At a customer site, iMC-EIA is used for 802.1X EAP-MD5 authentication and the terminals run the iNode client. After a terminal authenticates successfully it goes offline immediately, and the access details in iMC-EIA show the offline reason as "repeated authentication packet".
I. First collect the UAM debug log (the collection procedure is not covered here). The analysis for account 0404, with which the problem was reproduced, is as follows:
CODE = 1.
ID = 16.
ATTRIBUTES:
User-Name(1) = "..PmAIT0oCNiV8TBwxdVB5LAEHUqk= 0404".\\access account name 0404
CHAP-Password(3) = "02708cfe96720f966f77d32f6ee6a64cb3".
CHAP-Challenge(60) = "21f0a8d9cbce3bdf0dc665c203de2f6a".
NAS-IP-Address(4) = 167972862.
NAS-Identifier(32) = "........".
NAS-Port(5) = 102401.
NAS-Port-Id(87) = "slot=0;subslot=0;port=25;vlanid=1".
NAS-Port-Type(61) = 15.
Service-Type(6) = 2.
Framed-Protocol(7) = 1.
Calling-Station-Id(31) = "00-26-2D-35-16-72".\\terminal MAC address 00-26-2D-35-16-72
Acct-Session-Id(44) = "117100914237420".\\accounting session identifier, used to identify the accounting ID
Framed-IP-Address(8) = 2886738698.\\user IP address, 172.16.35.10 after conversion
hw_Connect_ID(26) = 33.\\user connection index ID
hw_Product_ID(255) = "H3C MSR30-11E".
hw_IP_Host_Addr(60) = "172.16.35.10 00:26:2d:35:16:72".
hw_Nas_Startup_Timetamp(59) = 1510170632.
The device sends the RADIUS code 1 (Access-Request) packet normally, and iMC immediately replies with an authentication-accepted packet, as shown below:
Code = 2
ID = 16
ATTRIBUTES:
User-Name(1) = ..PmAIT0oCNiV8TBwxdVB5LAEHUqk= 0404
Service_Type(6) = 2
State(24) = O8dLZgKu
Class(25) = O8dLZgKu
Termination-Action(29) = 0
Session-Timeout(27) = 86400\\session duration
Acct-Interim-Interval(85) = 600\\accounting update interval
hw-Connect-Id(26) = 33\\connection index
hw_User_Notify(61) =
IF_PROXY = 0
IF_DOUBLE_NETCARD = 0
IF_IE_PROXY = 0
FRAMED_IP_SET_MODE = 0
IF_CHECK_MODIFY_MAC = 0
IF_CHECK_SAME_MAC = 0
EIA_DETAIL_VERSION = V700R003B04D021
EAD_EVENT_SEQ_ID = O8dLZgKu
%% 2017-11-09 14:34:41.897 ; [LDBG] ; [1212] ; LAN ; lanAuthMsgProc.exec: end with evntSeq O8dLZgKu, rtnVal 63000.
%% 2017-11-09 14:34:41.897 ; [LDBG] ; [8660] ; UsrOnline ; buildSql: insert [976].\\at the same time UAM inserts the user into the online table
Immediately afterwards the device also sends the RADIUS code 4 accounting-start packet normally, as shown below:
CODE = 4.
ID = 17.
ATTRIBUTES:
User-Name(1) = "..PmAIT0oCNiV8TBwxdVB5LAEHUqk= 0404".
NAS-Identifier(32) = "........".
NAS-Port(5) = 102401.
NAS-Port-Id(87) = "slot=0;subslot=0;port=25;vlanid=1".
NAS-Port-Type(61) = 15.
Calling-Station-Id(31) = "00-26-2D-35-16-72".\\terminal MAC address
Acct-Status-Type(40) = 1.\\accounting type; 1 means an accounting-start packet
Acct-Authentic(45) = 1.
Acct-Session-Id(44) = "117100914237420".\\accounting identifier, identical to the one in the RADIUS code 1 packet
Framed-IP-Address(8) = 2886738698.
NAS-IP-Address(4) = 167972862.
Event-Timestamp(55) = 1510237405.
Class(25) = "O8dLZgKu".
hw_Connect_ID(26) = 33.
hw_Input_Peak_Rate(1) = 0.
hw_Input_Average_Rate(2) = 0.
hw_Output_Peak_Rate(4) = 0.
hw_Output_Average_Rate(5) = 0.
hw_Priority(22) = 0.
hw_IP_Host_Addr(60) = "172.16.35.10 00:26:2d:35:16:72".
iMC responds normally with a RADIUS code 5 (Accounting-Response) packet, as shown below:
Code = 5
ID = 17
ATTRIBUTES:
hw-Connect-Id(26) = 33
hw_User_Notify(61) =
EAD_EVENT_SEQ_ID = O8dLZgKu
EAD_PROXY_IP = 2886886480\\policy server IP address
EAD_PROXY_PORT = 9019\\policy server port number
EAD_PROXY_IP_PREFERENCE = 0
IF_DEPLOY_EMO = 0
ISP_EMO_UDP_PORT = 0
ISP_EMO_TCP_PORT = 0
But right after that, the following authentication request packet appears in the UAM log:
CODE = 1.
ID = 18.
ATTRIBUTES:
User-Name(1) = "00262d351672".\\the username is the MAC address
Password(2) = "$$$".
NAS-IP-Address(4) = 167972862.
NAS-Identifier(32) = "........".
NAS-Port(5) = 102401.
NAS-Port-Id(87) = "slot=0;subslot=0;port=25;vlanid=1".
NAS-Port-Type(61) = 15.
Service-Type(6) = 10.
Framed-Protocol(7) = 1.
Calling-Station-Id(31) = "00-26-2D-35-16-72".\\terminal MAC address
Acct-Session-Id(44) = "117100914237430".
hw_Connect_ID(26) = 34.
hw_Product_ID(255) = "H3C MSR30-11E".
hw_Nas_Startup_Timetamp(59) = 1510170632.
Close analysis shows that the access username in this packet is a MAC address, and that it is the same MAC address as the terminal that previously logged in with account 0404. This means that after the user completed 802.1X authentication, the device initiated a MAC authentication request. Continuing the analysis:
%% 2017-11-09 14:34:43.518 ; [LDBG] ; [6288] ; LAN ; stopOneUsrAtLocal: delete the online record(online-id 976).\\right after the device sends the MAC authentication request, because the MAC address, the NAS and the user ID are all the same, UAM judges that this MAC is already online, clears the online record created by the earlier successful 802.1X authentication, and records "repeated authentication" as the offline reason in the access details
%% 2017-11-09 14:34:43.518 ; [LDBG] ; [6288] ; LAN ; stopOrphans: the online record had been deleted, user: 0404.
Code = 3
ID = 18
ATTRIBUTES:
Reply-Message(18) = E63100: The authentication client version is invalid.
hw-Connect-Id(26) = 34
Because "iNode client only" is ticked in the access policy, and the MAC authentication request carries no iNode client version, UAM reports "invalid client version". The log line that carries the iNode client version number is:
%% 2017-11-09 14:34:41.895 ; [LDBG] ; [1212] ; LAN ; parseVer: client ver iNode PC 7.3 (E0511), ClientOsType Windows.
When the device later sends the next accounting-update packet, the server finds that the 802.1X online information has already been cleared, so it sends Session-Timeout = 0 in the RADIUS code 5 packet:
Code = 5
ID = 8
ATTRIBUTES:
Session-Timeout(27) = 0
When the device receives this packet it immediately sends an accounting-stop packet with the offline reason "Session-Timeout". However, because EIA had already cleared the 802.1X online information when it received the MAC authentication request, nothing about "Session-Timeout" is recorded in the access details at that point. This explains why the access details show only "repeated authentication" and not "Session-Timeout".
So the root cause of the problem is that the device continues to send a MAC authentication request after 802.1X authentication has completed.
There are several solutions:
1. In Access Policy Management > Service Parameters > System Settings > Endpoint Management Parameters, turn off the "transparent authentication" switch. This parameter controls the handling of Portal transparent authentication and MAC transparent authentication. Because MAC authentication is enabled at this site, if this parameter is on and the terminal's transparent-authentication state is "enabled", then when UAM receives a MAC authentication packet again after the terminal has completed 802.1X authentication, the terminal passes authentication, which disrupts the user's normal login and logout.
2. Enable only MAC authentication or only 802.1X authentication on the port.
3. Check the network device. At this site both 802.1X and MAC authentication are enabled on the port; normally, once one type of authentication has completed, the device does not send a request for the other type, so check whether a device misconfiguration is causing this.
1. Analysing this problem requires a clear understanding of the UAM authentication flow and familiarity with UAM's processing mechanism.
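As an added illustration (not from the original article and not iMC's own code), the following Python script parses a UAM debug log excerpt in the format shown above, decodes the integer-form IP attributes the way the article does for Framed-IP-Address, and flags the pattern found in the analysis: an Access-Request whose User-Name is the terminal's own MAC address arriving after an Access-Accept for the same MAC on the same NAS IP and port. The log text is a constructed excerpt modelled on the dumps above, and the function names are assumptions.

```python
import re

# Constructed excerpt modelled on this article's UAM debug log: Access-Request for
# 0404, its Access-Accept, then a second Access-Request naming the terminal's MAC.
SAMPLE_LOG = """\
CODE = 1.
ID = 16.
User-Name(1) = "..PmAIT0oCNiV8TBwxdVB5LAEHUqk= 0404".
NAS-IP-Address(4) = 167972862.
NAS-Port(5) = 102401.
Calling-Station-Id(31) = "00-26-2D-35-16-72".
Code = 2
ID = 16
CODE = 1.
ID = 18.
User-Name(1) = "00262d351672".
NAS-IP-Address(4) = 167972862.
NAS-Port(5) = 102401.
Calling-Station-Id(31) = "00-26-2D-35-16-72".
"""
def parse_packets(text):
    """One dict per RADIUS packet: a CODE line opens it, 'attr(n) = value.' lines fill it."""
    packets = []
    for m in re.finditer(r"^([\w-]+?)(?:\(\d+\))? = (.*?)\.?$", text, re.M):
        key, value = m.group(1).replace("CODE", "Code"), m.group(2).strip('"')
        if key == "Code":
            packets.append({})
        if packets:
            packets[-1][key] = value
    return packets

def int_to_ip(v):  # UAM logs IPv4 attributes as a decimal integer
    return ".".join(str((int(v) >> s) & 0xFF) for s in (24, 16, 8, 0))
def norm_mac(s): return re.sub(r"[^0-9a-f]", "", s.lower())

def find_mac_auth_after_dot1x(packets):
    """Flag an Access-Request naming its own MAC that follows an Access-Accept for the same NAS IP/port/MAC."""
    pending, accepted, findings = {}, {}, []
    for p in packets:
        code, pid = p.get("Code"), p.get("ID")
        if code == "1":
            mac = norm_mac(p.get("Calling-Station-Id", ""))
            key = (int_to_ip(p.get("NAS-IP-Address", "0")), p.get("NAS-Port"), mac)
            user = p.get("User-Name", "").split()[-1]  # last token is the account (0404)
            if norm_mac(user) == mac and key in accepted:
                findings.append((accepted[key], mac, key[0], key[1]))
            pending[pid] = (key, user)
        elif code == "2" and pid in pending:  # Access-Accept: that user is now online
            accepted.update([pending.pop(pid)])
    return findings
```

Run over a full UAM debug log, each finding names the 802.1X account whose online record the later MAC authentication request will cause UAM to clear.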