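At one site, the AC is configured for remote portal and works with our company's IMC to provide the WeChat 3.1 networking scheme. In this scheme a user goes through portal authentication twice: first with a temporary account and then, once that succeeds, again with the formal account. From the wireless controller (AC) point of view, this can be treated as ordinary portal authentication. The topology is as follows:
The customer at the site reported that some terminals could bring up the WeChat authentication page normally but then failed portal authentication, so the users could not get online. The failures followed no obvious pattern. The problem seriously degraded the wireless experience on site and reflected badly on both the customer and our company.
The portal log on the IMC server shows that portal authentication failed because the device rejected the request. The log entry is as follows: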
2015-11-17 21:01:17.766[Portal服务器][调试(0)][21][ProxyRequestHandler::run]14.34.0.118 ; ACK_AUTH(4) ; 3123 ; 14.30.0.1:2000 ; 设备拒绝请求(1)
<Content>
<Head>
Packet Type:ACK_AUTH(4)
SerialNo:3123
Address:10.3.3.243
Port:50908
RemoteIp:14.30.0.1
RemotePort:2000
Version:portal 2.0
Auth Type:PAP
ErrorID:1
UserIP:14.34.0.118
UserPort:0
ReqID:0
Rsvd:0
attriNum:4
</Head>
<Attributes>
Text Info:In the state,the REQ_AUTH should not received!
Device Ip:14.30.0.1
Session Id:c8 6f 1d 74 d4 d3
Device Time Stamp:1435129048
</Attributes>
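For the wireless controller (AC), WeChat authentication 3.1 is simply ordinary portal authentication, so it works as long as the packets are exchanged in the normal sequence. A normal portal exchange must consist of the following packets:
Type1: REQ_CHALLENGE packet sent by the portal server to the AC
Type2: ACK_CHALLENGE packet sent by the AC to the portal server
Type3: REQ_AUTH packet sent by the portal server to the AC
Code1: Access-Request authentication request packet sent by the AC to the RADIUS server
Code2: Access-Accept authentication accept packet sent by the RADIUS server to the AC
Type4: ACK_AUTH packet sent by the AC to the portal server
Debug information captured on site shows that the test terminal's portal exchange ran Type3-Type4-Type5-Type6-Type3-Type4, but the second Type4 carried errcode:1, indicating an abnormal response, and reported In the state,the REQ_AUTH should not received! The details are as follows: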
*Nov 26 18:41:52:526 2015 WX5540-1 DPPORTAL/7/DP_PORTAL_DEBUG:
Matched Redirect ACL.
IfName=Vlan-interface34, PortName=WLAN-DBSS2:9636, SrcIP=14.34.1.198, DstIP=117.121.58.221, Flow=916472553!
*Nov 26 18:41:52:527 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal receive packet length:68
Portal check packet OK
Portal packet head:
Type:3 SN:26 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231 //access request sent by the server to the AC
Portal packet attribute list:
[ 1 UserName ] [ 15] [1448534466327]
[ 2 PassWord ] [ 15] [***]
[ 10 BAS-IP ] [ 6] [14.30.0.1]
Portal raw packet:
02 03 01 00 00 1a 00 00 0e 22 01 e7 00 00 00 03
b0 9c 8b 7e f3 db bd a9 d9 25 ec 14 a6 86 36 d9
01 0f 31 34 34 38 35 33 34 34 36 36 33 32 37 02
0f 70 6f 72 74 61 6c 5f 77 65 69 78 69 6e 0a 06
0e 1e 00 01
*Nov 26 18:41:52:672 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal send packet length:117
Portal packet head:
Type:4 SN:26 ReqId:0 AttrNum:4 ErrCode:0 UserIP:14.34.1.231 //access response returned by the AC to the server
Portal packet attribute list:
[ 10 BAS-IP ] [ 6] [14.30.0.1]
[ 11 Session-ID ] [ 8] [f48e92596d0d]
[ 33 RelayMessage ] [ 65] [6]
[ 38 DeviceStartTime ] [ 6] [1435129048]
Portal raw packet:
02 04 01 00 00 1a 00 00 0e 22 01 e7 00 00 00 04
81 f4 a5 11 1a 34 35 95 8d bc 9f 31 d6 47 49 e7
0a 06 0e 1e 00 01 0b 08 f4 8e 92 59 6d 0d 21 41
36 06 00 00 00 00 37 06 00 00 00 00 38 06 00 00
00 00 3a 06 00 00 00 00 42 06 00 00 00 00 4a 06
00 00 00 00 43 11 52 30 30 33 42 30 33 44 30 30
34 53 50 31 35 3d 0a 68 55 45 57 43 6a 4c 51 26
06 55 8a 54 d8
*Nov 26 18:42:04:063 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal receive packet length:44
Portal check packet OK
Portal packet head:
Type:5 SN:27 ReqId:0 AttrNum:2 ErrCode:0 UserIP:14.34.1.231 //user logout request sent by the server to the AC
Portal packet attribute list:
[ 10 BAS-IP ] [ 6] [14.30.0.1]
[ 12 Delay-Time ] [ 6] []
Portal raw packet:
02 05 01 00 00 1b 00 00 0e 22 01 e7 00 00 00 02
65 f9 d9 75 e8 45 f3 38 e9 df 65 e9 9b 6c 75 9f
0a 06 0e 1e 00 01 0c 06 00 00 00 00
*Nov 26 18:42:04:063 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal send packet length:52
Portal packet head:
Type:6 SN:27 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231 //AC's response to the server's user logout request
Portal packet attribute list:
[ 10 BAS-IP ] [ 6] [14.30.0.1]
[ 11 Session-ID ] [ 8] [f48e92596d0d]
[ 38 DeviceStartTime ] [ 6] [1435129048]
Portal raw packet:
02 06 01 00 00 1b 00 00 0e 22 01 e7 00 00 00 03
48 7b 01 25 5a 5a 2e 91 e4 3e d1 4b 2f 2a 09 80
0a 06 0e 1e 00 01 0b 08 f4 8e 92 59 6d 0d 26 06
55 8a 54 d8
*Nov 26 18:42:05:068 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal receive packet length:34
Portal check packet OK
Portal packet head:
Type:9 SN:28 ReqId:0 AttrNum:1 ErrCode:0 UserIP:14.34.1.231 //information query request
Portal packet attribute list:
[ 8 Port ] [ 2] []
Portal raw packet:
02 09 01 00 00 1c 00 00 0e 22 01 e7 00 00 00 01
22 d5 81 a9 ae cc 87 1f ed 7b db 4b 8e 3e d0 34
08 02
*Nov 26 18:42:05:068 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal send packet length:88
Portal packet head:
Type:10 SN:28 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231 //response to the information query
Portal packet attribute list:
[ 8 Port ] [ 44] [WX5540-1-vlan-01-0034@vlan-SSID-CDRCB@SSID]
[ 10 BAS-IP ] [ 6] [14.30.0.1]
[ 38 DeviceStartTime ] [ 6] [1435129048]
Portal raw packet:
02 0a 01 00 00 1c 00 00 0e 22 01 e7 00 00 00 03
4e 5a e3 34 70 27 78 26 b1 29 08 f4 24 53 bf 8d
08 2c 57 58 35 35 34 30 2d 31 2d 76 6c 61 6e 2d
30 31 2d 30 30 33 34 40 76 6c 61 6e 2d 53 53 49
44 2d 43 44 52 43 42 40 53 53 49 44 0a 06 0e 1e
00 01 26 06 55 8a 54 d8
*Nov 26 18:42:05:072 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal receive packet length:98
Portal check packet OK
Portal packet head:
Type:3 SN:28 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231 //server sends the AC a second login request
Portal packet attribute list:
[ 1 UserName ] [ 30] [obER5uPO7S4yXHY5zAokBf3GrTkc]
[ 2 PassWord ] [ 30] [***]
[ 10 BAS-IP ] [ 6] [14.30.0.1]
Portal raw packet:
02 03 01 00 00 1c 00 00 0e 22 01 e7 00 00 00 03
91 69 e4 1d 10 cf 44 6a f5 5a 08 14 3e ed 50 0c
01 1e 6f 62 45 52 35 75 50 4f 37 53 34 79 58 48
59 35 7a 41 6f 6b 42 66 33 47 72 54 6b 63 02 1e
6f 62 45 52 35 75 50 4f 37 53 34 79 58 48 59 35
7a 41 6f 6b 42 66 33 47 72 54 6b 63 0a 06 0e 1e
00 01
*Nov 26 18:42:05:072 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Portal send packet length:100
Portal packet head:
Type:4 SN:28 ReqId:0 AttrNum:4 ErrCode:1 UserIP:14.34.1.231 //AC rejects the access in its response, error code 1
Portal packet attribute list:
[ 5 TextInfo ] [ 48] [In the state,the REQ_AUTH should not received!]
[ 10 BAS-IP ] [ 6] [14.30.0.1]
[ 11 Session-ID ] [ 8] [f48e92596d0d]
[ 38 DeviceStartTime ] [ 6] [1435129048]
Portal raw packet:
02 04 01 00 00 1c 00 00 0e 22 01 e7 00 00 01 04
26 3a 6b 03 40 7f f4 a9 ab 97 49 0d c4 2f 1e 71
05 30 49 6e 20 74 68 65 20 73 74 61 74 65 2c 74
68 65 20 52 45 51 5f 41 55 54 48 20 73 68 6f 75
6c 64 20 6e 6f 74 20 72 65 63 65 69 76 65 64 21
0a 06 0e 1e 00 01 0b 08 f4 8e 92 59 6d 0d 26 06
55 8a 54 d8
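Observation shows that the first logout occurred at Nov 26 18:42:04:063 and the second request was initiated at Nov 26 18:42:05:072, so the interval between the two packets is very short. After extensive testing, the trigger was found to be closely tied to the processing time between the first logout's Type6 and the second login's Type3. According to the relevant documentation, portal handling in the current software version works as follows: when the AC receives a Type5 (logout request) from the server, it replies with Type6 immediately, but the user's logout has not necessarily finished at that point. If the same terminal then logs in again, the AC still finds the user's online entry, so the second login fails: the Type4 carries errcode 1 together with the message In the state,the REQ_AUTH should not received!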
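The timing check described above can be run over AC debug logs. The following Python script is an added example, not part of the original case or of any vendor tooling; the function names, the constant ACK_LOGOUT (this example's name for Type 6) and the trimmed sample are its own, and the 2-second threshold is the interval the article recommends.

```python
import re
from datetime import datetime

TS_RE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d:\d{3} \d{4}) ")
HEAD_RE = re.compile(r"Type:(\d+) SN:(\d+) .*?ErrCode:(\d+) UserIP:([\d.]+)")
REQ_AUTH, ACK_AUTH, ACK_LOGOUT = 3, 4, 6  # ACK_LOGOUT: example's name for Type 6
MIN_GAP = 2.0  # seconds, the interval the article recommends

# Timestamp and head lines taken from the debug output above; the attribute
# lists, raw dumps and author annotations are trimmed.
SAMPLE = """\
*Nov 26 18:41:52:527 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Type:3 SN:26 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231
*Nov 26 18:41:52:672 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Type:4 SN:26 ReqId:0 AttrNum:4 ErrCode:0 UserIP:14.34.1.231
*Nov 26 18:42:04:063 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Type:6 SN:27 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231
*Nov 26 18:42:05:072 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Type:3 SN:28 ReqId:0 AttrNum:3 ErrCode:0 UserIP:14.34.1.231
*Nov 26 18:42:05:072 2015 WX5540-1 PORTAL/7/PORTAL_DEBUG:
Type:4 SN:28 ReqId:0 AttrNum:4 ErrCode:1 UserIP:14.34.1.231
"""

def parse_events(text):
    """Yield (time, type, sn, errcode, user_ip) per decoded packet head."""
    ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S:%f %Y")
        elif ts and (h := HEAD_RE.search(line)):
            yield (ts, *map(int, h.group(1, 2, 3)), h.group(4))

def find_races(text, min_gap=MIN_GAP):
    """Flag REQ_AUTH that arrives less than min_gap after ACK_LOGOUT."""
    last_logout, pending, findings = {}, {}, []
    for ts, typ, sn, err, ip in parse_events(text):
        if typ == ACK_LOGOUT:
            last_logout[ip] = ts
        elif typ == REQ_AUTH and ip in last_logout:
            gap = (ts - last_logout[ip]).total_seconds()
            if gap < min_gap:
                pending[(ip, sn)] = gap  # wait for the matching ACK_AUTH
        elif typ == ACK_AUTH and (ip, sn) in pending:
            findings.append({"user_ip": ip, "sn": sn,
                             "gap_s": pending.pop((ip, sn)),
                             "rejected": err == 1})
    return findings

if __name__ == "__main__":
    print(find_races(SAMPLE))
```

On the sample it reports one finding for 14.34.1.231: the REQ_AUTH with SN 28 arrived about 1 second after the Type 6 reply and was rejected with ErrCode 1.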
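This situation usually appears only in certain special scenarios, and the trigger is typically a single terminal authenticating repeatedly. The AC's portal authentication mechanism has already been optimized in the V7 platform version, and the change will be merged into the latest V5 platform version: the portal mechanism will be changed so that the device sends Type4 only after the first logout has completed. When the problem occurs, the recommendations are:
1. Upgrade to the V7 version.
2. Upgrade to the latest V5 version (see the release notes or consult 400 wireless technical support).
Coordinate with the server side to adjust the interval between a portal logout and the next login; the suggested reference value is 2 s.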