
Wired portal authentication: business addresses still reachable before authentication

Published 2021-07-29

Network topology and description

Basic topology (figure not reproduced)

Problem description

Fault description: before the terminal passes iMC authentication, nothing on the network is reachable; after authentication, the intranet at the far end of the leased line becomes reachable. When the user is then forced offline, in theory nothing should be reachable again, but in practice the terminal cannot ping the gateway 10.249.2.1 while business intranet addresses such as 10.249.190.1 can still be pinged.

Analysis

Reproducing the fault

With authentication passed: (screenshot not reproduced)

Before authentication: (screenshot not reproduced)

Terminal NIC configuration: (screenshot not reproduced)

The terminal hangs off the aggregation switch and the gateway is on the core switch, where Layer-2 portal authentication is enabled on the gateway interface. Normally the gateway and the far-end business addresses become reachable only after portal authentication succeeds, and that part behaves correctly. While the terminal is unauthenticated, however, it cannot ping the gateway yet can ping the far-end business addresses. Those addresses are reached across Layer 3 through the gateway, so how can the packets be forwarded when the gateway itself is unreachable?


Check the switch-side configuration:

 

interface Vlan-interface12
 description IT
 ip address 10.249.2.1 255.255.255.0
 packet-filter 3000 inbound
 dhcp select relay
 dhcp relay server-address 10.249.1.47
 portal enable method direct
 portal bas-ip 10.249.2.1
 portal apply web-server myportal fail-permit
#
 radius session-control enable
#
radius scheme imc
 primary authentication 10.249.125.48
 primary accounting 10.249.125.48
 key authentication cipher $c$3$bJCEm0nlHcBxUcz4b1DQjdbxX37FjQY=
 key accounting cipher $c$3$oQwuXCtskHZJgnJ87YO4RVuILWL35UQ=
 nas-ip 10.249.127.3
#
domain tportal
 authorization-attribute idle-cut 30 10240000
 authentication portal radius-scheme imc
 authorization portal radius-scheme imc
 accounting portal radius-scheme imc
#
 portal free-rule 10 source ip any destination ip 10.249.1.59 255.255.255.255
 portal free-rule 20 source mac 10e7-c62b-1e85
 portal free-rule 21 source mac 907e-ba50-e3b7
 portal free-rule 22 source mac 907e-ba50-e402
 portal free-rule 23 source mac 5803-fb96-1062
 portal free-rule 24 source mac 5803-fb96-1082
 portal free-rule 25 source mac 5803-fb96-107e
 portal free-rule 26 source mac 5803-fb96-1241
 portal free-rule 27 source mac 5803-fb96-12dc
 portal free-rule 28 source mac bcad-28dc-2557
 portal free-rule 29 source mac 00e3-4f68-0ce7
 portal free-rule 30 source mac 7af6-7aa7-b968
 portal free-rule 31 source mac 0017-61c7-8ca1
 portal free-rule 32 source mac 0017-61c7-0eea
 portal free-rule 33 source mac d8ca-e5d2-cad2
 portal free-rule 34 source mac d811-1130-1130
 portal free-rule 35 source mac d8f6-e5d2-f6d2
 portal free-rule 36 source mac f80d-acd4-fc5d
 portal free-rule 37 source mac 9883-e5d2-83d2
 portal free-rule 38 source mac 982b-1130-2b30
 portal free-rule 39 source mac c465-16e0-a51a
 portal free-rule 40 source mac d857-e5d2-57d2
 portal free-rule 41 source mac d4ea-0e8e-65f2
 portal free-rule 42 source mac 5820-b1f3-768e
 portal free-rule 43 source mac 0017-6110-b140
 portal free-rule 44 source mac d8b9-1130-b930
 portal free-rule 45 source mac 74d4-35de-a5b4
 portal free-rule 46 source mac 00e0-4f68-9417
 portal free-rule 47 source mac 0017-6110-cb44
 portal free-rule 48 source mac 0017-6111-f05b
 portal free-rule 49 source mac 00e1-4f68-0339
 portal free-rule 50 source mac 00e0-6f68-08ea
 portal free-rule 51 source mac 1868-cb10-a3d8
 portal free-rule 52 source mac 8ce7-4848-492c
 portal free-rule 53 source mac ccf9-54aa-9145
 portal free-rule 54 source mac 0017-6110-7d43
 portal free-rule 55 source mac f439-09b9-627d
 portal free-rule 56 source mac dcbd-7a10-a41d
 portal free-rule 57 source mac 702e-d96f-4ed7
 portal free-rule 58 source ip 10.249.2.3 255.255.255.255
#
portal web-server myportal
 url http://10.249.125.48:8080/portal
#
portal server myportal
 ip 10.249.125.48 key cipher $c$3$RvNH7Ge8b5P5znrUWUbqr4myelAAZw==
 server-detect timeout 40 log
#
portal mac-trigger-server mtsp
 ip 10.249.125.48
#
 http-redirect https-port 8888
#


There is nothing wrong with the basic portal configuration: the portal free rules do not permit the business subnet at the far end of the leased line, and none of the source-MAC free rules cover the MAC address of the test terminal.


Checking the configuration again shows that the gateway interface carries not only portal authentication but also a packet filter:

 

interface Vlan-interface12
 description IT
 ip address 10.249.2.1 255.255.255.0
 packet-filter 3000 inbound
 dhcp select relay
 dhcp relay server-address 10.249.1.47
 portal enable method direct
 portal bas-ip 10.249.2.1
 portal apply web-server myportal fail-permit


Looking at the ACL behind that packet filter, the final rule permits everything:

acl advanced 3000
 .....
 rule 882 permit ip source 10.249.2.0 0.0.0.15 destination 10.249.177.3 0
 rule 900 deny ip destination 10.249.0.0 0.0.255.255
 rule 1000 permit ip



Check the device's underlying ACL priority table:

[H3C-probe]debug qacl show acl-prioinfo slot 1
--------------------------Qacl Type Priority Info---------------------------
32    Portal Free                        FALSE       4         12
33    Portal User                        FALSE       4         11
34    Portal Redirect                    FALSE       4         9
35    Portal Deny                        FALSE       4         8
68    Portal User ACL                    FALSE       4         10
....
94    PktFilter Eth_Mac on PORT          FALSE       8         28
95    PktFilter IP on PORT               FALSE       8         27
96    PktFilter IP on VRF                FALSE       8         6
97    PktFilter Eth_Mac on VRF           FALSE       8         7
98    PktFilter IP on VSIPORT            FALSE       8         39
99    PktFilter Eth_Mac on VSIPORT       FALSE       8         40
100   PktFilter VSI DEFAULT MAC          FALSE       8         35
101   PktFilter VRF DEFAULT MAC          FALSE       8         1
102   PktFilter PORT DEFAULT MAC         FALSE       8         22


Judging from this table, the major priority of ordinary QACL packet-filter entries is higher than that of the portal entries, so a packet should match the packet filter first and never reach the portal ACL that would block it.


In the device's hidden (probe) view, dump the detailed QACL entries with:

debug qacl show 1 0 verbose 0
debug qacl show 1 0 verbose 20
debug qacl show 1 0 verbose 40
debug qacl show 1 0 verbose 60

(step the offset by 20 each time and keep collecting until nothing more is displayed)


========
Acl-Type PktFilter IPV4 on VRF, Stage IFP, Group 3[3], EntryID 1944, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 517, Prio_Sub 52,Slice 2,SliceIdx 34
ACL GroupNo : 3000, RuleID : 1000
Rule Match --------
        Ports: 0x03ffffffc, 0x03fffffff
        Lookup: STP forwarding, L2 dst L3 bit, 0x118, 0x118
        Outer Vlan: 0x136, 0xfff
        IP Type: Any IPv4 packet
Actions --------
        Permit
========

========
Acl-Type Portal 2, Stage IFP, Group 3[3], EntryID 639, Inactive
Health 1, PoolFree 0, PoolID 1, Prio_Mjr 517, Prio_Sub 38,Slice 2,SliceIdx 35
Rule Match --------
        Ports: 0x003fffffc, 0x03fffffff
        Source mac: 0000-0000-0000, 0000-0000-0000
        Outer Vlan: 0x6e, 0xfff
        Source IP: 21.32.0.0, 255.255.0.0
        IP Type: Any IPv4 packet
        SRC TRUNK : Don't care( 0 0)
Actions --------
        Redirect do NOT
        Copy_to_cpu : No
        Permit
        Remark DSCP 0
        Red Permit
        Yel Permit
========


From the collected output, the packet-filter entry and the portal entry are installed in the same slice with the same major priority (517). The packet filter's sub-priority is 52, higher than the portal entry's 38, so every IPv4 packet matches the higher-priority packet-filter entry and is permitted outright, which is why the unauthenticated terminal reaches the business addresses. The portal entry that governs traffic to the gateway itself, on the other hand, outranks the packet filter, so the gateway stays unreachable.

Solution

After the packet filter is removed, the portal service works normally again.


Apply the packet filter on the uplink interface instead, and do not enable it on the same interface as portal; otherwise traffic matches the packet filter first and breaks normal portal operation.
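The priority resolution behind the fault and the fix, as an added example (a toy model written for this page, not H3C code). The priority pairs come from the `debug qacl show` output above (Prio_Mjr 517 / Prio_Sub 52 for the acl 3000 rule 1000 entry, Prio_Mjr 517 / Prio_Sub 38 for the portal entry), and destination 10.249.1.59 is the page's `portal free-rule 10`. The uplink VLAN id, the catch-all match of the portal deny entry, and the sub-priority given to the free rule are assumptions made for the demonstration; only the final `permit ip` entry of acl 3000 is modelled.

```python
"""Toy model of the QACL lookup: among all entries that match a packet, the
one with the highest (Prio_Mjr, Prio_Sub) pair wins. Priorities are taken
from the 'debug qacl show' output on this page; VLAN ids, the free rule's
sub-priority and the portal deny entry's match fields are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class QaclEntry:
    name: str
    prio_mjr: int
    prio_sub: int
    action: str                 # "permit" or "deny"
    vlan: Optional[int] = None  # Outer Vlan match; None matches any VLAN
    dst: str = "0.0.0.0/0"      # destination prefix; 0.0.0.0/0 matches any

    def matches(self, vlan: int, dst_ip: str) -> bool:
        if self.vlan is not None and self.vlan != vlan:
            return False
        return ip_address(dst_ip) in ip_network(self.dst)


def resolve(entries: Iterable[QaclEntry], vlan: int, dst_ip: str) -> Optional[QaclEntry]:
    """Winning entry for a packet in `vlan` to `dst_ip`: the matching entry
    with the highest (Prio_Mjr, Prio_Sub). None means no ACL entry applies
    and the packet is forwarded normally."""
    hits = [e for e in entries if e.matches(vlan, dst_ip)]
    return max(hits, key=lambda e: (e.prio_mjr, e.prio_sub)) if hits else None


def verdict(entries: Iterable[QaclEntry], vlan: int, dst_ip: str) -> str:
    e = resolve(entries, vlan, dst_ip)
    return "forward" if e is None else f"{e.action} ({e.name})"


USER_VLAN = 12      # interface Vlan-interface12 on the page
UPLINK_VLAN = 100   # assumed VLAN of the uplink interface

# acl 3000 rule 1000 "permit ip" as installed by "packet-filter 3000 inbound"
# on Vlan-interface12 (Prio_Mjr 517 / Prio_Sub 52 from the page).
PKTFILTER_ON_USER_VLAN = QaclEntry(
    "PktFilter IPv4 on VRF, acl 3000 rule 1000", 517, 52, "permit", vlan=USER_VLAN)
# The same entry after the packet filter is moved to the uplink interface.
PKTFILTER_ON_UPLINK = QaclEntry(
    "PktFilter IPv4 on VRF, acl 3000 rule 1000", 517, 52, "permit", vlan=UPLINK_VLAN)
# Portal entry blocking an unauthenticated client (Prio_Sub 38 from the page);
# its catch-all match is an assumption.
PORTAL_DENY = QaclEntry("Portal Deny (unauthenticated user)", 517, 38, "deny", vlan=USER_VLAN)
# portal free-rule 10: 10.249.1.59 reachable before login. Sub-priority 39 is
# an assumption; it only has to outrank Portal Deny.
PORTAL_FREE_RULE_10 = QaclEntry(
    "Portal Free rule 10", 517, 39, "permit", vlan=USER_VLAN, dst="10.249.1.59/32")

BROKEN = [PKTFILTER_ON_USER_VLAN, PORTAL_DENY, PORTAL_FREE_RULE_10]  # as found
FIXED = [PKTFILTER_ON_UPLINK, PORTAL_DENY, PORTAL_FREE_RULE_10]      # filter on uplink

BUSINESS_HOST = "10.249.190.1"   # far-end business address from the fault description
PORTAL_FREE_HOST = "10.249.1.59"  # destination of portal free-rule 10

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        for dst in (BUSINESS_HOST, PORTAL_FREE_HOST):
            print(f"{label:6} vlan {USER_VLAN:3} -> {dst}: {verdict(table, USER_VLAN, dst)}")
        print(f"{label:6} vlan {UPLINK_VLAN:3} -> {BUSINESS_HOST}: "
              f"{verdict(table, UPLINK_VLAN, BUSINESS_HOST)}")
```

With the filter on the user VLAN, an unauthenticated client's packet to 10.249.190.1 is won by the packet-filter entry (sub-priority 52 beats 38) and permitted; once the filter is bound to the uplink VLAN only the portal entries match user-VLAN traffic, the deny wins, and the free rule still opens 10.249.1.59.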