IOS每VRF RADIUS故障排除
简介
RADIUS被大量用作身份验证协议来对用户进行网络访问身份验证。更多管理员正在使用VPN路由和转发(VRF)分离其管理流量。 默认情况下,IOS®上的身份验证、授权和记帐(AAA)使用默认路由表来发送数据包。本指南介绍当RADIUS服务器在VRF中时如何配置RADIUS并排除故障。
先决条件
要求
Cisco 建议您了解以下主题:
-
RADIUS
-
VRF
-
AAA
使用的组件
本文档不限于特定的软件和硬件版本。
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
规则
有关文档规则的详细信息,请参阅 Cisco 技术提示规则。
功能信息
本质上,VRF是设备上的虚拟路由表。当IOS做出路由决策时,如果功能或接口使用VRF,则根据该VRF路由表做出路由决策。否则,该功能将使用全局路由表。考虑到这一点,以下是如何将RADIUS配置为使用VRF:
version 15.2 service config service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname vrfAAA ! boot-start-marker boot-end-marker ! aaa new-model ! aaa group server radius management server-private 192.0.2.4 key cisco server-private 192.0.2.5 key cisco ip vrf forwarding blue ip radius source-interface GigabitEthernet0/0 ! aaa authentication login default group management local aaa authorization exec default group management if-authenticated aaa accounting exec default start-stop group management ! aaa session-id common ! no ipv6 cef ! ip vrf blue ! no ip domain lookup ip cef ! interface GigabitEthernet0/0 ip vrf forwarding blue ip address 203.0.113.2 255.255.255.0 duplex auto speed auto ! interface GigabitEthernet0/1 no ip address shutdown duplex auto speed auto ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route vrf blue 0.0.0.0 0.0.0.0 203.0.113.1 ! line con 0 line aux 0 line vty 0 4 transport input all
如您所见,没有全局定义的RADIUS服务器。如果将服务器迁移到VRF,则可以安全地删除全局配置的RADIUS服务器。
故障排除方法
请完成以下步骤:
-
确保您在AAA组服务器下具有正确的IPVRF转发定义以及RADIUS流量的源接口。
-
检查您的VRF路由表,确保有到RADIUS服务器的路由。我们将使用上面的示例来显示VRF路由表:
vrfAAA#show ip route vrf blue Routing Table: blue Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 203.0.113.1 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 203.0.113.1 203.0.113.0/8 is variably subnetted, 2 subnets, 2 masks C 203.0.113.0/24 is directly connected, GigabitEthernet0/0 L 203.0.113.2/32 is directly connected, GigabitEthernet0/0 -
您能ping通RADIUS服务器吗?回想一下,这也需要特定于VRF:
vrfAAA#ping vrf blue 192.0.2.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.0.2.4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
-
您可以使用test aaa命令来验证连接(必须在末尾使用new-code选项;旧版将不起作用):
vrfAAA#test aaa group management cisco Cisco123 new-code User successfully authenticated USER ATTRIBUTES username "cisco"
如果路由已就位,并且您在RADIUS服务器上没有看到任何命中,请确保ACL允许udp端口1645/1646或udp端口1812/1813从路由器或交换机到达服务器。如果身份验证失败,请照常排除RADIUS故障。VRF功能仅用于数据包的路由。
数据分析
如果一切看起来都正确,aaa和radius debug命令可以启用,以便对问题进行故障排除。从以下debug命令开始:
-
debug radius
-
debug aaa authentication
以下是调试的示例,其中某项配置不正确,例如但不限于:
-
缺少RADIUS源接口
-
源接口或AAA组服务器下缺少IP VRF转发命令
-
在VRF路由表中没有到RADIUS服务器的路由
Aug 1 13:39:28.571: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default' Aug 1 13:39:28.571: RADIUS/ENCODE(00000000):Orig. component type = Invalid Aug 1 13:39:28.571: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off Aug 1 13:39:28.571: RADIUS(00000000): Config NAS IP: 203.0.113.2 Aug 1 13:39:28.571: RADIUS(00000000): Config NAS IPv6: :: Aug 1 13:39:28.571: RADIUS(00000000): sending Aug 1 13:39:28.575: RADIUS(00000000): Send Access-Request to 192.0.2.4:1645 id 1645/2, len 51 Aug 1 13:39:28.575: RADIUS: authenticator 12 C8 65 2A C5 48 B8 1F - 33 FA 38 59 9C 5F D3 3A Aug 1 13:39:28.575: RADIUS: User-Password [2] 18 * Aug 1 13:39:28.575: RADIUS: User-Name [1] 7 "cisco" Aug 1 13:39:28.575: RADIUS: NAS-IP-Address [4] 6 203.0.113.2 Aug 1 13:39:28.575: RADIUS(00000000): Sending a IPv4 Radius Packet Aug 1 13:39:28.575: RADIUS(00000000): Started 5 sec timeout Aug 1 13:39:32.959: RADIUS(00000000): Request