无组网
问题描述:
客户之前使用V5 SR6608与思科服务器进行hwtacacs认证,业务是SSH,正常使用;现在用V7SR6608替换V5SR6608(R2420P07),出现用户成功SSH到设备,但是紧接着闪退的问题。
目前进行的排查:
(1)检查 V5 V7 SR6608 hwtacacs配置,都是基本配置,没有发现异常;
(2)查看最初的debug hwtacacs all,看到Processing TACACS stop-accounting.,不确定是我们收到思科的计费停止报文,还是我们发给思科。
跟现场确认思科侧没有配置计费,所以让现场将SR6608的计费改为none、local方式,但是问题依旧(认证授权都成功,但是还是登陆成功后闪退)。麻烦研发帮忙一起看下,谢谢!附件是现在SR6608配置信息、以前V5SR6608配置、三次debug信息。
最初debug信息:
*Apr 24 17:08:14:048 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing accounting reply packet.
*Apr 24 17:08:14:048 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processed accounting-start reply message, resultCode: 0.
*Apr 24 17:08:14:048 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: TACACS start-accounting succeeded.
*Apr 24 17:08:14:049 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply message successfully sent.
*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing TACACS stop-accounting.
*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Dispatching request, Primitive: accounting-stop.
*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Creating request data, data type: START
*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Session successfully created.
*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Getting available server, server-ip=10.19.18.24, server-port=49, VPN instance=--(public).
*Apr 24 17:08:14:059 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Connecting to server...
*Apr 24 17:08:14:059 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Apr 24 17:08:14:059 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Connection succeeded, server-ip=10.19.18.24, port=49, VPN instance=--(public).
*Apr 24 17:08:14:060 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Encapsulating accounting request packet.
*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing accounting reply packet.
*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply message successfully sent.
*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processed accounting-stop reply message, resultCode: 0.
*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: TACACS stop-accounting succeeded.
%Apr 24 17:08:14:074 2020 HN_MN_VN_AR SSHS/6/SSHS_LOG: -MDC=1; User test@aaa logged out from 10.22.13.75 port 15849.
%Apr 24 17:08:14:074 2020 HN_MN_VN_AR SSHS/6/SSHS_DISCONNECT: -MDC=1; SSH user test@aaa (IP: 10.22.13.75) disconnected from the server.
计费改为none、local之后,问题依旧
*Apr 30 09:22:58:637 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing authorization reply packet.
*Apr 30 09:22:58:637 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply message successfully sent.
*Apr 30 09:22:58:638 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Apr 30 09:22:58:638 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: TACACS authorization succeeded.
%Apr 30 09:22:58:639 2020 HN_MN_VN_AR SSHS/6/SSHS_LOG: -MDC=1; Accepted password for test@aaa from 10.22.13.75 port 9476.
%Apr 30 09:22:59:662 2020 HN_MN_VN_AR SSHS/6/SSHS_CONNECT: -MDC=1; SSH user test@aaa (IP: 10.22.13.75) connected to the server successfully.
%Apr 30 09:22:59:816 2020 HN_MN_VN_AR LOGIN/5/LOGIN_FAILED: -MDC=1; test@aaa failed to log in from 10.22.13.75.
%Apr 30 09:23:02:826 2020 HN_MN_VN_AR SSHS/6/SSHS_LOG: -MDC=1; User test@aaa logged out from 10.22.13.75 port 9476.
%Apr 30 09:23:02:826 2020 HN_MN_VN_AR SSHS/6/SSHS_DISCONNECT: -MDC=1; SSH user test@aaa (IP: 10.22.13.75) disconnected from the server.
登录界面&&&&&&&&&&&&
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
配置问题,V5 V7在用户角色上有不同,V7设备上缺少了这个命令role default-role enable命令,为用户设置一个缺省的角色,可以登录设备。而以前的V5设备为什么不存在这个问题呢?是因为V5平台的设备默认这个命令是开启的。
解决措施两种办法:
1)系统试图配置role default-role enable
2)认证服务器上配置下发用户角色。