A financial customer uses an SR6608 together with Cisco ACS 5.3 to authenticate SSH login users. The server side shows that authentication succeeded, but on the client side the user is logged off immediately after the successful authentication.
%Jun 30 10:41:57:408 2017 XJ1_EP_AR_02 SSHS/6/SSHS_CONNECT: SSH user admin (IP: 192.168.115.65) connected to the server successfully.
%Jun 30 10:41:57:496 2017 XJ1_EP_AR_02 LOGIN/5/LOGIN_FAILED: admin failed to log in from 192.168.115.65.
%Jun 30 10:42:00:504 2017 XJ1_EP_AR_02 SSHS/6/SSHS_LOG: User admin logged out from 192.168.115.65 port 2244.
%Jun 30 10:42:00:504 2017 XJ1_EP_AR_02 SSHS/6/SSHS_DISCONNECT: SSH user admin (IP: 192.168.115.65) disconnected from the server.
1. Check the device configuration:
hwtacacs scheme hwtacacs
primary authentication 192.168.10.73
primary authorization 192.168.10.73
key authentication cipher $c$3$FD7Vnm5q9+TM1eJfSc/aukuXmt11RjMHNkH7
key authorization cipher $c$3$8yO4/RbsUWT+76PD2HNOpyyduF2WLQv/K0tH
user-name-format without-domain
nas-ip 192.168.0.2
#
domain ssh
authentication login hwtacacs-scheme hwtacacs local
authorization login hwtacacs-scheme hwtacacs local
#
domain default enable ssh
Checking the configuration shows that both authentication and authorization are configured correctly.
2. Collect the "debugging hwtacacs all" output on the SR6608. The server has authorized the user successfully and returned privilege level 15 (priv-lvl=15), yet the client fails authentication right afterwards:
*Jun 30 18:12:59:387 2017 XJ1_EP_AR_02 TACACS/7/recv_packet:
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x82e49ab
length of payload: 18
Status: STATUS_PASS_ADD arg_cnt: 1 server_msg len: 0 data len: 0
arg0_len: 11
server_msg:
data:
arg0: priv-lvl=15
3. The client has passed authentication and authorization; the debugging output after the successful authorization is as follows:
%Jun 30 18:12:59:417 2017 XJ1_EP_AR_02 SSHS/6/SSHS_CONNECT: SSH user admin (IP: 192.168.115.65) connected to the server successfully.
*Jun 30 18:12:59:417 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 725, compressed_len 177
*Jun 30 18:12:59:418 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 1909, compressed_len 314
*Jun 30 18:12:59:419 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 91, compressed_len 23
*Jun 30 18:12:59:419 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Input: Length before de-compress 10, length after de-compress 9
*Jun 30 18:12:59:419 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Received packet type 93.
*Jun 30 18:12:59:420 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 134, compressed_len 17
*Jun 30 18:12:59:421 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 317, compressed_len 36
*Jun 30 18:12:59:424 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: read_fd 36 is a TTY.
*Jun 30 18:12:59:424 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Prepare packet[93].
*Jun 30 18:12:59:424 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 14, compressed_len 14
*Jun 30 18:12:59:424 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Prepare packet[99].
*Jun 30 18:12:59:424 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 10, compressed_len 9
*Jun 30 18:12:59:424 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 1062, compressed_len 120
*Jun 30 18:13:02:462 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Input: Length before de-compress 8, length after de-compress 9
*Jun 30 18:13:02:462 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Received packet type 93.
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: read failed
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: input state changed (open -> drain)
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: send EOF
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Prepare packet[96].
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 10, compressed_len 10
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: input state changed (drain -> closed)
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Received SIGCHLD.
*Jun 30 18:13:02:516 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: request exit-status confirm 0
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Prepare packet[98].
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 30, compressed_len 25
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Release channel 0
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: write failed
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: send EOW
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: output state changed (open -> closed)
*Jun 30 18:13:02:517 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(34)
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: send SSH2_MSG_CHANNEL_CLOSE
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Prepare packet[97].
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Compression: raw_len 10, compressed_len 10
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Input: Length before de-compress 9, length after de-compress 5
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Received packet type 96.
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: received EOF
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Input: Length before de-compress 9, length after de-compress 5
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/MESSAGE: Received packet type 97.
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: received SSH2_MSG_CHANNEL_CLOSE
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Close session: session 0, pid 0
*Jun 30 18:13:02:518 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Close pty: pseudo-terminal-master(-1), pseudo-terminal-sub(-1)
*Jun 30 18:13:02:519 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Session id 0 unused.
*Jun 30 18:13:02:519 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Channel 0: garbage collecting
*Jun 30 18:13:02:519 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Connection closed by 192.168.115.65
*Jun 30 18:13:02:519 2017 XJ1_EP_AR_02 SSHS/7/EVENT: PAM: cleanup
*Jun 30 18:13:02:522 2017 XJ1_EP_AR_02 SSHS/7/EVENT: Transferred: sent 1936 bytes, received 1192 bytes
%Jun 30 18:13:02:522 2017 XJ1_EP_AR_02 SSHS/6/SSHS_LOG: User admin logged out from 192.168.115.65 port 3097.
%Jun 30 18:13:02:522 2017 XJ1_EP_AR_02 SSHS/6/SSHS_DISCONNECT: SSH user admin (IP: 192.168.115.65) disconnected from the server.
4. Confirmed with the product line: no accounting method is configured under the domain, so the AAA login flow cannot complete, and the client is disconnected immediately after the successful authorization. The customer site does not require accounting, so the issue can be resolved by configuring the accounting method under the domain as none:
domain ssh
accounting login none
Configuring the accounting method as none under the domain resolved the issue.
On V7 platform routers, even when accounting is not needed, the accounting method must still be configured as none under the domain; otherwise the authentication flow is incomplete and the user is logged off.
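As an added example (not part of this case and not H3C's own tooling), a small Python lint that parses Comware-style domain blocks and flags any domain that configures login authentication or authorization without an accounting method. The two sample configurations are constructed from the domain block above, once as found on the device and once with the fix applied.

```python
"""Flag AAA domains that set login authentication/authorization but no accounting method."""
import re
from typing import Dict, List

# Constructed sample, modelled on the domain block from this case before the fix.
BROKEN_CONFIG = """\
domain ssh
authentication login hwtacacs-scheme hwtacacs local
authorization login hwtacacs-scheme hwtacacs local
#
domain default enable ssh
"""

# The same domain with the fix applied: accounting explicitly set to none.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "authorization login hwtacacs-scheme hwtacacs local\n",
    "authorization login hwtacacs-scheme hwtacacs local\naccounting login none\n",
)


def parse_domains(config: str) -> Dict[str, List[str]]:
    """Return {domain_name: [commands inside that domain view]}.

    A view block ends at a line containing only '#', as in Comware output.
    'domain default enable <name>' is a system-view command, not a block start.
    """
    domains: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        m = re.fullmatch(r"domain (\S+)", line)
        if m:
            current = m.group(1)
            domains.setdefault(current, [])
        elif current is not None:
            domains[current].append(line)
    return domains


def missing_accounting(config: str) -> List[str]:
    """Domains with 'authentication/authorization login' but no 'accounting login'."""
    bad = []
    for name, cmds in parse_domains(config).items():
        login_aaa = any(c.startswith(("authentication login", "authorization login")) for c in cmds)
        accounting = any(c.startswith("accounting login") for c in cmds)
        if login_aaa and not accounting:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, "-> domains missing accounting:", missing_accounting(cfg))
```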