Troubleshooting: Portal-authenticated wireless users on an AC6605 must re-authenticate when they reconnect shortly after dropping offline

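Published: 2016-08-05
Problem description

In the office area of site X, after the WLAN service went live, users authenticate through the Portal. When a user drops offline because of roaming, signal problems or similar causes and comes back online a short time later, the user has to authenticate again.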

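Troubleshooting process

1. Check the device configuration to see whether the MAC-authentication-first function is enabled. Result: every Wlan-Ess interface is configured with web-authentication first-mac.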

    #
    interface Wlan-Ess1
     port hybrid pvid vlan 101
     port hybrid untagged vlan 101 to 106
     web-authentication first-mac
     permit-domain name default
     force-domain name default
     port-isolate enable
    #

2. Enable the trace function and test with a mobile phone.

[XNZQ-2FwAC6605-01]dis access-user   ip-address  10.10.21.8

 

Basic:

  User ID                         : 5803

  User name                       : tpj#swsc.com.cn

  Domain-name                     : default                        

  User MAC                        : d461-2e34-8897

  User IP address                 : 10.10.21.8

  User vpn-instance               : -

  User access Interface           : Wlan-Dbss1:1

  QinQVlan/UserVlan               : 0/101

  User access time                : 2016/07/08 11:44:43

  User accounting session ID      : XNZQ-2F00001000000101e480b7005803

  User access type                : WEB  

  AP ID                           : 1

  AP name                         : ap_2_2

  Radio ID                        : 0

  AP MAC                          : 5439-dfcc-fd40

  SSID                            : SWSC-WIFI

  Online time                     : 148(s)

  Web-server IP address           : 10.10.7.113

 

AAA:

  User authentication type        : WEB    authentication

  Current authentication method   : RADIUS

  Current authorization method    : -

  Current accounting method       : RADIUS

 

[XNZQ-2FwAC6605-01]

[XNZQ-2FwAC6605-01]

[XNZQ-2FwAC6605-01]trac   

[XNZQ-2FwAC6605-01]trace ob    

[XNZQ-2FwAC6605-01]trace object  m       

[XNZQ-2FwAC6605-01]trace object  mac-address  d461-2e34-8897

[XNZQ-2FwAC6605-01]

 

Manually turn off the phone's wireless connection to simulate the user going offline:

[BTRACE][2016/07/08 11:47:52][WLAN_AC][d461-2e34-8897]:[WSTA] Parse STA delete authentication request message.

[BTRACE][2016/07/08 11:47:52][WLAN_AC][d461-2e34-8897]:[WSTA] Process STA disassociate authentication request message.

[BTRACE][2016/07/08 11:47:57][WLAN_AC][d461-2e34-8897]:[WSTA] User was offline.

[BTRACE][2016/07/08 11:47:57][CM][d461-2e34-8897]:State from UP(substate:BUTT) to DELETING(substate:BUTT). (cib=5803, event=CONN_DOWN)

[BTRACE][2016/07/08 11:47:57][CM][d461-2e34-8897]:CM send accounting request message to AAA module (userid:5803).

[BTRACE][2016/07/08 11:47:57][AAA][d461-2e34-8897]:

 AAA receive AAA_SRV_MSG_ACCT_REQ message from UCM module.

[BTRACE][2016/07/08 11:47:57][AAA][d461-2e34-8897]:

    DestIndex:5803 SrcIndex:5803 Slot:0

    AcctType:Stop AcctMethod:RADIUS AcctSessionID:XNZQ-2F00001000000101e480b7005803

    ucIfTwoLevelAcct:255 RTAcctInterval:65535 AuthedPlace:3

    RdsGroup:0 TacTempletID:16 CopyRdsGroup:65535

    UpBytes:[0,0] DnBytes:[0,0]

    UpPkts:[0,0] DnPkts:[0,0]

    AcctStartTime:1467949483 UTCAcctStartTime:4294967295 UTCAcctStopTime:4294967295

    AcctStartSeconds:4294967295 AcctStopSeconds:4294967295 SessionLength:194

    UserName:tpj#swsc.com.cn MAC:d461-2e34-8897 Domain:0

    AccessType:web  AuthenCode:WEB

    IP:10.10.21.8 Priority:[255,255]

    Slot:0 SubSlot:0 Port:1 Interface:616

    Option82:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

[BTRACE][2016/07/08 11:47:57][AAA][d461-2e34-8897]:

 AAA send AAA_RD_MSG_ACCTSTOPREQ message to RADIUS module.

[BTRACE][2016/07/08 11:47:57][AAA][d461-2e34-8897]:

    CID:817  TemplateNo:0

    SrcMsg:AAA_RD_MSG_ACCTSTOPREQ

    PriyServer:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF Vrf:4294967295

    SendServer:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF Vrf:4294967295

    CID:5803 AcctType:2 UserName:tpj#swsc.com.cn

    AcctSessionID:XNZQ-2F00001000000101e480b7005803

    Interface:616 SessionLength:194 TerminateCause:10 Authentic:1

    UpBytes:[0,0] DnBytes:[0,0]

    UpPkts:0 DnPkts:0 FramedIP:168432904

    NASPortType:19 Phy:0/0/1 Vlan:101

    Priority:255/255 Timestamp:1467949677 FramedProtocol:0

    Domain:default IPHostAddr:10.10.21.8 d4:61:2e:34:88:97

    UpCIR:0 UpPIR:0 DnCIR:0 DnPIR:0

    Option82:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F

[BTRACE][2016/07/08 11:47:57][RADIUS][d461-2e34-8897]:Receive stop accounting request message from AAA module.

[BTRACE][2016/07/08 11:47:57][RADIUS][d461-2e34-8897]:

  Send a accounting request packet to radius server( server ip = 10.10.7.113).

[BTRACE][2016/07/08 11:47:57][RADIUS][d461-2e34-8897]:

  Server Template: 0

  Server IP   : 10.10.7.113

  Protocol: Standard

  Code    : 4

  Len     : 308

  ID      : 245

  [User-Name                          ] [17] [tpj#swsc.com.cn]

  [NAS-IP-Address                     ] [6 ] [10.10.7.253]

  [NAS-Port                           ] [6 ] [4197]

  [Framed-IP-Address                  ] [6 ] [10.10.21.8]

  [NAS-Identifier                     ] [19] [XNZQ-2FwAC6605-01]

  [Acct-Status-Type                   ] [6 ] [2]

  [Acct-Delay-Time                    ] [6 ] [0]

  [Acct-Input-Octets                  ] [6 ] [0]

  [Acct-Output-Octets                 ] [6 ] [0]

  [Acct-Session-Id                    ] [35] [XNZQ-2F00001000000101e480b7005803]

  [Acct-Authentic                     ] [6 ] [1]

  [Acct-Session-Time                  ] [6 ] [194]

  [Acct-Input-Packets                 ] [6 ] [0]

  [Acct-Output-Packets                ] [6 ] [0]

  [Acct-Terminate-Cause               ] [6 ] [10]

[BTRACE][2016/07/08 11:47:57][RADIUS][d461-2e34-8897]:

  [Acct-Input-Gigawords               ] [6 ] [0]

  [Acct-Output-Gigawords              ] [6 ] [0]

  [Event-Timestamp                    ] [6 ] [1467949677]

  [NAS-Port-Type                      ] [6 ] [19]

  [Calling-Station-Id                 ] [16] [64 34 36 31 2D 32 65 33 34 2D 38 38 39 37 ]

  [NAS-Port-Id                        ] [36] [slot=0;subslot=0;port=1;vlanid=101]

  [Called-Station-Id                  ] [11] [SWSC-WIFI]

  [HW-IP-Host-Address                 ] [30] [10.10.21.8 d4:61:2e:34:88:97]

  [HW-Connect-ID                      ] [6 ] [5803]

  [HW-AP-Information                  ] [16] [5439-dfcc-fd40]

[BTRACE][2016/07/08 11:47:57][CM][d461-2e34-8897]:CM receive SRV_MSG_CUT_CMD_ACK from WEB module (msg code: 192 userid:5803).

[BTRACE][2016/07/08 11:47:57][CM][d461-2e34-8897]:User connection down (userid:5803).

[XNZQ-2FwAC6605-01]

 

[XNZQ-2FwAC6605-01]dis access-user  mac-address   d461-2e34-8897

Info: No online user.

[XNZQ-2FwAC6605-01]


Turn the phone's wireless connection back on:


[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Parse STA associate request message.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Begin to process STA associate request message.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Begin to process STA associate add request.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] End to process STA associate add request.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] End to process STA associate request message.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Parse STA associate response message.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Process add STA request message.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Process add STA response message.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA]Process STA authentication done request.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSEC] WEP (Open or Share-Key) authentication is in AP. It will return OK in AC.

[BTRACE][2016/07/08 11:48:16][WLAN_AC][d461-2e34-8897]:[WSTA] Process associate authentication successfully.

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Receive DHCP packet (srcif:Vlanif101 orgif:GigabitEthernet0/0/1 length:351 mflg:UC/BC).

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Receives DHCP REQUEST packet from interface GigabitEthernet0/0/1.

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Receive DHCP REQUEST message.orgif:GE0/0/1 srcif:Vlanif101 L3if:Vlanif101 srcmac:d461-2e34-8897 dstmac:ffff-ffff-ffff vsi:- vlan:101/0 srcip:0.0.0.0 dstip:255.255.255.255 VPN:- src-port:68 dst-port:67 msgtype:BOOT-REQUEST dhcp msgtype:DHCP REQUEST bflag:uc chaddr:d461-2e34-8897 ciaddr:0.0.0.0 reqip:10.10.21.8 giaddr:0.0.0.0 serverid:0.0.0.0

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:New soft l2fdb entry(mac:d461-2e34-8897 interface:GE0/0/1 vsi:65535 vlan:101/0 vt-mode:0)

[BTRACE][2016/07/08 11:48:17][SAVI][d461-2e34-8897]:Receive DHCP REQUEST message.(srcif:Vlanif101, srcl2if:GE0/0/1, dstif:GE0/0/1, vsi:65535, vlan(O/I:101/0), mac(client:d461-2e34-8897 src:d461-2e34-8897 dst:ffff-ffff-ffff), port(src:68 dst:67))

[BTRACE][2016/07/08 11:48:17][DHCPS][d461-2e34-8897]:DHCP Server is not enable.

[BTRACE][2016/07/08 11:48:17][DHCPR][d461-2e34-8897]:Receives DHCP REQUEST message from interface Vlanif101.(sip:0.0.0.0, dip:255.255.255.255, VPN:-).

[BTRACE][2016/07/08 11:48:17][DHCPR][d461-2e34-8897]:DHCP Relay is disable on interface: Vlanif101.

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Update packet option.(BitMap:0x0 Total length:351, IP:333, UDP:313)

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Snooping or trust is not enabled on original port. ulSrcIfIndex:3

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Receive DHCP packet (srcif:Vlanif101 orgif:GigabitEthernet0/0/1 length:351 mflg:UC/BC).

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Receives DHCP REQUEST packet from interface GigabitEthernet0/0/1.

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Receive DHCP REQUEST message.orgif:GE0/0/1 srcif:Vlanif101 L3if:Vlanif101 srcmac:d461-2e34-8897 dstmac:ffff-ffff-ffff vsi:- vlan:101/0 srcip:0.0.0.0 dstip:255.255.255.255 VPN:- src-port:68 dst-port:67 msgtype:BOOT-REQUEST dhcp msgtype:DHCP REQUEST bflag:uc chaddr:d461-2e34-8897 ciaddr:0.0.0.0 reqip:10.10.21.8 giaddr:0.0.0.0 serverid:0.0.0.0

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Find old soft l2fdb entry(mac:d461-2e34-8897 interface:GE0/0/1 vsi:65535 vlan:101/0 vt-mode:0)

[BTRACE][2016/07/08 11:48:17][SAVI][d461-2e34-8897]:Receive DHCP REQUEST message.(srcif:Vlanif101, srcl2if:GE0/0/1, dstif:GE0/0/1, vsi:65535, vlan(O/I:101/0), mac(client:d461-2e34-8897 src:d461-2e34-8897 dst:ffff-ffff-ffff), port(src:68 dst:67))

[BTRACE][2016/07/08 11:48:17][DHCPS][d461-2e34-8897]:DHCP Server is not enable.

[BTRACE][2016/07/08 11:48:17][DHCPR][d461-2e34-8897]:Receives DHCP REQUEST message from interface Vlanif101.(sip:0.0.0.0, dip:255.255.255.255, VPN:-).

[BTRACE][2016/07/08 11:48:17][DHCPR][d461-2e34-8897]:DHCP Relay is disable on interface: Vlanif101.

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Update packet option.(BitMap:0x0 Total length:351, IP:333, UDP:313)

[BTRACE][2016/07/08 11:48:17][DHCPPRO][d461-2e34-8897]:Snooping or trust is not enabled on original port. ulSrcIfIndex:3

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:CM receive SRV_MSG_AUTH_REQ from WEB module (msg code: 184 userid:8209).

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:State from IDLE(substate:BUTT) to AUTH(substate:BUTT). (cib=8209, event=AUTH_REQ)

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:CM send authentication request mssage to AAA module (userid:8209).

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

 AAA receive AAA_SRV_MSG_AUTHEN_REQ message from UCM module.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

    DestIndex:8209 SrcIndex:8209 Slot:0

    User:d4612e348897 Password:*** MAC:d461-2e34-8897

    Slot:0 SubSlot:0 Port:1 VLAN:4294967295

    IP:10.10.21.8 AccessType:web AuthenType:PAP

    AdminLevel:255 EapSize:0 AuthenCode:WEB

    ulInterface:616 ChallengeLen:255 ChapID:255

    LineType:4294967295 LineIndex:4294967295 PortType:19

    AcctSessionId:XNZQ-2F0000165535655350c1888008209

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:User authentication domain name is default

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:The authentication place is RADIUS.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:Failed to send authen-req.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

 AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

    DestIndex:8209 SrcIndex:8209 Slot:4294967295

    Result:1 DomainIndex:0 ServiceScheme:65535

    AuthedPalace:3 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0

    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0

    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295

    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295

    RTAcctInterval:4294967295 Priority:[255,255]

    AdminLevel:255 NextHop:4294967295

    EapSize:0 ReplyMessage:Remote authentication is rejected.

    TunnelType:0 MediumType:0 PrivateGroupID:

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:CM receive AAA_AUTH_ACK from AAA module (msg code: 35 userid:8209).

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:CM send authentication ack message to AAA module (userid:8209).

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:State from AUTH(substate:BUTT) to IDLE(substate:BUTT). (cib=8209, event=AUTH_FAIL)

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:State from IDLE(substate:BUTT) to DELETING(substate:BUTT). (cib=8209, event=CONN_DOWN)

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:User connection down (userid:8209).

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:CM receive SRV_MSG_AUTH_REQ from WEB module (msg code: 184 userid:1498).

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:State from IDLE(substate:BUTT) to AUTH(substate:BUTT). (cib=1498, event=AUTH_REQ)

[BTRACE][2016/07/08 11:48:18][CM][d461-2e34-8897]:CM send authentication request mssage to AAA module (userid:1498).

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

 AAA receive AAA_SRV_MSG_AUTHEN_REQ message from UCM module.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

    DestIndex:1498 SrcIndex:1498 Slot:0

    User:d4612e348897 Password:*** MAC:d461-2e34-8897

    Slot:0 SubSlot:0 Port:1 VLAN:4294967295

    IP:10.10.21.8 AccessType:web AuthenType:PAP

    AdminLevel:255 EapSize:0 AuthenCode:WEB

    ulInterface:616 ChallengeLen:255 ChapID:255

    LineType:4294967295 LineIndex:4294967295 PortType:19

    AcctSessionId:XNZQ-2F000016553565535e4880e001498

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:User authentication domain name is default

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:The authentication place is RADIUS.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:Failed to send authen-req.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

 AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.

[BTRACE][2016/07/08 11:48:18][AAA][d461-2e34-8897]:

    DestIndex:1498 SrcIndex:1498 Slot:4294967295

    Result:1 DomainIndex:0 ServiceScheme:65535

    AuthedPalace:3 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0

    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0

    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295

    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295

    RTAcctInterval:4294967295 Priority:[255,255]

    AdminLevel:255 NextHop:4294967295

    EapSize:0 ReplyMessage:Remote authentication is rejected.

......

......

A large number of authentication failures occur within a short time.


[XNZQ-2FwAC6605-01]dis remote-user authen-fail  blocked

  ----------------------------------------------------------------------------

  Username                   RetryInterval(Mins) RetryTimeLeft BlockTime(Mins)

  ----------------------------------------------------------------------------

  38bc1afebaea               0                   0             6        

  90671c5da366               0                   0             7        

  f01b6c16fbf0               0                   0             9        

  acfdec894a05               0                   0             12       

  8013822e1fdb               0                   0             16       

  d4612e348897               0                   0             19       

  bc3aeab1df11               0                   0             27       

  ----------------------------------------------------------------------------

  Total 7, 7 printed

 

[XNZQ-2FwAC6605-01]

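The trace shows that, when the signal is unstable, a large number of authentication attempts are triggered and the user is then locked.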




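Root cause
When the signal is unstable, a large number of authentication attempts are triggered and the user is then locked. By default, account locking after AAA remote authentication failure is enabled: the retry interval after an AAA remote authentication failure is 30 minutes, the limit on consecutive authentication failures is 30, and the account lock time is 30 minutes.
Solution
The problem was resolved after configuring undo remote-aaa-user authen-fail.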
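
The lockout rule described in the root cause, applied to trace output, as an added example (not Huawei's code and not part of the original case): it counts `event=AUTH_FAIL` transitions per MAC in the CM lines of a BTRACE capture and reports stations that reach the page's default of 30 failures within 30 minutes. The sample trace, the second MAC and the treatment of a transition to `UP` as a successful login are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults quoted on this page: 30 consecutive failures within a
# 30-minute retry interval lock the account.
RETRY_INTERVAL = timedelta(minutes=30)
RETRY_LIMIT = 30

# Matches the CM state-change lines shown in the trace above.
LINE = re.compile(
    r"\[BTRACE\]\[(?P<ts>[\d/]+ [\d:]+)\]\[CM\]\[(?P<mac>[0-9a-f-]+)\]:"
    r"State from \w+\(substate:\w+\) to (?P<to>\w+)\(substate:\w+\)\. "
    r"\(cib=\d+, event=(?P<event>\w+)\)"
)

def lockout_candidates(lines, limit=RETRY_LIMIT, window=RETRY_INTERVAL):
    """Return {mac: time of the failure that reaches `limit` consecutive
    AUTH_FAIL events inside `window`}."""
    recent = defaultdict(deque)  # mac -> timestamps of consecutive failures
    hit = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        mac, q = m["mac"], recent[m["mac"]]
        if m["event"] == "AUTH_FAIL":
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures older than the retry interval
            if len(q) >= limit and mac not in hit:
                hit[mac] = ts
        elif m["to"] == "UP":  # assumption: entering UP means a successful login
            q.clear()
    return hit

def sample_trace():
    """Constructed sample in the page's BTRACE format, not a real capture."""
    t0 = datetime(2016, 7, 8, 11, 48, 18)
    fmt = ("[BTRACE][{ts}][CM][{mac}]:State from AUTH(substate:BUTT) to "
           "IDLE(substate:BUTT). (cib={cib}, event=AUTH_FAIL)")
    stamp = lambda i: (t0 + timedelta(seconds=2 * i)).strftime("%Y/%m/%d %H:%M:%S")
    out = [fmt.format(ts=stamp(i), mac="d461-2e34-8897", cib=8209 + i)
           for i in range(30)]
    # A second, constructed station with 3 failures stays below the limit.
    out += [fmt.format(ts="2016/07/08 11:50:00", mac="0011-2233-4455", cib=i)
            for i in range(3)]
    return out
```

Because `undo remote-aaa-user authen-fail` turns the lockout off, a per-MAC failure count like this one, taken from trace or RADIUS logs, is what still shows repeated authentication failures afterwards.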
