• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
案例类型
搜索
取消
产品线
关键字
发布者
发布时间

某局点V7 AC板卡portal无感知异常的经验案例

  • 0关注
  • 0收藏,71浏览
0

组网及说明

组网:二层注册、本地转发、第三方服务器


问题描述

现场测试终端首次portal认证成功后,能够正常上网;后续再连接无线无需认证即可上网1-2分钟,然后通信中断,如此循环;

过程分析

1、开始能够正常上网1-2分钟,检查配置发现配置了 free-traffic threshold 1024000免认证流量阈值,即流量在未达到1024000字节时是可以正常上网的; 通信中断时,在AC上通过display portal user查看在线用户,发现测试终端不在线,说明流量达到阈值后用户被踢下线了,从现场故障现象看,怀疑无感知未成功;

2、检查现场配置正确,在AC上采集故障终端的debugging portal all和debugging radius all信息;

在看dbeug前,先看一下portal无感知认证的基本流程:

(1) 用户收发的流量达到设定的阈值之前,用户无需进行认证,接入设备将用户的MAC地址及接入端口信息保存为MAC-trigger表项;

(2) 当用户收发的流量达到设定的阈值时,AC 向MAC Server发送Portal Type:48(0x30)的查询报文,查询MAC-trigger表项里测试终端的MAC是否存在

(3)如果MAC Server中未查到终端的MAC(即此终端第一次关联无线),MAC Server向AC回应Portal Type:49(0x31)的应答报文,ErrCode为1表示MAC未绑定。AC就会将终端重定向到认证页面输入用户名密码,进行正常的portal认证流程;

(4)如果过MAC Server中查到终端的MAC, MAC Server向AC回应Portal Type:49(0x31)的应答报文,ErrCode为0表示MAC已绑定,会进行无感知认证。Portal Server/MAC Server向AC发起Portal认证,用于认证的用户名\密码为MAC Server从AAA同步过来的账号信息

(5)AC向Radius服务器发起AAA认证

(6)认证通过后用户能访问网络;

3、查看现场debug信息

测试终端地址:192.168.2.179    测试终端MAC:fc18-3c36-0f71  

*Aug 23 10:25:15:306 2019 AC PORTAL/7/MAC-trigger Event: Set MAC-trigger rule status 0.

*Aug 23 10:25:15:306 2019 AC PORTAL/7/MAC-trigger:

    MAC-trigger rule:

    InterfaceL3      = WLAN-BSS1/0/9292

    InterfaceL2      = WLAN-BSS1/0/9292

    VLAN             = 10

    SrcMAC           = fc18-3c36-0f71

    SrcIP            = 192.168.2.179

    Operation        = 0

*Aug 23 10:25:15:306 2019 AC PORTAL/7/MAC-trigger Event: Received MAC overflow event, MAC=fc18-3c36-0f71.

*Aug 23 10:25:15:306 2019 AC PORTAL/7/EVENT: Success to get ssid by user mac, ssid:ceshi, user MAC:FC-18-3C-36-0F-71.

*Aug 23 10:25:15:306 2019 AC PORTAL/7/PACKET:

Portal sent 41 bytes of packet: Type=req_macbind_info(48), ErrCode=0, IP=192.168.2.179    //AC向MAC Server发送48号查询报文

*Aug 23 10:25:15:306 2019 AC PORTAL/7/PACKET:

[ 11 SESSIONID           ] [  8] [fc18-3c36-0f71]

[ 10 BASIP               ] [  6] [10.0.0.5]

[ 48 NASID               ] [  4] [AC]

[ 30 SSID                ] [  7] [ceshi]

 

*Aug 23 10:25:15:307 2019 AC PORTAL/7/PACKET:

01 30 00 00 70 7d 00 00 c0 a8 02 b3 00 00 00 04

0b 08 fc 18 3c 36 0f 71 0a 06 0a 00 00 05 30 04

41 43 1e 07 63 65 73 68 69

 

*Aug 23 10:25:15:307 2019 AC PORTAL/7/MAC-trigger Event: MAC entry(fc18-3c36-0f71) state changed from DEFAULT to WAIT, user IP = 192.168.2.179.

