本页内容
AAA 测试和故障排除
AAA 配置测试和故障排除
订阅者管理支持测试功能,可让您检查订阅者的 AAA 配置。您可以使用测试功能验证用户的 AAA 设置,并帮助排除故障或隔离用户登录问题。AAA 测试过程创建一个伪会话,用于对订阅者进行身份验证,为订阅者分配地址,并发出记账起始数据包。然后,该进程发出会计停止请求,释放地址并终止伪会话。
AAA 测试结果提供了有关订阅者管理在登录期间分配给订阅者的属性的详细信息。这些属性可能由 RADIUS、动态配置文件、静态接口配置分配,也可以静态分配。您可以测试 DHCP、PPP 和 authd-lite 用户的 AAA 配置。对于 L2TP 客户端,AAA 测试过程会显示所有隧道参数,但不会创建实际的隧道会话。
注意:
这些 test aaa 命令支持所有源自 RADIUS 的属性,包括 IETF 标准属性和瞻博网络 VSA。收到的属性将显示在输出中。有关标准 RADIUS 属性的信息,请参阅 AAA 服务框架支持的 RADIUS IETF 属性。有关瞻博网络 VSA 的信息,请参阅 AAA 服务框架支持的瞻博网络 VSA。
注意:
这些 test aaa 命令不支持卷时计费(瞻博网络 VSA 26-69,值为 2)。如果为测试用户配置了卷时间计费, test 则命令会将统计信息替换为仅时间计费统计信息。
测试用户 AAA 配置
目的
显示订阅者管理在登录期间分配给订阅者的 AAA 属性。
以下示例测试 PPP 用户的 AAA 配置。您可以使用该 test aaa dhcp user 命令对 DHCP 订阅者执行类似的测试,也可以使用该 test aaa authd-lite user 命令测试 authd-lite 订阅者。
行动
user@host>test aaa ppp user user45@test.net password $ABC123
Authentication Grant
************User Attributes***********
User Name - user45@test.net
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
Virtual Router Name - default
Agent Remote Id - NULL
Reply Message - NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Primary DNS IPv6 Address - ::
Secondary DNS IPv6 Address - ::
Framed Pool - not set
Class Attribute - TEST
Service Type - 0
Client IPv6 Address - ::
Client IPv6 Mask - null
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - not-set
NDRA IPv6 Prefix - not-set
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - not-set
User Password - $ABC123
CHAP Password - NULL
Mac Address - 00:00:5E:00:53:ab
Idle Timeout - 600
Session Timeout - 6000
Service Name (1) - cos-service(video_sch, nc_sch)
Service Statistics (1) - 1
Service Acct Interim (1) - 600
Service Activation Type (1) - 1
Service Name (2) - filter-service(in_filter, out_filter)
Service Statistics (2) - 2
Service Acct Interim (2) - 900
Service Activation Type (2) - 1
Cos shaping rate - 100m
Filter Id - not set
Framed MTU - (null)
Framed Route - not set
Ingress Policy Name - not set
Egress Policy Name - not set
IGMP - disabled
Redirect VR Name - default
Service Bundle - Null
Framed Ip Route Tag - not set
Ignore DF Bit - disabled
IGMP Access Group Name - not set
IGMP Access Source Group Name - not set
MLD Access Group Name - not set
MLD Access Source Group Name - not set
IGMP Version - not set
MLD Version - not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Acct Session ID - 1
Acct Interim Interval - 750
Acct Type - 1
Ingress Statistics - disabled
Egress Statistics - disabled
Chargeable user identity - 0
NAS Port Id - -0/0/0.0
NAS Port - 4095
NAS Port Type - 15
Framed Protocol - 1
IPv4 ADF Rule - 010100
IPv4 ADF Rule - 010101
IPv6 ADF Rule - 030100
IPv6 ADF Rule - 030101
****Pausing 10 seconds before disconnecting the test user*********
Logging out subscriber
Terminate Id - not set
Test complete. Exiting
在支持 DSL 论坛代理远程 ID (VSA 26-2) 的网络中,您可以将该agent-remote-id ari选项与 和 命令一起使用test aaa dhcp usertest aaa ppp user以验证 DHCP 和 PPP 用户身份验证。
如果指定 DSL 论坛 Agent-Remote-Id,则输出将包含指定的值。如果未指定 VSA,则 Agent-Remote-Id 值显示为 NULL。
user@host>test aaa ppp user thomastank agent-remote-id “(202)555–1212”
Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
...
