
Dumb terminals abnormally dropping offline under MAC authentication in an ADCampus network

Published 2020-10-31

Network topology and description

Not applicable

Problem description

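Some dumb terminals drop offline after roughly 10 minutes, with the logoff reason Idle Timeout. No related restriction is configured on the DR2000 controller. The affected devices are mostly card-swipe access-control dumb terminals, which drop offline when nobody swipes a card for a while.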


Analysis

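1. First, the configuration on the authentication device (the leaf) was checked. No unusual configuration was found. The main configuration of the leaf downlink port is as follows: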

interface GigabitEthernet1/0/10
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 port-isolate enable group 1
 stp tc-restriction
 mac-based ac
 dot1x
 dot1x critical vsi vsi3501
 mac-authentication
 mac-authentication domain adcampus
 mac-authentication critical vsi vsi3501 url-user-logoff
 port-security free-vlan 1 3501 to 3508 4093 to 4094
 #
 service-instance 3501
  encapsulation s-vid 3501
  xconnect vsi vsi3501
  arp detection trust

2. While a dumb terminal was dropping offline, the output of debugging mac-authentication all and debugging radius all was collected, and showed the following:

*May 17 16:36:49:590 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
PAM_RADIUS: RADIUS accounting updated.
*May 17 16:36:49:591 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
PAM_RADIUS: Fetched accounting-update reply-data successfully, resultCode: 0
*May 17 16:36:49:591 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
Sent reply message successfully.

<zyzyl-1F-zhibanshi-leaf>*May 17 16:37:02:581 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
PAM_RADIUS: RADIUS accounting stopped.
*May 17 16:37:02:581 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
PAM_RADIUS: Sent accounting-stop request successfully.
*May 17 16:37:02:581 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
Processing AAA request data.
*May 17 16:37:02:581 2019 zyzyl-1F-zhibanshi-leaf RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-stop.

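The output above shows that the device itself sent the accounting-stop packet, and the terminal went offline after the RADIUS server responded to it.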
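
The same reading of the debug output can be scripted when logs from many leaves have to be checked. The following is an added example, not part of the original case write-up: it parses the two-line debug records shown above and lists each accounting-stop the device sent, with the time since that device's last accounting update. The sample log is constructed, "leaf-a" is a placeholder hostname, and records are grouped per device on the assumption that these debug lines carry no per-user MAC address.

```python
import re
from datetime import datetime

# Constructed sample in the debug format shown above; "leaf-a" is a placeholder hostname.
SAMPLE = """\
*May 17 16:36:49:590 2019 leaf-a RADIUS/7/EVENT:
PAM_RADIUS: RADIUS accounting updated.
*May 17 16:36:49:591 2019 leaf-a RADIUS/7/EVENT:
Sent reply message successfully.

<leaf-a>*May 17 16:37:02:581 2019 leaf-a RADIUS/7/EVENT:
PAM_RADIUS: Sent accounting-stop request successfully.
*May 17 16:37:02:581 2019 leaf-a RADIUS/7/EVENT:
Got request data successfully, primitive: accounting-stop.
"""

# Header line: optional CLI prompt, "*", timestamp with milliseconds, host, MODULE/level/MNEMONIC:
HEADER = re.compile(
    r"^(?:<[^>]*>)?\*(\w{3} +\d+ \d\d:\d\d:\d\d:\d{3} \d{4}) (\S+) (\w+)/\d/\w+:\s*$"
)

def parse(text):
    """Return (timestamp, host, module, message) for each two-line debug record."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S:%f %Y")
            header = (ts, m.group(2), m.group(3))
        elif header and line.strip():
            records.append((*header, line.strip()))
            header = None  # only the first line after a header is the message
    return records

def accounting_stops(records):
    """For each accounting-stop the device sent, report seconds since its last accounting update."""
    last_update, stops = {}, []
    for ts, host, module, msg in records:
        if module != "RADIUS":
            continue
        if "accounting updated" in msg:
            last_update[host] = ts
        elif "Sent accounting-stop request" in msg:
            prev = last_update.get(host)
            gap = (ts - prev).total_seconds() if prev else None
            stops.append((host, ts, gap))
    return stops

if __name__ == "__main__":
    for host, ts, gap in accounting_stops(parse(SAMPLE)):
        print(f"{host}: accounting-stop sent at {ts}, {gap}s after last accounting update")
```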

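As for why the device sends the accounting-stop packet on its own: the MAC authentication chapter of the official documentation states that when MAC authentication is enabled on a port, the port's MAC authentication offline detection feature is enabled by default (mac-authentication offline-detect enable). The on-site engineer was therefore told to disable MAC authentication offline detection on the port manually (undo mac-authentication offline-detect enable). Testing confirmed that the dumb terminals no longer went offline, and the fault was resolved.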

Solution

Disable MAC authentication offline detection on the leaf's downlink authentication interface: undo mac-authentication offline-detect enable