*Aug 23 10:25:15:307 2019 AC PORTAL/7/EVENT: Success to get info from wlan snooping, vlan:10. mac:fc18-3c36-0f71,userip:192.168.2.179

*Aug 23 10:25:15:307 2019 AC PORTAL/7/EVENT: Success to get ifindex(128) and vlan(10) from IPCIM, user IP=192.168.2.179,MAC=fc18-3c36-0f71

*Aug 23 10:25:15:308 2019 AC PORTAL/7/PACKET:

Portal received 16 bytes of packet: Type=ack_macbind_info(49), ErrCode=0, IP=192.168.2.179   //AC收到MAC服务器 49号回应报文并且 ErrCode=0 证明MAC地址存在,接下来进行无感知portal认证

*Aug 23 10:25:15:308 2019 AC PORTAL/7/PACKET:

01 31 00 00 70 7d 00 00 c0 a8 02 b3 00 00 00 00

 

 

*Aug 23 10:25:15:308 2019 AC PORTAL/7/MAC-trigger Event: MAC entry(fc18-3c36-0f71) state changed from WAIT to BIND. user IP=192.168.2.179.

*Aug 23 10:25:15:308 2019 AC PORTAL/7/MAC-trigger Event: Set MAC-trigger rule status 3.

*Aug 23 10:25:15:308 2019 AC PORTAL/7/MAC-trigger:

    MAC-trigger rule:

    InterfaceL3      = WLAN-BSS1/0/9292

    InterfaceL2      = WLAN-BSS1/0/9292

    VLAN             = 10

    SrcMAC           = fc18-3c36-0f71

    SrcIP            = 192.168.2.179

    Mac status       = 3

*Aug 23 10:25:15:309 2019 AC PORTAL/7/EVENT: Success to get info from wlan snooping, vlan:10. mac:fc18-3c36-0f71,userip:192.168.2.179

*Aug 23 10:25:15:309 2019 AC PORTAL/7/EVENT: Success to get ifindex(128) and vlan(10) from IPCIM, user IP=192.168.2.179,MAC=fc18-3c36-0f71

*Aug 23 10:25:15:309 2019 AC PORTAL/7/EVENT: Success to get ifindex(128) and vlan(10) from IPCIM, user IP=192.168.2.179,MAC=fc18-3c36-0f71

*Aug 23 10:25:15:309 2019 AC PORTAL/7/PACKET:

Portal received 69 bytes of packet: Type=req_auth(3), ErrCode=0, IP=192.168.2.179   //AC直接收到portal服务器发起的req_auth报文;

这里有人可能会有疑问,从下图看,正常的portal认证流程,应该是portal服务器先发起req_info报文交互用户信息,第三方portal服务器是不是有问题?当portal认证采用了CMCC2.0的协议时,省略了req_info、req_challenge阶段,直接收到req_auth是正常的,AC能够正常识别;和第三方服务器厂商确认,他们最开始发的确实是req_auth报文;


*Aug 23 10:25:15:309 2019 AC PORTAL/7/PACKET:        //req_auth报文把用户名密码信息同步给了AC

[  1 USERNAME            ] [ 19] [fc:18:3c:36:0f:71] //注意这里的用户名是MAC地址,正常应该是时测试终端输入的账号

[  2 PASSWORD            ] [ 18] [******]

 

*Aug 23 10:25:15:310 2019 AC PORTAL/7/PACKET:

02 03 01 00 34 44 00 00 c0 a8 02 b3 00 00 00 02

98 f1 93 7f 98 50 31 b4 b1 93 66 63 42 92 28 a1

01 13 66 63 3a 31 38 3a 33 63 3a 33 36 3a 30 66

3a 37 31 02 12 32 38 65 38 66 61 64 30 32 64 39

39 39 33 33 66

 

*Aug 23 10:25:15:310 2019 AC PORTAL/7/EVENT:

Auth-SM [192.168.2.179]: Don't Started auth_sm timer for user from local web server or NOC.

*Aug 23 10:25:15:311 2019 AC PORTAL/7/EVENT: Success to get option info from IPCIM, user IP=192.168.2.179, user MAC=FC-18-3C-36-0F-71.

