S5100系列交换机使用正确的用户名和密码进行SSH登录时提示错误的解决方法
- 0关注
- 0收藏 2080浏览
S5100系列交换机使用正确的用户名和密码进行SSH登录时提示错误的解决方法
一、 组网:
无
二、 问题描述:
使用远程认证方式(Radius或Tacacas Server)对登录到S5100系列交换机上的SSH用户进行认证时,输入正确的用户名和密码后系统却提示密码错误。
三、 过程分析:
查看交换机Logbuffer,发现如下记录。
%May 28 08:20:25:015 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Main_Connect TO SSH_Main_VersionMatch
%May 28 08:20:25:027 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Main_VersionMatch TO SSH_Main_SSHProcess
%May 28 08:20:25:029 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Sub1_KEX_Init TO SSH_Sub1_KEX_GEX_Group
%May 28 08:20:27:645 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Sub1_KEX_GEX_Group TO SSH_Sub1_KEX_GEX_Reply
%May 28 08:20:30:779 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Sub1_KEX_GEX_Reply TO SSH_Sub1_KEX_NewKey
%May 28 08:20:31:088 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Sub1_KEX_NewKey TO SSH_Sub1_Authentication
%May 28 08:20:33:920 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Sub2_Service_Acc TO SSH_Sub2_Auth_Init
%May 28 08:20:42:281 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_
Sub2_Auth_Init TO SSH_Sub2_Auth_Password
%May 28 08:20:42:941 2008 PHPAM-ACCESS-52 VTY/5/VTY_LOG:- 1 - SSH user rcaballeg
an failed to login from 10.160.225.108 on VTY0.
%May 28 08:21:01:803 2008 PHPAM-ACCESS-52 SSH/5/err_disconnect:- 1 -The connection is closed by SSH Server
在交换机上开启debug命令如下。
[PHPAM-ACCESS-52]dis debug
SSH Debugging switch on VTY 0 is on
SSH Debugging switch on VTY 1 is on
SSH Debugging switch on VTY 2 is on
SSH Debugging switch on VTY 3 is on
SSH Debugging switch on VTY 4 is on
HWTACACS error debugging is on
HWTACACS event debugging is on
HWTACACS message debugging is on
HWTACACS send-packet debugging is on
HWTACACS receive-packet debugging is on
<PHPAM-ACCESS-52>
*0.12805107 PHPAM-ACCESS-52 SSH/8/debugging_msg_send:- 1 -SSH_VERSION_SEND message sent on VTY 0
*0.12805214 PHPAM-ACCESS-52 SSH/8/msg_rcv_vty:- 1 -SSH_VERSION_RECEIVE message received on VTY 0
*0.12817054 PHPAM-ACCESS-52 TAC/8/Event:- 1 - Create TACACS authentication request packet success
*0.12817168 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
TAC_MESSAGE for AAA->TAC:
*0.12817247 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
UserID=29 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=rcaballegan PortName=vty0 RemAddress=async
UserMsg=******** DataMsg=********
*0.12817530 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
hwtacacs create new session :
session id: 12720, user id: 29, server ip: 170.65.230.18
*0.12817697 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
version:c0 type:AUTHEN_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:31b0 length:28
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_LOGIN
user len:11 port len:4 rem_addr len:5 data len:0
user name:rcaballegan port:vty0 rem_addr:async data:
*0.12818114 PHPAM-ACCESS-52 TAC/8/Event:- 1 -statics: transmit flag:1, server flag: 0,packet flag:0xff
*0.12818230 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
hwtacacs packet sending success!
version:c0 type:1 sequence:1 flag:0 session id:12720 length:28
*0.12818417 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
version:c0 type:AUTHEN_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:31b0 length:6
packet body is error
*0.12818614 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
TAC_MESSAGE for TAC->AAA:
*0.12818697 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
ulUserID=29
ucTACTemplateNO=0
ucflag=2
ServerMsg=
Echo=0
*0.12818833 PHPAM-ACCESS-52 TAC/8/Event:- 1 -statics: transmit flag:2, server flag: 0,packet flag:0x88
*0.12818947 PHPAM-ACCESS-52 TAC/8/Event:- 1 -
hwtacacs session is deleted due to finishing session:
session id: 12720, user id: 29, server ip: 170.65.230.18
从debug信息中显示的“packet body is error”信息看,产生上述提示的原因有两种:
(1)远端Server上配置允许接入的IP网段与客户端不匹配。
(2)Server上配置的key与交换机上配置的key不同。
四、 解决方法:
查看远端Server上配置的IP网段与接入客户端是否匹配;并确认Server与交换机上配置的key值是否一致。
该案例暂时没有网友评论
编辑评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作