
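Portal authentication in an M-LAG scenario: identical NAS-IP configuration causes a "sending request to the device timed out" error

Published 2026-01-21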

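Network topology and description

Problem description

When a terminal authenticates by scanning a QR code with WeCom (Enterprise WeChat), a "sending request to the device timed out" prompt is displayed.

Analysis

After confirming the NAS-IP and the Portal server address, enable debugging to observe the packet exchange: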

debugging radius all
debugging portal all
acl advanced 3000
 rule 5 permit ip source 10.30.63.17 0.0.0.0 destination 10.30.80.10 0.0.0.0
debugging udp packet acl 3000
terminal monitor
terminal debugging

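Debugging on DeviceA showed that it never received the RADIUS server's response packets. In the live network both devices are configured with the same NAS-IP, so the responses were suspected to have been hashed to DeviceB.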

*Jan 16 21:57:03:091 2026 YP01-2FC03-OA-H3CS7503X-HJSW02 RADIUS/7/EVENT: Retransmitting request packet, currentTries: 3, maxTries: 3.
*Jan 16 21:57:06:091 2026 YP01-2FC03-OA-H3CS7503X-HJSW02 RADIUS/7/EVENT: Reached the maximum retries.

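Solution

In an M-LAG scenario, note the following two points when configuring the NAS-IP for portal authentication:

1. When a dual-active gateway interface address is used as the NAS-IP source address, virtual-ip must be configured.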

Device A

interface Vlan-interface902
 ip address 10.30.63.17 255.255.255.248
 port mlag virtual-ip 10.30.63.18 255.255.255.248 active
 port mlag virtual-ip 10.30.63.19 255.255.255.248 standby
 mac-address 0058-0058-0058
#

Device B

interface Vlan-interface902
 ip address 10.30.63.17 255.255.255.248
 port mlag virtual-ip 10.30.63.19 255.255.255.248 active
 port mlag virtual-ip 10.30.63.18 255.255.255.248 standby
 mac-address 0058-0058-0058
#

2. When a dual-active gateway interface address is used as the NAS-IP source address, the nas-ip m-lag local peer command must be configured in the RADIUS scheme.

Device A

radius scheme ldtest
 primary authentication 10.30.80.10
 primary accounting 10.30.80.10
 key authentication cipher $c$3$ruYqQq35y7KVUNEUuB7iFbx+GDO9CI27sg==
 key accounting cipher $c$3$k02A1EzoWZtArU1w14p+glFfUJmaSbMKBQ==
 user-name-format without-domain
 nas-ip m-lag local 10.30.63.18 peer 10.30.63.19
#

Device B

radius scheme ldtest
 primary authentication 10.30.80.10
 primary accounting 10.30.80.10
 key authentication cipher $c$3$ruYqQq35y7KVUNEUuB7iFbx+GDO9CI27sg==
 key accounting cipher $c$3$k02A1EzoWZtArU1w14p+glFfUJmaSbMKBQ==
 user-name-format without-domain
 nas-ip m-lag local 10.30.63.19 peer 10.30.63.18
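
The two requirements above can be checked offline against the saved configuration of both M-LAG members before a change is rolled out. The following Python script is an added example, not H3C code and not part of the original article; the function names, and the rule that each member's local NAS-IP equals its active virtual-ip, are assumptions drawn from the sample configuration on this page.

```python
import re

# Constructed inputs: trimmed copies of the Device A / Device B settings on this page.
DEVICE_A = """interface Vlan-interface902
 port mlag virtual-ip 10.30.63.18 255.255.255.248 active
 port mlag virtual-ip 10.30.63.19 255.255.255.248 standby
radius scheme ldtest
 nas-ip m-lag local 10.30.63.18 peer 10.30.63.19
"""
DEVICE_B = """interface Vlan-interface902
 port mlag virtual-ip 10.30.63.19 255.255.255.248 active
 port mlag virtual-ip 10.30.63.18 255.255.255.248 standby
radius scheme ldtest
 nas-ip m-lag local 10.30.63.19 peer 10.30.63.18
"""

VIP_RE = re.compile(r"^\s*port mlag virtual-ip (\S+) \S+ (active|standby)\s*$", re.M)
NAS_RE = re.compile(r"^\s*nas-ip m-lag local (\S+) peer (\S+)\s*$", re.M)

def parse(cfg):
    """Return (local, peer, {role: vip}); local/peer are None if the command is absent.
    Only the first matching nas-ip line is read (one RADIUS scheme assumed)."""
    vips = {role: ip for ip, role in VIP_RE.findall(cfg)}
    nas = NAS_RE.search(cfg)
    return (nas.group(1), nas.group(2), vips) if nas else (None, None, vips)

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair follows this page's pattern."""
    findings = []
    parsed = {"A": parse(cfg_a), "B": parse(cfg_b)}
    for name, (local, peer, vips) in parsed.items():
        if local is None:
            findings.append(f"{name}: radius scheme lacks 'nas-ip m-lag local ... peer ...'")
        elif local == peer:
            findings.append(f"{name}: local and peer NAS-IP are both {local}")
        elif vips.get("active") != local:
            # Assumption drawn from the sample configs: local NAS-IP is the active virtual-ip.
            findings.append(f"{name}: local NAS-IP {local} is not the active virtual-ip")
    (la, pa, _), (lb, pb, _) = parsed["A"], parsed["B"]
    if None not in (la, lb) and (la != pb or pa != lb):
        findings.append("A/B: local/peer NAS-IP values are not mirrored between members")
    return findings

if __name__ == "__main__":
    print(check_pair(DEVICE_A, DEVICE_B) or "pair is consistent")
```

A member whose RADIUS scheme lacks the nas-ip m-lag command is reported by name, which corresponds to the misconfiguration this case describes.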