*Aug 23 10:25:15:311 2019 AC PORTAL/7/EVENT: Success to get option55 from DHCP option55:1,121,3,6,15,119,252,len:7, user IP-192.168.2.179, user MAC=FC-18-3C-36-0F-71

*Aug 23 10:25:15:312 2019 AC PORTAL/7/EVENT: Success to get ssid by user mac, ssid:ceshi, user MAC:FC-18-3C-36-0F-71.

*Aug 23 10:25:15:312 2019 AC PORTAL/7/EVENT: Success to get ap mac by user mac, ap mac: 3C-8C-40-45-0B-60, user MAC: FC-18-3C-36-0F-71.

*Aug 23 10:25:15:312 2019 AC PORTAL/7/EVENT: User-SM[192.168.2.179]: Notified Auth-SM to process the REQ_AUTH packet.

*Aug 23 10:25:15:312 2019 AC PORTAL/7/FSM: Auth-SM: Started to run.

*Aug 23 10:25:15:312 2019 AC PORTAL/7/FSM: Auth-SM [192.168.2.179]: Entered state Authenticating. //进入RADIUS认证阶段,RADIUS报文中,code=1是认证请求报文,code=2是认证成功报文,code=3是认证失败报文,这三种报文只在用户上线时产生;code4、code5是认证成功后计费用的;

*Aug 23 10:25:15:312 2019 AC PORTAL/7/MAC-trigger:

    MAC-trigger rule:

    InterfaceL3      = WLAN-BSS1/0/9292

    InterfaceL2      = WLAN-BSS1/0/9292

    VLAN             = 10

    SrcMAC           = fc18-3c36-0f71

    SrcIP            = 192.168.2.179

    Operation        = 1

*Aug 23 10:25:15:313 2019 AC RADIUS/7/EVENT:

PAM_RADIUS: Processing RADIUS authentication.

*Aug 23 10:25:15:313 2019 AC RADIUS/7/EVENT:

Processing AAA request data.

*Aug 23 10:25:15:313 2019 AC RADIUS/7/EVENT:

Got request data successfully, primitive: authentication.

*Aug 23 10:25:15:313 2019 AC RADIUS/7/EVENT:

Getting RADIUS server info.

*Aug 23 10:25:15:313 2019 AC RADIUS/7/EVENT:

Got RADIUS server info successfully.

*Aug 23 10:25:15:313 2019 AC RADIUS/7/EVENT:

Created request context successfully.

*Aug 23 10:25:15:314 2019 AC RADIUS/7/EVENT:

Created request packet successfully, dstIP: 10.0.0.3, dstPort: 1812, VPN instance: --(public), socketFd: 84, pktID: 69.

*Aug 23 10:25:15:314 2019 AC RADIUS/7/EVENT:

Added packet socketfd to epoll successfully, socketFd: 84.

*Aug 23 10:25:15:314 2019 AC RADIUS/7/EVENT:

Mapped PAM item to RADIUS attribute successfully.

*Aug 23 10:25:15:314 2019 AC RADIUS/7/EVENT:

Got RADIUS username format successfully, format: 2.

*Aug 23 10:25:15:314 2019 AC RADIUS/7/EVENT:

Added attribute user-name successfully, user-name: fc:18:3c:36:0f:71.

*Aug 23 10:25:15:314 2019 AC RADIUS/7/EVENT:

Filled RADIUS attributes in packet successfully.

*Aug 23 10:25:15:315 2019 AC RADIUS/7/EVENT:

Composed request packet successfully.

*Aug 23 10:25:15:315 2019 AC RADIUS/7/EVENT:

Created response timeout timer successfully.

*Aug 23 10:25:15:315 2019 AC RADIUS/7/EVENT:

PAM_RADIUS: Sent authentication request successfully.