NAS Ip Address - 0.0.0.0
Agent Remote Id - (202)555–1212
...
以下示例显示了由于密码无效而导致身份验证授予失败时的输出:
user@host>test aaa ppp user user45@test.net password 55N33%%56
Authentication Deny
Reason : Access Denied
Received Attributes :
User Name - user45@test.net
Client IP Address - 0.0.0.0
Client IP Netmask - 0.0.0.0
Virtual Router Name - default
Agent Remote Id - NULL
Reply Message - NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Primary DNS IPv6 Address - ::
Secondary DNS IPv6 Address - ::
Framed Pool - not set
Class Attribute - not set
Service Type - 0
Client IPv6 Address - ::
Client IPv6 Mask - null
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - not-set
NDRA IPv6 Prefix - not-set
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - not-set
User Password - 55N33%%56
CHAP Password - NULL
Mac Address - 00:00:5E:00:53:ab
Filter Id - not set
Framed MTU - (null)
Framed Route - not set
Ingress Policy Name - not set
Egress Policy Name - not set
IGMP - disabled
Redirect VR Name - default
Service Bundle - Null
Framed Ip Route Tag - not set
Ignore DF Bit - disabled
IGMP Access Group Name - not set
IGMP Access Source Group Name - not set
MLD Access Group Name - not set
MLD Access Source Group Name - not set
IGMP Version - not set
MLD Version - not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Acct Session ID - 12
Acct Interim Interval - 0
Acct Type - 0
Ingress Statistics - disabled
Egress Statistics - disabled
Chargeable user identity - 0
NAS Port Id - -0/0/0.0
NAS Port - 4095
NAS Port Type - 15
Framed Protocol - 0
Test complete. Exiting
对于某些网络(例如,具有 VLAN-OOB 订阅者的第 2 层网络),RADIUS 配置为在客户端配置文件中使用客户端配置文件名称 VSA (26–174) 提供订阅者地址。在默认配置中,如果未直接从 RADIUS 接收用户地址,则测试将失败。要成功测试这些订阅者,必须包含该 no-address-request 选项。命令输出在动态配置文件字段中显示客户端配置文件名称,在路由实例字段中显示虚拟路由器 VSA (26-1) 传送的路由实例的名称。
user@host>test aaa ppp user thomastank no-address-request
Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 0.0.0.0
Client IP Netmask - 0.0.0.0
...
IPv6 Egress Policy Name - not set
Dynamic Profile- filter-service
Routing Instance - VR27fin
...
从 Junos OS 19.3R1 版开始,XML 输出格式已更改。每个 RADIUS 服务器属性名称都有一个关联的属性值。现在,每个对都由 <radius-server-data> 标记括起来。新标记可以更轻松地识别运算符和 API 客户端的名称/值对。
注意:
您可能需要更改任何使用 XML 输出的脚本才能使用新格式正常工作。
以下示例显示了旧格式示例 XML 输出的摘录:
user@host>test aaa ppp user user45@test.net password $ABC123 | display xml
<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<aaa-test-status>************User Attributes***********</aaa-test-status>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
<radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
<radius-server-attribute-value>default:default</radius-server-attribute-value>
<radius-server-attribute-name>Service Type -</radius-server-attribute-name>
<radius-server-attribute-value>Framed</radius-server-attribute-value>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value><not set></radius-server-attribute-value>
...
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
<cli>
<banner></banner>
</cli>
</rpc-reply>
以下示例显示了新格式的示例 XML 输出的摘录:
user@host>test aaa ppp user user45@test.net password $ABC123 | display xml
<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<aaa-test-status>************User Attributes***********</aaa-test-status>
<radius-server-data>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
<radius-server-attribute-value>default:default</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Service Type -</radius-server-attribute-name>
<radius-server-attribute-value>Framed</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value><not set></radius-server-attribute-value>
</radius-server-data>
...
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
<cli>
<banner></banner>
</cli>
</rpc-reply>
变更历史表
是否支持某项功能取决于您使用的平台和版本。使用 功能资源管理器 确定您的平台是否支持某个功能。
发布
描述
19.3R1
从 Junos OS 19.3R1 版开始,XML 输出格式已更改。