
SSLVPN with RADIUS authentication: assigning a specified IP to the user fails

Asked 9 hours ago
xyy (level zero)
Followers: 0, Following: 1

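Problem description:

SSLVPN uses RADIUS authentication. Is assigning a specified IP to the user supported? A packet capture on the RADIUS server shows the assigned address, but after the user dials in, the address assignment did not succeed.

Network topology and description: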

 

sslvpn context hscm
 gateway sslvpn_gw
 ip-tunnel interface SSLVPN-AC0
 ip-tunnel address-pool vpn mask x.x.x.x
 ip-tunnel dns-server primary x.x.x.x
 ip-tunnel dns-server secondary x.x.x.x
 policy-group hscm
  filter ip-tunnel 3999
 aaa domain ***.***
 service enable
-----------------
radius scheme sslvpn-radius
 primary authentication x.x.x.x vpn-instance management key cipher
 primary accounting x.x.x.x vpn-instance management key cipher
 nas-ip x.x.x.x
 vpn-instance management
----------------------------
domain *.*
 authentication login radius-scheme radius local
 authorization login radius-scheme radius local
 accounting login none
 authentication sslvpn radius-scheme sslvpn-radius local
 authorization sslvpn radius-scheme sslvpn-radius local
 accounting sslvpn radius-scheme sslvpn-radius local

4 answers
xyy (Zhiliao novice)
Followers: 0, Following: 1

[Screenshot]

Followers: 10, Following: 9

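Troubleshooting failed assignment of a RADIUS-specified IP on H3C SSLVPN:
1. Core configuration: confirm that ip-tunnel address-assign radius is configured under the SSLVPN context (the local address pool is used by default, so RADIUS assignment has to be enabled manually); if it is not configured, add the command.
2. RADIUS attribute check: RADIUS must send standard attribute 8 (Framed-IP-Address) or the H3C private attribute 26/25506/1 (specified IP); use a packet capture to confirm that the attribute is present, its value is valid, and there is no address conflict.
3. Key commands:
display sslvpn session username <username>: shows the source of the user's IP assignment (local pool/RADIUS)
display ip-tunnel address-pool: confirms that the address pool configuration is normal
debugging sslvpn ip-tunnel event: troubleshoots faults in the IP assignment exchange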

The ip-tunnel address-assign radius command does not exist.

xyy, posted 9 hours ago

Followers: 17, Following: 1

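The packet capture on the RADIUS server shows the specified IP being sent, but it does not take effect after the user dials in. This means authentication and authorization have already succeeded at the RADIUS level, and the problem is that the H3C firewall (the gateway) is not correctly receiving or applying the IP address sent by RADIUS.
Based on the configuration you provided and the characteristics of H3C devices, troubleshoot and fix in the following order of priority:

1. Check the firewall's local address pool configuration (the most common cause)

The SSL VPN logic on H3C firewalls is usually as follows: even if RADIUS sends a specified IP, that IP must fall within the range of the SSL VPN address pool configured locally on the firewall, or the firewall must be configured in a mode that accepts IP assignment from an external server. If the IP sent by RADIUS is not within the subnet of the firewall's local address pool, the assignment fails outright.
  • Suggested check: check the subnet range of the address pool vpn referenced in your configuration.
  • Solution
    • Option A (recommended): make sure the specified IP sent by RADIUS falls within the range of the firewall's local address pool vpn.
    • Option B: if you want RADIUS to decide the IP entirely, set the IP assignment method to "obtain externally" in the SSL VPN context or gateway configuration (similar to Huawei's network-extension external-server logic; H3C also has a similar ip-tunnel address-pool external or related authorization configuration).

2. Check whether the attribute sent by RADIUS matches

H3C devices rely on standard RADIUS attributes to recognize an IP address sent by RADIUS. Check your RADIUS packet capture and confirm which attribute carries the IP address:
  • Standard attribute: usually Framed-IP-Address (attribute number 8).
  • Vendor-specific attribute (VSA): some RADIUS servers may send an H3C private attribute (such as H3C-User-IP-Address). If a private attribute is sent, make sure the firewall's RADIUS scheme (radius scheme sslvpn-radius) has the corresponding vendor dictionary loaded correctly.

3. Check for a binding conflict in the local policy group (Policy-Group)

In your configuration, policy-group hscm is bound under sslvpn context hscm. If this policy group (policy-group hscm) forcibly binds another local address pool through the address-pool command, the local policy group configuration may take priority over the RADIUS authorization result, so that the IP sent by RADIUS is overridden or ignored.
  • Suggested check: check the configuration of policy-group hscm to see whether an address pool is forcibly bound. If so, try removing the binding or configuring it to allow external authorization.

4. Enable SSL VPN debug logging to pinpoint the problem

If the problem persists after the configuration checks above, the most direct and effective method is to enable debugging on the H3C firewall and observe the detailed exchange while the user dials in.
  • Steps
    1. In the firewall command line (CLI), run in order:
      <H3C> terminal monitor
      <H3C> terminal debugging
      <H3C> debugging sslvpn error
      <H3C> debugging sslvpn event
    2. Have the end user dial in to the SSL VPN again.
    3. Watch the log output on the command line, paying particular attention to messages containing Failed to allocate IP address or errors related to RADIUS authorization. This log entry usually tells you directly why the firewall rejected the IP sent by RADIUS (for example: the IP is not within the address pool range, the address pool is exhausted, the attribute is not recognized, and so on).
    4. When troubleshooting is finished, remember to turn debugging off: <H3C> undo debugging all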

=9175;MatchCount(1069)=1;Event(1048)=Permit; *May 29 17:22:56:844 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Processing RADIUS authentication. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Sent authentication request successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got request data successfully, primitive: authentication. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Getting RADIUS server info. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS server info successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request context successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request packet successfully, dstIP: 10.2.4.18, dstPort: 1812, VPN instance: management, socketFd: 37, pktID: 231. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added packet socketfd to epoll successfully, socketFd: 37. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Mapped PAM item to RADIUS attribute successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS username format successfully, format: 1. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added attribute user-name successfully, user-name: xiaoyayun@***.***. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Filled RADIUS attributes in packet successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Composed request packet successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created response timeout timer successfully. 
*May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; User-Name="xiaoyayun@***.***" User-Password=****** Service-Type=Framed-User NAS-Identifier="DX-F1050" Calling-Station- Acct-Session- H3c-Server-String=[] Framed-IP-Address=172.20.254.2 H3c-Ip-Host-Addr="172.20.254.2 7c:4d:8f:11:9e:d8" NAS-IP-Address=10.254.0.248 H3c-Product- H3c-Nas-Startup-Timestamp=1778130916 *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet successfully. *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 01 e7 01 3e f5 4b e6 00 97 12 b5 f3 20 36 a0 1f 7c 54 b3 3a 01 18 78 69 61 6f 79 61 79 75 6e 40 62 79 64 6f 6d 61 69 6e 2e 63 6f 6d 02 12 c5 dd ae 6e 7e 9c e2 c8 ab 8b 6c 58 15 87 55 99 06 06 00 00 00 02 20 0a 44 58 2d 46 31 30 35 30 1f 13 37 63 2d 34 64 2d 38 66 2d 31 31 2d 39 65 2d 64 38 2c 29 30 30 30 30 30 30 31 31 32 30 32 36 30 35 32 39 30 39 32 32 35 36 30 30 30 30 30 30 33 31 30 38 31 31 32 38 38 38 35 1a 5d 00 00 63 a2 3d 57 01 16 38 35 59 1a 1f 53 63 23 7a 19 4e 60 21 01 2c 2a 76 6c 2e 38 43 55 52 52 45 4e 54 5f 43 48 41 4c 4c 45 4e 47 5f 54 49 4d 45 3d 31 37 38 30 30 34 36 35 37 38 3b 4c 41 53 54 5f 43 48 41 4c 4c 45 4e 47 45 5f 54 49 4d 45 3d 31 37 38 30 30 34 36 35 35 39 08 06 ac 14 fe 02 1a 26 00 *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 00 63 a2 3c 20 31 37 32 2e 32 30 2e 32 35 34 2e 32 20 37 63 3a 34 64 3a 38 66 3a 31 31 3a 39 65 3a 64 38 04 06 0a fe 00 f8 1a 19 00 00 63 a2 ff 13 48 33 43 20 53 65 63 50 61 74 68 20 46 31 30 35 30 1a 0c 00 00 63 a2 3b 06 69 fc 1f e4 *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet and create request context successfully. *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added request context to global table successfully. *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Reply SocketFd recieved EPOLLIN event. 
*May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Received reply packet succuessfully. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Found request context, dstIP: 10.2.4.18, dstPort: 1812, VPN instance: management, socketFd: 37, pktID: 231. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; The reply packet is valid. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Decoded reply packet successfully. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; H3c-User-Group="hscm" Service-Type=Framed-User Framed-IP-Address=172.20.253.222 Framed-Route="5.5.5.5/32 0.0.0.0 1" Class=0x8641080c00000137000102000a02041200000000e01d11638742d72701dcdf8a94d630900000000000000204 Microsoft-Attr-14=0x00000032 Microsoft-Attr-15=0x00000078 *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 02 e7 00 88 bb 57 39 41 77 86 58 e4 1e ac be 75 34 d8 cb 7a 1a 0c 00 00 63 a2 8c 06 68 73 63 6d 06 06 00 00 00 02 08 06 ac 14 fd de 16 16 35 2e 35 2e 35 2e 35 2f 33 32 20 30 2e 30 2e 30 2e 30 20 31 19 2e 86 41 08 0c 00 00 01 37 00 01 02 00 0a 02 04 12 00 00 00 00 e0 1d 11 63 87 42 d7 27 01 dc df 8a 94 d6 30 90 00 00 00 00 00 00 02 04 1a 0c 00 00 01 37 0e 06 00 00 00 32 1a 0c 00 00 01 37 0f 06 00 00 00 78 *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent reply message successfully. *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Processing RADIUS authentication. *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0 *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Processing RADIUS authorization. *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS Authorization successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting started. 
*May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Sent accounting-start request successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got request data successfully, primitive: accounting-start. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Getting RADIUS server info. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS server info successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request context successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request packet successfully, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 70. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added packet socketfd to epoll successfully, socketFd: 37. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Mapped PAM item to RADIUS attribute successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS username format successfully, format: 1. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added attribute user-name successfully, user-name: xiaoyayun@***.***. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Filled RADIUS attributes in packet successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Composed request packet successfully. *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created response timeout timer successfully. 
*May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; User-Name="xiaoyayun@***.***" NAS-Identifier="DX-F1050" NAS-IP-Address=10.254.0.248 Calling-Station- Framed-IP-Address=172.20.254.2 Acct-Session- Class=0x8641080c00000137000102000a02041200000000e01d11638742d72701dcdf8a94d630900000000000000204 H3c-Ip-Host-Addr="172.20.254.2 7c:4d:8f:11:9e:d8" Acct-Authentic=RADIUS Acct-Status-Type=Start Acct-Delay-Time=0 Event-Timestamp="May 29 2026 17:22:56 utf-8" H3c-Product- H3c-Nas-Startup-Timestamp=1778130916 *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet successfully. *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 04 46 01 0f ca 9d 65 03 b5 3d 3e 00 06 db c6 bf 54 41 00 f5 01 18 78 69 61 6f 79 61 79 75 6e 40 62 79 64 6f 6d 61 69 6e 2e 63 6f 6d 20 0a 44 58 2d 46 31 30 35 30 04 06 0a fe 00 f8 1f 13 37 63 2d 34 64 2d 38 66 2d 31 31 2d 39 65 2d 64 38 08 06 ac 14 fe 02 2c 29 30 30 30 30 30 30 31 31 32 30 32 36 30 35 32 39 30 39 32 32 35 36 30 30 30 30 30 30 33 31 30 38 31 31 32 38 38 38 35 19 2e 86 41 08 0c 00 00 01 37 00 01 02 00 0a 02 04 12 00 00 00 00 e0 1d 11 63 87 42 d7 27 01 dc df 8a 94 d6 30 90 00 00 00 00 00 00 02 04 1a 26 00 00 63 a2 3c 20 31 37 32 2e 32 30 2e 32 35 34 2e 32 20 37 63 3a 34 64 3a 38 66 3a 31 31 3a 39 65 3a 64 38 2d 06 00 00 00 01 28 06 00 00 00 01 29 06 00 00 00 00 37 06 6a 19 5a f0 1a 19 00 00 63 a2 *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; ff 13 48 33 43 20 53 65 63 50 61 74 68 20 46 31 30 35 30 1a 0c 00 00 63 a2 3b 06 69 fc 1f e4 *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet and create request context successfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added request context to global table successfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Reply SocketFd recieved EPOLLIN event. 
*May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Received reply packet succuessfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Found request context, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 70. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; The reply packet is valid. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Decoded reply packet successfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 05 46 00 14 09 ab 27 40 71 c1 23 75 9a cc 3c c0 43 f0 61 1e *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent reply message successfully. *May 29 17:22:56:858 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting started. *May 29 17:22:56:858 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 0 %May 29 17:22:56:890 2026 DX-F1050 FILTER/6/FILTER_ZONE_IPV4_EXECUTION: -COntext=1; SrcZoneName(1025)=Trust;DstZoneName(1035)=Untrust;Type(1067)=ACL;ObjectPolicy(1072)=Trust-Untrust;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=http;SrcIPAddr(1003)=172.22.14.120;SrcPort(1004)=50709;DstIPAddr(1007)=36.99.172.113;DstPort(1008)=80;MatchCount(1069)=4;Event(1048)=Permit; *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting updated. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Sent accounting-update request successfully. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got request data successfully, primitive: accounting-update. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Getting RADIUS server info. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS server info successfully. 
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request context successfully. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request packet successfully, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 71. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added packet socketfd to epoll successfully, socketFd: 37. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Mapped PAM item to RADIUS attribute successfully. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS username format successfully, format: 1. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added attribute user-name successfully, user-name: xiaoyayun@***.***. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Filled RADIUS attributes in packet successfully. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Composed request packet successfully. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created response timeout timer successfully. *May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; User-Name="xiaoyayun@***.***" NAS-Identifier="DX-F1050" NAS-IP-Address=10.254.0.248 Calling-Station- Framed-IP-Address=172.20.253.1 Acct-Session- Acct-Session-Time=0 Class=0x8641080c00000137000102000a02041200000000e01d11638742d72701dcdf8a94d630900000000000000204 H3c-Ip-Host-Addr="172.20.253.1 7c:4d:8f:11:9e:d8" Acct-Authentic=RADIUS Acct-Status-Type=Interim-Update Acct-Delay-Time=0 Event-Timestamp="May 29 2026 17:22:56 utf-8" H3c-Product- H3c-Nas-Startup-Timestamp=1778130916 *May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet successfully. 
*May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 04 47 01 15 1d 49 75 99 da 3a b3 11 52 1f 10 5f 2a 8a b3 72 01 18 78 69 61 6f 79 61 79 75 6e 40 62 79 64 6f 6d 61 69 6e 2e 63 6f 6d 20 0a 44 58 2d 46 31 30 35 30 04 06 0a fe 00 f8 1f 13 37 63 2d 34 64 2d 38 66 2d 31 31 2d 39 65 2d 64 38 08 06 ac 14 fd 01 2c 29 30 30 30 30 30 30 31 31 32 30 32 36 30 35 32 39 30 39 32 32 35 36 30 30 30 30 30 30 33 31 30 38 31 31 32 38 38 38 35 2e 06 00 00 00 00 19 2e 86 41 08 0c 00 00 01 37 00 01 02 00 0a 02 04 12 00 00 00 00 e0 1d 11 63 87 42 d7 27 01 dc df 8a 94 d6 30 90 00 00 00 00 00 00 02 04 1a 26 00 00 63 a2 3c 20 31 37 32 2e 32 30 2e 32 35 33 2e 31 20 37 63 3a 34 64 3a 38 66 3a 31 31 3a 39 65 3a 64 38 2d 06 00 00 00 01 28 06 00 00 00 03 29 06 00 00 00 00 37 06 6a 19 5a f0 *May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 1a 19 00 00 63 a2 ff 13 48 33 43 20 53 65 63 50 61 74 68 20 46 31 30 35 30 1a 0c 00 00 63 a2 3b 06 69 fc 1f e4 *May 29 17:22:56:958 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet and create request context successfully. *May 29 17:22:56:958 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added request context to global table successfully. *May 29 17:22:56:958 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:970 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Reply SocketFd recieved EPOLLIN event. *May 29 17:22:56:970 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Received reply packet succuessfully. *May 29 17:22:56:970 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Found request context, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 71. *May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; The reply packet is valid. *May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Decoded reply packet successfully. 
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 05 47 00 14 d8 bb 2f 9b 48 0f 9a f9 8e 3f c7 46 d1 bf dd 0d *May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent reply message successfully. *May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting updated. *May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Fetched accounting-update reply-data successfully, resultCode: 0

xyy, posted 9 hours ago
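
The attribute check that the answers above ask for, as an added example (not code from the thread or from H3C): a Python decoder for RADIUS attribute TLVs that compares the Framed-IP-Address authorised in an Access-Accept with the address the gateway later reports in accounting. The packets, the 192.0.2.0/24 pool, sub-attribute type 140 and all function names are constructed for illustration; vendor ID 25506 is the one quoted in the thread.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8    # standard attribute named in the answers
VENDOR_SPECIFIC = 26     # container for vendor-specific attributes (VSAs)
H3C_VENDOR_ID = 25506    # vendor ID quoted in the thread (26/25506/...)


def parse_radius(packet: bytes):
    """Split one RADIUS packet into (code, identifier, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = [], 20  # bytes 4..19 hold the authenticator (not verified here)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def framed_ip(attrs):
    """Return the first Framed-IP-Address as an IPv4Address, or None."""
    for a_type, value in attrs:
        if a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return ipaddress.IPv4Address(value)
    return None


def vendor_attrs(attrs):
    """Return (vendor_id, sub_type, value) for every sub-attribute in type 26."""
    found = []
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        pos = 4
        while pos + 2 <= len(value):
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                break  # malformed sub-attribute: stop decoding this VSA
            found.append((vendor, sub_type, value[pos + 2:pos + sub_len]))
            pos += sub_len
    return found


def compare_assignment(accept: bytes, accounting: bytes, pool: str):
    """Compare the authorised address with the one reported in accounting."""
    code, _, accept_attrs = parse_radius(accept)
    if code != 2:
        raise ValueError("first packet is not an Access-Accept")
    code, _, acct_attrs = parse_radius(accounting)
    if code != 4:
        raise ValueError("second packet is not an Accounting-Request")
    offered, reported = framed_ip(accept_attrs), framed_ip(acct_attrs)
    return {
        "offered": str(offered) if offered else None,
        "offered_in_pool": offered is not None
        and offered in ipaddress.ip_network(pool),
        "reported": str(reported) if reported else None,
        "applied": offered is not None and offered == reported,
        "h3c_sub_types": [s for v, s, _ in vendor_attrs(accept_attrs)
                          if v == H3C_VENDOR_ID],
    }


def build_attr(a_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (sample construction only)."""
    return bytes([a_type, len(value) + 2]) + value


def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    """Encode a packet with a zeroed authenticator (sample construction only)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs


# Constructed sample: the server authorises .222, the gateway reports .1.
SAMPLE_ACCEPT = build_packet(2, 1, (
    build_attr(26, struct.pack("!I", H3C_VENDOR_ID) + build_attr(140, b"grp1"))
    + build_attr(8, ipaddress.IPv4Address("192.0.2.222").packed)))
SAMPLE_ACCOUNTING = build_packet(
    4, 2, build_attr(8, ipaddress.IPv4Address("192.0.2.1").packed))

if __name__ == "__main__":
    print(compare_assignment(SAMPLE_ACCEPT, SAMPLE_ACCOUNTING, "192.0.2.0/24"))
```

An in-pool offered address with "applied" false means the attribute arrived intact and the gateway chose not to use it, which points at the gateway-side configuration rather than at the RADIUS server.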

=9175;MatchCount(1069)=1;Event(1048)=Permit; *May 29 17:22:56:844 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Processing RADIUS authentication. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Sent authentication request successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got request data successfully, primitive: authentication. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Getting RADIUS server info. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS server info successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request context successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request packet successfully, dstIP: 10.2.4.18, dstPort: 1812, VPN instance: management, socketFd: 37, pktID: 231. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added packet socketfd to epoll successfully, socketFd: 37. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Mapped PAM item to RADIUS attribute successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS username format successfully, format: 1. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added attribute user-name successfully, user-name: xiaoyayun@***.***. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Filled RADIUS attributes in packet successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Composed request packet successfully. *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created response timeout timer successfully. 
*May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; User-Name="xiaoyayun@***.***" User-Password=****** Service-Type=Framed-User NAS-Identifier="DX-F1050" Calling-Station- Acct-Session- H3c-Server-String=[] Framed-IP-Address=172.20.254.2 H3c-Ip-Host-Addr="172.20.254.2 7c:4d:8f:11:9e:d8" NAS-IP-Address=10.254.0.248 H3c-Product- H3c-Nas-Startup-Timestamp=1778130916 *May 29 17:22:56:845 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet successfully. *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 01 e7 01 3e f5 4b e6 00 97 12 b5 f3 20 36 a0 1f 7c 54 b3 3a 01 18 78 69 61 6f 79 61 79 75 6e 40 62 79 64 6f 6d 61 69 6e 2e 63 6f 6d 02 12 c5 dd ae 6e 7e 9c e2 c8 ab 8b 6c 58 15 87 55 99 06 06 00 00 00 02 20 0a 44 58 2d 46 31 30 35 30 1f 13 37 63 2d 34 64 2d 38 66 2d 31 31 2d 39 65 2d 64 38 2c 29 30 30 30 30 30 30 31 31 32 30 32 36 30 35 32 39 30 39 32 32 35 36 30 30 30 30 30 30 33 31 30 38 31 31 32 38 38 38 35 1a 5d 00 00 63 a2 3d 57 01 16 38 35 59 1a 1f 53 63 23 7a 19 4e 60 21 01 2c 2a 76 6c 2e 38 43 55 52 52 45 4e 54 5f 43 48 41 4c 4c 45 4e 47 5f 54 49 4d 45 3d 31 37 38 30 30 34 36 35 37 38 3b 4c 41 53 54 5f 43 48 41 4c 4c 45 4e 47 45 5f 54 49 4d 45 3d 31 37 38 30 30 34 36 35 35 39 08 06 ac 14 fe 02 1a 26 00 *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 00 63 a2 3c 20 31 37 32 2e 32 30 2e 32 35 34 2e 32 20 37 63 3a 34 64 3a 38 66 3a 31 31 3a 39 65 3a 64 38 04 06 0a fe 00 f8 1a 19 00 00 63 a2 ff 13 48 33 43 20 53 65 63 50 61 74 68 20 46 31 30 35 30 1a 0c 00 00 63 a2 3b 06 69 fc 1f e4 *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet and create request context successfully. *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added request context to global table successfully. *May 29 17:22:56:846 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Reply SocketFd recieved EPOLLIN event. 
*May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Received reply packet succuessfully. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Found request context, dstIP: 10.2.4.18, dstPort: 1812, VPN instance: management, socketFd: 37, pktID: 231. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; The reply packet is valid. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Decoded reply packet successfully. *May 29 17:22:56:853 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; H3c-User-Group="hscm" Service-Type=Framed-User Framed-IP-Address=172.20.253.222 Framed-Route="5.5.5.5/32 0.0.0.0 1" Class=0x8641080c00000137000102000a02041200000000e01d11638742d72701dcdf8a94d630900000000000000204 Microsoft-Attr-14=0x00000032 Microsoft-Attr-15=0x00000078 *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 02 e7 00 88 bb 57 39 41 77 86 58 e4 1e ac be 75 34 d8 cb 7a 1a 0c 00 00 63 a2 8c 06 68 73 63 6d 06 06 00 00 00 02 08 06 ac 14 fd de 16 16 35 2e 35 2e 35 2e 35 2f 33 32 20 30 2e 30 2e 30 2e 30 20 31 19 2e 86 41 08 0c 00 00 01 37 00 01 02 00 0a 02 04 12 00 00 00 00 e0 1d 11 63 87 42 d7 27 01 dc df 8a 94 d6 30 90 00 00 00 00 00 00 02 04 1a 0c 00 00 01 37 0e 06 00 00 00 32 1a 0c 00 00 01 37 0f 06 00 00 00 78 *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent reply message successfully. *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Processing RADIUS authentication. *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0 *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Processing RADIUS authorization. *May 29 17:22:56:854 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS Authorization successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting started. 
*May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Sent accounting-start request successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got request data successfully, primitive: accounting-start. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Getting RADIUS server info. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS server info successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request context successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request packet successfully, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 70. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added packet socketfd to epoll successfully, socketFd: 37. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Mapped PAM item to RADIUS attribute successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS username format successfully, format: 1. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added attribute user-name successfully, user-name: xiaoyayun@***.***. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Filled RADIUS attributes in packet successfully. *May 29 17:22:56:855 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Composed request packet successfully. *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created response timeout timer successfully. 
*May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; User-Name="xiaoyayun@***.***" NAS-Identifier="DX-F1050" NAS-IP-Address=10.254.0.248 Calling-Station- Framed-IP-Address=172.20.254.2 Acct-Session- Class=0x8641080c00000137000102000a02041200000000e01d11638742d72701dcdf8a94d630900000000000000204 H3c-Ip-Host-Addr="172.20.254.2 7c:4d:8f:11:9e:d8" Acct-Authentic=RADIUS Acct-Status-Type=Start Acct-Delay-Time=0 Event-Timestamp="May 29 2026 17:22:56 utf-8" H3c-Product- H3c-Nas-Startup-Timestamp=1778130916 *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet successfully. *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 04 46 01 0f ca 9d 65 03 b5 3d 3e 00 06 db c6 bf 54 41 00 f5 01 18 78 69 61 6f 79 61 79 75 6e 40 62 79 64 6f 6d 61 69 6e 2e 63 6f 6d 20 0a 44 58 2d 46 31 30 35 30 04 06 0a fe 00 f8 1f 13 37 63 2d 34 64 2d 38 66 2d 31 31 2d 39 65 2d 64 38 08 06 ac 14 fe 02 2c 29 30 30 30 30 30 30 31 31 32 30 32 36 30 35 32 39 30 39 32 32 35 36 30 30 30 30 30 30 33 31 30 38 31 31 32 38 38 38 35 19 2e 86 41 08 0c 00 00 01 37 00 01 02 00 0a 02 04 12 00 00 00 00 e0 1d 11 63 87 42 d7 27 01 dc df 8a 94 d6 30 90 00 00 00 00 00 00 02 04 1a 26 00 00 63 a2 3c 20 31 37 32 2e 32 30 2e 32 35 34 2e 32 20 37 63 3a 34 64 3a 38 66 3a 31 31 3a 39 65 3a 64 38 2d 06 00 00 00 01 28 06 00 00 00 01 29 06 00 00 00 00 37 06 6a 19 5a f0 1a 19 00 00 63 a2 *May 29 17:22:56:856 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; ff 13 48 33 43 20 53 65 63 50 61 74 68 20 46 31 30 35 30 1a 0c 00 00 63 a2 3b 06 69 fc 1f e4 *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet and create request context successfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added request context to global table successfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Reply SocketFd recieved EPOLLIN event. 
*May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Received reply packet succuessfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Found request context, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 70. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; The reply packet is valid. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Decoded reply packet successfully. *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 05 46 00 14 09 ab 27 40 71 c1 23 75 9a cc 3c c0 43 f0 61 1e *May 29 17:22:56:857 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent reply message successfully. *May 29 17:22:56:858 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting started. *May 29 17:22:56:858 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 0 %May 29 17:22:56:890 2026 DX-F1050 FILTER/6/FILTER_ZONE_IPV4_EXECUTION: -COntext=1; SrcZoneName(1025)=Trust;DstZoneName(1035)=Untrust;Type(1067)=ACL;ObjectPolicy(1072)=Trust-Untrust;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=http;SrcIPAddr(1003)=172.22.14.120;SrcPort(1004)=50709;DstIPAddr(1007)=36.99.172.113;DstPort(1008)=80;MatchCount(1069)=4;Event(1048)=Permit; *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting updated. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Sent accounting-update request successfully. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got request data successfully, primitive: accounting-update. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Getting RADIUS server info. *May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS server info successfully. 
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request context successfully.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created request packet successfully, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 71.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added packet socketfd to epoll successfully, socketFd: 37.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Mapped PAM item to RADIUS attribute successfully.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Got RADIUS username format successfully, format: 1.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added attribute user-name successfully, user-name: xiaoyayun@***.***.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Filled RADIUS attributes in packet successfully.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Composed request packet successfully.
*May 29 17:22:56:956 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Created response timeout timer successfully.
*May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; User-Name="xiaoyayun@***.***" NAS-Identifier="DX-F1050" NAS-IP-Address=10.254.0.248 Calling-Station- Framed-IP-Address=172.20.253.1 Acct-Session- Acct-Session-Time=0 Class=0x8641080c00000137000102000a02041200000000e01d11638742d72701dcdf8a94d630900000000000000204 H3c-Ip-Host-Addr="172.20.253.1 7c:4d:8f:11:9e:d8" Acct-Authentic=RADIUS Acct-Status-Type=Interim-Update Acct-Delay-Time=0 Event-Timestamp="May 29 2026 17:22:56 utf-8" H3c-Product- H3c-Nas-Startup-Timestamp=1778130916
*May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet successfully.
*May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 04 47 01 15 1d 49 75 99 da 3a b3 11 52 1f 10 5f 2a 8a b3 72 01 18 78 69 61 6f 79 61 79 75 6e 40 62 79 64 6f 6d 61 69 6e 2e 63 6f 6d 20 0a 44 58 2d 46 31 30 35 30 04 06 0a fe 00 f8 1f 13 37 63 2d 34 64 2d 38 66 2d 31 31 2d 39 65 2d 64 38 08 06 ac 14 fd 01 2c 29 30 30 30 30 30 30 31 31 32 30 32 36 30 35 32 39 30 39 32 32 35 36 30 30 30 30 30 30 33 31 30 38 31 31 32 38 38 38 35 2e 06 00 00 00 00 19 2e 86 41 08 0c 00 00 01 37 00 01 02 00 0a 02 04 12 00 00 00 00 e0 1d 11 63 87 42 d7 27 01 dc df 8a 94 d6 30 90 00 00 00 00 00 00 02 04 1a 26 00 00 63 a2 3c 20 31 37 32 2e 32 30 2e 32 35 33 2e 31 20 37 63 3a 34 64 3a 38 66 3a 31 31 3a 39 65 3a 64 38 2d 06 00 00 00 01 28 06 00 00 00 03 29 06 00 00 00 00 37 06 6a 19 5a f0
*May 29 17:22:56:957 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 1a 19 00 00 63 a2 ff 13 48 33 43 20 53 65 63 50 61 74 68 20 46 31 30 35 30 1a 0c 00 00 63 a2 3b 06 69 fc 1f e4
*May 29 17:22:56:958 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent request packet and create request context successfully.
*May 29 17:22:56:958 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Added request context to global table successfully.
*May 29 17:22:56:958 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Processing AAA request data.
*May 29 17:22:56:970 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Reply SocketFd recieved EPOLLIN event.
*May 29 17:22:56:970 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Received reply packet succuessfully.
*May 29 17:22:56:970 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Found request context, dstIP: 10.2.4.18, dstPort: 1813, VPN instance: management, socketFd: 37, pktID: 71.
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; The reply packet is valid.
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Decoded reply packet successfully.
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/PACKET: -COntext=1; 05 47 00 14 d8 bb 2f 9b 48 0f 9a f9 8e 3f c7 46 d1 bf dd 0d
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; Sent reply message successfully.
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: RADIUS accounting updated.
*May 29 17:22:56:971 2026 DX-F1050 RADIUS/7/EVENT: -COntext=1; PAM_RADIUS: Fetched accounting-update reply-data successfully, resultCode: 0

xyy Posted: 9 hours ago
Followers: 10 Following: 2

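Conclusion first: H3C SSLVPN does support assigning a fixed IP through Radius, but your current configuration is missing the key authorization setting and the address-pool allowance, and the Radius attributes must use the correct number / format, otherwise the device receives them but they do not take effect.
Below is a step-by-step check, with the configuration to add, for "the address is in the capture → but it does not take effect" (all V7 commands).
I. First confirm: does H3C SSLVPN support Radius-assigned IPs?
Yes, subject to two conditions:
  • The Radius server sends Framed-IP-Address (attribute 8) or Framed-IP-Netmask (attribute 9);
  • On the H3C device, radius authorization is enabled for the SSLVPN domain, and the address pool does not conflict and is not overridden by the local pool.
Your current symptom: the Radius capture shows the IP → after dialing in, the user is still assigned an address from the address pool. Typical causes:
  • Authorization is not enabled / radius authorization is not invoked;
  • The address pool configuration and the assigned IP are not in the same network / the masks do not match;
  • Radius uses a private attribute / the format is wrong;
  • The local address pool takes priority globally by default, and the Radius-assigned address is ignored.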
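II. Problems in your existing configuration (straight to the point)
1) Only authentication is configured under the domain; SSLVPN authorization is not bound to radius
What you have now:
    domain *.*
    authentication sslvpn radius-scheme sslvpn-radius local
    authorization sslvpn radius-scheme sslvpn-radius local ← this line is present, but you still need to check whether it really takes effect
    accounting sslvpn radius-scheme sslvpn-radius local
But on V7, radius authorization must be explicitly enabled in the sslvpn context, otherwise the authorization under the domain does not take effect.
2) ip-tunnel address-pool exists in the sslvpn context, so the local pool takes priority by default
    ip-tunnel address-pool vpn mask x.x.x.x
With this line present, the Radius-assigned IP must belong to this pool's network and the mask must be the same, otherwise the device refuses the assigned address and allocates from the local pool instead.
3) The radius scheme lacks authorization-related parameters (optional, but recommended)
For example:
    radius-scheme xxx
    authorization-type extended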
III. Correct configuration (copy and replace directly)
1) Complete the radius scheme
    radius scheme sslvpn-radius
    primary authentication x.x.x.x vpn-instance management key cipher xxx
    primary accounting x.x.x.x vpn-instance management key cipher xxx
    nas-ip x.x.x.x
    vpn-instance management
    authorization-type extended ← key: supports assigning authorization attributes such as IP/routes
    user-name-format without-domain
2) Keep the domain (what you have now is fine)
    domain *.*
    authentication login radius-scheme radius local
    authorization login radius-scheme radius local
    accounting login none
    authentication sslvpn radius-scheme sslvpn-radius local
    authorization sslvpn radius-scheme sslvpn-radius local
    accounting sslvpn radius-scheme sslvpn-radius local
3) sslvpn context, the key part: allow radius to assign the IP; the address pool network must match
    sslvpn context hscm
    gateway sslvpn_gw
    ip-tunnel interface SSLVPN-AC0
    # Option A: keep the address pool, but the assigned IP must be within this network
    ip-tunnel address-pool vpn mask 255.255.255.0 ← the mask must match the one Radius assigns
    ip-tunnel dns-server primary x.x.x.x
    ip-tunnel dns-server secondary x.x.x.x
    # Key: enable radius authorization (required on V7)
    authorization radius
    policy-group hscm
    filter ip-tunnel 3999
    service enable
Option B (recommended, pure fixed IP): delete the local address pool and let Radius assign addresses entirely
    undo ip-tunnel address-pool vpn
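IV. What the Radius server side must satisfy (check this even though your capture shows the address)
The attributes must be standard IETF ones:
  • Framed-IP-Address (8): the fixed IP (for example 10.5.5.10);
  • Framed-IP-Netmask (9): the mask (for example 255.255.255.255 or /24).
Private attributes must not be used, no prefix may be attached, and a network must not be assigned; it must be a single IP + mask.
When the user dials in, the Access-Request must carry Service-Type=Framed(7).
Example (FreeRADIUS user configuration)
    user1
    Framed-IP-Address = 10.5.5.10
    Framed-IP-Netmask = 255.255.255.255
    Service-Type = Framed-User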
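V. Debug commands (to locate exactly which step loses the address)
Check the SSLVPN user authorization result
    display sslvpn user
  • If IP Address is the Radius-assigned value → the device has received it, and the problem is on the client / routing side;
  • If it is still an address-pool IP → authorization did not take effect; go back to the configuration.
Check the Radius authorization details
    display radius statistics
    debug radius packet
Check whether the Access-Accept contains Framed-IP-Address.
Check the SSLVPN authorization log
    debug sslvpn all
VI. Summary in one sentence
You are missing authorization radius under the sslvpn context, and the address pool network / mask must match what Radius assigns; Radius must use the standard attributes 8+9 and must not use private attributes.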
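
Added example, not part of any answer in this thread: a Python check for the hex bytes that RADIUS packet debugging prints. It reports the packet type, whether Framed-IP-Address (8) and Framed-IP-Netmask (9) are present, which vendor IDs appear in Vendor-Specific (26) attributes, and whether the address falls inside a given pool. The function names, the pool 10.5.5.0/24 and the three sample packets are constructed for illustration; the attribute layout is the one defined in RFC 2865.

```python
import ipaddress
import struct

# RFC 2865/2866 packet codes and the attribute types this check looks at.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, VENDOR_SPECIFIC = 8, 9, 26

def parse_radius(hex_dump):
    """Decode the hex bytes of one RADIUS packet into (code name, [(type, value)])."""
    pkt = bytes.fromhex(hex_dump)
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return CODES.get(code, f"code {code}"), attrs

def check_assignment(hex_dump, pool_cidr):
    """Report the address a packet carries and whether it is an in-pool assignment."""
    code, attrs = parse_radius(hex_dump)
    ip4 = {t: str(ipaddress.ip_address(v)) for t, v in attrs
           if t in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK) and len(v) == 4}
    addr = ip4.get(FRAMED_IP_ADDRESS)
    vendors = [int.from_bytes(v[:4], "big") for t, v in attrs
               if t == VENDOR_SPECIFIC and len(v) >= 4]
    if code != "Access-Accept":
        verdict = "not-an-assignment"  # accounting packets echo the address in use
    elif addr is None:
        verdict = "no-framed-ip-address"
    elif ipaddress.ip_address(addr) in ipaddress.ip_network(pool_cidr):
        verdict = "in-pool"
    else:
        verdict = "outside-pool"
    return {"code": code, "address": addr, "netmask": ip4.get(FRAMED_IP_NETMASK),
            "vendor_ids": vendors, "verdict": verdict}

def sample(code, attr_hex):
    """Build a constructed sample packet (zero authenticator) as a hex string."""
    body = bytes.fromhex(attr_hex)
    return (struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body).hex(" ")

# Constructed samples: an Access-Accept with 10.5.5.10/255.255.255.255, one with an
# address outside the pool, and an accounting update that merely reports an address.
ACCEPT_OK = sample(2, "08 06 0a 05 05 0a 09 06 ff ff ff ff")
ACCEPT_OUTSIDE = sample(2, "08 06 ac 10 01 0a")
ACCT_UPDATE = sample(4, "08 06 0a 05 05 0a 1a 0c 00 00 63 a2 3b 06 00 00 00 00")
```

Only a packet whose first byte is 02 (Access-Accept) can assign an address; a Framed-IP-Address inside an accounting packet (04) is the device reporting the address the session already has.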
