ME60 user authentication fails because the user subnet was not registered on the RADIUS server

Published: 2016-04-11
Problem Description

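1. The network topology is shown in the figure above. The ME60s are deployed in dual-device hot standby. User virtual machines are authenticated with RADIUS: after a user VM obtains an IP address, its client performs RADIUS authentication.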

2. The ME60 version is V600R005C00SPCb00.

3. The main authentication configuration is as follows:

domain pre-user-610
  authentication-scheme pre-user
  accounting-scheme pre-user
  ip-pool v-user-610
  vpn-instance y-vm
  user-group 1023

domain au-user-610
  authentication-scheme au-user
  accounting-scheme au-user              
  ip-pool v-user-610
  vpn-instance y-vm
  user-group 1022

interface Eth-Trunk1.610
description v-user-610
user-vlan 610
remote-backup-profile rbp1
bas
#
  access-type layer2-subscriber default-domain pre-authentication pre-user-610 authentication au-user-610
  roam-domain au-user-610
  authentication-method web              
  ip-trigger
  arp-trigger
  vpn-instance y-vm
#
#

Troubleshooting Process

1. Log in to ME60-A and test connectivity to the RADIUS server, using the device's own loopback interface address as the source.

<wuhggamghwj0>ping -a 10.79.245.3  10.82.85.36
  PING 10.82.85.36: 56  data bytes, press CTRL_C to break
    Reply from 10.82.85.36: bytes=56 Sequence=1 ttl=245 time=40 ms
    Reply from 10.82.85.36: bytes=56 Sequence=2 ttl=245 time=40 ms
    Reply from 10.82.85.36: bytes=56 Sequence=3 ttl=245 time=40 ms
    Reply from 10.82.85.36: bytes=56 Sequence=4 ttl=245 time=41 ms
    Reply from 10.82.85.36: bytes=56 Sequence=5 ttl=245 time=39 ms

  --- 10.82.85.36 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 39/40/41 ms

2. Check why the user VM cannot authenticate, and confirm whether a failure reason has been recorded.

<wuhggamghwj0>display aaa online-fail-record mac-address 286E-D510-1029

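3. Ask the user to check the VM state and confirm whether it obtained the correct IP address, and to re-authenticate on the VM. The user reported that the IP address was obtained successfully and was correct, but re-authentication from the client still failed.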

4. Log in to the master ME60 and collect the trace output for the user's authentication.

<wuhggamghwj0>display aaa online-fail-record mac-address 286E-D510-1029

<wuhggamghwj0>
Apr  8 2016 15:24:49.210.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:Arp detect timer called, ArpIndex:373]

Apr  8 2016 15:24:49.210.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:[DetectTimer] User detect time no exceed]
<wuhggamghwj0>
Apr  8 2016 15:25:01.40.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:Receive Arp request packet:Dstip 10.188.144.1,Dstmac 0000-5e00-0101,Sip 10.188.145.40,Smac 286e-d510-1029]

Apr  8 2016 15:25:01.40.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:Send Arp proxy reply packet to user, ArpIndex:373]

Apr  8 2016 15:25:01.40.3 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:[UsrOutput]success to send user arp packet.]

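The trace output shows no packet exchange at all between the ME60 and the RADIUS server. A problem with either the RADIUS server or the ME60 was suspected, so the user was asked to check the RADIUS server.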

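5. The user checked the server and found that the user VM subnet had not been added to the RADIUS server database. After the subnet was added manually on the back end, fault location continued.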

6. Check which authentication domain the user VM is in.

<wuhggamghwj0>display  access-user domain  pre-user-610
  ------------------------------------------------------------------------------
  UserID  Username                Interface      IP address       MAC
          Vlan          IPv6 address             Access type
  ------------------------------------------------------------------------------
  19436   wuhggamghwj0-042010...  Eth-Trunk1.610  10.188.145.40    286e-d510-1029
          610/-         -                        IPOE          
  ------------------------------------------------------------------------------
  Normal users                       : 0
  RUI Local users                    : 1
  RUI Remote users                   : 0
  Total users                        : 1

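The user VM was still in the pre-authentication domain and had not entered the post-authentication domain. The user was asked to click the authentication client again while the trace command recorded the output, shown below: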

[wuhggamghwj0]trace access-user  object 1 mac-address 286e-d510-1029
<wuhggamghwj0>t m
Info: Current terminal monitor is on.
<wuhggamghwj0> t d
Info: Current terminal debugging is on.

Apr  8 2016 15:42:19.830.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:Arp detect timer called, ArpIndex:373]

Apr  8 2016 15:42:19.830.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:[DetectTimer] User detect time no exceed]

Apr  8 2016 15:42:26.40.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][DHCPA][user info:
  MAC Address    : 286E-D510-1029
  Access Mode    : IPoE ]
[trace info:
DHCPA receive a packet from slot 4.]

Apr  8 2016 15:42:26.40.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][DHCPA][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  Access Mode    : IPoE ]
[trace info:
DHCPA receive a packet.
DHCPA receive a INFORM pkt
Ciaddr:0ABC9128]

Apr  8 2016 15:42:26.50.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

Apr  8 2016 15:42:26.50.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:BAS_Transmit Out: TS_Send OK!]

Apr  8 2016 15:42:26.800.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

Apr  8 2016 15:42:26.800.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:BAS_Transmit Out: TS_Send OK!]

Apr  8 2016 15:42:27.550.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

Apr  8 2016 15:42:27.550.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:BAS_Transmit Out: TS_Send OK!]

Apr  8 2016 15:42:29.40.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][DHCPA][user info:
  MAC Address    : 286E-D510-1029
  Access Mode    : IPoE ]
[trace info:
DHCPA receive a packet from slot 4.]

Apr  8 2016 15:42:29.40.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][DHCPA][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  Access Mode    : IPoE ]
[trace info:
DHCPA receive a packet.
DHCPA receive a INFORM pkt
Ciaddr:0ABC9128]

Apr  8 2016 15:42:49.850.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:Arp detect timer called, ArpIndex:373]

Apr  8 2016 15:42:49.850.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:[DetectTimer] User detect time no exceed]

Apr  8 2016 15:43:19.880.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:Arp detect timer called, ArpIndex:373]

Apr  8 2016 15:43:19.880.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:[DetectTimer] User detect time no exceed]

Apr  8 2016 15:43:35.550.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 516
RequestID       : 0
UserIP          : 10.188.145.40
ErrorCode       : 0
AttributeNumber : 0
]

Apr  8 2016 15:43:35.550.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:
[Web-Evt] Receive challenge request packet from portal server successfully (ip: 0x abc9128, sn:516)]

Apr  8 2016 15:43:35.550.3 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:
[Web-Evt] Send challenge ack packet to portal server successfully]

Apr  8 2016 15:43:35.550.4 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:Sent packet to socket (length = 50 Vrf = 0):
Version         : 2
Type            : challenge ack
Method          : chap
SerialNo        : 516
RequestID       : 9
UserIP          : 10.188.145.40
ErrorCode       : 0
AttributeNumber : 1
]

Apr  8 2016 15:43:35.590.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:Received packet from socket (length = 105 Vrf = 0):
Version         : 2
Type            : authentication request
Method          : chap
SerialNo        : 596
RequestID       : 9
UserIP          : 10.188.145.40
ErrorCode       : 0
AttributeNumber : 4
]

Apr  8 2016 15:43:35.590.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:
[Web-Evt] Receive authentication request packet from portal server successfully (ip: 0x abc9128, sn:596)]

Apr  8 2016 15:43:35.590.3 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:
[Web-Evt] Send authentication request message to cm successfully(userid:19436,requestid:9)]

Apr  8 2016 15:43:35.590.4 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][UCM][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  Access Mode    : IPoE ]
[trace info:Receive WEB_UCM_AUTH_REQ from WEB (userid:19436)]

Apr  8 2016 15:43:35.590.5 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:
[Web-Evt] Receive authentication ack message from cm successfully (userid:19436 requestid:9)]

Apr  8 2016 15:43:35.590.6 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:
[Web-Evt] Send authentication ack packet to portal server successfully]

Apr  8 2016 15:43:35.590.7 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201
  Access Mode    : IPoE ]
[trace info:Sent packet to socket (length = 32 Vrf = 0):
Version         : 2
Type            : authentication ack
Method          : chap
SerialNo        : 596
RequestID       : 9
UserIP          : 10.188.145.40
ErrorCode       : 2
AttributeNumber : 0
]

Apr  8 2016 15:43:37.380.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

Apr  8 2016 15:43:37.380.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:BAS_Transmit Out: TS_Send OK!]

Apr  8 2016 15:43:38.110.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

Apr  8 2016 15:43:38.110.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:BAS_Transmit Out: TS_Send OK!]

Apr  8 2016 15:43:38.900.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

Apr  8 2016 15:43:38.900.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][SRVCFG][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610]
[trace info:BAS_Transmit Out: TS_Send OK!]

Apr  8 2016 15:43:49.890.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:Arp detect timer called, ArpIndex:373]

Apr  8 2016 15:43:49.890.2 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610]
[trace info:[DetectTimer] User detect time no exceed]

Apr  8 2016 15:44:11.310.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][UNKNOWN][user info:
  MAC Address    : 286E-D510-1029
  IP Address     : 10.188.145.40
  Interface      : Eth-Trunk1.610
  PE VLAN ID     : 610
  USERNAME       : w00290652@huawei.201]
[trace info:Rui update aaa flow,SessionTimeout:-1,RemanentVolume:-1.
Remote:UpPkt:12,DownPkt:0,UpByte:1152,DownByte:0.]

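The user reported that the VM authenticated successfully, and a check on the ME60 showed that the user VM was now in the post-authentication domain, as shown below: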

[wuhggamghwj0]display  access-user domain  pre-user-610
Info: No online user!

[wuhggamghwj0]display  access-user  domain au-user-610
  ------------------------------------------------------------------------------
  UserID  Username                Interface      IP address       MAC
          Vlan          IPv6 address             Access type
  ------------------------------------------------------------------------------
  19436   w00290652@huawei.201    Eth-Trunk1.610  10.188.145.40    286e-d510-1029
          610/-         -                        IPOE          
  ------------------------------------------------------------------------------
  Normal users                       : 0
  RUI Local users                    : 1
  RUI Remote users                   : 0
  Total users                        : 1

The user reported that the VM could access applications normally.
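
The trace review in steps 4 and 6 comes down to asking which modules logged anything for the user and whether any RADIUS exchange appears. The following added example (not part of the original case or of any vendor tooling) parses BTRC trace records in the format shown above; the function names, and the assumption that a RADIUS exchange would carry the string "radius" in its module tag or trace text, are illustrative.

```python
import re
from collections import Counter

# Header line of one BTRC trace record, in the format of the captures above.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{4} [\d:.]+) \S+ BTRC/7/BTRC_TraceInfo:"
    r"\[objectID=\d+\]\[slotID=\d+\]\[(?P<module>\w+)\]\[user info:", re.M)
FIELD = re.compile(r"^\s*(Type|SerialNo|ErrorCode)\s*:\s*(.+?)\s*$", re.M)

# Constructed sample: three records abridged from the capture on this page.
SAMPLE = """\
Apr  8 2016 15:42:19.830.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=4][ARPBAS][user info:
  MAC Address    : 286E-D510-1029]
[trace info:Arp detect timer called, ArpIndex:373]
Apr  8 2016 15:43:35.590.1 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029]
[trace info:Received packet from socket (length = 105 Vrf = 0):
Type            : authentication request
SerialNo        : 596
ErrorCode       : 0
]
Apr  8 2016 15:43:35.590.7 wuhggamghwj0 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][WEB][user info:
  MAC Address    : 286E-D510-1029]
[trace info:Sent packet to socket (length = 32 Vrf = 0):
Type            : authentication ack
SerialNo        : 596
ErrorCode       : 2
]
"""

def parse_trace(text):
    """Split a capture into records, each with timestamp, module tag and body."""
    heads = list(HEADER.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [{"ts": h["ts"], "module": h["module"], "body": text[h.end():e]}
            for h, e in zip(heads, ends)]

def summarize(records):
    """Count records per module, list portal packets, flag any RADIUS mention."""
    portal = []
    for r in records:
        f = dict(FIELD.findall(r["body"]))
        if r["module"] == "WEB" and "Type" in f:
            portal.append((f["Type"], int(f["SerialNo"]), int(f["ErrorCode"])))
    # Assumption: a RADIUS exchange would mention "radius" in the tag or text.
    radius = any("radius" in (r["module"] + r["body"]).lower() for r in records)
    modules = dict(Counter(r["module"] for r in records))
    return {"modules": modules, "portal": portal, "radius_seen": radius}
```

Run over the step 4 capture, `summarize(parse_trace(...))` reports only ARPBAS records and an empty portal list.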

Root Cause

1. The subnet of the user VM was not registered on the RADIUS server, so the user VM could not authenticate.

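2. After the subnet has been added to the RADIUS server database, the user's authentication client must be restarted to trigger re-authentication, so that the user authenticates quickly.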

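Solution
The user registered the user VM subnet on the RADIUS server again, adding the user authentication subnet, and restarted the authentication client to trigger re-authentication.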