*Aug 23 10:25:15:315 2019 AC RADIUS/7/PACKET:

    User-Name="fc:18:3c:36:0f:71"      //可以看到radius报文的用户密码封装的还是MAC地址

    User-Password=******

    Service-Type=Framed-User

    Framed-Protocol=255

    NAS-Identifier="AC"

    NAS-Port=16777226

    NAS-Port-Type=Wireless-802.11

    NAS-Port-

    Calling-Station-

    Called-Station-

    Acct-Session-

    H3c-User-Vlan-Id=10

    Framed-IP-Address=192.168.2.179

    H3c-Ip-Host-Addr="192.168.2.179 fc:18:3c:36:0f:71"

    H3c_DHCP_OPTION55=0x017903060f77fc

    NAS-IP-Address=10.0.0.5

    H3c-Product-

    H3c-Nas-Startup-Timestamp=1565282790

*Aug 23 10:25:15:315 2019 AC PORTAL/7/EVENT: User-SM[192.168.2.179]: AAA processed authentication request and returned processing.

*Aug 23 10:25:15:315 2019 AC PORTAL/7/FSM: User-SM[192.168.2.179]: Begin to run.

*Aug 23 10:25:15:316 2019 AC RADIUS/7/EVENT:

Sent request packet successfully.  //发送RADIUS认证请求报文

*Aug 23 10:25:15:316 2019 AC PORTAL/7/FSM: User-SM [192.168.2.179]: State changed from Initial to Authenticating.

*Aug 23 10:25:15:316 2019 AC RADIUS/7/PACKET:

 01 45 01 2d 49 aa b8 b9 e0 61 2b ed c6 31 35 5b   //第一个字节01表示code=1,是radius的认证请求报文

 73 0c fd bf 01 13 66 63 3a 31 38 3a 33 63 3a 33

 36 3a 30 66 3a 37 31 02 12 bc 2f 4b 9d e1 1f f9

 f2 56 07 28 f2 b3 4d fa e6 06 06 00 00 00 02 07

 06 00 00 00 ff 20 04 41 43 05 06 01 00 00 0a 3d

 06 00 00 00 13 57 12 30 31 30 30 30 30 30 30 30

 30 30 30 30 30 31 30 1f 13 46 43 2d 31 38 2d 33

 43 2d 33 36 2d 30 46 2d 37 31 1e 19 33 43 2d 38

 43 2d 34 30 2d 34 35 2d 30 42 2d 36 30 3a 63 65

 73 68 69 2c 28 30 30 30 30 30 30 30 37 32 30 31

 39 30 38 32 33 31 30 32 35 31 35 30 30 30 30 33

 34 61 65 30 38 31 30 39 39 33 36 1a 0c 00 00 63

 a2 85 06 00 00 00 0a 08 06 c0 a8 02 b3 1a 27 00

 00 63 a2 3c 21 31 39 32 2e 31 36 38 2e 32 2e 31

 37 39 20 66 63 3a 31 38 3a 33 63 3a 33 36 3a 30

*Aug 23 10:25:15:317 2019 AC RADIUS/7/PACKET:

 66 3a 37 31 1a 0f 00 00 63 a2 d0 09 01 79 03 06

 0f 77 fc 04 06 0a 00 00 05 1a 18 00 00 63 a2 ff

 12 48 33 43 20 45 57 50 58 4d 32 57 43 4d 44 30

 46 1a 0c 00 00 63 a2 3b 06 5d 4c 51 e6

*Aug 23 10:25:15:317 2019 AC RADIUS/7/EVENT:

Sent request packet and create request context successfully. //RADIUS请求报文发送成功

*Aug 23 10:25:15:317 2019 AC RADIUS/7/EVENT:

Added request context to global table successfully.

*Aug 23 10:25:15:317 2019 AC RADIUS/7/EVENT:

Processing AAA request data.

*Aug 23 10:25:15:317 2019 AC RADIUS/7/EVENT:

Reply SocketFd recieved EPOLLIN event.

*Aug 23 10:25:15:317 2019 AC RADIUS/7/EVENT:

Received reply packet succuessfully.  //收到RADIUS服务器的回复报文

*Aug 23 10:25:15:317 2019 AC RADIUS/7/EVENT:

Found request context, dstIP: 10.0.0.3, dstPort: 1812, VPN instance: --(public), socketFd: 84, pktID: 69.

