ME60 strict RADIUS attribute checking prevents users from being forced offline
Problem description
Troubleshooting process
Output of debug radius all:
<XZ-DX-BAS-1.MAN.ME60>disp access-user username 35091128265
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
65549 35091128265 GE1/0/1.20 - a857-4e48-8fcf
202/- - PPPoE
------------------------------------------------------------------------------
Normal users : 1
RUI Local users : 0
RUI Remote users : 0
Total users : 1
<XZ-DX-BAS-1.MAN.ME60>
Jul 28 2015 11:28:39.140.1+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:
Radius Received a Packet
Server Template: 0
Server IP : 219.149.150.9
NAS IP : 59.48.70.30
Vpn-Instance: -
Server Port : 1812
NAS Port : 3799
Protocol: Standard
Code : disconnect request
Len : 74
ID : 248
[User-Name(1) ] [13] [35091128265]
[Framed-IP-Address(8) ] [6 ] [255.255.255.255]
[Acct-Session-Id(44) ] [35] [XZ-DX-B010010202000004dff9a065549]
<XZ-DX-BAS-1.MAN.ME60>
Jul 28 2015 11:28:39.140.2+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:
Radius Sent a Packet
Server IP : 219.149.150.9
NAS IP : 59.48.70.30
Vpn-Instance: -
Server Port : 1812
NAS Port : 3799
Protocol: Standard
Code : disconnect nak
Len : 80
ID : 248
[User-Name(1) ] [13] [35091128265]
[Framed-IP-Address(8) ] [6 ] [255.255.255.255]
[Acct-Session-Id(44) ] [35] [XZ-DX-B010010202000004dff9a065549]
[Error-Cause(101) ] [6 ] [404] [Invalid Request]
A user who can be forced offline successfully:
<XZ-DX-BAS-1.MAN.ME60>
Jul 28 2015 11:41:20.310.1+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:
Radius Received a Packet
Server Template: 0
Server IP : 219.149.150.9
NAS IP : 59.48.70.30
Vpn-Instance: -
Server Port : 1812
NAS Port : 3799
Protocol: Standard
Code : disconnect request
Len : 77
ID : 108
[User-Name(1) ] [16] [n03503322000lb]
[Framed-IP-Address(8) ] [6 ] [10.1.19.116]
[Acct-Session-Id(44) ] [35] [XZ-DX-B02201227401119945c04000310]
<XZ-DX-BAS-1.MAN.ME60>
Jul 28 2015 11:41:20.310.2+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:
Radius Sent a Packet
Server IP : 219.149.150.9
NAS IP : 59.48.70.30
Vpn-Instance: -
Server Port : 1812
NAS Port : 3799
Protocol: Standard
Code : disconnect ack
Len : 99
ID : 108
[User-Name(1) ] [16] [n03503322000lb]
[Framed-IP-Address(8) ] [6 ] [10.1.19.116]
[Acct-Session-Id(44) ] [35] [XZ-DX-B02201227401119945c04000310]
[NAS-Identifier(32) ] [22] [XZ-DX-BAS-1.MAN.ME60]
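Comparing the two captures: after receiving the disconnect request, the ME60 replied with a disconnect nak instead of the normal disconnect ack. A further comparison shows that the user IP (Framed-IP-Address) the ME60 received was 255.255.255.255 rather than the user's normal IP address.
Root cause
The ME60 applies a strict check: if the IP address carried in the DM (Disconnect Message) does not match the address held locally, the ME60 treats the DM as invalid and replies with error 404.
Solution
Add a new RADIUS server group, disable the Framed-IP-Address attribute in it, and then bind that server group to the authorization server: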
radius-server group fo
radius-server attribute translate
radius-attribute disable Framed-IP-Address IP 255.255.255.255 receive
radius-server authorization x.x.x.x shared-key xxxxxx server-group fo ----- associate the server-group with the authorization server
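The strict check described under Root cause, modeled as an added Python example (not Huawei's code and not part of the original page): a Disconnect-Request is encoded and authenticated as RFC 5176 specifies, then matched against a local session table. The shared secret, the session table layout and the rule that any mismatching identification attribute yields Error-Cause 404 are assumptions; the user names, session IDs and addresses come from the debug output above.

```python
import hashlib, hmac, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, FRAMED_IP, ACCT_SESSION_ID = 1, 8, 44  # attribute types
INVALID_REQUEST, SESSION_NOT_FOUND = 404, 503  # Error-Cause (101) values

def _auth(head, body, secret):
    # Request Authenticator: MD5(Code+ID+Length + 16 zero octets + attrs + secret)
    return hashlib.md5(head + bytes(16) + body + secret).digest()

def build_request(ident, attrs, secret):
    """Encode a Disconnect-Request from (type, value-bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return head + _auth(head, body, secret) + body

def parse_attrs(body):
    """Walk the type-length-value attributes that follow the 20-byte header."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def handle_dm(packet, secret, sessions):
    # sessions: Acct-Session-Id bytes -> (user bytes, IPv4 string or None).
    # Assumed strict rule: every identification attribute present must match.
    if len(packet) < 20:
        return None, None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    good = hmac.compare_digest(_auth(packet[:4], packet[20:], secret), packet[4:20])
    if code != DISCONNECT_REQUEST or length != len(packet) or not good:
        return None, None  # unauthenticated or malformed: drop without a reply
    attrs = parse_attrs(packet[20:])
    sess = sessions.get(attrs.get(ACCT_SESSION_ID))
    if sess is None:
        return DISCONNECT_NAK, SESSION_NOT_FOUND
    local_ip = socket.inet_aton(sess[1]) if sess[1] else None
    if attrs.get(USER_NAME, sess[0]) != sess[0]:
        return DISCONNECT_NAK, INVALID_REQUEST
    if FRAMED_IP in attrs and attrs[FRAMED_IP] != local_ip:
        return DISCONNECT_NAK, INVALID_REQUEST  # 255.255.255.255 lands here
    return DISCONNECT_ACK, None

SECRET = b"constructed-secret"  # constructed; not a value from the page
# Constructed session table for the two users in the debug output
SESSIONS = {b"XZ-DX-B010010202000004dff9a065549": (b"35091128265", None),
            b"XZ-DX-B02201227401119945c04000310": (b"n03503322000lb", "10.1.19.116")}
```

Passing the output of build_request to handle_dm reproduces both exchanges: the first user's request (74 bytes, Framed-IP-Address 255.255.255.255) is NAKed with 404, and the same request without Framed-IP-Address, which is the effect of the workaround, is ACKed.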
Please keep the source when reposting: www.zh-cjh.com 珠海陈坚浩博客 » ME60 strict RADIUS attribute checking prevents users from being forced offline
Author: site editor