ME60 as BRAS: on the same sub-interface, web authentication passes but PPPoE authentication fails.

Published: 2016-02-05
Problem description

The DHCP address pool is remote. On the ME60 BRAS, under the same sub-interface, web authentication used alone passes, and PPPoE authentication used alone passes;

but when web authentication and PPPoE authentication are enabled at the same time, web-authenticated terminals obtain an IP address and pass authentication normally, while PPPoE authentication fails and the terminal cannot obtain an IP address.

Alarm information

Troubleshooting process

1. Hardware check

Checked the hardware status of the ME60 with the display device command; all boards are registered and normal.

<JXCD-ME60X3>display device

MultiserviceEngine 60-X3's Device status:

Slot #    Type       Online    Register      Status      Primary   

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1         BSU        Present   Registered    Normal      NA        

4         MPU        Present   NA            Normal      Master    

5         MPU        Present   Registered    Normal      Slave     

6         CLK        Present   Registered    Normal      Master    

7         CLK        Present   Registered    Normal      Slave     

8         PWR        Present   Registered    Normal      NA        

9         PWR        Present   Registered    Normal      NA        

10        FAN        Present   Registered    Normal      NA   


The other physical devices involved are running normally.

2. Check the global configuration

(1) Checked the configuration at the global level; the switch and ME60 configurations are both normal.

Device connection description:


A USG9560 firewall uplinks to the ISP and downlinks to an S12712.

The S12712 has an ME60 and a DHCP server attached on the side, and downlinks to the floor access switches.

The floor switches connect the wireless routers and PC terminals.


(2) Checked the ME60 configuration; it is normal.

<JXCD-ME60X3>dis version

Huawei Versatile Routing Platform Software

VRP (R) software, Version 5.160 (ME60 V600R008C10SPC300)

Copyright (C) 2000-2014 Huawei Technologies Co., Ltd.

HUAWEI MultiserviceEngine 60-X3 uptime is 80 days, 1 hour, 28 minutes

Patch version : V600R008SPC009

MultiserviceEngine 60-X3 version information:

 

(other output omitted)

<JXCD-ME60X3>dis cur

#

sysname JXCD-ME60X3

#

 user-group 1

 user-group isp

##

 value-added-service enable

 value-added-service quota-out offline

#                                   

qos-profile internet

 car cir 100000 cbs 18700000 green pass red discard inbound

 car cir 100000 cbs 18700000 green pass red discard outbound

qos-profile neiwang

 car cir 100000 cbs 18700000 green pass red discard inbound

 car cir 100000 cbs 18700000 green pass red discard outbound

#

radius-server group hwradius

 radius-server authentication 172.x.x.80 1812 weight 80

 radius-server accounting 172.x.x.80 1813 weight 80

 radius-server shared-key-cipher %$%$^FxLTvz)sM-^PC8sDo$26S|h%$%$

 undo radius-server user-name domain-included

#

radius-server group macjxcd

 radius-server authentication 172.x.x.80 1812 weight 80

 radius-server accounting 172.x.x.80 1813 weight 80

 radius-server shared-key-cipher %$%$1V\=-Kr'qGz_:d)Y|8'"niVi%$%$

 radius-server attribute translate

 undo radius-server user-name domain-included

 radius-attribute include HW-Auth-Type

 radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account

#

radius-server authorization 172.x.x.80 shared-key huawei server-group hwradius

#

#

acl number 6000

 rule 10 permit ip source user-group 1 destination ip-address 127.0.0.1 0

 rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group 1

 rule 20 permit ip source user-group 1 destination ip-address 172. x.x.80 0

 rule 25 permit ip source ip-address 172.x.x.80 0 destination user-group 1

 (other rules omitted)

#

acl number 6001

 rule 10 permit tcp source user-group 1 destination-port eq www

 rule 15 permit tcp source user-group 1 destination-port eq 8080

 rule 20 permit ip source user-group 1

#

acl number 6010

 rule 10 permit ip source user-group isp destination ip-address 210. x.x.0 0.0.15.255

 rule 15 permit ip source ip-address 210. x.x.0 0.0.15.255 destination user-group isp

(other rules omitted)

#

acl number 6011

 rule 10 permit ip source user-group isp

 rule 15 permit ip destination user-group isp

#

traffic classifier web_deny operator or

 if-match acl 6001

traffic classifier web_permit operator or

 if-match acl 6000

traffic classifier tc2 operator or

 if-match acl 6011

traffic classifier tc1 operator or

 if-match acl 6010

#

traffic behavior web_deny

 http-redirect

traffic behavior web_permit

traffic behavior tb1

 tariff-level 1

 car

 traffic-statistic

traffic behavior tb2

 tariff-level 2

 car

 traffic-statistic

#

traffic policy traffic_policy_daa1

 share-mode

 classifier tc1 behavior tb1

 classifier tc2 behavior tb2

traffic policy web

 share-mode                              

 classifier web_permit behavior web_permit

 classifier web_deny behavior web_deny

#

dhcp-server group group1

 dhcp-server 210. x.x.8

#

dhcp-server group wlandhcpserver

 dhcp-server 172. x.x.57

#

ip pool ceshi168 bas remote

 gateway 172. x.x.254 255.255.248.0

 dhcp-server group group1

#

ip pool wlandhcp bas remote

 gateway 10. x.x.254 255.255.255.0

 dhcp-server group wlandhcpserver

#

dot1x-template 1

#

aaa

 mac-user ppp-preferred

 nas-serial JXCD-ME60X3

 default-user-name include mac-address -

 local-user hwadmin password irreversible-cipher $1a$$XtsO/XQZE$o{UGDY,=}&MDK6P#@4B.S/&$~-f7!V|s_-((M92!$

 local-user hwadmin service-type terminal telnet ssh

 local-user hwadmin level 15

 local-user hwadmin state block fail-times 3 interval 5

 authentication-scheme default0

 authentication-scheme default1

 authentication-scheme default

  authentication-mode local radius

 authentication-scheme noneauth1

  authentication-mode none

 authentication-scheme jxcd

 authentication-scheme macyouxian

  authening authen-fail online authen-domain none-youxian

 authentication-scheme macwlan

  authening authen-fail online authen-domain none-wlan

 #

 authorization-scheme default

 #

 accounting-scheme default0

 accounting-scheme default1

 accounting-scheme noneacct1

  accounting-mode none

 accounting-scheme jxcd

  accounting interim interval 1

 accounting-scheme macjxcd               

  accounting interim interval 3

 #

 domain default0

domain none-youxian

  authentication-scheme default0

  accounting-scheme default0

  ip-pool ceshi168

  user-group 1

  web-server 172. x.x.80

  web-server url http://172. x.x.80/a79.htm

  web-server url-parameter

  web-server user-first-url-key default-name

  http-hostcar enable

 domain youxian

  authentication-scheme jxcd

  accounting-scheme jxcd

  ip-pool ceshi168

  value-added-service account-type radius hwradius

  value-added-service policy vp-daa

  radius-server group hwradius

  user-group isp

  web-server url-parameter               

 domain none-wlan

  authentication-scheme default0

  accounting-scheme default0

  ip-pool wlandhcp

  user-group 1

  web-server 172. x.x.80

  web-server url http://172. x.x.80/a79.htm

  web-server url-parameter

  web-server user-first-url-key default-name

  http-hostcar enable

 domain wlan

  authentication-scheme jxcd

  accounting-scheme jxcd

  radius-server group hwradius

  web-server url-parameter

 domain mac-youxian

  authentication-scheme macyouxian

  accounting-scheme macjxcd

  ip-pool ceshi168

  mac-authentication enable

  radius-server group macjxcd

 domain youxianhouyu

  authentication-scheme jxcd

  accounting-scheme jxcd                 

  radius-server group hwradius

  web-server url-parameter

 domain mac-wlan

  authentication-scheme macwlan

  accounting-scheme macjxcd

  ip-pool wlandhcp

  mac-authentication enable

  radius-server group macjxcd

 #

#

value-added-service policy vp-daa daa

 accounting-scheme jxcd

 user-group isp

 traffic-separate enable

 tariff-level 1 qos-profile neiwang

 tariff-level 1 flow-queue-shaping inbound 100000 outbound 100000

 tariff-level-cfg 1 accounting off

 tariff-level 2 qos-profile internet

 tariff-level 2 flow-queue-shaping inbound 100000 outbound 100000

#

multicastbandwidth

#

interface Virtual-Template1

 ppp authentication-mode auto

#

interface GigabitEthernet1/0/0

 description To S12712 G4/0/1

 undo shutdown

#

interface GigabitEthernet1/0/0.1

 pppoe-server bind Virtual-Template 1

 user-vlan 100 200 qinq 1268

 bas

 #

  access-type layer2-subscriber default-domain pre-authentication none-youxian authentication youxian

  authentication-method ppp web          

  arp-proxy

  ip-trigger

  arp-trigger

 #

#

interface GigabitEthernet1/0/0.10

 pppoe-server bind Virtual-Template 1

 user-vlan 201 300 qinq 1268

 bas

 #

  access-type layer2-subscriber default-domain pre-authentication mac-youxian authentication youxianhouyu

  authentication-method ppp web

 #

#

interface GigabitEthernet1/0/1

 description To S12712 G4/0/4 TO internet

 undo shutdown

 ip address 172.x.x.11 255.255.255.0

#

interface GigabitEthernet1/0/2

 description To S12712 G4/0/5 WLANUSER

 undo shutdown

#

interface GigabitEthernet1/0/2.1         

 user-vlan 1269

 bas

 #

  access-type layer2-subscriber default-domain pre-authentication mac-wlan authentication wlan

  authentication-method web

 #

(other interfaces omitted)

#

ip route-static 0.0.0.0 0.0.0.0 172.x.x.1

#

#

 accounting-service-policy traffic_policy_daa1

#

 traffic-policy web inbound

 traffic-policy web outbound

#

 web-auth-server source interface GigabitEthernet1/0/1

 web-auth-server version v2              

 web-auth-server 172.x.x.80 port 2000 key simple webvlan nas-ip-address

#

<JXCD-ME60X3>

#

(part of the configuration omitted)

Checked the port status with the display interface brief command; the ports are up.

<JXCD-ME60X3>dis interface brief

Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors

GigabitEthernet1/0/0        up    down         0%     0%          0          0

GigabitEthernet1/0/0.1      up    up         0%     0%          0          0

GigabitEthernet1/0/0.10     up    up         0%     0%          0          0

GigabitEthernet1/0/1        up    up           0%     0%          0          0

GigabitEthernet1/0/2        up    down         0%     0%          0          0

GigabitEthernet1/0/2.1      up    up           0%     0%          0          0

<JXCD-ME60X3>

Checked the routing table with display ip routing-table; it is normal:

<JXCD-ME60X3>display ip routing-table

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

        0.0.0.0/0   Static  60   0          RD   172.31.201.1   

 

Used ping to test reachability from the device to the DHCP server, the AAA server and the DNS address; all are reachable.

<JXCD-ME60X3>ping 172. x.x.57

    Reply from 172.x.x.57: bytes=56 Sequence=1 ttl=126 time=1 ms

    (remaining replies omitted)

<JXCD-ME60X3>ping 172. x.x.80

    Reply from 172. x.x.80: bytes=56 Sequence=1 ttl=63 time=1 ms

    (remaining replies omitted)

<JXCD-ME60X3>ping 210. x.x.8

    Reply from 210. x.x.8: bytes=56 Sequence=1 ttl=63 time=1 ms

    (remaining replies omitted)

<JXCD-ME60X3>

From the output of the above commands, no problem was found in the BRAS configuration.

 

3. Configure PPPoE authentication alone on the interface and test whether authentication works.

With PPPoE authentication alone on the interface, authentication passes, the terminal obtains an IP address normally, and the service test is normal.

4. Configure web authentication alone on the interface.

With web authentication alone on the interface, the terminal obtains an IP address normally, authentication succeeds, and the service test is normal.

5. Use web authentication and PPPoE authentication together on the same sub-interface.

The terminal first obtains an IP address; web authentication passes, but PPPoE authentication fails.

Packet capture analysis shows that the PPPoE session does not obtain an IP address.

Root cause

When a DHCP user and a PPP user with the same MAC address go online at the same time, a remote (RUI) address pool can allocate an IP address to only one of them.

Solution

Because the customer requires that the address pool not be local but remote, add the mac-user ppp-preferred command in the aaa view of the ME60.

The mac-user ppp-preferred command specifies that when a DHCP user and a PPP user with the same MAC address go online, the PPP user takes priority.

<HUAWEI>system-view

[HUAWEI] aaa

[HUAWEI-aaa] mac-user ppp-preferred

    After this change, once web authentication succeeds, the PPPoE dial-up also authenticates successfully.

Suggestions and summary


When a DHCP user and a PPP user with the same MAC address go online at the same time, a remote (RUI) address pool can allocate an IP address to only one of them. This command can be configured so that, when users with the same MAC address go online, the PPP user takes priority.

Configuration impact: when a PPP user dials in while a DHCP user with the same MAC address is already online, the DHCP user is forced offline, which releases the address so that the PPP user can come online normally.
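As an added configuration audit for the situation in this case (my own example, not code from the case or from Huawei), the script below parses a VRP-style running config and flags BAS sub-interfaces that combine PPP and web authentication while a remote (bas remote) pool is configured and the aaa view lacks mac-user ppp-preferred. The sample config and its 192.0.2.x addresses are constructed, and the pool check is simplified: any remote pool counts, and the domain-to-pool mapping is not followed.

```python
import re

# Constructed sample modelled on the case's running config; 192.0.2.x is made up,
# not the page's anonymised 172.x.x.x addresses.
SAMPLE_CONFIG = """\
aaa
#
ip pool ceshi168 bas remote
 gateway 192.0.2.254 255.255.248.0
#
interface GigabitEthernet1/0/0.1
 bas
  authentication-method ppp web
 #
#
interface GigabitEthernet1/0/2.1
 bas
  authentication-method web
 #
#
"""

def parse_blocks(config):
    """Top-level blocks of a VRP config, split on bare '#' lines (indented ' #' stays nested)."""
    blocks, cur = [], []
    for line in config.splitlines():
        if line == "#":
            blocks, cur = (blocks + [cur] if cur else blocks), []
        elif line.strip():
            cur.append(line)
    return blocks + [cur] if cur else blocks

def audit(config):
    """Sub-interfaces that mix PPP and web auth while a remote (RUI) pool exists and aaa lacks
    'mac-user ppp-preferred'. Assumption: any remote pool counts; domains are not resolved."""
    blocks = parse_blocks(config)
    aaa = next((b for b in blocks if b[0] == "aaa"), [])
    ppp_preferred = any(l.strip() == "mac-user ppp-preferred" for l in aaa)
    has_remote_pool = any(re.match(r"ip pool \S+ bas remote", b[0]) for b in blocks)
    findings = []
    for b in blocks:
        if b[0].startswith("interface "):
            methods = set()
            for l in b:
                m = re.match(r"\s*authentication-method (.+)$", l)
                if m:
                    methods = set(m.group(1).split())
            if {"ppp", "web"} <= methods and has_remote_pool and not ppp_preferred:
                findings.append(b[0].split()[1])
    return findings

# Same config after the case's fix: 'mac-user ppp-preferred' added under aaa.
FIXED_CONFIG = SAMPLE_CONFIG.replace("aaa\n", "aaa\n mac-user ppp-preferred\n", 1)
```

Running audit(SAMPLE_CONFIG) reports GigabitEthernet1/0/0.1 only (the web-only sub-interface is unaffected), and audit(FIXED_CONFIG) reports nothing; the fix still carries the impact described above, since an online DHCP user with the same MAC is forced offline when the PPP user dials in.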

END