AAA Testing and Troubleshooting
Testing and Troubleshooting AAA Configurations
Subscriber management supports a test feature that enables you to check the AAA configuration for a subscriber. You can use it to verify a subscriber's AAA settings and to help troubleshoot or isolate subscriber login problems. The AAA test process creates a pseudo session that authenticates the subscriber, assigns an address to the subscriber, and sends an accounting start packet. The process then sends an accounting stop request, releases the address, and terminates the pseudo session.
The AAA test results provide detailed information about the attributes that subscriber management assigns to the subscriber during login. Attributes can be assigned by RADIUS, by dynamic profiles, or by static interface configuration, or they can be statically assigned. You can test AAA configurations for DHCP, PPP, and lite subscribers. For L2TP clients, the AAA test process displays all tunnel parameters but does not create an actual tunnel session.
The test aaa command supports all RADIUS-sourced attributes, including IETF standard attributes and Juniper Networks VSAs. Received attributes are displayed in the output. For information about standard RADIUS attributes, see RADIUS IETF Attributes Supported by the AAA Service Framework. For information about Juniper Networks VSAs, see Juniper Networks VSAs Supported by the AAA Service Framework.
The test aaa command does not support volume-time accounting (Juniper Networks VSA 26-69, value 2). If volume-time accounting is configured for the test subscriber, the test command substitutes time-only accounting statistics for the volume-time statistics.
Testing a Subscriber AAA Configuration
Purpose
Display the AAA attributes that subscriber management assigns to the subscriber during login.
The following example tests the AAA configuration for a PPP subscriber. You can perform a similar test for DHCP subscribers with the test aaa dhcp user command, and for lite subscribers with the test aaa authd-lite user command.
Action
user@host> test aaa ppp user user45@test.net password $ABC123
Authentication Grant
************User Attributes***********
User Name - user45@test.net
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
Virtual Router Name - default
Agent Remote Id - NULL
Reply Message - NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Primary DNS IPv6 Address - ::
Secondary DNS IPv6 Address - ::
Framed Pool - not set
Class Attribute - TEST
Service Type - 0
Client IPv6 Address - ::
Client IPv6 Mask - null
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - not-set
NDRA IPv6 Prefix - not-set
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - not-set
User Password - $ABC123
CHAP Password - NULL
Mac Address - 00:00:5E:00:53:ab
Idle Timeout - 600
Session Timeout - 6000
Service Name (1) - cos-service(video_sch, nc_sch)
Service Statistics (1) - 1
Service Acct Interim (1) - 600
Service Activation Type (1) - 1
Service Name (2) - filter-service(in_filter, out_filter)
Service Statistics (2) - 2
Service Acct Interim (2) - 900
Service Activation Type (2) - 1
Cos shaping rate - 100m
Filter Id - not set
Framed MTU - (null)
Framed Route - not set
Ingress Policy Name - not set
Egress Policy Name - not set
IGMP - disabled
Redirect VR Name - default
Service Bundle - Null
Framed Ip Route Tag - not set
Ignore DF Bit - disabled
IGMP Access Group Name - not set
IGMP Access Source Group Name - not set
MLD Access Group Name - not set
MLD Access Source Group Name - not set
IGMP Version - not set
MLD Version - not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Acct Session ID - 1
Acct Interim Interval - 750
Acct Type - 1
Ingress Statistics - disabled
Egress Statistics - disabled
Chargeable user identity - 0
NAS Port Id - -0/0/0.0
NAS Port - 4095
NAS Port Type - 15
Framed Protocol - 1
IPv4 ADF Rule - 010100
IPv4 ADF Rule - 010101
IPv6 ADF Rule - 030100
IPv6 ADF Rule - 030101
****Pausing 10 seconds before disconnecting the test user*********
Logging out subscriber
Terminate Id - not set
Test complete. Exiting
You can use the agent-remote-id ari option with the test aaa dhcp user and test aaa ppp user commands to verify DHCP and PPP subscriber authentication in networks that support the DSL Forum Agent-Remote-Id (VSA 26-2). If you specify a DSL Forum Agent-Remote-Id, the output includes the specified value. If you do not specify the VSA, the Agent Remote Id value is displayed as NULL.
user@host> test aaa ppp user thomastank agent-remote-id "(202)555-1212"
Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
...
NAS Ip Address - 0.0.0.0
Agent Remote Id - (202)555-1212
...
The following example shows the output when the authentication grant fails because of an invalid password:
user@host> test aaa ppp user user45@test.net password 55N33%%56
Authentication Deny
Reason : Access Denied
Received Attributes :
User Name - user45@test.net
Client IP Address - 0.0.0.0
Client IP Netmask - 0.0.0.0
Virtual Router Name - default
Agent Remote Id - NULL
Reply Message - NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Primary DNS IPv6 Address - ::
Secondary DNS IPv6 Address - ::
Framed Pool - not set
Class Attribute - not set
Service Type - 0
Client IPv6 Address - ::
Client IPv6 Mask - null
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - not-set
NDRA IPv6 Prefix - not-set
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - not-set
User Password - 55N33%%56
CHAP Password - NULL
Mac Address - 00:00:5E:00:53:ab
Filter Id - not set
Framed MTU - (null)
Framed Route - not set
Ingress Policy Name - not set
Egress Policy Name - not set
IGMP - disabled
Redirect VR Name - default
Service Bundle - Null
Framed Ip Route Tag - not set
Ignore DF Bit - disabled
IGMP Access Group Name - not set
IGMP Access Source Group Name - not set
MLD Access Group Name - not set
MLD Access Source Group Name - not set
IGMP Version - not set
MLD Version - not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Acct Session ID - 12
Acct Interim Interval - 0
Acct Type - 0
Ingress Statistics - disabled
Egress Statistics - disabled
Chargeable user identity - 0
NAS Port Id - -0/0/0.0
NAS Port - 4095
NAS Port Type - 15
Framed Protocol - 0
Test complete. Exiting
For some networks, such as Layer 2 networks with VLAN-OOB subscribers, RADIUS is configured to supply the subscriber address in a client profile identified by the Client-Profile-Name VSA (26-174). In the default configuration, the test fails if it does not receive the subscriber address directly from RADIUS. To test these subscribers successfully, you must include the no-address-request option. The command output displays the client profile name in the Dynamic Profile field, and the routing instance name conveyed by the Virtual-Router VSA (26-1) in the Routing Instance field.
user@host> test aaa ppp user thomastank no-address-request
Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 0.0.0.0
Client IP Netmask - 0.0.0.0
...
IPv6 Egress Policy Name - not set
Dynamic Profile- filter-service
Routing Instance - VR27fin
...
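The three outputs above (a grant, a deny with its reason, and a grant with no-address-request where the address arrives through the client profile) are what a script sees when it drives test aaa during a change window. The following Python is an added example and not Juniper code: it parses the plain-text output into a verdict, a deny reason and an attribute map, then applies the checks an operator usually wants (the login was granted; an address was assigned unless the address is expected from a client profile; selected attributes such as Class Attribute match the expected values). The samples are constructed excerpts modelled on the outputs above, and the function names parse_test_aaa and check_grant are assumptions of this example. Note that the parser copes with two quirks visible above: a value that itself begins with a dash (NAS Port Id - -0/0/0.0) and a field name with no space before the dash (Dynamic Profile- filter-service).

```python
"""Parse and check plain-text `test aaa ... user ...` output.
Added example, not Juniper code; samples are constructed excerpts."""
import re

# "Name - Value": the dash may lack a leading space ("Dynamic Profile- x") and the
# value may itself start with a dash ("NAS Port Id - -0/0/0.0"), so the name is
# matched non-greedily up to the first dash that is followed by whitespace.
_ATTR_RE = re.compile(r"^\s*(?P<name>.+?)\s*-\s+(?P<value>.*)$")
_REASON_RE = re.compile(r"^\s*Reason\s*:\s*(?P<reason>.+)$")


def parse_test_aaa(text):
    """Return {"verdict", "reason", "attributes"}; repeated names become lists."""
    parsed = {"verdict": None, "reason": None, "attributes": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Authentication "):      # "Authentication Grant" / "Authentication Deny"
            parsed["verdict"] = line
            continue
        m = _REASON_RE.match(line)
        if m:
            parsed["reason"] = m.group("reason").strip()
            continue
        if not line or line.startswith("*") or line.startswith("user@host>"):
            continue                                 # banners, blank lines, echoed prompt
        m = _ATTR_RE.match(line)
        if not m:
            continue                                 # "Logging out subscriber", "Test complete. Exiting"
        name, value = m.group("name"), m.group("value").strip()
        attrs = parsed["attributes"]
        if name in attrs:                            # e.g. two "IPv4 ADF Rule" lines
            prev = attrs[name]
            attrs[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            attrs[name] = value
    return parsed


def check_grant(parsed, expected=None, address_from_radius=True):
    """Return a list of problems; an empty list means every check passed.
    expected maps attribute name -> value that must appear exactly.
    address_from_radius=False models the no-address-request case, where the
    address comes from the client profile instead of a RADIUS Framed-IP-Address."""
    problems = []
    if parsed["verdict"] != "Authentication Grant":
        problems.append("verdict %s (reason: %s)" % (parsed["verdict"], parsed["reason"]))
        return problems
    attrs = parsed["attributes"]
    if address_from_radius:
        if attrs.get("Client IP Address", "0.0.0.0") == "0.0.0.0":
            problems.append("no IPv4 address assigned")
    else:
        for key in ("Dynamic Profile", "Routing Instance"):
            if key not in attrs:
                problems.append("missing %s" % key)
    for name, want in (expected or {}).items():
        got = attrs.get(name)
        if got != want:
            problems.append("%s: expected %r, got %r" % (name, want, got))
    return problems


# Constructed excerpts modelled on the three outputs shown in the text.
GRANT_SAMPLE = """Authentication Grant
************User Attributes***********
User Name - user45@test.net
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
Agent Remote Id - NULL
Class Attribute - TEST
Acct Interim Interval - 750
NAS Port Id - -0/0/0.0
IPv4 ADF Rule - 010100
IPv4 ADF Rule - 010101
****Pausing 10 seconds before disconnecting the test user*********
Logging out subscriber
Terminate Id - not set
Test complete. Exiting
"""

DENY_SAMPLE = """Authentication Deny
Reason : Access Denied
Received Attributes :
User Name - user45@test.net
Client IP Address - 0.0.0.0
Acct Type - 0
Test complete. Exiting
"""

NO_ADDRESS_SAMPLE = """Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 0.0.0.0
Dynamic Profile- filter-service
Routing Instance - VR27fin
Test complete. Exiting
"""

if __name__ == "__main__":
    print(check_grant(parse_test_aaa(GRANT_SAMPLE), {"Class Attribute": "TEST"}))
    print(check_grant(parse_test_aaa(DENY_SAMPLE)))
    print(check_grant(parse_test_aaa(NO_ADDRESS_SAMPLE), address_from_radius=False))
```

In practice the text is captured from the device session (or from test aaa ... | display xml, parsed separately) and check_grant is run once before and once after a RADIUS or dynamic-profile change; any non-empty list is the diff worth investigating.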
Starting in Junos OS Release 19.3R1, the XML output format has changed. Each RADIUS server attribute name has an associated attribute value, and each of these pairs is now enclosed by a <radius-server-data> tag. The new tag makes it easier for operators and API clients to identify the name/value pairs. You might need to change any scripts that consume the XML output so that they handle the new format correctly.
The following example shows an excerpt of sample XML output in the old format:
user@host> test aaa ppp user user45@test.net password $ABC123 | display xml
<rpc-reply xmlns:junos="namespace-URL">
    <aaa-test-result>
        <aaa-test-status>Authentication Grant</aaa-test-status>
        <aaa-test-status>************User Attributes***********</aaa-test-status>
        <radius-server-attribute-name>User Name -</radius-server-attribute-name>
        <radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
        <radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
        <radius-server-attribute-value>default:default</radius-server-attribute-value>
        <radius-server-attribute-name>Service Type -</radius-server-attribute-name>
        <radius-server-attribute-value>Framed</radius-server-attribute-value>
        <radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
        <radius-server-attribute-value><not set></radius-server-attribute-value>
        ...
        <aaa-test-status>Test complete. Exiting</aaa-test-status>
    </aaa-test-result>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>
The following example shows an excerpt of sample XML output in the new format:
user@host> test aaa ppp user user45@test.net password $ABC123 | display xml
<rpc-reply xmlns:junos="namespace-URL">
    <aaa-test-result>
        <aaa-test-status>Authentication Grant</aaa-test-status>
        <aaa-test-status>************User Attributes***********</aaa-test-status>
        <radius-server-data>
            <radius-server-attribute-name>User Name -</radius-server-attribute-name>
            <radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
        </radius-server-data>
        <radius-server-data>
            <radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
            <radius-server-attribute-value>default:default</radius-server-attribute-value>
        </radius-server-data>
        <radius-server-data>
            <radius-server-attribute-name>Service Type -</radius-server-attribute-name>
            <radius-server-attribute-value>Framed</radius-server-attribute-value>
        </radius-server-data>
        <radius-server-data>
            <radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
            <radius-server-attribute-value><not set></radius-server-attribute-value>
        </radius-server-data>
        ...
        <aaa-test-status>Test complete. Exiting</aaa-test-status>
    </aaa-test-result>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>
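A script written against the old layout typically pairs each radius-server-attribute-name with the radius-server-attribute-value that follows it as a sibling; once the pairs are wrapped in <radius-server-data>, that pairing silently yields nothing. The following Python is an added example, not Juniper code, showing one parser that accepts both layouts and returns the same dictionary for either, so a script can be moved across the 19.3R1 change without branching on the release. The two sample documents are constructed from the excerpts above with the elided attributes omitted; the excerpts show the Agent Remote Id value as a literal <not set>, and this example assumes the device escapes it as &lt;not set&gt;, since an unescaped angle bracket would not be well-formed XML. The namespace string namespace-URL is the placeholder from the excerpts, and the names parse_aaa_test and mismatches are this example's own.

```python
"""Parse `test aaa ... | display xml` replies in both the pre-19.3R1 layout
(bare name/value siblings) and the 19.3R1+ layout (<radius-server-data>
wrappers). Added example, not Juniper code; samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample in the old layout. The page's excerpt shows "<not set>"
# unescaped; a well-formed reply must carry it as &lt;not set&gt;.
OLD_FORMAT_SAMPLE = """<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<aaa-test-status>************User Attributes***********</aaa-test-status>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
<radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
<radius-server-attribute-value>default:default</radius-server-attribute-value>
<radius-server-attribute-name>Service Type -</radius-server-attribute-name>
<radius-server-attribute-value>Framed</radius-server-attribute-value>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value>&lt;not set&gt;</radius-server-attribute-value>
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
<cli><banner></banner></cli>
</rpc-reply>
"""

# Constructed sample in the new layout: each pair wrapped in <radius-server-data>.
NEW_FORMAT_SAMPLE = """<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<aaa-test-status>************User Attributes***********</aaa-test-status>
<radius-server-data>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
<radius-server-attribute-value>default:default</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Service Type -</radius-server-attribute-name>
<radius-server-attribute-value>Framed</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value>&lt;not set&gt;</radius-server-attribute-value>
</radius-server-data>
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
<cli><banner></banner></cli>
</rpc-reply>
"""


def _text(elem):
    return (elem.text or "").strip()


def _clean_name(raw):
    # Names are emitted as "User Name -"; drop the trailing separator.
    return raw.strip().rstrip("-").strip()


def parse_aaa_test(xml_text):
    """Return {"verdict", "granted", "attributes"} from either XML layout."""
    result = ET.fromstring(xml_text).find("aaa-test-result")
    if result is None:
        raise ValueError("reply has no <aaa-test-result> element")
    statuses = [_text(s) for s in result.findall("aaa-test-status")]
    verdict = statuses[0] if statuses else ""    # first status line is the verdict
    attrs, pending = {}, None
    for child in result:                        # document order matters for the old layout
        if child.tag == "radius-server-data":   # 19.3R1+: the pair is wrapped
            name = child.find("radius-server-attribute-name")
            value = child.find("radius-server-attribute-value")
            if name is not None and value is not None:
                attrs[_clean_name(_text(name))] = _text(value)
        elif child.tag == "radius-server-attribute-name":  # pre-19.3R1: bare siblings
            pending = _clean_name(_text(child))
        elif child.tag == "radius-server-attribute-value" and pending is not None:
            attrs[pending] = _text(child)
            pending = None
    return {"verdict": verdict, "granted": verdict == "Authentication Grant", "attributes": attrs}


def mismatches(parsed, expected):
    """Attributes whose parsed value differs from expected, as (name, expected, actual)."""
    attrs = parsed["attributes"]
    return [(n, v, attrs.get(n)) for n, v in expected.items() if attrs.get(n) != v]


if __name__ == "__main__":
    old, new = parse_aaa_test(OLD_FORMAT_SAMPLE), parse_aaa_test(NEW_FORMAT_SAMPLE)
    print("same result from both layouts:", old == new)
    print(mismatches(new, {"Service Type": "Framed", "Agent Remote Id": "<not set>"}))
```

Walking the children of aaa-test-result in document order is what makes the old layout safe: a value is only ever attached to the name element immediately before it, so an extra aaa-test-status line between pairs cannot shift the pairing.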