Over the past two days I have been testing remote telnet login user authentication on an H3C S3100V2-EI switch against ACS 5.2, and I have run into a rather tricky problem. The key issue is that I don't know how ACS should be configured for the AAA authentication.
I watched 明教教主's ACS videos earlier, but they weren't much help, since all the devices used were Cisco. I saw older articles online saying that the ACS 4.x series can handle this authentication, so I kept plugging away at it.
Device: H3C S3100V2-SI; RADIUS server: ACS 5.2 (virtual machine)
Current configuration:
```
version 5.20, Release 5103P01
#
sysname H3C
#
super authentication-mode scheme
#
domain default enable test
#
telnet server enable
#
vlan 1
#
hwtacacs scheme test
primary authentication 172.38.0.219
primary authorization 172.38.0.219
primary accounting 172.38.0.219
key authentication cipher UXbCHBX4Rsw=
key authorization cipher UXbCHBX4Rsw=
key accounting cipher UXbCHBX4Rsw=
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
domain test
authentication login hwtacacs-scheme test
authorization login hwtacacs-scheme test
accounting login none
authentication super hwtacacs-scheme test
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
interface NULL0
#
interface Vlan-interface1
ip address 172.38.0.218 255.255.255.0
#
user-interface vty 0 4
authentication-mode scheme
protocol inbound telnet
```
Right now, telnet login works without problems and I get into the device normally, but the privilege level is 0, and I have to use super 3 to switch the user level. That is where it fails.
In ACS 4.x, the advanced TACACS+ attributes include a max-exec-privilege setting that can be set to level-3, but in ACS 5.2 I don't know how to do this authorization!
The debug output is as follows:
```
<H3C>
*Apr 27 10:09:49:755 2000 H3C TAC/7/Event: Create HWTACACS authentication request packet success
*Apr 27 10:09:49:876 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Apr 27 10:09:49:967 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=30 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=test PortName=vty0 RemAddress=172.38.0.215
UserMsg= DataMsg=
*Apr 27 10:09:50:268 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Apr 27 10:09:50:359 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=30 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=test PortName=vty0 RemAddress=172.38.0.215
UserMsg= DataMsg=
*Apr 27 10:09:50:660 2000 H3C TAC/7/Event: Successfully found the FIB information for the server (Server IP: 172.38.0.219, VPN index: 0).
*Apr 27 10:09:50:831 2000 H3C TAC/7/Event: Got nas-ip 172.38.0.218 and VPN 0 of server 172.38.0.219.
*Apr 27 10:09:50:952 2000 H3C TAC/7/Event: Successfully set socket VPN attribute (VPN index: 0).
*Apr 27 10:09:51:073 2000 H3C TAC/7/Event:
hwtacacs create new session :
session id: 18172, user id: 30, server ip: 172.38.0.219
*Apr 27 10:09:51:254 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:46fc length:28
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_LOGIN
user len:4 port len:4 rem_addr len:12 data len:0
user name:test port:vty0 rem_addr:172.38.0.215 data:
*Apr 27 10:09:51:675 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Apr 27 10:09:51:806 2000 H3C TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:01 flag:00 session id:18172 length:28
*Apr 27 10:09:51:997 2000 H3C TAC/7/Event: Authentication sending(Result = 0)
*Apr 27 10:09:52:088 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:46fc length:16
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO
server_msg len:10 data len:0
server_msg:password: data:
*Apr 27 10:09:52:399 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x5
*Apr 27 10:09:52:520 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_CONTINUE
seq_no:3 flag:ENCRYPTED_FLAG
session_id:46fc length:11
user_msg len:****** data len:0 flag:0
user_msg:******
data:
*Apr 27 10:09:52:771 2000 H3C TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:03 flag:00 session id:18172 length:11
*Apr 27 10:09:53:560 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Apr 27 10:09:53:768 2000 H3C TAC/7/Event: Authentication sending(Result = 0)
*Apr 27 10:09:53:859 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:4 flag:ENCRYPTED_FLAG
session_id:46fc length:6
status:AUTHEN_STATUS_PASS flag:REPLY_FLAG_ECHO
server_msg len:0 data len:0
server_msg: data:
#Apr 27 10:09:54:150 2000 H3C SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1<hh3cLogIn>:test login from VTY
%Apr 27 10:09:54:295 2000 H3C SHELL/5/SHELL_LOGIN: test logged in from 172.38.0.215.
*Apr 27 10:09:54:401 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
*Apr 27 10:09:54:492 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
ulUserID=30
ucTACTemplateNO=0
ucflag=1
Echo=0
ServerMsg=
*Apr 27 10:09:54:663 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x1
*Apr 27 10:09:54:784 2000 H3C TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 18172, user id: 30, server ip: 172.38.0.219
*Apr 27 10:09:55:005 2000 H3C TAC/7/Event: Tac receive 6 message, but cannot find according session.
*Apr 27 10:09:55:126 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Apr 27 10:09:55:217 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=30 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
PrivLevel=0 TemplateNum=0 ArgNum=2
UserName=test PortName=vty0
Service=shell Protocol=cmd* RemAddress=172.38.0.215
*Apr 27 10:09:55:548 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Apr 27 10:09:55:646 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=30 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
PrivLevel=0 TemplateNum=0 ArgNum=2
UserName=test PortName=vty0
Service=shell Protocol=cmd* RemAddress=172.38.0.215
*Apr 27 10:09:55:978 2000 H3C TAC/7/Event: Successfully found the FIB information for the server (Server IP: 172.38.0.219, VPN index: 0).
*Apr 27 10:09:56:186 2000 H3C TAC/7/Event: Got nas-ip 172.38.0.218 and VPN 0 of server 172.38.0.219.
*Apr 27 10:09:56:307 2000 H3C TAC/7/Event: Successfully set socket VPN attribute (VPN index: 0).
*Apr 27 10:09:56:428 2000 H3C TAC/7/Event:
hwtacacs create new session :
session id: 2242, user id: 30, server ip: 172.38.0.219
*Apr 27 10:09:56:599 2000 H3C TAC/7/Event:
version:c0 type:AUTHOR_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:8c2 length:47
authen_method:AUTHEN_METH_PLUS priv_lvl:VISIT
authen_type:AUTHEN_TYPE_ASCII authen_service:AUTHEN_SVC_LOGIN
user len:4 port len:4 rem_addr len:12
arg_cnt:2
arg1 len:13 arg2 len:4
user:test port:vty0 rem_addr:172.38.0.215
arg1 :service=shell arg2 :cmd*
*Apr 27 10:09:57:101 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 1,packet flag:0xff
*Apr 27 10:09:57:232 2000 H3C TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:02 sequence:01 flag:00 session id:2242 length:47
*Apr 27 10:09:57:423 2000 H3C TAC/7/Event: Authorization sending(Result = 0)
*Apr 27 10:09:57:516 2000 H3C TAC/7/Event:
version:c0 type:AUTHOR_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:8c2 length:6
status:AUTHOR_STATUS_PASS_ADD
server_msg len:0 data len:0
arg_cnt:0
server_msg:
data:
*Apr 27 10:09:57:797 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
*Apr 27 10:09:57:888 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
AuthorType=4 DataMsg=
Acl=0 Timeout=0 PrivLevel=0 NoHangup=0
AutoExec= ServerMsg=
*Apr 27 10:09:58:090 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 1,packet flag:0x1
*Apr 27 10:09:58:245 2000 H3C TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 2242, user id: 30, server ip: 172.38.0.219
*Apr 27 10:09:58:456 2000 H3C TAC/7/Event: Tac receive 6 message, but cannot find according session.
```
super password authentication (user level switch)
```
*Apr 27 10:11:18:653 2000 H3C AAA/7/Event: UserID=0xffffffff,Service-type=0x6000 Authen-req (AccessHandle = 1, AccessID = 1).
*Apr 27 10:11:18:804 2000 H3C AAA/7/Event:
[AAA_UserName , 1, test]
[AAA_UserPassword , 2, ******]
[AAA_Service , 4, 24585]
[AAA_AccessUserType , 80, 11]
[AAA_AuthType , 82, 1]
[AAA_Privilege , 52, 3]
[AAA_UserIPAddress
*Apr 27 10:11:19:501 2000 H3C AAA/7/Event: , 6, 172.38.0.215]
*Apr 27 10:11:19:612 2000 H3C AAA/7/Event: UserID=0xffffffff,Service-type=0x6009 Failed to get domain name. It will use default domain.
*Apr 27 10:11:19:814 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009 Authen-req preprocess successfully. (AccessID = 1)
*Apr 27 10:11:20:048 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009 Send message to Tacacs
*Apr 27 10:11:20:169 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009 Authen-req: Dispatched message successfully.
*Apr 27 10:11:20:319 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009
Access-Handle= 1, Access-UserID= 1
Cur-AAA-Req = 1, Cur-AAA-State= 1
If-Replied = 1, Cur-Req-ID = 14
*Apr 27 10:11:20:590 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Apr 27 10:11:20:681 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=31 PacketType=3 AuthenType=1
AuthenService=2 PrivLevel=3 Version=c0 TemplateNum=0
UserName=test PortName= RemAddress=async
UserMsg= DataMsg=
*Apr 27 10:11:20:972 2000 H3C TAC/7/Event: Successfully found the FIB information for the server (Server IP: 172.38.0.219, VPN index: 0).
*Apr 27 10:11:21:143 2000 H3C TAC/7/Event: Got nas-ip 172.38.0.218 and VPN 0 of server 172.38.0.219.
*Apr 27 10:11:21:264 2000 H3C TAC/7/Event: Successfully set socket VPN attribute (VPN index: 0).
*Apr 27 10:11:21:385 2000 H3C TAC/7/Event:
hwtacacs create new session :
session id: 19081, user id: 31, server ip: 172.38.0.219
*Apr 27 10:11:21:566 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:4a89 length:17
action:AUTHEN_LOGIN priv_lvl:MANAGE authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_ENABLE
user len:4 port len:0 rem_addr len:5 data len:0
user name:test port: rem_addr:async data:
*Apr 27 10:11:22:019 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Apr 27 10:11:22:244 2000 H3C TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:01 flag:00 session id:19081 length:17
*Apr 27 10:11:22:435 2000 H3C TAC/7/Event: Authentication sending(Result = 0)
*Apr 27 10:11:22:526 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:4a89 length:16
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO
server_msg len:10 data len:0
server_msg:password: data:
*Apr 27 10:11:22:837 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x5
*Apr 27 10:11:23:028 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_CONTINUE
seq_no:3 flag:ENCRYPTED_FLAG
session_id:4a89 length:11
user_msg len:****** data len:0 flag:0
user_msg:******
data:
*Apr 27 10:11:23:281 2000 H3C TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:03 flag:00 session id:19081 length:11
*Apr 27 10:11:23:472 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Apr 27 10:11:23:603 2000 H3C TAC/7/Event: Authentication sending(Result = 0)
*Apr 27 10:11:23:696 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:4 flag:ENCRYPTED_FLAG
session_id:4a89 length:6
status:AUTHEN_STATUS_FAIL flag:REPLY_FLAG_ECHO
server_msg len:0 data len:0
server_msg: data:
*Apr 27 10:11:23:987 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
*Apr 27 10:11:24:078 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
ulUserID=31
ucTACTemplateNO=0
ucflag=2
Echo=0
ServerMsg=
*Apr 27 10:11:24:249 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009 Authen-resp (ReqID = 14, AAAMsgType = 5).
*Apr 27 10:11:24:438 2000 H3C AAA/7/Event:
[AAA_NoEcho , 68, bool_false]
[AAA_AAAUserID , 78, 31]
[AAA_FailCode , 86, 10]
*Apr 27 10:11:24:789 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009
Access-Handle= 1, Access-UserID= 1
Cur-AAA-Req = 1, Cur-AAA-State= 1
If-Replied = 1, Cur-Req-ID = 14
*Apr 27 10:11:25:060 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009 Authen-resp: Send message to access.
*Apr 27 10:11:25:201 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x2
*Apr 27 10:11:25:322 2000 H3C TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 19081, user id: 31, server ip: 172.38.0.219
*Apr 27 10:11:25:542 2000 H3C TAC/7/Event: Tac receive 6 message, but cannot find according session.
*Apr 27 10:11:25:663 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009 Release-Req.
*Apr 27 10:11:25:774 2000 H3C AAA/7/Event: UserID=0x1f,Service-type=0x6009
Access-Handle= 1, Access-UserID= 1
Cur-AAA-Req = 1, Cur-AAA-State= 2
If-Replied = 0, Cur-Req-ID = 14
```
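As an added example (not code from the poster, H3C or ACS), the following Python script reads the decoded packet lines of the switch's hwtacacs debug output above and pairs each request with its final reply, so the two findings buried in the trace stand out: the AUTHOR_REPLY is PASS_ADD with arg_cnt 0 (the server returned no priv-lvl, so the user stays at VISIT/level 0), and the enable-service authentication for priv_lvl MANAGE ends in FAIL. The DEBUG_LOG excerpt is constructed from the post's trace with the timestamp headers trimmed; the parser also tolerates them if they are left in.

```python
import re

# Constructed excerpt: the decoded packet lines of the post's "debugging hwtacacs"
# output (timestamp headers trimmed); a packet starts at each 'version:' line.
DEBUG_LOG = """\
version:c0 type:AUTHEN_REQUEST
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_LOGIN
version:c0 type:AUTHEN_REPLY
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO
version:c0 type:AUTHEN_REPLY
status:AUTHEN_STATUS_PASS flag:REPLY_FLAG_ECHO
version:c0 type:AUTHOR_REQUEST
authen_method:AUTHEN_METH_PLUS priv_lvl:VISIT
version:c0 type:AUTHOR_REPLY
status:AUTHOR_STATUS_PASS_ADD
arg_cnt:0
version:c0 type:AUTHEN_REQUEST
action:AUTHEN_LOGIN priv_lvl:MANAGE authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_ENABLE
version:c0 type:AUTHEN_REPLY
status:AUTHEN_STATUS_FAIL flag:REPLY_FLAG_ECHO
"""
FIELD = re.compile(r"(\w+):(\S+)")   # key:value pairs as printed by the switch

def parse_packets(log):
    """One dict per TACACS+ packet; fields from later lines are merged in."""
    packets = []
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if "version" in fields:
            packets.append({})
        if packets:
            packets[-1].update(fields)
    return packets

def diagnose(log):
    """Pair each request with its final reply and explain the privilege outcome."""
    findings, request = [], {}
    for p in parse_packets(log):
        kind, status = p.get("type", ""), p.get("status", "")
        if kind.endswith("_REQUEST"):
            request = p                        # remember what was asked for
        elif kind == "AUTHOR_REPLY" and p.get("arg_cnt") == "0":
            findings.append("%s carried no attributes: no priv-lvl, user stays at %s"
                            % (status, request.get("priv_lvl")))
        elif kind == "AUTHEN_REPLY" and status.endswith(("_PASS", "_FAIL")):
            # GETPASS replies are only password prompts and are skipped here
            findings.append("%s at priv_lvl %s: %s" % (request.get("service"),
                            request.get("priv_lvl"), status.rsplit("_", 1)[1]))
    return findings
```

Run `diagnose(DEBUG_LOG)` to get the three findings in trace order; an AUTHOR_REPLY that did carry a priv-lvl attribute would show arg_cnt greater than 0 and would not be flagged.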