AAA faults and debugging
When configuring AAA on a router, debugging is indispensable during the configuration phase for checking whether authentication takes place at all and how authentication, authorization and accounting are behaving; when a fault occurs, the debug output makes it much easier to pinpoint where things went wrong.
1. The debug aaa authentication command
Use the debug aaa authentication command to trace an EXEC login. In this example the method list named rongxin is applied with the TACACS+ authentication protocol; the system prompts for the username and password by sending GETUSER and GETPASS, and the session finally passes authentication (PASS).
Router# debug aaa authentication
AAA Authentication debugging is on
Router#
*Mar 1 01:34:40.819: AAA/BIND(00000015): Bind i/f
*Mar 1 01:34:40.827: AAA/AUTHEN/LOGIN (00000015): Pick method list 'rongxin'
*Mar 1 01:34:52.903: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar 1 01:34:52.903: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar 1 01:34:52.907: AAA/MEMORY: create_user (0x64DE58AC) user='user1' ruser='NULL' ds0=0 port='tty130'
rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 01:34:52.911: AAA/AUTHEN/START (1579679647): port='tty130' list='rongxin' action=LOGIN service=ENABLE
*Mar 1 01:34:52.915: AAA/AUTHEN/START (1579679647): non-console enable - default to enable password
*Mar 1 01:34:52.919: AAA/AUTHEN/START (1579679647): Method=ENABLE
*Mar 1 01:34:52.919: AAA/AUTHEN(1579679647): Status=GETPASS
*Mar 1 01:34:54.627: AAA/AUTHEN/CONT (1579679647): continue_login (user='(undef)')
*Mar 1 01:34:54.631: AAA/AUTHEN(1579679647): Status=GETPASS
*Mar 1 01:34:54.631: AAA/AUTHEN/CONT (1579679647): Method=ENABLE
*Mar 1 01:34:54.703: AAA/AUTHEN(1579679647): Status=PASS
*Mar 1 01:34:54.703: AAA/MEMORY: free_user (0x64DE58AC) user='NULL' ruser='NULL' port='tty130'
rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
2. The debug aaa authorization command
Use the debug aaa authorization command to trace authorization: the attribute values for the user named "user1" are authorized, and finally the port authorization succeeds.
Router# debug aaa authorization
AAA Authorization debugging is on
Router#
*Mar 1 01:35:18.427: AAA/BIND(00000016): Bind i/f
*Mar 1 01:35:25.463: AAA/AUTHOR (0x16): Pick method list 'rongxin'
*Mar 1 01:35:25.939: AAA/AUTHOR/EXEC(00000016): processing AV cmd=
*Mar 1 01:35:25.939: AAA/AUTHOR/EXEC(00000016): Authorization successful
*Mar 1 01:35:30.567: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar 1 01:35:30.571: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar 1 01:35:30.575: AAA/MEMORY: create_user (0x644CD260) user='user1' ruser='NULL' ds0=0 port='tty130'
rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 01:35:32.279: AAA/MEMORY: free_user (0x644CD260) user='NULL' ruser='NULL' port='tty130'
rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
3. The debug aaa accounting command
Use the debug aaa accounting command to trace accounting: CALL START and CALL STOP mark the start and end of the billed interval. For more detail at the protocol level use debug tacacs and debug radius; the accounting records themselves can be viewed with show accounting.
Router# debug aaa accounting
AAA Accounting debugging is on
Router#
*Mar 1 01:36:18.267: AAA/ACCT/EVENT/(00000017): CALL START
*Mar 1 01:36:18.267: Getting session id for NET(00000017) : db=64E2D51C
*Mar 1 01:36:18.271: AAA/ACCT(00000000): add node, session 20
*Mar 1 01:36:18.271: AAA/ACCT/NET(00000017): add, count 1
*Mar 1 01:36:18.275: Getting session id for NONE(00000017) : db=64E2D51C
*Mar 1 01:36:24.903: AAA/ACCT/EXEC(00000017): Pick method list 'rongxin'
*Mar 1 01:36:24.907: AAA/ACCT/SETMLIST(00000017): Handle 29000006, mlist 642D96E0, Name rongxin
*Mar 1 01:36:24.911: Getting session id for EXEC(00000017) : db=64E2D51C
*Mar 1 01:36:24.911: AAA/ACCT(00000017): add common node to avl failed
*Mar 1 01:36:24.915: AAA/ACCT/EXEC(00000017): add, count 2
*Mar 1 01:36:24.919: AAA/ACCT/EVENT/(00000017): EXEC UP
*Mar 1 01:36:24.919: AAA/ACCT/EXEC(00000017): Queueing record is START
*Mar 1 01:36:24.931: AAA/ACCT(00000017): Accouting method=tacacs+ (TACACS+)
*Mar 1 01:36:25.299: AAA/ACCT/EXEC(00000017): START protocol reply PASS
*Mar 1 01:36:25.299: AAA/ACCT(00000017): Send START accounting notification to EM successfully
*Mar 1 01:36:31.363: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar 1 01:36:31.363: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar 1 01:36:31.367: AAA/MEMORY: create_user (0x644CD260) user='user1' ruser='NULL' ds0=0 port='tty130'
rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 01:36:34.211: AAA/MEMORY: free_user (0x644CD260) user='NULL' ruser='NULL' port='tty130'
rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
*Mar 1 01:36:44.431: unknown AAA/DISC: 1/"User Request"
*Mar 1 01:36:44.431: unknown AAA/DISC/EXT: 1020/"User Request"
*Mar 1 01:36:44.435: AAA/ACCT/EXEC(00000017): Pick method list 'rongxin'
*Mar 1 01:36:44.435: AAA/ACCT/SETMLIST(00000017): Handle 29000006, mlist 642D96E0, Name rongxin
*Mar 1 01:36:44.451: AAA/ACCT/EVENT/(00000017): CALL STOP
*Mar 1 01:36:44.451: AAA/ACCT/CALL STOP(00000017): Sending stop requests
*Mar 1 01:36:44.451: AAA/ACCT(00000017): Send all stops
*Mar 1 01:36:44.455: AAA/ACCT/EXEC(00000017): STOP
*Mar 1 01:36:44.459: AAA/ACCT/EXEC(00000017): Queueing record is STOP osr 1
*Mar 1 01:36:44.459: AAA/ACCT/NET(00000017): STOP
*Mar 1 01:36:44.463: AAA/ACCT/NET(00000017): Method list not found
*Mar 1 01:36:44.463: AAA/ACCT/NET(00000017): free_rec, count 1
*Mar 1 01:36:44.467: AAA/ACCT/NET(00000017) reccnt 1, csr TRUE, osr 1
*Mar 1 01:36:44.471: AAA/ACCT(00000017): Accouting method=tacacs+ (TACACS+)
*Mar 1 01:36:44.859: AAA/ACCT/EXEC(00000017): STOP protocol reply PASS
*Mar 1 01:36:44.863: AAA/ACCT(00000017): Send STOP accounting notification to EM successfully
*Mar 1 01:36:44.867: AAA/ACCT/EXEC(00000017): Cleaning up from Callback osr 0
*Mar 1 01:36:44.867: AAA/ACCT(00000017): del node, session 20
*Mar 1 01:36:44.871: AAA/ACCT/EXEC(00000017): free_rec, count 0
*Mar 1 01:36:44.871: AAA/ACCT/EXEC(00000017) reccnt 0, csr TRUE, osr 0
*Mar 1 01:36:44.875: AAA/ACCT/EXEC(00000017): Last rec in db, intf not enqueued
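When reading the three traces above it helps to pull out, per AAA session id, the phase (AUTHEN, AUTHOR, ACCT), the Status= values in order, the server verdict on START/STOP records, and the two messages a reviewer should not skip past: "default to enable password" (enable authentication handled locally, Method=ENABLE) and "Method list not found" (an accounting record with no method list). The parser below is an added example, not part of the original article or of IOS; the sample lines are constructed in the style of the page's output and the session ids, tty and list name are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the page's 'debug aaa ...' traces; the
# values (session ids, tty, list name) are illustrative, not a real capture.
SAMPLE = """\
*Mar 1 01:34:52.915: AAA/AUTHEN/START (1579679647): non-console enable - default to enable password
*Mar 1 01:34:52.919: AAA/AUTHEN/START (1579679647): Method=ENABLE
*Mar 1 01:34:52.919: AAA/AUTHEN(1579679647): Status=GETPASS
*Mar 1 01:34:54.703: AAA/AUTHEN(1579679647): Status=PASS
*Mar 1 01:35:25.939: AAA/AUTHOR/EXEC(00000016): Authorization successful
*Mar 1 01:36:25.299: AAA/ACCT/EXEC(00000017): START protocol reply PASS
*Mar 1 01:36:44.463: AAA/ACCT/NET(00000017): Method list not found
*Mar 1 01:36:44.859: AAA/ACCT/EXEC(00000017): STOP protocol reply PASS
"""

# timestamp, AAA subsystem (AAA/AUTHEN, AAA/AUTHOR/EXEC, AAA/ACCT/NET ...), session id, message
LINE_RE = re.compile(
    r"^\*(?P<ts>\w+ +\d+ [\d:.]+): (?P<sub>AAA/[A-Z/ ]+?)\s*\((?P<sid>[^)]+)\):\s*(?P<msg>.*)$")

WARNINGS = {  # messages meaning the expected server path was not taken
    "default to enable password": "enable auth used the local enable password (Method=ENABLE), not the server",
    "Method list not found": "no accounting method list for this record type; nothing reaches the server",
}

def parse_line(line):
    """Return the fields of one debug line, or None for lines of another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    """Per AAA session id: its phase, the statuses seen in order, and any warnings."""
    sessions = defaultdict(lambda: {"phase": None, "status": [], "warnings": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions[ev["sid"]]
        s["phase"] = ev["sub"].split("/")[1]      # AUTHEN, AUTHOR or ACCT
        msg = ev["msg"]
        if msg.startswith("Status="):             # GETUSER / GETPASS / PASS / FAIL
            s["status"].append(msg.split("=", 1)[1])
        elif msg == "Authorization successful":
            s["status"].append("PASS")
        elif "protocol reply" in msg:             # START/STOP record and the server verdict
            s["status"].append(msg.split()[0] + ":" + msg.split()[-1])
        for needle, why in WARNINGS.items():
            if needle in msg:
                s["warnings"].append(why)
    return dict(sessions)
```

Feed summarize() the raw text of a debug capture; lines of other shapes (AAA/MEMORY, AAA: parse name=...) are skipped rather than misread.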