*Aug 23 10:25:15:318 2019 AC RADIUS/7/EVENT:

The reply packet is valid.

*Aug 23 10:25:15:318 2019 AC RADIUS/7/EVENT:

Decoded reply packet successfully. //解析RADIUS回复报文

*Aug 23 10:25:15:318 2019 AC RADIUS/7/PACKET:

    User-Name="fc:18:3c:36:0f:71"   //用户名错误  

    Reply-Message="authen reject"   //认证请求被拒绝

*Aug 23 10:25:15:318 2019 AC RADIUS/7/PACKET:

 03 45 00 36 2a d8 b4 9e de 7e 22 18 39 55 68 0e   //第一个字节03表示code=3,是radius的认证失败报文

 24 c8 1d be 01 13 66 63 3a 31 38 3a 33 63 3a 33

 36 3a 30 66 3a 37 31 12 0f 61 75 74 68 65 6e 20

 72 65 6a 65 63 74

*Aug 23 10:25:15:318 2019 AC RADIUS/7/EVENT:

Sent reply message successfully.

*Aug 23 10:25:15:318 2019 AC RADIUS/7/EVENT:

PAM_RADIUS: Processing RADIUS authentication.

*Aug 23 10:25:15:319 2019 AC RADIUS/7/EVENT:

PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 1

*Aug 23 10:25:15:319 2019 AC PORTAL/7/EVENT: User-SM[192.168.2.179]: Received authentication response, RespCode=26.

*Aug 23 10:25:15:319 2019 AC PORTAL/7/FSM: Auth-SM: Started to run.

*Aug 23 10:25:15:320 2019 AC PORTAL/7/PACKET:

Portal sent 62 bytes of packet: Type=ack_auth(4), ErrCode=1, IP=192.168.2.179

*Aug 23 10:25:15:320 2019 AC PORTAL/7/PACKET:

[ 11 SESSIONID           ] [  8] [fc18-3c36-0f71]

[  5 TEXTINFO            ] [ 16] [authen reject]

[ 10 BASIP               ] [  6] [10.0.0.5]

 

*Aug 23 10:25:15:321 2019 AC PORTAL/7/PACKET:

02 04 01 00 34 44 00 00 c0 a8 02 b3 00 00 01 03

0e 17 07 c4 50 7a a5 02 1f 24 e7 69 58 6d 75 38

0b 08 fc 18 3c 36 0f 71 05 10 61 75 74 68 65 6e

20 72 65 6a 65 63 74 00 0a 06 0a 00 00 05

 

*Aug 23 10:25:15:321 2019 AC PORTAL/7/EVENT: User-SM[192.168.2.179]: Auth-SM logged out the user and notified User-SM to process.

*Aug 23 10:25:15:321 2019 AC PORTAL/7/FSM: User-SM[192.168.2.179]: Begin to run.

*Aug 23 10:25:15:321 2019 AC PORTAL/7/FSM: User-SM [192.168.2.179]: State changed from Authenticating to Done. //用户认证失败状态变为DOWN

*Aug 23 10:25:15:321 2019 AC PORTAL/7/FSM: User-SM[192.168.2.179]: User was destroyed.

*Aug 23 10:25:15:323 2019 AC PORTAL/7/EVENT: User-SM[192.168.2.179]: Notified User-Detect-SM to stop detection.

4、从debug过程可以看到,portal无感知在radius认证阶段失败,由于认证的用户名错误,而用户名密码是第三方服务器通过req_auth报文同步给我们的,协调第三方服务器排查修改服务器侧配置后认证成功;


解决方法

第三方服务器问题,修改服务器侧配置解决;

总结:

1、MAC Server回应Portal Type:49(0x31)的应答报文,ErrCode为0表示MAC已绑定,ErrCode为1表示MAC未绑定;

2、 portal认证采用了CMCC2.0的协议时,省略了req_info、req_challenge阶段;

3、Radius报文中,code=1是认证请求报文,code=2和code=3分别是认证通过和认证失败报文,这三种报文只在用户上线时产生。在用户上网的漫长过程中,是依靠code=4报文来维系计费和用户在线信息。

0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作