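The on-site network is as shown in the figure. The AC runs a V7 release, vlan1000 is the clients' gateway address, and the authentication server is a third-party server.
During portal authentication on site, clients are redirected to the portal login page, but after the username and password are entered the page reports that AC authentication failed. Portal authentication does not succeed.
The AC configuration shows no obvious problem. The portal server address and the RADIUS server address were confirmed to be correct, and the keys and ports were each checked as well.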
#
wlan service-template 1
ssid JTYH
vlan 1000
akm mode psk
preshared-key pass-phrase cipher $c$3$fqcq+qBsrZTIAmOKgLe/Q7vXn4C7kzP744IXEA==
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain w-portal
portal bas-ip 192.168.2.2
portal apply web-server w-portal
service-template enable
#
interface Vlan-interface100
ip address 192.168.2.2 255.255.255.0
#
interface Vlan-interface1000
ip address 172.16.0.1 255.255.0.0
#
radius scheme w-portal
primary authentication 192.168.2.3
primary accounting 192.168.2.3
key authentication cipher $c$3$3mX4kDA6Ekcm1xq6OcfCtoBueHIXI690/E1tjLA=
key accounting cipher $c$3$tLLsfuzdgv6hBNlumYDa6jmHpc/u3Ukz
nas-ip 192.168.2.2
#
domain w-portal
authorization-attribute idle-cut 15 1024
authentication portal radius-scheme w-portal
authorization portal radius-scheme w-portal
accounting portal radius-scheme w-portal
#
portal web-server w-portal
url http://192.168.2.3/a79.htm
server-type cmcc
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal server w-portal
ip 192.168.2.3 key cipher $c$3$QsRWuiDBB3Sluy7wFwRkacGvjwey+QB4
port 2000
server-type cmcc
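The site was then asked to collect debug output during the portal process: debug portal all and debug radius all
The debug output shows that the redirect packets are all normal, and that the device received the req_auth packet sent by the server and began processing the AAA request: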
*Nov 13 13:53:10:606 2018 AC PORTAL/7/PACKET: Portal received 51 bytes of packet: Type=req_auth(3), ErrCode=0, IP=172.16.16.106
*Nov 13 13:53:10:610 2018 AC RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authentication.
*Nov 13 13:53:10:610 2018 AC RADIUS/7/EVENT: Processing AAA request data.
*Nov 13 13:53:10:610 2018 AC RADIUS/7/EVENT: Got request data successfully, primitive: authentication.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/EVENT: Getting RADIUS server info.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/EVENT: Got RADIUS server info successfully.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/EVENT: Created request context successfully.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/ERROR: Failed to fill RADIUS attribute in packet.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/ERROR: Failed to compose request packet.
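However, a closer look at the output shows two RADIUS errors: "Failed to fill RADIUS attribute in packet." and "Failed to compose request packet." The suspected cause was that the device side and the server side were configured with different portal protocol versions. The site was asked to check with the server-side engineer, who found that the portal protocol configured on the server was portal 2.0, while the server-type configured under portal server on the device was cmcc, that is, the portal 1.0 protocol.
After the portal protocol version configured on the server side was changed to match the device side, portal authentication succeeded.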
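The triage step described above, as an added example that is not part of the original case or of H3C tooling: it parses the debug lines quoted on this page, ties each portal req_auth to the RADIUS errors that follow it, and reports when the AC failed before a RADIUS request was even built. The 2-second correlation window and the stage names are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the debug lines quoted in this case.
SAMPLE = """\
*Nov 13 13:53:10:606 2018 AC PORTAL/7/PACKET: Portal received 51 bytes of packet: Type=req_auth(3), ErrCode=0, IP=172.16.16.106
*Nov 13 13:53:10:610 2018 AC RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authentication.
*Nov 13 13:53:10:610 2018 AC RADIUS/7/EVENT: Processing AAA request data.
*Nov 13 13:53:10:610 2018 AC RADIUS/7/EVENT: Got request data successfully, primitive: authentication.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/EVENT: Getting RADIUS server info.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/EVENT: Got RADIUS server info successfully.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/EVENT: Created request context successfully.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/ERROR: Failed to fill RADIUS attribute in packet.
*Nov 13 13:53:10:611 2018 AC RADIUS/7/ERROR: Failed to compose request packet.
"""

# "*Mon DD HH:MM:SS:mmm YYYY host MODULE/severity/MNEMONIC: message"
LINE = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d):(\d{3}) (\d{4}) (\S+) (\w+)/(\d)/(\w+): (.*)$")
REQ_AUTH = re.compile(r"Type=req_auth\(3\).*IP=(\d+\.\d+\.\d+\.\d+)")

def parse(text):
    """Yield (timestamp, module, mnemonic, message) for each debug line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a debug line
        ts = datetime.strptime(f"{m[1]} {m[3]}", "%b %d %H:%M:%S %Y")
        yield ts + timedelta(milliseconds=int(m[2])), m[5], m[7], m[8]

def triage(text, window=timedelta(seconds=2)):
    """For each portal req_auth, collect RADIUS errors logged within `window`."""
    results, current = [], None
    for ts, module, mnemonic, msg in parse(text):
        hit = REQ_AUTH.search(msg) if module == "PORTAL" else None
        if hit:
            current = {"client": hit[1], "time": ts, "errors": [],
                       "stage": "no_radius_error"}
            results.append(current)
        elif (current and module == "RADIUS" and mnemonic == "ERROR"
              and ts - current["time"] <= window):
            current["errors"].append(msg)
            if "compose request packet" in msg:
                # The AC never built the request, so nothing was sent to the
                # RADIUS server: look at the AC's portal/RADIUS settings first.
                current["stage"] = "request_not_composed"
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["client"], r["stage"], r["errors"])
```

A result of request_not_composed points the investigation at what the AC received from the portal server and how it is configured to interpret it, rather than at RADIUS reachability or the shared key.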