1. Collect the Portal debug log; the log analysis is as follows:
2017-09-25 14:01:06.791[Portal服务器][调试(0)][24][ProxyResponseDeviceHandler::run]192.168.15.111 ; REQ_AUTH(3) ; 11280 ; 192.168.220.1:2000 ; 报文处理成功
Packet Type:REQ_AUTH(3)
SerialNo:11280
Address:192.168.220.254
Port:50300
RemoteIp:192.168.220.1\\IP address of the Portal device
RemotePort:2000
Version:portal 1.0\\The Portal protocol version is Portal 1.0, i.e. CMCC mode
Auth Type:CHAP
ErrorID:0
UserIP:192.168.15.111\\User IP address
UserPort:0
ReqID:10488
Rsvd:0
attriNum:3
User Name:test1\\Access user name
Challenge Password:***
Challenge Type:CHAP
The REQ_AUTH packet is sent by the Portal Server to the Portal BAS. After the Portal Server sends this packet, the access device must send a RADIUS code 1 authentication request (Access-Request) to the RADIUS server.
Collect the corresponding UAM debug log and analyze it, as follows:
%% 2017-09-25 14:01:06.793 ; [LDBG] ; [6688] ; LAN ; test1 ; 1 ; 8e0f9e9173fd43f0a82d8799a3cd3b39 ; Received message from 192.168.220.1:
CODE = 1.\\Authentication request packet
ID = 183.
ATTRIBUTES:
User-Name(1) = "...test1".
NAS-Identifier(32) = "hexin".
Framed-Protocol(7) = 255.
Attribute (25506-230) is not defined in dic file r2.
NAS-Port(5) = 49167.
NAS-Port-Id(87) = "0000012000000015".
hw_IP_Host_Addr(60) = "192.168.15.111 f0:de:f1:7c:83:f4".
Calling-Station-Id(31) = "F0-DE-F1-7C-83-F4".\\User MAC address
CHAP-Password(3) = "f8f625c63f4551ac87b462105161ae080f".
CHAP-Challenge(60) = "b396bd80df0ebca10e3d66173488836e".
Framed-IP-Address(8) = 3232239471.
Acct-Session-Id(44) = "00000007201709251401220004b64800100927".
Service-Type(6) = 2.
NAS-IP-Address(4) = 3232291841.
hw_Product_ID(255) = "H3C S7503E-M".
hw_Nas_Startup_Timetamp(59) = 1505665836.
The device sent the authentication request packet normally, and the UAM immediately replied with a RADIUS code 2 authentication-accept packet, as follows:
%% 2017-09-25 14:01:06.795 ; [LDBG] ; [15308] ; LAN ; test1 ; 2 ; OAsxGF9A ; Send message attribute list:
Code = 2\\Authentication response packet
ID = 183
ATTRIBUTES:
User-Name(1) = test1
Service_Type(6) = 2
State(24) = OAsxGF9A
Class(25) = OAsxGF9A
Termination-Action(29) = 0
Session-Timeout(27) = 86400
Acct-Interim-Interval(85) = 600
hw-User-Group(140) = 2\\User group USER-GROUP 2 was delivered
hw_User_Notify(61) =
IF_PROXY = 0
IF_DOUBLE_NETCARD = 0
IF_IE_PROXY = 0
FRAMED_IP_SET_MODE = 0
IF_CHECK_MODIFY_MAC = 0
IF_CHECK_SAME_MAC = 0
EIA_DETAIL_VERSION = V700R003B04D021
EAD_EVENT_SEQ_ID = OAsxGF9A
After that, the device did not go on to send a CODE = 4 packet, i.e. the RADIUS code 4 accounting request. Checking the Portal log again at this point shows the following:
2017-09-25 14:01:06.797[Portal服务器][调试(0)][21][ProxyRequestHandler::run]192.168.15.111 ; NTF_LOGOUT(8) ; 11280 ; 192.168.220.1:2000 ; 报文处理成功
Packet Type:NTF_LOGOUT(8)\\Logout request, sent by the access device to the Portal Server
SerialNo:11280
Address:192.168.220.254
Port:50908
RemoteIp:192.168.220.1
RemotePort:2000
Version:portal 1.0
Auth Type:CHAP
ErrorID:0
UserIP:192.168.15.111
UserPort:0
ReqID:10488
Rsvd:0
attriNum:1
Text Info:Failed to set user rule
In the NTF_LOGOUT packet the device carried the error message Failed to set user rule, which indicates that a special permission setting for the user failed. Such settings are usually delivered by the AAA server, and the failure is caused by the device being unable to apply them.
The RADIUS code 2 packet in the UAM debug log shows that EIA delivered the USER-GROUP attribute value to the user. This attribute must be configured on the access device in advance for the delivered value to take effect. Checking the access device configuration on site, no USER-GROUP configuration item was found, so applying the delivered attribute failed, and that ultimately caused the Portal authentication failure.
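The troubleshooting above is done by hand across two logs: the Portal server dump (REQ_AUTH, then NTF_LOGOUT carrying a Text Info error) and the UAM RADIUS dump (Access-Request, Access-Accept carrying hw-User-Group, and then no Accounting-Request). The script below is an added example, not part of the original page or of any iMC tool; it shows how that correlation can be automated. It parses constructed log excerpts modelled on the lines shown above, decodes the integer-encoded RADIUS IPv4 attributes (Framed-IP-Address, NAS-IP-Address) to dotted form so the RADIUS session can be joined to the Portal user IP, and flags an Access-Accept that delivered hw-User-Group when the same user was then logged out with "Failed to set user rule" and never reached accounting. The message formats (regular expressions) and the sample lines are assumptions derived from the excerpts on this page.

```python
"""Correlate iMC Portal-server and UAM RADIUS debug output to flag the
failure pattern on this page: Access-Accept with hw-User-Group, then
NTF_LOGOUT 'Failed to set user rule' from the NAS and no Accounting-Request.
Added example; sample lines are constructed from the excerpts above."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed Portal debug excerpt: header line, then decoded fields.
PORTAL_LOG = """\
2017-09-25 14:01:06.791[Portal server][debug(0)][24][ProxyResponseDeviceHandler::run]192.168.15.111 ; REQ_AUTH(3) ; 11280 ; 192.168.220.1:2000 ; ok
Packet Type:REQ_AUTH(3)
User Name:test1
2017-09-25 14:01:06.797[Portal server][debug(0)][21][ProxyRequestHandler::run]192.168.15.111 ; NTF_LOGOUT(8) ; 11280 ; 192.168.220.1:2000 ; ok
Packet Type:NTF_LOGOUT(8)
Text Info:Failed to set user rule
"""

# Constructed UAM RADIUS excerpt: Access-Request (code 1), Access-Accept (code 2).
RADIUS_LOG = """\
%% 2017-09-25 14:01:06.793 ; [LDBG] ; [6688] ; LAN ; test1 ; 1 ; 8e0f9e91 ; Received message from 192.168.220.1:
CODE = 1.
User-Name(1) = "test1".
Framed-IP-Address(8) = 3232239471.
NAS-IP-Address(4) = 3232291841.
%% 2017-09-25 14:01:06.795 ; [LDBG] ; [15308] ; LAN ; test1 ; 2 ; OAsxGF9A ; Send message attribute list:
Code = 2
User-Name(1) = test1
hw-User-Group(140) = 2
"""

# Assumed line shapes, derived from the page's dumps.
PORTAL_HDR = re.compile(
    r"^\S+ \S+\[.*\](?P<uip>\d+\.\d+\.\d+\.\d+) ; (?P<ptype>[A-Z_]+)\((?P<code>\d+)\) ; (?P<serial>\d+) ;")
PORTAL_FIELD = re.compile(r"^(?P<name>[A-Za-z ]+):(?P<val>.*)$")
RADIUS_HDR = re.compile(
    r"^%% \S+ \S+ ; \[LDBG\] ; \[\d+\] ; \S+ ; (?P<user>\S+) ; (?P<code>\d+) ;")
RADIUS_ATTR = re.compile(r"^(?P<name>[\w-]+)\((?P<id>\d+)\) = (?P<val>.*?)\.?$")


@dataclass
class Msg:
    code: int                       # Portal packet type or RADIUS code
    ident: str                      # user IP (Portal) or user name (RADIUS)
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_portal(text: str) -> List[Msg]:
    """One Msg per Portal header line; following 'Name:value' lines attach to it."""
    msgs: List[Msg] = []
    for line in text.splitlines():
        m = PORTAL_HDR.match(line)
        if m:
            msgs.append(Msg(int(m["code"]), m["uip"]))
            continue
        f = PORTAL_FIELD.match(line)
        if f and msgs:
            msgs[-1].attrs[f["name"].strip()] = f["val"].strip()
    return msgs


def parse_radius(text: str) -> List[Msg]:
    """One Msg per '%%' header line; 'Name(id) = value.' lines attach to it."""
    msgs: List[Msg] = []
    for line in text.splitlines():
        m = RADIUS_HDR.match(line)
        if m:
            msgs.append(Msg(int(m["code"]), m["user"]))
            continue
        a = RADIUS_ATTR.match(line)
        if a and msgs:
            msgs[-1].attrs[a["name"]] = a["val"].strip('"')
    return msgs


def decode_ip(val: str) -> str:
    """RADIUS IPv4 attributes are logged as a 32-bit integer; return dotted quad."""
    return str(ipaddress.IPv4Address(int(val)))


def analyse(portal_text: str = PORTAL_LOG, radius_text: str = RADIUS_LOG) -> List[str]:
    """Return one finding per user whose accept carried hw-User-Group but who was
    logged out with 'Failed to set user rule' and never sent accounting."""
    portal = parse_portal(portal_text)
    radius = parse_radius(radius_text)
    # Join key: user name -> user IP from the Access-Request's Framed-IP-Address.
    user_ip = {m.ident: decode_ip(m.attrs["Framed-IP-Address"])
               for m in radius if m.code == 1 and "Framed-IP-Address" in m.attrs}
    users_with_acct = {m.ident for m in radius if m.code == 4}
    findings: List[str] = []
    for acc in (m for m in radius if m.code == 2):
        group = acc.attrs.get("hw-User-Group")
        ip = user_ip.get(acc.ident)
        logout = next((p for p in portal if p.code == 8 and p.ident == ip
                       and "Failed to set user rule" in p.attrs.get("Text Info", "")), None)
        if group is not None and logout is not None and acc.ident not in users_with_acct:
            findings.append(
                f"{acc.ident}@{ip}: Access-Accept carried hw-User-Group={group}; NAS answered "
                f"NTF_LOGOUT 'Failed to set user rule' and sent no Accounting-Request; "
                f"verify user-group {group} is configured on the NAS")
    return findings


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

The join through Framed-IP-Address matters in practice: the Portal log identifies the session by user IP, the RADIUS log by user name, and only the decoded integer attribute ties the two together. The same decoding applies to NAS-IP-Address, which here resolves to the Portal device address seen in the Portal header lines.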