Print

某局点 SR6608 SSH hwtacacs 认证授权成功后闪退 问题

2020-05-21发表

组网及说明

无组网

问题描述

问题描述:

客户之前使用V5 SR6608与思科服务器进行hwtacacs认证,业务是SSH,正常使用;现在用V7SR6608替换V5SR6608R2420P07),出现用户成功SSH到设备,但是紧接着闪退的问题。

过程分析

目前进行的排查:

(1)检查 V5  V7  SR6608 hwtacacs配置,都是基本配置,没有发现异常;

(2)查看最初的debug hwtacacs all,看到Processing TACACS stop-accounting.,不确定是我们收到思科的计费停止报文,还是我们发给思科。

跟现场确认思科侧没有配置计费,所以让现场将SR6608的计费改为nonelocal方式,但是问题依旧(认证授权都成功,但是还是登陆成功后闪退)。麻烦研发帮忙一起看下,谢谢!附件是现在SR6608配置信息、以前V5SR6608配置、三次debug信息。

最初debug信息:

*Apr 24 17:08:14:048 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing accounting reply packet.

*Apr 24 17:08:14:048 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processed accounting-start reply message, resultCode: 0.

*Apr 24 17:08:14:048 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: TACACS start-accounting succeeded.

*Apr 24 17:08:14:049 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply message successfully sent.

*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing TACACS stop-accounting.    

*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Dispatching request, Primitive: accounting-stop.

*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Creating request data, data type: START

*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Session successfully created.

*Apr 24 17:08:14:057 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Getting available server, server-ip=10.19.18.24, server-port=49, VPN instance=--(public).

*Apr 24 17:08:14:059 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Connecting to server...

*Apr 24 17:08:14:059 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.

*Apr 24 17:08:14:059 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Connection succeeded, server-ip=10.19.18.24, port=49, VPN instance=--(public).

*Apr 24 17:08:14:060 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Encapsulating accounting request packet.

*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing accounting reply packet.

*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply message successfully sent.

*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processed accounting-stop reply message, resultCode: 0.

*Apr 24 17:08:14:062 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: TACACS stop-accounting succeeded.

%Apr 24 17:08:14:074 2020 HN_MN_VN_AR SSHS/6/SSHS_LOG: -MDC=1; User test@aaa logged out from 10.22.13.75 port 15849.

%Apr 24 17:08:14:074 2020 HN_MN_VN_AR SSHS/6/SSHS_DISCONNECT: -MDC=1; SSH user test@aaa (IP: 10.22.13.75) disconnected from the server.

 

计费改为nonelocal之后,问题依旧

*Apr 30 09:22:58:637 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processing authorization reply packet.

*Apr 30 09:22:58:637 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Reply message successfully sent.

*Apr 30 09:22:58:638 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.

*Apr 30 09:22:58:638 2020 HN_MN_VN_AR TACACS/7/EVENT: -MDC=1; PAM_TACACS: TACACS authorization succeeded.

%Apr 30 09:22:58:639 2020 HN_MN_VN_AR SSHS/6/SSHS_LOG: -MDC=1; Accepted password for test@aaa from 10.22.13.75 port 9476.

%Apr 30 09:22:59:662 2020 HN_MN_VN_AR SSHS/6/SSHS_CONNECT: -MDC=1; SSH user test@aaa (IP: 10.22.13.75) connected to the server successfully.

%Apr 30 09:22:59:816 2020 HN_MN_VN_AR LOGIN/5/LOGIN_FAILED: -MDC=1; test@aaa failed to log in from 10.22.13.75.

%Apr 30 09:23:02:826 2020 HN_MN_VN_AR SSHS/6/SSHS_LOG: -MDC=1; User test@aaa logged out from 10.22.13.75 port 9476.

%Apr 30 09:23:02:826 2020 HN_MN_VN_AR SSHS/6/SSHS_DISCONNECT: -MDC=1; SSH user test@aaa (IP: 10.22.13.75) disconnected from the server.

 

登录界面&&&&&&&&&&&&

* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

Login failed.



解决方法

配置问题,V5 V7在用户角色上有不同,V7设备上缺少了这个命令role default-role enable命令,为用户设置一个缺省的角色,可以登录设备。而以前的V5设备为什么不存在这个问题呢?是因为V5平台的设备默认这个命令是开启的。


解决措施两种办法:

1)系统试图配置role default-role enable

2)认证服务器上配置下发用户角色。