timed out Aug 1 13:39:32.959: RADIUS: Retransmit to (192.0.2.4:1645,1646) for id 1645/2 Aug 1 13:39:32.959: RADIUS(00000000): Started 5 sec timeout Aug 1 13:39:37.823: RADIUS(00000000): Request timed out Aug 1 13:39:37.823: RADIUS: Retransmit to (192.0.2.4:1645,1646) for id 1645/2 Aug 1 13:39:37.823: RADIUS(00000000): Started 5 sec timeout Aug 1 13:39:42.199: RADIUS(00000000): Request timed out Aug 1 13:39:42.199: RADIUS: Retransmit to (192.0.2.4:1645,1646) for id 1645/2 Aug 1 13:39:42.199: RADIUS(00000000): Started 5 sec timeout Aug 1 13:39:47.127: RADIUS(00000000): Request timed out Aug 1 13:39:47.127: RADIUS: Fail-over to (192.0.2.5:1645,1646) for id 1645/2 Aug 1 13:39:47.127: RADIUS(00000000): Started 5 sec timeout Aug 1 13:39:51.927: RADIUS(00000000): Request timed out Aug 1 13:39:51.927: RADIUS: Retransmit to (192.0.2.5:1645,1646) for id 1645/2 Aug 1 13:39:51.927: RADIUS(00000000): Started 5 sec timeout Aug 1 13:39:56.663: RADIUS(00000000): Request timed out Aug 1 13:39:56.663: RADIUS: Retransmit to (192.0.2.5:1645,1646) for id 1645/2 Aug 1 13:39:56.663: RADIUS(00000000): Started 5 sec timeout Aug 1 13:40:01.527: RADIUS(00000000): Request timed out Aug 1 13:40:01.527: RADIUS: Retransmit to (192.0.2.5:1645,1646) for id 1645/2 Aug 1 13:40:01.527: RADIUS(00000000): Started 5 sec timeoutUser rejected
遗憾的是,使用RADIUS时,超时和缺少的路由之间没有区别。
以下是成功身份验证的示例:
Aug 1 13:35:51.791: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default' Aug 1 13:35:51.791: RADIUS/ENCODE(00000000):Orig. component type = Invalid Aug 1 13:35:51.791: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off Aug 1 13:35:51.791: RADIUS(00000000): Config NAS IP: 203.0.113.2 Aug 1 13:35:51.791: RADIUS(00000000): Config NAS IPv6: :: Aug 1 13:35:51.791: RADIUS(00000000): sending Aug 1 13:35:51.791: RADIUS(00000000): Send Access-Request to 192.0.2.4:1645 id 1645/1, len 51 Aug 1 13:35:51.791: RADIUS: authenticator F4 E3 00 93 3F B7 79 A9 - 2B DC 89 18 8D B9 FF 16 Aug 1 13:35:51.791: RADIUS: User-Password [2] 18 * Aug 1 13:35:51.791: RADIUS: User-Name [1] 7 "cisco" Aug 1 13:35:51.791: RADIUS: NAS-IP-Address [4] 6 203.0.113.2 Aug 1 13:35:51.791: RADIUS(00000000): Sending a IPv4 Radius Packet Aug 1 13:35:51.791: RADIUS(00000000): Started 5 sec timeout Aug 1 13:35:51.799: RADIUS: Received from id 1645/1 14.36.142.31:1645, Access-Accept, len 62 Aug 1 13:35:51.799: RADIUS: authenticator B0 0B AA FF B1 27 17 BD - 3F AD 22 30 C6 03 5C 2D Aug 1 13:35:51.799: RADIUS: User-Name [1] 7 "cisco" Aug 1 13:35:51.799: RADIUS: Class [25] 35 Aug 1 13:35:51.799: RADIUS: 43 41 43 53 3A 6A 65 64 75 62 6F 69 73 2D 61 63 [CACS:ACS1] Aug 1 13:35:51.799: RADIUS: 73 2D 35 33 2F 31 33 32 34 35 33 37 33 35 2F 33 [s-53/132453735/3] Aug 1 13:35:51.799: RADIUS: 38 [ 8] Aug 1 13:35:51.799: RADIUS(00000000): Received from id 1645/1.
常见问题
-
最常见的问题是配置问题。许多情况下,管理员将放入aaa组服务器,但不更新aaa行以指向服务器组。不是这样:
aaa authentication login default group management local aaa authorization exec default group management if-authenticated aaa accounting exec default start-stop group management
管理员将输入以下内容:
aaa authentication login default grout radius local aaa authorization exec default group radius if-authenticated aaa accounting exec default start-stop group radius
只需使用正确的服务器组更新配置。
-
第二个常见问题是,当用户尝试在服务器组下添加IP VRF转发时,会看到以下错误:
% Unknown command or computer name, or unable to find computer address
这表示找不到该命令。如果您看到此错误,请确保每个VRF RADIUS支持IOS版本。
相关信息
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
1.0 |
24-Aug-2012 |
初始版本 |
反馈