Comware V7安全设备配合Cisco ACS服务器做TACACS认证问题处理案例

Comware V7设备配置TACACS认证后，测试时登录设备管理时能正常上线，ACS服务器上有认证成功记录，设备DEBUG能看到上线成功，但上线后立即停止了计费，随后客户端Telnet等软件便断开与服务器的连接。

现场的hwtacacs调试信息：

*Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing TACACS authorization.

 *Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Dispatching request, Primitive: authorization.

 *Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Creating request data, data type: START

 *Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Session successfully created.

 *Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Getting available server, server-ip=10.11.162.2, server-port=49, VPN instance=--(public).

 *Dec  4 17:04:31:930 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Connecting to server...

 *Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.

 *Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Connection succeeded, server-ip=10.11.162.2, port=49, VPN instance=--(public).

 *Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Encapsulating authorization request packet.

 *Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/send_packet: -Context=1;

 version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG

 session-id: 0xa28312a8

 length of payload: 57

 authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN

 user_len: 10   port_len: 9   rem_len: 11   arg_cnt: 2

 arg0_len: 13    arg1_len: 4 

 user: superbjrcb

 port: LoopBack0

 rem_addr: 10.11.178.4

 arg0: service=shell  arg1: cmd*

 *Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLIN event.

 *Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/recv_packet: -Context=1;

 version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG

 session-id: 0xa28312a8

 length of payload: 6

 Status: STATUS_PASS_ADD  arg_cnt: 0  server_msg len: 0  data len: 0

 server_msg:

 data:                                         //没有数据

 *Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing authorization reply packet.

 *Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply message successfully sent.

 *Dec  4 17:04:31:934 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.

 *Dec  4 17:04:31:935 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: TACACS authorization succeeded.

ACS服务器上没有为该用户账户配置授权，服务器向设备下发了空的授权信息，设备接收到该信息后断开与客户端的连接。

ACS服务器为该用户账户配置授权。

如下图所示例，为用户账户配置一个15级的权限。

正常情况下，Debug 认证过程应有如下的信息打印，可以看到服务器下发的用户权限级别。

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing TACACS authorization.                          

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Dispatching request, Primitive: authorization.            

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Creating request data, data type: START                   

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Session successfully created.                             

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Getting available server, server-ip=192.168.20.66, server-port=49, VPN instance=--(public).

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Connecting to server...                                   

*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.                   

*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Connection succeeded, server-ip=192.168.20.66, port=49, VPN instance=--(public).

*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Encapsulating authorization request packet.               

*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/send_packet: -Context=1;                                                                 

version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG                                                                

session-id: 0xb829b3b6                                                                                                             

length of payload: 63                                                                                                               

authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN                                                  

user_len: 4   port_len: 20   rem_len: 12   arg_cnt: 2                                                                               

arg0_len: 13    arg1_len: 4                                                                                                        

user: mike                                                                                                                          

port: GigabitEthernet1/0/0                                                                                                         

rem_addr: 192.168.20.6                                                                                                              

arg0: service=shell  arg1: cmd*                                                                                                    

*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLIN event.                    

*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/recv_packet: -Context=1;                                                                 

version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG                                                                 

session-id: 0xb829b3b6                                                                                                             

length of payload: 18                                                                                                              

Status: STATUS_PASS_ADD  arg_cnt: 1  server_msg len: 0  data len: 0                                                                

arg0_len: 11                                                                                                                       

server_msg:                                                                                                                        

data:                                                                                                                              

arg0: priv-lvl=15                         //下发了用户权限                                                     

*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing authorization reply packet.                    

*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply message successfully sent.                           

*Dec  6 02:58:31:284 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.     

*Dec  6 02:58:31:284 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: TACACS authorization succeeded.