One of the AVAYA Phones Connected to a Huawei S5720 Switch Fails to Go Online

Published: 2016-05-07
Problem Description

Many IP phones are connected to a Huawei S5720 (V200R008C00SPC500) switch. One AVAYA phone fails to go online, while the other IP phones work normally.

Alarm Information

Handling Process

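1. The customer reported that one AVAYA IP phone could not be used. An on-site check showed that this IP phone could not complete authentication, while all of the customer's other IP phones worked normally. To keep the customer's site working, dot1x authentication was removed from the interface the phone is connected to, after which the phone worked normally.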

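2. After the customer's working hours, MAC authentication was enabled again on port GE0/0/7. The authentication failure of the AVAYA phone (model: 9620L, MAC: HHH-HHH-HHH) was reproduced.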

3. The configuration of port GE0/0/7 is as follows:

#
interface GigabitEthernet0/0/7
port link-type hybrid
voice-vlan 104 enable
port hybrid pvid vlan 96
port hybrid untagged vlan 96 104
loopback-detect enable
stp edged-port enable
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
#

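4. Using the substitution method, a known-good IP phone was connected to this port and the fault disappeared, which preliminarily rules out the Huawei switch as the cause.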

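5. After confirming that the configuration was correct, the trace function was enabled to trace the phone's MAC address. The detailed information recorded while the device tried to go online showed AUTH_FAIL.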

#
trace object mac-address HHH-HHH-HHH
trace enable
#

The output is as follows:

[BTRACE][EAPoL][HHH-HHH-HHH]:Receive a EAPoL start packet from user.
[BTRACE][EAPoL][HHH-HHH-HHH]:Start a new authentication.
[BTRACE][EAPoL][HHH-HHH-HHH]:Send a EAPoL request identity packet to user.
[BTRACE][EAPoL][HHH-HHH-HHH]:Receive a EAPoL response identity packet from user.
[BTRACE][EAPoL][HHH-HHH-HHH]:EAPoL Send authentication message to server.
[BTRACE][CM][HHH-HHH-HHH]:CM receive SRV_MSG_AUTH_REQ from EAPOL module (msg code: 184 userid:266).
[BTRACE][CM][HHH-HHH-HHH]:CM send authentication request mssage to AAA module (userid:266).
[BTRACE][CM][HHH-HHH-HHH]:State from IDLE(substate:BUTT) to AUTH(substate:BUTT). (cib=266, event=AUTH_REQ)
[BTRACE][AAA][HHH-HHH-HHH]:
  AAA receive AAA_SRV_MSG_AUTHEN_REQ message from UCM module.
[BTRACE][AAA][HHH-HHH-HHH]:
  User:HHH-HHH-HHH MAC:HHH-HHH-HHH
   Slot:0 SubSlot:0 Port:7 VLAN:96
   IP:255.255.255.255 AccessType:eap AuthenType:EAPRELAY
   AdminLevel:0 EapSize:17 AuthenCode:1X
   ulInterface:12 ChallengeLen:0 ChapID:0
   LineType:0 LineIndex:0 PortType:15
   AcctSessionId:PA_SZ_L0000700000009651eeee000266
[BTRACE][AAA][HHH-HHH-HHH]:User authentication domain name is dot1x_domain
[BTRACE][AAA][HHH-HHH-HHH]:The authentication place is RADIUS.
[BTRACE][AAA][HHH-HHH-HHH]:
  AAA send AAA_RD_MSG_AUTHENREQ message to RADIUS module.
[BTRACE][AAA][HHH-HHH-HHH]:
  CID:161  TemplateNo:0
  PriyServer::: Vrf:0
  SendServer::: Vrf:0
  AccessType:eap AuthenMethod:EAPRELAY
  UserName:3CB15B4B3058 CallingStationId:HHH-HHH-HHH
  Slot:0 SubSlot:0 Port:7 Vlan:96 Interface:12
  CID:266 AcctSessionId:PA_SZ_L0000700000009651eeee000266
  PortType:15 ServiceType:2 FramedProtocol:1 FramedIP:255.255.255.255
  EapLength:17 StartupTimeStamp:1462396080 LoginIP:255.255.255.255
  IPHostAddr:255.255.255.255 HHH-HHH-HHH
  ProductID:S5720 szVersion:Huawei S5720
  SecurityStr:
[BTRACE][RADIUS][HHH-HHH-HHH]:Receive authentication request message from AAA module.
[BTRACE][RADIUS][HHH-HHH-HHH]:
Send a authentication request packet to radius server( server ip = 1.1.1.1).
[BTRACE][RADIUS][HHH-HHH-HHH]:
  Server Template: 0
  Server IP   : 1.1.1.1
  Protocol: Standard
  Code    : 1
  Len     : 320
  ID      : 98
  [User-Name] [14] [HHH-HHH-HHH]
  [NAS-Port] [6 ] [28768]
  [Service-Type] [6 ] [2]
  [Framed-Protocol] [6 ] [1]
  [Calling-Station-Id ] [16] [33 63 62 31 2D 35 62 34 62 2D 33 30 35 38 ]
  [NAS-Identifier] [28] [PA_SZ_LangFeng_2F_S5720_02]
  [NAS-Port-Type] [6 ] [15]
  [NAS-Port-Id] [35] [slot=0;subslot=0;port=7;vlanid=96]
  [EAP-Message ] [19] [02 58 00 11 01 33 43 42 31 35 42 34 42 33 30 35 38 ]
  [Message-Authenticator] [18] [a4 d8 af 45 2f 87 31 89 36 3e aa 4a 5f 70 98 9d ]
  [Called-Station-Id] [19] [88:CF:98:4F:47:E0]
  [NAS-IP-Address] [6 ] [2.2.2.2]
[BTRACE][RADIUS][HHH-HHH-HHH]:
  [Framed-Mtu] [6 ] [1500]
  [Acct-Session-Id] [35] [PA_SZ_L0000700000009651eeee000266]
  [HW-NAS-Startup-Time-Stamp] [6 ] [1462396080]
  [HW-IP-Host-Address] [35] [255.255.255.255 HHH-HHH-HHH]
  [HW-Connect-ID] [6 ] [266]
  [HW-Version] [14] [Huawei S5720]
  [HW-Product-ID] [7 ] [S5720]
  [HW-Access-Type] [6 ] [1]
  [BTRACE][RADIUS][HHH-HHH-HHH]:
Received a authentication reject packet from radius server(server ip = 1.1.1.1).
[BTRACE][RADIUS][HHH-HHH-HHH]:
Server Template: 0
Server IP   : 1.1.1.1
Server Port : 1645
Protocol: Standard
Code    : 3
Len     : 20
ID      : 98
[BTRACE][RADIUS][HHH-HHH-HHH]:Send authentication reject message to AAA.
[BTRACE][AAA][HHH-HHH-HHH]:
AAA receive AAA_RD_MSG_AUTHENREJECT message from RADIUS module.
[BTRACE][AAA][HHH-HHH-HHH]:
CID:161  TemplateNo:0
SrcMsg:AAA_RD_MSG_AUTHENREQ
PriyServer::: Vrf:0
SendServer::: Vrf:0
SessionTimeout:0 IdleTimeout:0
AcctInterimInterval:0 RemanentVolume:0
InputPeakRate:0 InputAverageRate:0
OutputPeakRate:0 OutputAverageRate:0
InputBasicRate:0 OutputBasicRate:0
InputPBS:0 OutputPBS:0
Priority:[0,0] DNS:[0,0]
ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0
LoginIpHost:0 NextHop:0
EapLength:0 ReplyMessage:
TunnelType:0 MediumType:0 PrivateGroupID:
[BTRACE][AAA][HHH-HHH-HHH]:Radius authentication is rejected.
[BTRACE][AAA][HHH-HHH-HHH]:
  AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.
[BTRACE][AAA][HHH-HHH-HHH]:
Result:1 DomainIndex:3 ServiceScheme:65535
AuthedPalace:3 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
RTAcctInterval:4294967295 Priority:[255,255]
AdminLevel:255 NextHop:4294967295
EapSize:4 ReplyMessage:Authentication fail
    TunnelType:0 MediumType:0 PrivateGroupID:
[BTRACE][CM][HHH-HHH-HHH]:CM receive AAA_AUTH_ACK from AAA module (msg code: 35 userid:266).
[BTRACE][CM][HHH-HHH-HHH]:User authentication fail (userid:266).
[BTRACE][CM][HHH-HHH-HHH]:State from AUTH(substate:BUTT) to IDLE(substate:BUTT). (cib=266, event=AUTH_FAIL)
[BTRACE][CM][HHH-HHH-HHH]:State from IDLE(substate:BUTT) to DELETING(substate:BUTT). (cib=266, event=CONN_DOWN)
[BTRACE][CM][HHH-HHH-HHH]:User connection down (userid:266).
[BTRACE][EAPoL][HHH-HHH-HHH]:Receive authentication ack message from server.(result:AUTH_FAIL)

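6. An on-site packet capture on port GE0/0/7 matched the trace: after powering on, the phone automatically initiates 802.1X authentication instead of simply presenting its MAC address for MAC authentication.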
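
Added example, not part of the original case: a short Python script that summarises the trace from step 5 and decodes the EAP-Message attribute, so the finding of step 6 is visible in the data itself (the phone sent an EAP-Response/Identity and the switch relayed 802.1X instead of performing MAC authentication). The sample lines are copied from the trace above; the function names are chosen here.

```python
import re

# Lines copied from the trace on this page (MAC anonymised as HHH-HHH-HHH there).
SAMPLE_TRACE = """\
[BTRACE][EAPoL][HHH-HHH-HHH]:Receive a EAPoL start packet from user.
[BTRACE][AAA][HHH-HHH-HHH]:
   IP:255.255.255.255 AccessType:eap AuthenType:EAPRELAY
[BTRACE][RADIUS][HHH-HHH-HHH]:
  Code    : 1
  [EAP-Message ] [19] [02 58 00 11 01 33 43 42 31 35 42 34 42 33 30 35 38 ]
[BTRACE][RADIUS][HHH-HHH-HHH]:
Code    : 3
[BTRACE][EAPoL][HHH-HHH-HHH]:Receive authentication ack message from server.(result:AUTH_FAIL)
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def decode_eap(hex_bytes: str) -> dict:
    """Decode the EAP header (RFC 3748) carried in a RADIUS EAP-Message attribute."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        eap["type"] = raw[4]
        if raw[4] == 1:  # Type 1 = Identity
            eap["identity"] = raw[5:length].decode("ascii", "replace")
    return eap


def summarize_trace(text: str) -> dict:
    """Pull out the fields that show which authentication method actually ran."""
    access = re.search(r"AccessType:(\w+)\s+Authen(?:Type|Method):(\w+)", text)
    eap_attr = re.search(r"\[EAP-Message\s*\]\s*\[\d+\s*\]\s*\[([0-9A-Fa-f ]+)\]", text)
    result = re.search(r"\(result:(\w+)\)", text)
    return {
        "client_sent_eapol_start": "Receive a EAPoL start packet" in text,
        "access_type": access.group(1) if access else None,
        "authen_type": access.group(2) if access else None,
        "radius_codes": [RADIUS_CODES.get(int(c), int(c))
                         for c in re.findall(r"^\s*Code\s*:\s*(\d+)", text, re.M)],
        "eap": decode_eap(eap_attr.group(1)) if eap_attr else None,
        "result": result.group(1) if result else None,
    }
```

On the sample lines, `summarize_trace(SAMPLE_TRACE)` reports an EAPoL-Start from the client, `AccessType` `eap`, an Access-Request answered by an Access-Reject, and an EAP Response of type Identity whose identity string equals the `UserName` field shown in the trace.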

Root Cause

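With the 802.1X function enabled on the IP phone, the EAP packets are built by the phone itself and sent through the switch directly to the customer's authentication server, which causes authentication to fail. In the intended authentication process, the switch uses the MAC information collected in its MAC address table, builds the EAP packets itself, and sends them to the authentication server for authentication.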

Solution

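1. After contacting the AVAYA phone vendor's technical staff, we learned that 802.1X authentication had probably been enabled manually on this phone. After the phone was restored to factory settings, the fault was cleared.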

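Suggestions and Summary
1. First, this is a single-point fault; the other phones are not affected.
2. Once the 802.1X function is enabled on an IP phone, if MAC authentication fails, the phone shows the 802.1X authentication screen directly after a reboot. If you see this symptom, restore the IP phone to factory settings immediately.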
