's authentication type is shown as "No authentication", which is a strange observation.

5. Looking further, the linkage between the S12712 and the Controller server is abnormal:

[S12700]dis server-detect sta
  Web-auth-server     :    abc
  Total-servers       :    1
  Live-servers        :    1
  Critical-num        :    0
  Status              :    Abnormal
  Ip-address               Status
  10.40.0.115              UP

But the route is reachable, and end users can open the page http://10.40.0.115:8080/portal normally:

[S12700]ping 10.40.0.115
  PING 10.40.0.115: 56  data bytes, press CTRL_C to break
    Reply from 10.40.0.115: bytes=56 Sequence=1 ttl=64 time=2 ms
    Reply from 10.40.0.115: bytes=56 Sequence=2 ttl=64 time=1 ms
    Reply from 10.40.0.115: bytes=56 Sequence=3 ttl=64 time=1 ms
    Reply from 10.40.0.115: bytes=56 Sequence=4 ttl=64 time=1 ms
    Reply from 10.40.0.115: bytes=56 Sequence=5 ttl=64 time=1 ms

  --- 10.40.0.115 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms

6. Checking the Controller side, the "heartbeat between access device and server" option is not enabled for this server.
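As an added check that is not part of the original case, the Python script below parses text in the shape of the `display access-user` and `display server-detect state` listings above and flags the combination seen here: the web-auth server reported Abnormal while its address is UP, together with users parked in Pre-authen. The sample text is constructed to mirror the page's output; the field names come from that output, and the parsing layout is an assumption about this output format rather than a Huawei-supplied parser.

```python
"""Spot the portal-escape symptom from switch CLI output (added example).

The two samples below are constructed to mirror the `display access-user`
and `display server-detect state` listings in this case; they are not
captured from a live device.
"""
import re

ACCESS_USER_SAMPLE = """\
 ------------------------------------------------------------------------------
 UserID Username                IP address       MAC            Status
 ------------------------------------------------------------------------------
 16051  test01                  10.40.9.2        206a-8a7a-c0e0 Pre-authen
 ------------------------------------------------------------------------------
 Total: 1, printed: 1
"""

SERVER_DETECT_SAMPLE = """\
  Web-auth-server     :    abc
  Total-servers       :    1
  Live-servers        :    1
  Critical-num        :    0
  Status              :    Abnormal
  Ip-address               Status
  10.40.0.115              UP
"""

# One user row: id, name, IPv4, Huawei-style xxxx-xxxx-xxxx MAC, status.
ACCESS_USER_RE = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<user>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<status>\S+)"
)
# "Key : value" lines of the server-detect listing (assumed layout).
KV_RE = re.compile(r"^\s*(?P<key>[\w-]+)\s*:\s*(?P<val>\S*)")
# Per-address rows under the "Ip-address  Status" header.
SERVER_ROW_RE = re.compile(r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<state>UP|DOWN)\b")


def parse_access_users(text):
    """Return one dict per user row of `display access-user`."""
    return [m.groupdict() for m in map(ACCESS_USER_RE.match, text.splitlines()) if m]


def parse_server_detect(text):
    """Return the key/value fields and per-IP states of `display server-detect state`."""
    info = {"servers": {}}
    for line in text.splitlines():
        row = SERVER_ROW_RE.match(line)
        if row:
            info["servers"][row["ip"]] = row["state"]
            continue
        kv = KV_RE.match(line)
        if kv:
            info[kv["key"]] = kv["val"]
    return info


def escape_findings(users, detect):
    """List indicators that the switch has fallen back to portal escape mode."""
    findings = []
    if detect.get("Status") == "Abnormal":
        up = [ip for ip, st in detect["servers"].items() if st == "UP"]
        findings.append(
            f"web-auth-server {detect.get('Web-auth-server')} is Abnormal although "
            f"{len(up)} address(es) are UP: {', '.join(up)} (heartbeat/detect mismatch?)"
        )
        pre = [u for u in users if u["status"] == "Pre-authen"]
        if pre:
            findings.append(
                f"{len(pre)} user(s) still Pre-authen while server Abnormal "
                "(traffic may bypass portal): " + ", ".join(u["ip"] for u in pre)
            )
    return findings


if __name__ == "__main__":
    users = parse_access_users(ACCESS_USER_SAMPLE)
    detect = parse_server_detect(SERVER_DETECT_SAMPLE)
    for finding in escape_findings(users, detect):
        print("FINDING:", finding)
```

The script is meant to run over saved CLI captures, for instance output collected by a scheduled job from each access switch, so that a server flagged Abnormal while its address still answers is noticed before users notice the bypass.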

 

Root cause
The server detection function is configured on the S12712. When the switch stops receiving heartbeats from the server, it deems the server faulty and therefore opens the escape (bypass) function, so users get through without authenticating.
Solution
Delete "server-detect action log" on the S12712, or enable the heartbeat on the server side; either change resolves the problem.
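The root-cause mechanism above, as a simplified Python model added here. It is not Huawei's implementation: the probe interval and miss count are taken from the Detect Seconds and Detect Max-times values shown on the page, while the state names and the assumption that detection with `action log` opens escape once that many probes go unanswered are mine. The model lets you compare the three configurations discussed in the case: detection on with the server heartbeat off (the fault), detection on with heartbeat on, and detection removed.

```python
"""Model of a portal-server liveness detector with an escape mode (added example).

Not Huawei's code.  Constants come from the `display web-auth-server
configuration` output in this case; the transition rules are assumptions.
"""
from dataclasses import dataclass, field

DETECT_SECONDS = 60    # page output: Detect Seconds   : 60
DETECT_MAX_TIMES = 3   # page output: Detect Max-times : 3


@dataclass
class PortalServerDetector:
    """Tracks heartbeats from one web-auth server and derives the escape state."""
    detect_enabled: bool = True
    interval: int = DETECT_SECONDS
    max_times: int = DETECT_MAX_TIMES
    missed: int = 0
    status: str = "Normal"
    escape_active: bool = False
    log: list = field(default_factory=list)

    def probe(self, t: int, heartbeat_seen: bool) -> None:
        """One detection cycle at time t (seconds since start)."""
        if not self.detect_enabled:
            return  # no server-detect configured: status never changes
        if heartbeat_seen:
            self.missed = 0
            if self.status != "Normal":
                self.status = "Normal"
                self.escape_active = False
                self.log.append(f"t={t}: heartbeat back, server Normal, escape cleared")
            return
        self.missed += 1
        if self.missed >= self.max_times and self.status == "Normal":
            self.status = "Abnormal"
            self.escape_active = True  # assumption: action 'log' still opens escape
            self.log.append(
                f"t={t}: {self.missed} probes without heartbeat -> Abnormal, escape opened"
            )

    def portal_required(self, user_status: str) -> bool:
        """Must a user in this state complete portal auth before reaching the Internet?"""
        if self.escape_active:
            return False          # escape: Pre-authen users are forwarded anyway
        return user_status == "Pre-authen"


def simulate(detect_enabled: bool, server_heartbeat_enabled: bool, cycles: int = 5):
    """Run `cycles` detection probes and return the resulting detector state."""
    d = PortalServerDetector(detect_enabled=detect_enabled)
    for k in range(1, cycles + 1):
        d.probe(k * d.interval, heartbeat_seen=server_heartbeat_enabled)
    return d


if __name__ == "__main__":
    for name, det, hb in [
        ("fault: detect on, Controller heartbeat off", True, False),
        ("fix A: detect on, Controller heartbeat on", True, True),
        ("fix B: server-detect removed", False, False),
    ]:
        d = simulate(det, hb)
        print(f"{name}: status={d.status}, escape={d.escape_active}, "
              f"Pre-authen user must authenticate={d.portal_required('Pre-authen')}")
        for entry in d.log:
            print("   ", entry)
```

Running the fault scenario shows the server going Abnormal after three silent 60-second probes, at which point the Pre-authen user is no longer held at the portal, which is exactly the symptom at the top of this case.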
Suggestions and summary
When interconnecting the Controller with access devices, it is recommended that the configuration on both sides be completed jointly, by one person or with the relevant staff present, to avoid interconnection failures caused by the two sides being configured inconsistently.

END