Switch configured for Telnet login with RADIUS authentication: terminals consistently fail to log in to the device
"debugging radius" on the switch shows that the authentication itself actually succeeds, but immediately after the successful authentication the switch receives an Accounting-Stop response.
A packet capture on the RADIUS server shows that the Accounting-Stop was initiated by the switch itself; "debugging telnet" shows that the switch received no disconnect request from the terminal before it sent the Accounting-Stop.
The key debug output is as follows:
*Aug 28 10:07:47:995 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Sent request packet and create request context successfully.
*Aug 28 10:07:47:995 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Added request context to global table successfully.
*Aug 28 10:07:47:995 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Processing AAA request data.
*Aug 28 10:07:47:995 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Reply SocketFd recieved EPOLLIN event.
*Aug 28 10:07:47:996 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Received reply packet succuessfully.
*Aug 28 10:07:47:996 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Found request context, dstIP: 10.86.8.21, dstPort: 1646, VPN instance: --(public), socketFd: 38, pktID: 144.
*Aug 28 10:07:47:997 2023 SWAC-DCA3-01 RADIUS/7/EVENT: The reply packet is valid.
*Aug 28 10:07:47:997 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Decoded reply packet successfully.
*Aug 28 10:07:47:997 2023 SWAC-DCA3-01 RADIUS/7/PACKET:
05 90 00 14 aa af 19 af 4a 3f 8a 58 11 af 4e 1c
ca e9 92 4d
*Aug 28 10:07:48:000 2023 SWAC-DCA3-01 RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*Aug 28 10:07:48:001 2023 SWAC-DCA3-01 RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-stop reply-data successfully, resultCode: 0
*Aug 28 10:07:48:001 2023 SWAC-DCA3-01 RADIUS/7/EVENT: PAM_RADIUS: Received accounting-stop reply message, resultCode: 0
*Aug 28 10:07:48:007 2023 SWAC-DCA3-01 RADIUS/7/EVENT: Sent reply message successfully.
*Aug 28 10:07:48:024 2023 SWAC-DCA3-01 TELNETD/7/RUN: Successfully closed PTY.
*Aug 28 10:07:48:034 2023 SWAC-DCA3-01 TELNETD/7/RUN: Received the SIGCHLD signal.
*Aug 28 10:07:48:035 2023 SWAC-DCA3-01 TELNETD/7/RUN: Successfully cleared the user information.
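The RADIUS/7/PACKET hex dump above can be decoded by hand to confirm what the switch received: the first byte 05 is the RADIUS code Accounting-Response, the second byte 90 is identifier 144 (matching "pktID: 144" in the preceding line), and 00 14 is a total length of 20, so the packet is a bare header with no attributes, i.e. the server simply acknowledging the Accounting-Stop. The following is an added example, not code from the original case page, that parses such a dump, and also walks Vendor-Specific attributes so the same parser can be run on the Access-Accept dump to see whether the server returned a user-role attribute at all. The vendor ID 25506 and sub-attribute 155 (H3C-User-Roles) are assumptions taken from the FreeRADIUS dictionary.h3c file, and the Access-Accept packets built at the bottom are constructed samples, not captured traffic.

```python
# Added example (not from the original case page): decode the RADIUS
# packet hex dump printed by "debugging radius" above and check an
# Access-Accept for a vendor-specific user-role attribute.
# Assumptions: H3C vendor ID 25506 and H3C-User-Roles sub-attribute 155
# come from the FreeRADIUS dictionary.h3c file; the sample Access-Accept
# packets built below are constructed for illustration only.
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}
VENDOR_SPECIFIC = 26            # RFC 2865 section 5.26

# Hex dump copied from the RADIUS/7/PACKET debug lines above.
PACKET_HEX = "05 90 00 14 aa af 19 af 4a 3f 8a 58 11 af 4e 1c ca e9 92 4d"

H3C_VENDOR_ID = 25506           # assumption: from FreeRADIUS dictionary.h3c
H3C_USER_ROLES = 155            # assumption: H3C-User-Roles in the same file


def parse_radius(data: bytes) -> dict:
    """Parse a RADIUS packet into header fields and a flat attribute list.

    Plain attributes appear as {"type", "value"}; sub-attributes carried in
    a Vendor-Specific attribute appear as {"type": 26, "vendor", "vtype",
    "value"} so the caller does not have to unpack VSAs itself.
    """
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"length field {length} inconsistent with {len(data)} bytes")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                attrs.append({"type": atype, "vendor": vendor_id, "vtype": vtype,
                              "value": value[vpos + 2:vpos + vlen]})
                vpos += vlen
        else:
            attrs.append({"type": atype, "value": value})
        pos += alen
    return {"code": code, "name": RADIUS_CODES.get(code, f"code-{code}"),
            "id": ident, "length": length,
            "authenticator": data[4:20].hex(), "attributes": attrs}


def parse_hex_dump(text: str) -> dict:
    """Parse a whitespace-separated hex dump such as the debug output above."""
    return parse_radius(bytes.fromhex("".join(text.split())))


def has_user_role(pkt: dict, vendor_id: int = H3C_VENDOR_ID,
                  vsa_type: int = H3C_USER_ROLES) -> bool:
    """True if the packet carries the vendor's user-role sub-attribute."""
    return any(a.get("vendor") == vendor_id and a.get("vtype") == vsa_type
               for a in pkt["attributes"])


def build_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    sub = bytes([vtype, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def build_packet(code: int, ident: int, attrs: bytes = b"",
                 authenticator: bytes = bytes(16)) -> bytes:
    """Assemble a RADIUS packet (zero authenticator: constructed sample only)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    pkt = parse_hex_dump(PACKET_HEX)
    print(pkt["name"], "id", pkt["id"], "len", pkt["length"], "attrs", pkt["attributes"])
    # Constructed Access-Accepts: one with no role at all, one carrying H3C-User-Roles.
    bare = parse_radius(build_packet(2, 1))
    with_role = parse_radius(build_packet(
        2, 1, build_vsa(H3C_VENDOR_ID, H3C_USER_ROLES, b"network-admin")))
    print("bare Access-Accept carries a role:", has_user_role(bare))
    print("Access-Accept with VSA carries a role:", has_user_role(with_role))
```

Run against the dump from this case the parser reports Accounting-Response, identifier 144, length 20 and an empty attribute list. The more useful target is the Access-Accept dump that precedes it in the debug output: if has_user_role() is False for that packet, the server authenticated the user but authorized no role, which is the condition described in the analysis below.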
Capture result on the RADIUS side (10.86.x.44 is the NAS IP):
It was confirmed that, for users logging in to the device through AAA authentication, the user role is assigned by the server (either the remote authentication server or the local authentication server). A user who is not authorized any user role cannot log in to the device successfully; the switch tears the session down right after the Access-Accept, which is why the Accounting-Stop in this case is sent by the switch without any disconnect request from the terminal. If no authorization attributes have been configured for local users or user groups with the authorization-attribute command, the default user role authorization feature must be enabled. With it enabled, a user who has not been authorized any user role by the server is given a default user role.
If the user passes AAA authentication and is granted a specific user role, the user does not receive the default user role.
The fix is to add the following configuration on the device. The default role applies to every AAA-authenticated user the server assigns no role to, so keep it at the least privilege operators need (network-operator is the default) and prefer returning explicit roles from the RADIUS server:
<Sysname> system-view
[Sysname] role default-role enable // if the role-name argument is omitted, the default user role is network-operator