某局点S5130-52S-EI MAC地址认证失败问题处理经验案例
- 0关注
- 0收藏 1914浏览
组网及说明
无
问题描述
某局点采用S5130-52S-EI作为接入设备,为了保证安全开启了MAC地址认证,但是发现有个打印机一直认证不通过,无法连接,认证服务器是华为的服务器,查看配置并无发现异常,指导客户采集debug mac-au和debug radius 分析。
过程分析
关键配置:
mac-authentication
mac-authentication timer offline-detect 60
mac-authentication domain xx
mac-authentication user-name-format mac-address with-hyphen
关键debug信息如下:
*Mar 19 12:52:45:013 2020 CIB69_6LJR RADIUS/7/PACKET:
User-Name="00-17-xx@xx"
User-Password=******
Service-Type=Call-Check
NAS-Identifier="CIB69_6LJR"
NAS-Port=16842857
NAS-Port-Type=Ethernet
NAS-Port-
NAS-IP-Address=xx
*Mar 19 12:52:45:013 2020 CIB69_6LJR MACA/7/EVENT: [0017-c805-ba36:VLAN105:GE1/0/16] AAA processed authentication request and returned Processing.
*Mar 19 12:52:45:014 2020 CIB69_6LJR RADIUS/7/EVENT:
Sent request packet successfully.
*Mar 19 12:52:45:015 2020 CIB69_6LJR MACA/7/EVENT: [0017-c805-ba36:VLAN105:GE1/0/16] Notified PortSec of new_mac result: 1.
*Mar 19 12:52:45:015 2020 CIB69_6LJR RADIUS/7/PACKET:
01 cb 00 c1 bb bd 36 f7 c6 47 7b 2b 77 c5 86 fa
f0 21 64 b1 01 1c 30 30 2d 31 37 2d 63 38 2d 30
35 2d 62 61 2d 33 36 40 63 69 62 67 2e 63 6f 6d
02 22 9c 8a dc b3 f3 6e 7e d4 6e 94 a2 c2 46 6e
ab 60 1b 4c 14 26 8c 23 fe 35 64 98 e2 85 46 2b
8c 92 06 06 00 00 00 0a 20 0c 43 49 42 36 39 5f
36 4c 4a 52 05 06 01 01 00 69 3d 06 00 00 00 0f
1f 13 30 30 2d 31 37 2d 43 38 2d 30 35 2d 42 41
2d 33 36 1e 13 41 43 2d 37 34 2d 30 39 2d 43 35
2d 34 46 2d 41 46 57 25 73 6c 6f 74 3d 31 3b 73
75 62 73 6c 6f 74 3d 30 3b 70 6f 72 74 3d 31 36
3b 76 6c 61 6e 69 64 3d 31 30 35 04 06 a8 45 01
fc
*Mar 19 12:52:45:016 2020 CIB69_6LJR RADIUS/7/EVENT:
Sent request packet and create request context successfully.
*Mar 19 12:52:45:016 2020 CIB69_6LJR RADIUS/7/EVENT:
Added request context to global table successfully.
*Mar 19 12:52:45:208 2020 CIB69_6LJR RADIUS/7/EVENT:
Reply SocketFd received EPOLLIN event.
*Mar 19 12:52:45:208 2020 CIB69_6LJR RADIUS/7/EVENT:
Received reply packet succuessfully.
*Mar 19 12:52:45:208 2020 CIB69_6LJR RADIUS/7/EVENT:
Found request context, dstIP: x.x.x.x, dstPort: 1812, VPN instance: --(public), socketFd: 52, pktID: 203.
*Mar 19 12:52:45:209 2020 CIB69_6LJR RADIUS/7/EVENT:
The reply packet is valid.
*Mar 19 12:52:45:209 2020 CIB69_6LJR RADIUS/7/EVENT:
Decoded reply packet successfully.
*Mar 19 12:52:45:209 2020 CIB69_6LJR RADIUS/7/PACKET:
Reply-Message="ErrCode:4101"
*Mar 19 12:52:45:210 2020 CIB69_6LJR RADIUS/7/PACKET:
03 cb 00 22 c2 bc 14 7a 80 21 75 fd 2d 75 b6 b6
bb e0 eb 00 12 0e 45 72 72 43 6f 64 65 3a 34 31
30 31
从debug信息来看,是服务器回应了code 3认证拒绝报文,导致认证失败,但是看关键配置,并无发现异常,认证服务器上添加的用户名也无问题。
解决方法
查看认证报文code 1,发现设备侧发送过去的用户带了域名后缀,怀疑是服务器侧不需要后缀名,让客户修改radius 方案中不带后缀测试,问题解决,认证成功。user-name-format without-domain 。
该案例暂时没有网友评论
编辑评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作