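After TACACS authentication is configured on a Comware V7 device, a test login for device management comes online normally: the ACS server has a record of the successful authentication, and the device debug output shows that the login succeeded. However, accounting stops immediately after the login, and the client software (Telnet and so on) then disconnects from the server.
HWTACACS debugging information captured on site: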
*Dec 4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing TACACS authorization.
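The ACS server has no authorization configured for this user account, so it sends empty authorization information to the device. After receiving that information, the device drops the connection to the client.
Configure authorization for this user account on the ACS server.
As in the example shown in the figure below, configure privilege level 15 for the user account.
Under normal conditions, the debug output of the authentication process should contain the following messages, in which the user privilege level sent by the server is visible.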
*Dec 6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing TACACS authorization.
*Dec 6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Dispatching request, Primitive: authorization.
*Dec 6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Creating request data, data type: START
*Dec 6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Session successfully created.
*Dec 6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Getting available server, server-ip=192.168.20.66, server-port=49, VPN instance=--(public).
*Dec 6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Connecting to server...
*Dec 6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Dec 6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Connection succeeded, server-ip=192.168.20.66, port=49, VPN instance=--(public).
*Dec 6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Encapsulating authorization request packet.
*Dec 6 02:58:31:278 2015 F5000_ TACACS/7/send_packet: -Context=1;
version: 0xc0 type: AUTHOR_REQUEST seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xb829b3b6
length of payload: 63
authen_method: TACACSPLUS priv_lvl: 0 authen_type: ASCII authen_service: LOGIN
user_len: 4 port_len: 20 rem_len: 12 arg_cnt: 2
arg0_len: 13 arg1_len: 4
user: mike
port: GigabitEthernet1/0/0
rem_addr: 192.168.20.6
arg0: service=shell arg1: cmd*
*Dec 6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Dec 6 02:58:31:283 2015 F5000_ TACACS/7/recv_packet: -Context=1;
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xb829b3b6
length of payload: 18
Status: STATUS_PASS_ADD arg_cnt: 1 server_msg len: 0 data len: 0
arg0_len: 11
server_msg:
data:
arg0: priv-lvl=15 // the server delivers the user privilege level
*Dec 6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing authorization reply packet.
*Dec 6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply message successfully sent.
*Dec 6 02:58:31:284 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Dec 6 02:58:31:284 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: TACACS authorization succeeded.
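The check described above can be run over a saved debug capture. The following is an added example, not part of the original case or any H3C tooling: it parses `recv_packet` dumps of type `AUTHOR_REPLY` and lists sessions where the server passed authorization without a `priv-lvl` attribute. The function names, the second sample reply and its session-id are constructed, and the shape of an empty reply (`arg_cnt: 0`) is an assumption.

```python
import re

# Constructed input: the first reply is copied from the debug output above; the
# second is a constructed reply with no arguments (assumed shape of an empty one).
SAMPLE = """\
*Dec 6 02:58:31:283 2015 F5000_ TACACS/7/recv_packet: -Context=1;
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xb829b3b6
length of payload: 18
Status: STATUS_PASS_ADD arg_cnt: 1 server_msg len: 0 data len: 0
arg0_len: 11
server_msg:
data:
arg0: priv-lvl=15
*Dec 6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing authorization reply packet.
*Dec 6 03:10:02:101 2015 F5000_ TACACS/7/recv_packet: -Context=1;
version: 0xc0 type: AUTHOR_REPLY seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0x0badc0de
length of payload: 6
Status: STATUS_PASS_ADD arg_cnt: 0 server_msg len: 0 data len: 0
server_msg:
data:
"""

def parse_author_replies(text):
    """Return one dict per AUTHOR_REPLY dump: session id, status, AV pairs."""
    replies, cur = [], None
    for line in text.splitlines():
        if line.startswith("*"):  # timestamped line: closes any open packet dump
            cur = {"session": None, "status": None, "args": {}} if "recv_packet" in line else None
        elif cur is not None:
            if "type: AUTHOR_REPLY" in line:
                replies.append(cur)
            if m := re.match(r"session-id: (0x[0-9a-fA-F]+)", line):
                cur["session"] = m.group(1)
            if m := re.match(r"Status: (\S+)", line):
                cur["status"] = m.group(1)
            # AV pairs use '=' (mandatory) or '*' (optional) as the separator
            for name, value in re.findall(r"arg\d+: ([^=*\s]+)[=*](\S*)", line):
                cur["args"][name] = value
    return replies

def replies_without_priv_lvl(replies):
    """Session ids the server passed without sending a priv-lvl attribute."""
    return [r["session"] for r in replies
            if (r["status"] or "").startswith("STATUS_PASS") and "priv-lvl" not in r["args"]]

if __name__ == "__main__":
    print("no priv-lvl:", replies_without_priv_lvl(parse_author_replies(SAMPLE)))
```

A session listed by `replies_without_priv_lvl` corresponds to the failure in this case: authentication succeeds, but the account has no authorization profile on the server.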