AAA Testing and Troubleshooting
Testing and Troubleshooting the AAA Configuration
Subscriber management supports a test feature that lets you check a subscriber's AAA configuration. You can use the test feature to verify a subscriber's AAA settings and to help troubleshoot or isolate subscriber login problems. The AAA test process creates a pseudo-session that authenticates the subscriber, assigns an address to the subscriber, and issues an accounting start packet. The process then issues an accounting stop request, releases the address, and terminates the pseudo-session.
The AAA test results provide details about the attributes that subscriber management assigns to the subscriber during login. Attributes can be assigned by RADIUS, by a dynamic profile, by static interface configuration, or statically. You can test the AAA configuration of DHCP, PPP, and authd-lite subscribers. For L2TP clients, the AAA test process displays all tunnel parameters but does not create an actual tunnel session.
The test aaa command supports all RADIUS-sourced attributes, including IETF standard attributes and Juniper Networks VSAs. Received attributes are displayed in the output. For information about standard RADIUS attributes, see RADIUS IETF Attributes Supported by the AAA Service Framework. For information about Juniper Networks VSAs, see Juniper Networks VSAs Supported by the AAA Service Framework.
The test aaa command does not support volume-time accounting (Juniper Networks VSA 26-69, value 2). If volume-time accounting is configured for the test subscriber, the test command substitutes time-only accounting statistics for those statistics.
Testing a Subscriber's AAA Configuration
Purpose
Display the AAA attributes that subscriber management assigns to a subscriber during login.
The following example tests the AAA configuration of a PPP subscriber. You can use the test aaa dhcp user command to perform a similar test for DHCP subscribers, and the test aaa authd-lite user command to test authd-lite subscribers.
Action
user@host>test aaa ppp user user45@test.net password $ABC123
Authentication Grant
************User Attributes***********
User Name - user45@test.net
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
Virtual Router Name - default
Agent Remote Id - NULL
Reply Message - NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Primary DNS IPv6 Address - ::
Secondary DNS IPv6 Address - ::
Framed Pool - not set
Class Attribute - TEST
Service Type - 0
Client IPv6 Address - ::
Client IPv6 Mask - null
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - not-set
NDRA IPv6 Prefix - not-set
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - not-set
User Password - $ABC123
CHAP Password - NULL
Mac Address - 00:00:5E:00:53:ab
Idle Timeout - 600
Session Timeout - 6000
Service Name (1) - cos-service(video_sch, nc_sch)
Service Statistics (1) - 1
Service Acct Interim (1) - 600
Service Activation Type (1) - 1
Service Name (2) - filter-service(in_filter, out_filter)
Service Statistics (2) - 2
Service Acct Interim (2) - 900
Service Activation Type (2) - 1
Cos shaping rate - 100m
Filter Id - not set
Framed MTU - (null)
Framed Route - not set
Ingress Policy Name - not set
Egress Policy Name - not set
IGMP - disabled
Redirect VR Name - default
Service Bundle - Null
Framed Ip Route Tag - not set
Ignore DF Bit - disabled
IGMP Access Group Name - not set
IGMP Access Source Group Name - not set
MLD Access Group Name - not set
MLD Access Source Group Name - not set
IGMP Version - not set
MLD Version - not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Acct Session ID - 1
Acct Interim Interval - 750
Acct Type - 1
Ingress Statistics - disabled
Egress Statistics - disabled
Chargeable user identity - 0
NAS Port Id - -0/0/0.0
NAS Port - 4095
NAS Port Type - 15
Framed Protocol - 1
IPv4 ADF Rule - 010100
IPv4 ADF Rule - 010101
IPv6 ADF Rule - 030100
IPv6 ADF Rule - 030101
****Pausing 10 seconds before disconnecting the test user*********
Logging out subscriber
Terminate Id - not set
Test complete. Exiting
You can use the agent-remote-id ari option with the test aaa dhcp user and test aaa ppp user commands to verify authentication of DHCP and PPP subscribers in networks that support the DSL Forum Agent-Remote-ID (VSA 26-2).
If you specify the DSL Forum Agent-Remote-ID, the output includes the specified value. If the VSA is not specified, the Agent Remote Id value is displayed as NULL.
user@host>test aaa ppp user thomastank agent-remote-id "(202)555–1212"
Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 192.168.1.1
Client IP Netmask - 255.255.0.0
...
NAS Ip Address - 0.0.0.0
Agent Remote Id - (202)555–1212
...
The following example shows the output when the authentication grant fails because of an invalid password:
user@host>test aaa ppp user user45@test.net password 55N33%%56
Authentication Deny
Reason : Access Denied
Received Attributes :
User Name - user45@test.net
Client IP Address - 0.0.0.0
Client IP Netmask - 0.0.0.0
Virtual Router Name - default
Agent Remote Id - NULL
Reply Message - NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Primary DNS IPv6 Address - ::
Secondary DNS IPv6 Address - ::
Framed Pool - not set
Class Attribute - not set
Service Type - 0
Client IPv6 Address - ::
Client IPv6 Mask - null
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - not-set
NDRA IPv6 Prefix - not-set
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - not-set
User Password - 55N33%%56
CHAP Password - NULL
Mac Address - 00:00:5E:00:53:ab
Filter Id - not set
Framed MTU - (null)
Framed Route - not set
Ingress Policy Name - not set
Egress Policy Name - not set
IGMP - disabled
Redirect VR Name - default
Service Bundle - Null
Framed Ip Route Tag - not set
Ignore DF Bit - disabled
IGMP Access Group Name - not set
IGMP Access Source Group Name - not set
MLD Access Group Name - not set
MLD Access Source Group Name - not set
IGMP Version - not set
MLD Version - not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Acct Session ID - 12
Acct Interim Interval - 0
Acct Type - 0
Ingress Statistics - disabled
Egress Statistics - disabled
Chargeable user identity - 0
NAS Port Id - -0/0/0.0
NAS Port - 4095
NAS Port Type - 15
Framed Protocol - 0
Test complete. Exiting
For some networks, such as Layer 2 networks with VLAN-OOB subscribers, RADIUS is configured to provide the user address in a client profile by means of the Client-Profile-Name VSA (26-174). In the default configuration, the test fails when it does not receive the subscriber address directly from RADIUS. To test these subscribers successfully, you must include the no-address-request option. The command output displays the client profile name in the Dynamic Profile field and the routing instance name conveyed by the Virtual-Router VSA (26-1) in the Routing Instance field.
user@host>test aaa ppp user thomastank no-address-request
Authentication Grant
************User Attributes***********
User Name - thomastank
Client IP Address - 0.0.0.0
Client IP Netmask - 0.0.0.0
...
IPv6 Egress Policy Name - not set
Dynamic Profile- filter-service
Routing Instance - VR27fin
...
Starting in Junos OS Release 19.3R1, the XML output format has changed. Each RADIUS server attribute name has an associated attribute value, and each of these pairs is now enclosed by a <radius-server-data> tag. The new tag makes it easier to identify name/value pairs, both for operators and for API clients.
You might need to change any scripts that consume the XML output so that they work correctly with the new format.
The following example shows an excerpt of sample XML output in the old format:
user@host>test aaa ppp user user45@test.net password $ABC123 | display xml
<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<aaa-test-status>************User Attributes***********</aaa-test-status>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
<radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
<radius-server-attribute-value>default:default</radius-server-attribute-value>
<radius-server-attribute-name>Service Type -</radius-server-attribute-name>
<radius-server-attribute-value>Framed</radius-server-attribute-value>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value><not set></radius-server-attribute-value>
...
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
<cli>
<banner></banner>
</cli>
</rpc-reply>
The following example shows an excerpt of sample XML output in the new format:
user@host>test aaa ppp user user45@test.net password $ABC123 | display xml
<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<aaa-test-status>************User Attributes***********</aaa-test-status>
<radius-server-data>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
<radius-server-attribute-value>default:default</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Service Type -</radius-server-attribute-name>
<radius-server-attribute-value>Framed</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value><not set></radius-server-attribute-value>
</radius-server-data>
...
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
<cli>
<banner></banner>
</cli>
</rpc-reply>
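As an added example (not code from the Junos documentation), the following Python parser reads both the pre-19.3R1 layout and the 19.3R1 <radius-server-data> layout into the same name/value dictionary, so a script that consumes the XML keeps working across the format change. The sample documents are constructed from the excerpts above, with the <not set> marker escaped so that they are well-formed XML.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the excerpts above. The "<not set>" marker is
# escaped (&lt;not set&gt;) so the strings parse as well-formed XML.
OLD_FORMAT = """<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value>&lt;not set&gt;</radius-server-attribute-value>
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
</rpc-reply>"""

NEW_FORMAT = """<rpc-reply xmlns:junos="namespace-URL">
<aaa-test-result>
<aaa-test-status>Authentication Grant</aaa-test-status>
<radius-server-data>
<radius-server-attribute-name>User Name -</radius-server-attribute-name>
<radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
</radius-server-data>
<radius-server-data>
<radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
<radius-server-attribute-value>&lt;not set&gt;</radius-server-attribute-value>
</radius-server-data>
<aaa-test-status>Test complete. Exiting</aaa-test-status>
</aaa-test-result>
</rpc-reply>"""

# Placeholder values seen in the test aaa output when RADIUS assigns nothing.
UNSET_MARKERS = {"<not set>", "not set", "not-set", "NULL", "Null", "(null)", "null"}

def parse_test_aaa_xml(xml_text):
    """Return (status, {attribute_name: value}) from either XML format.

    Old format: name and value elements are siblings under <aaa-test-result>,
    paired by document order. New format: each pair sits in <radius-server-data>.
    iter() walks the subtree in document order, so both layouts yield the same pairs.
    """
    result = ET.fromstring(xml_text).find("aaa-test-result")
    status = result.find("aaa-test-status").text.strip()
    names = [e.text.rstrip(" -").strip() for e in result.iter("radius-server-attribute-name")]
    values = [(e.text or "").strip() for e in result.iter("radius-server-attribute-value")]
    if len(names) != len(values):
        raise ValueError("unpaired attribute name/value elements in test aaa output")
    return status, dict(zip(names, values))

def unset_attributes(attrs):
    """Names of attributes that RADIUS left unassigned, for quick troubleshooting."""
    return sorted(name for name, value in attrs.items() if value in UNSET_MARKERS)
```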
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine whether a feature is supported on your platform.