Symptom

After TACACS authentication is configured on a Comware V7 device, a test login to device management comes online normally: the ACS server records a successful authentication and the device debug output shows the user coming online. Immediately after coming online, however, accounting stops, and the client software (Telnet and the like) is then disconnected from the server.

Alarm information

hwtacacs debug output captured on site:

*Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing TACACS authorization.
*Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Dispatching request, Primitive: authorization.
*Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Creating request data, data type: START
*Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Session successfully created.
*Dec  4 17:04:31:929 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Getting available server, server-ip=10.11.162.2, server-port=49, VPN instance=--(public).
*Dec  4 17:04:31:930 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Connecting to server...
*Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Connection succeeded, server-ip=10.11.162.2, port=49, VPN instance=--(public).
*Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Encapsulating authorization request packet.
*Dec  4 17:04:31:931 2015 DR_INTER_FW5020_01 TACACS/7/send_packet: -Context=1;
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0xa28312a8
length of payload: 57
authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
user_len: 10   port_len: 9   rem_len: 11   arg_cnt: 2
arg0_len: 13    arg1_len: 4
user: superbjrcb
port: LoopBack0
rem_addr: 10.11.178.4
arg0: service=shell  arg1: cmd*
*Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/recv_packet: -Context=1;
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0xa28312a8
length of payload: 6
Status: STATUS_PASS_ADD  arg_cnt: 0  server_msg len: 0  data len: 0
server_msg:
data:                                         // no data
*Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing authorization reply packet.
*Dec  4 17:04:31:933 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply message successfully sent.
*Dec  4 17:04:31:934 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Dec  4 17:04:31:935 2015 DR_INTER_FW5020_01 TACACS/7/EVENT: -Context=1; PAM_TACACS: TACACS authorization succeeded.

Root cause

No authorization was configured for this user account on the ACS server, so the server returned empty authorization information (an AUTHOR_REPLY with arg_cnt 0 and no priv-lvl attribute) to the device. On receiving it, the device dropped the client connection.

Solution

Configure authorization for the user account on the ACS server.

As shown in the figure below, configure privilege level 15 for the user account.

Recommendations and summary

Normally, debugging the authentication process prints output like the following, in which the user privilege level assigned by the server can be seen.

*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing TACACS authorization.
*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Dispatching request, Primitive: authorization.
*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Creating request data, data type: START
*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Session successfully created.
*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Getting available server, server-ip=192.168.20.66, server-port=49, VPN instance=--(public).
*Dec  6 02:58:31:277 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Connecting to server...
*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Connection succeeded, server-ip=192.168.20.66, port=49, VPN instance=--(public).
*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Encapsulating authorization request packet.
*Dec  6 02:58:31:278 2015 F5000_ TACACS/7/send_packet: -Context=1;
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1  flag: ENCRYPTED_FLAG
session-id: 0xb829b3b6
length of payload: 63
authen_method: TACACSPLUS  priv_lvl: 0  authen_type: ASCII  authen_service: LOGIN
user_len: 4   port_len: 20   rem_len: 12   arg_cnt: 2
arg0_len: 13    arg1_len: 4
user: mike
port: GigabitEthernet1/0/0
rem_addr: 192.168.20.6
arg0: service=shell  arg1: cmd*
*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/recv_packet: -Context=1;
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2  flag: ENCRYPTED_FLAG
session-id: 0xb829b3b6
length of payload: 18
Status: STATUS_PASS_ADD  arg_cnt: 1  server_msg len: 0  data len: 0
arg0_len: 11
server_msg:
data:
arg0: priv-lvl=15                         // user privilege level delivered
*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processing authorization reply packet.
*Dec  6 02:58:31:283 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Reply message successfully sent.
*Dec  6 02:58:31:284 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Dec  6 02:58:31:284 2015 F5000_ TACACS/7/EVENT: -Context=1; PAM_TACACS: TACACS authorization succeeded.
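The two debug captures above differ only in the AUTHOR_REPLY body: the failing one carries STATUS_PASS_ADD with arg_cnt 0 (payload 6 bytes), the healthy one carries one attribute, priv-lvl=15 (payload 18 bytes). The following Python is an added example, not code from this case or from H3C: it builds and decodes TACACS+ authorization REPLY packets according to RFC 8907 (12-byte header, MD5 pseudo-pad body obfuscation, then status / arg_cnt / server_msg_len / data_len / arg lengths / args), extracts priv-lvl, and classifies the reply so that an "authorization passed but empty" reply is reported as the misconfiguration this case describes rather than as success. The shared key and the packet bytes are constructed; the session IDs and payload lengths are taken from the debug output above.

```python
"""Decode TACACS+ (RFC 8907) authorization REPLY packets and flag an
"empty authorization" reply. Added example; the key and bytes are constructed."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x03            # header type: authorization packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # cleared (shown as ENCRYPTED_FLAG) => body obfuscated
AUTHOR_STATUS = {
    0x01: "STATUS_PASS_ADD", 0x02: "STATUS_PASS_REPL",
    0x10: "STATUS_FAIL", 0x11: "STATUS_ERROR", 0x21: "STATUS_FOLLOW",
}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def obfuscate(body, session_id, key, version, seq_no):
    """RFC 8907 section 4.5 MD5 pseudo-pad. XOR is symmetric, so the same
    function both obfuscates and de-obfuscates a body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()   # MD5_n is chained on MD5_(n-1)
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, status, args, key, seq_no=2):
    """Build an obfuscated AUTHOR_REPLY; used here only to construct sample packets."""
    body = struct.pack("!BBHH", status, len(args), 0, 0)   # no server_msg, no data
    body += bytes(len(a) for a in args) + b"".join(args)
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHOR, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, 0xC0, seq_no)


def parse_author_reply(packet, key):
    """Return header and body fields of an AUTHOR_REPLY as a dict.
    Raises ValueError when the declared lengths do not add up (truncation, wrong key)."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[HEADER.size:]
    if len(body) != length or length < 6:
        raise ValueError("header length does not match body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6

    def take(n):                       # consume n bytes of the body in order
        nonlocal off
        chunk = body[off:off + n]
        off += n
        return chunk

    arg_lens = list(take(arg_cnt))     # one length byte per attribute
    server_msg = take(msg_len)
    data = take(data_len)
    args = [take(n).decode("ascii", "replace") for n in arg_lens]
    if len(arg_lens) != arg_cnt or off != length:
        raise ValueError("body fields do not fit the declared length")
    return {"version": version, "seq_no": seq_no, "session_id": session_id,
            "length": length, "status": AUTHOR_STATUS.get(status, hex(status)),
            "arg_cnt": arg_cnt, "server_msg": server_msg.decode("ascii", "replace"),
            "data": data, "args": args}


def privilege_level(reply):
    """priv-lvl from the attribute list; '=' marks a mandatory attribute, '*' an optional one."""
    for arg in reply["args"]:
        for sep in ("=", "*"):
            name, found, value = arg.partition(sep)
            if found and name == "priv-lvl":
                return int(value)
    return None


def assess(reply):
    """Classify the reply the way an operator reading the debug output should."""
    if reply["status"] not in ("STATUS_PASS_ADD", "STATUS_PASS_REPL"):
        return ("FAIL", "server refused authorization: " + reply["status"])
    if reply["arg_cnt"] == 0:
        return ("EMPTY", "authorization passed but no attributes were returned; "
                         "the account has no shell authorization profile on the server")
    level = privilege_level(reply)
    if level is None:
        return ("NO_PRIV_LVL", "attributes returned, but no priv-lvl among them")
    return ("OK", "priv-lvl=%d" % level)


# Constructed samples: the key is made up; session IDs mirror the debug captures.
KEY = b"constructed-shared-secret"
EMPTY_REPLY = build_author_reply(0xA28312A8, 0x01, [], KEY)                # payload 6, arg_cnt 0
GOOD_REPLY = build_author_reply(0xB829B3B6, 0x01, [b"priv-lvl=15"], KEY)   # payload 18, arg_cnt 1

if __name__ == "__main__":
    for pkt in (EMPTY_REPLY, GOOD_REPLY):
        reply = parse_author_reply(pkt, KEY)
        print(reply["status"], "payload", reply["length"], reply["args"], assess(reply))
```

The point of assess() is that STATUS_PASS_ADD on its own is not evidence of a usable login: the Comware debug prints "TACACS authorization succeeded" for both captures, and only the attribute list distinguishes them. With a wrong shared key the de-obfuscated body is garbage and parse_author_reply() usually fails its length check, which is a different symptom from the empty-but-valid reply in this case.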

Case information

Case type: experience case
Case number: 201609100005
Created: 10 September 2016
Updated: 12 September 2016
Published: 2016/9/12 15:45:06
Article classification: visible to guests
Validity: permanent
Publisher: 金山 [Technical Expert] [j06566]
Views: 1794
Average comment rating: 0
Keywords: ACS, TACACS
Product line: Security products
Product series:
Product version:
Fault type:
