AAA debugging commands -- debugging radius
debugging radius { all | event | error | packet } [ acl acl-number | user username ]
undo debugging radius { all | event | error | packet }
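1: Monitor level
all: All debugging information switches.
event: Event debugging information switch.
error: Error debugging information switch.
packet: Packet debugging information switch.
acl acl-number: Specifies the ACL used to match RADIUS debugging information. acl-number is the ACL number, in the range 2000 to 3999. This parameter can be set multiple times, but only the last valid configuration takes effect. Only the source IP address in the specified ACL rules is used to match the user IP address; other fields are not used for matching.
user username: Specifies a partial username used to match RADIUS debugging information. username is the partial username, a case-sensitive string of 1 to 80 characters. This parameter is matched against any contiguous substring of the full username of an online user.
The debugging radius command enables RADIUS debugging. The undo debugging radius command disables RADIUS debugging.
By default, RADIUS debugging is disabled.
Table 1-9 Output description for the debugging radius event command
Processing AAA request data | |
Getting remote RADIUS server information | |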
Sent request packet and create request context successfully. | |
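Created request packet successfully, dstIP: dst-ip, dstPort: dst-port, socketFd: fd, pktID: id. | The request packet was created successfully; the destination IP address is dst-ip, the destination port is dst-port, the socket is fd, and the packet ID is id |
The packet socket was added to the epoll control variable successfully; the socket is fd | |
PAM data items were mapped to RADIUS attributes successfully | |
RADIUS packet attributes were filled in successfully | |
The RADIUS username format was obtained successfully | |
Found request context, dstIP: dst-ip, dstPort: dst-port, socketFd: fd, pktID: id. | The request context was found; the destination IP address is dst-ip, the destination port is dst-port, the socket is fd, and the packet ID is id |
Retransmitting request packet, currentTries: n, maxTries: max. | Retransmitting the request packet; this is retransmission number n, and the maximum number of retransmissions is max |
Got next server successfully, serverIP: svr-ip, serverPort: svr-port. | The next server was obtained successfully; the server IP address is svr-ip and the server port is svr-port |
Found request context, dstIP: dst-ip, dstPort: dst-port, socketFd: fd, pktID: id. | The request context was found; the destination IP address is dst-ip, the destination port is dst-port, the socket is fd, and the packet ID is id |
Performing RADIUS authentication | |
Performing RADIUS authorization | |
RADIUS authorization succeeded | |
RADIUS accounting started | |
RADIUS accounting stopped | |
RADIUS accounting updated | |
The authentication/authorization/accounting request was sent successfully | |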
PAM_RADIUS: Received authentication reply message, resultCode: code. | |
PAM_RADIUS: Received authorization reply message, resultCode: code. | |
PAM_RADIUS: Received accounting-start reply message, resultCode: code. | |
PAM_RADIUS: Received accounting-stop reply message, resultCode: code. | |
PAM_RADIUS: Received accounting-update reply message, resultCode: code. | |
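The DAE reply packet was sent successfully | |
The DAE request packet was received successfully | |
Failed to identify the DAE request packet | |
The DAE request packet length is invalid | |
The DAE request packet type is unknown | |
The DAE request packet authenticator is invalid | |
The detection request packet was created successfully; the destination IP address is dst-ip, the destination port is dst-port, the MPLS L3VPN instance is vpn-instance, the socket is fd, and the packet ID is id | |
Found detection request context, dstIP: dst-ip, dstPort: dst-port, pktID: id. | The detection request context was found; the destination IP address is dst-ip, the destination port is dst-port, and the packet ID is id |
RADIUS server detection was started successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to start RADIUS server detection. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
The detection request context was created successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to create the detection request context. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
The detection request packet was built successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
The detection request packet was sent successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to send the detection request packet. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to save the detection request packet ID. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
The random timer for server detection expired. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to clear the trap-sent flag. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to clear the block-state counter. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to update the block-state counter. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
No detection reply packet was received. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
The server detection timer expired. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
The trap was sent successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to set the trap-sent flag. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
RADIUS server detection was stopped successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to stop RADIUS server detection. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
RADIUS server detection cannot be started because the specified detection template does not exist. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
RADIUS server quiet state was started successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to start RADIUS server quiet state. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
RADIUS server quiet state was stopped successfully. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
Failed to stop RADIUS server quiet state. RADIUS scheme: scheme-name; server IP address: server-ip; server port: server-port; MPLS L3VPN instance of the server: vpn-instance | |
aaad sent a server state change notification to the application process; the server state is server-state | |
The application process received a server state change notification from the aaad process; the server state is server-state |
Table 1-10 Output description for the debugging radius error command
Table 1-11 Output description for the debugging radius packet command
The RADIUS attributes contained in the packet and their values. The RADIUS attributes follow RFC 2865/2866/2869/3580 and are not described here; some vendor-specific attributes (Vendor Specific Attribute) are also supported and are described separately below | |
3Com user access level is level, in the range 0 to 3 | |
H3c-Ftp user working directory is dir | |
H3c-Exec user access level is level, in the range 0 to 15 | |
H3c-Ftp user working directory is dir | |
Hw-Exec user access level is level, in the range 0 to 15 | |
Type values and their meanings: · 1: DVPN · 2: FTP · 3: Network access type (802.1X, MAC address authentication) · 4: PAD · 5: SSH · 6: Telnet · 7: Terminal · 8: Portal · 9: PPP · 10: L2TP · 11: Command line |
# On a device, configure the authentication scheme for login users as RADIUS authentication and authorization, and enable RADIUS event debugging. When a console user logs in to the device, the following debugging information is output.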
<Sysname> debugging radius event
*Dec 31 16:04:36:438 2009 Sysname RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authentication.
// Performing RADIUS authentication
*Jan 3 02:17:27:660 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: Sent authentication request successfully.
// The authentication request was sent successfully
*Jan 3 02:17:27:667 2011 Sysname RADIUS/7/EVENT:
Processing AAA request data.
// Processing AAA request data
*Jan 3 02:17:27:667 2011 Sysname RADIUS/7/EVENT:
Got request data successfully, primitive: authentication.
// The user's authentication request was received successfully; the primitive is authentication
*Jan 3 02:17:27:668 2011 Sysname RADIUS/7/EVENT:
Getting RADIUS server info.
*Jan 3 02:17:27:669 2011 Sysname RADIUS/7/EVENT:
Got RADIUS server info successfully.
// RADIUS server information was obtained successfully
*Jan 3 02:17:27:669 2011 Sysname RADIUS/7/EVENT:
Created request context successfully.
// The request context was created successfully
*Jan 3 02:17:27:670 2011 Sysname RADIUS/7/EVENT:
Created request packet successfully, dstIP: 192.168.0.244, dstPort: 1812, VPN in
stance: --(public), socketFd: 23, pktID: 61.
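// The authentication request packet was created successfully; the destination address is 192.168.0.244, the destination port is 1812, the VPN instance is public, the socket is 23, and the packet ID is 61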
*Jan 3 02:17:27:671 2011 Sysname RADIUS/7/EVENT:
Added packet socketfd to epoll successfully, socketFd: 23.
*Jan 3 02:17:27:672 2011 Sysname RADIUS/7/EVENT:
Mapped PAM item to RADIUS attribute successfully.
// PAM data items were mapped to RADIUS attributes successfully
*Jan 3 02:17:27:673 2011 Sysname RADIUS/7/EVENT:
Got RADIUS username format successfully, format: 2.
*Jan 3 02:17:27:674 2011 Sysname RADIUS/7/EVENT:
Added attribute user-name successfully, user-name: test.
// The user-name attribute was added successfully; its value is test
*Jan 3 02:17:27:674 2011 Sysname RADIUS/7/EVENT:
Filled RADIUS attributes in packet successfully.
// The packet attributes were filled in successfully and the authentication request packet was built
*Jan 3 02:17:27:675 2011 Sysname RADIUS/7/EVENT:
Composed request packet successfully.
*Jan 3 02:17:27:675 2011 Sysname RADIUS/7/EVENT:
Created response timeout timer successfully.
// The response timeout timer was created successfully
*Jan 3 02:17:27:679 2011 Sysname RADIUS/7/EVENT:
Sent request packet successfully.
*Jan 3 02:17:27:679 2011 Sysname RADIUS/7/EVENT:
Sent request packet and create request context successfully.
// The authentication request packet was sent successfully and the request context was created
*Jan 3 02:17:27:680 2011 Sysname RADIUS/7/EVENT:
Added request context to global table successfully.
// The request context was added to the global context table successfully
*Jan 3 02:17:27:714 2011 Sysname RADIUS/7/EVENT:
Reply SocketFd recieved EPOLLIN event.
*Jan 3 02:17:27:715 2011 Sysname RADIUS/7/EVENT:
Received reply packet succuessfully.
// A reply packet was received
*Jan 3 02:17:27:716 2011 Sysname RADIUS/7/EVENT:
Found request context, dstIP: 192.168.0.244, dstPort: 1812, VPN instance: --(pub
lic), socketFd: 23, pktID: 61.
// The request context was found
*Jan 3 02:17:27:717 2011 Sysname RADIUS/7/EVENT:
The reply packet is valid.
*Jan 3 02:17:27:718 2011 Sysname RADIUS/7/EVENT:
Decoded reply packet successfully.
// The reply packet is valid and was decoded successfully
*Jan 3 02:17:27:719 2011 Sysname RADIUS/7/EVENT:
Sent reply message successfully.
// The reply message was sent successfully
*Jan 3 02:17:27:719 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 3 02:17:27:720 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: Received authentication reply message, resultCode: 0
// The authentication reply message was received
*Jan 3 02:17:27:721 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authorization.
// Starting RADIUS authorization
*Jan 3 02:17:27:724 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: RADIUS Authorization successfully.
// The RADIUS authorization request succeeded
*Jan 3 02:17:27:743 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: RADIUS accounting started.
// RADIUS accounting started
*Jan 3 02:17:27:744 2011 Sysname RADIUS/7/EVENT:
Processing AAA request data.
*Jan 3 02:17:27:744 2011 Sysname RADIUS/7/EVENT:
PAM_RADIUS: Sent accounting-start request successfully.
*Jan 3 02:17:27:744 2011 Sysname RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-start.
// The accounting request data was obtained successfully; the primitive is accounting-start
*Jan 3 02:17:27:745 2011 Sysname RADIUS/7/EVENT:
Getting RADIUS server info.
*Jan 3 02:17:27:745 2011 Sysname RADIUS/7/EVENT:
Got RADIUS server info successfully.
// Server information was obtained successfully
*Jan 3 02:17:27:746 2011 Sysname RADIUS/7/EVENT:
Created request context successfully.
*Jan 3 02:17:27:747 2011 Sysname RADIUS/7/EVENT:
Created request packet successfully, dstIP: 192.168.0.244, dstPort: 1813, VPN in
stance: --(public), socketFd: 23, pktID: 184.
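// The accounting-start request packet was created successfully; the destination IP address is 192.168.0.244, the destination port number is 1813, the VPN instance is public, the socket is 23, and the packet ID is 184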
*Jan 3 02:17:27:747 2011 Sysname RADIUS/7/EVENT:
Added packet socketfd to epoll successfully, socketFd: 23.
*Jan 3 02:17:27:749 2011 Sysname RADIUS/7/EVENT:
Mapped PAM item to RADIUS attribute successfully.
*Jan 3 02:17:27:749 2011 Sysname RADIUS/7/EVENT:
Got RADIUS username format successfully, format: 2.
*Jan 3 02:17:27:750 2011 Sysname RADIUS/7/EVENT:
Added attribute user-name successfully, user-name: test.
// The user-name attribute was added successfully; its value is test
*Jan 3 02:17:27:751 2011 Sysname RADIUS/7/EVENT:
Filled RADIUS attributes in packet successfully.
*Jan 3 02:17:27:751 2011 Sysname RADIUS/7/EVENT:
Composed request packet successfully.
// The packet attributes were filled in successfully and the request packet was built
*Jan 3 02:17:27:752 2011 Sysname RADIUS/7/EVENT:
Created response timeout timer successfully.
// The response timeout timer was created successfully
*Jan 3 02:17:27:754 2011 Sysname RADIUS/7/EVENT:
Sent request packet successfully.
*Jan 3 02:17:27:754 2011 Sysname RADIUS/7/EVENT:
Sent request packet and create request context successfully.
*Jan 3 02:17:27:755 2011 Sysname RADIUS/7/EVENT:
Added request context to global table successfully.
*Jan 3 02:17:27:755 2011 Sysname RADIUS/7/EVENT:
Reply SocketFd recieved EPOLLIN event.
*Jan 3 02:17:27:756 2011 Sysname RADIUS/7/EVENT:
Received reply packet succuessfully.
// The accounting reply packet was received successfully
*Jan 3 02:17:27:757 2011 Sysname RADIUS/7/EVENT:
Found request context, dstIP: 192.168.0.244, dstPort: 1813, VPN instance: --(pub
lic), socketFd: 23, pktID: 184.
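// The request context for the accounting reply packet was found; the destination IP address is 192.168.0.244; the destination port number is 1646; the socket is 14; the packet ID is 0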
*Jan 3 02:17:27:758 2011 Sysname RADIUS/7/EVENT:
The reply packet is valid.
*Jan 3 02:17:27:759 2011 Sysname RADIUS/7/EVENT:
Decoded reply packet successfully.
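// The accounting reply packet is valid and was decoded successfully
# On a device, configure the authentication scheme for login users as RADIUS authentication, authorization, and accounting, and enable RADIUS packet debugging. When a console user logs in to the device, the following debugging information is output.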
<Sysname> debugging radius packet
*Jan 3 02:33:18:686 2011 Sysname RADIUS/7/PACKET:
User-Name="rbac"
User-Password=******
Service-Type=Login-User
Framed-IP-Address=192.168.0.17
NAS-IP-Address=192.168.0.16
// Attribute list of the authentication request packet
*Jan 3 02:33:18:690 2011 Sysname RADIUS/7/PACKET:
01 ed 00 3e 44 13 50 f2 54 58 6f e8 39 e9 05 ff
6c 7e 18 a3 01 06 72 62 61 63 02 12 71 a1 e1 46
cc a2 77 97 a4 95 57 54 db f6 3b 0b 06 06 00 00
00 01 08 06 c0 a8 00 11 04 06 c0 a8 00 10
// Raw data of the access-request packet that was sent
*Jan 3 02:33:18:707 2011 Sysname RADIUS/7/PACKET:
Service-Type=Login-User
Session-Timeout=86400
Login-Service=Telnet
// Attribute list of the access-accept reply packet
*Jan 3 02:33:18:708 2011 Sysname RADIUS/7/PACKET:
02 ed 00 26 71 d9 71 09 75 7b af d9 2d fc 10 59
4d ee 66 ae 06 06 00 00 00 01 1b 06 00 01 51 80
0f 06 00 00 00 00
// Raw data of the access-accept packet
*Jan 3 02:33:18:727 2011 Sysname RADIUS/7/PACKET:
User-Name="rbac"
Framed-IP-Address=192.168.0.17
Acct-Session-
Login-Service=Telnet
Acct-Authentic=RADIUS
NAS-IP-Address=192.168.0.16
Acct-Status-Type=Start
Acct-Delay-Time=0
Event-Timestamp="Jan 3 2011 02:33:18 UTC"
// Attribute list of the accounting-start request packet
*Jan 3 02:33:18:729 2011 Sysname RADIUS/7/PACKET:
04 3c 00 6c 21 aa 18 4e 38 c8 60 f1 12 76 97 26
e2 04 d8 28 01 06 72 62 61 63 08 06 c0 a8 00 11
2c 28 30 30 30 30 30 30 30 33 32 30 31 31 2d 30
31 2d 30 33 3a 30 32 3a 33 33 3a 31 38 2d 30 30
30 30 30 30 30 31 30 31 0f 06 00 00 00 00 2d 06
00 00 00 01 04 06 c0 a8 00 10 28 06 00 00 00 01
29 06 00 00 00 00 37 06 4d 21 35 6e
// Raw data of the accounting-start request packet
*Jan 3 02:33:18:731 2011 Sysname RADIUS/7/PACKET:
05 3c 00 14 5f 8f 2f e7 21 86 a7 db 52 b3 39 09
86 92 80 b0
// Raw data of the accounting reply packet
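The raw dumps in the packet debugging output above follow the RFC 2865 packet layout (Code, Identifier, Length, 16-byte Authenticator, then type-length-value attributes). The following added example, which is not part of the original manual, decodes the access-request and access-accept dumps shown above; the function and constant names are this example's own, and the attribute table covers only the types present in those two packets.

```python
import struct
from ipaddress import IPv4Address

# Raw dumps copied from the "debugging radius packet" sample output above.
ACCESS_REQUEST = """
01 ed 00 3e 44 13 50 f2 54 58 6f e8 39 e9 05 ff
6c 7e 18 a3 01 06 72 62 61 63 02 12 71 a1 e1 46
cc a2 77 97 a4 95 57 54 db f6 3b 0b 06 06 00 00
00 01 08 06 c0 a8 00 11 04 06 c0 a8 00 10
"""
ACCESS_ACCEPT = """
02 ed 00 26 71 d9 71 09 75 7b af d9 2d fc 10 59
4d ee 66 ae 06 06 00 00 00 01 1b 06 00 01 51 80
0f 06 00 00 00 00
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
# type -> (name, decoder); only the RFC 2865 attributes seen in the sample.
ATTRS = {
    1: ("User-Name", lambda v: v.decode("utf-8", "replace")),
    2: ("User-Password", lambda v: f"<{len(v)} hidden bytes>"),
    4: ("NAS-IP-Address", lambda v: str(IPv4Address(v))),
    6: ("Service-Type", lambda v: int.from_bytes(v, "big")),
    8: ("Framed-IP-Address", lambda v: str(IPv4Address(v))),
    15: ("Login-Service", lambda v: int.from_bytes(v, "big")),
    27: ("Session-Timeout", lambda v: int.from_bytes(v, "big")),
}

def parse_radius(hexdump):
    """Decode one RADIUS packet from a space-separated hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} != {len(raw)} bytes captured")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        name, decode = ATTRS.get(atype, (f"Attr-{atype}", bytes.hex))
        attrs[name] = decode(raw[pos + 2:pos + alen])
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": raw[4:20].hex(), "attrs": attrs}
```

Decoding the request shows that the User-Password attribute, masked as ****** in the attribute list, is still present in the raw dump as 16 bytes in its RFC 2865 hidden form, and that the reply carries the same identifier (0xed) as the request.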
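# On a device, configure the authentication scheme for login users as local authentication and RADIUS authorization, and enable RADIUS error debugging. When a console user logs in to the device, the following debugging information is output.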
<Sysname> debugging radius error
*Dec 31 16:04:41:324 2009 Sysname RADIUS/7/ERROR:
PAM_RADIUS: Failed to get reply-data from pam-module-data..
// Failed to get reply data from the PAM data
Bro, could you share a copy of this manual?