xiaocqu (Beginner)
This post was last edited by xiaocqu on 2018-10-12 01:24
1/ Problem description:
Two ISE authentication servers are configured on the ASA using the RADIUS protocol, as follows:
ciscoasa# sho run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.1
key cisco
aaa-server RADIUS (inside) host 10.1.1.2
key cisco
When a user logs in with AnyConnect and authenticates, the "Server" field shows that user authentication always picks the 2nd authentication server, even though testing shows the 1st authentication server works fine. The test procedure and result are as follows:
ciscoasa# test aaa-server authentication RADIUS host 10.1.1.1 username test password: *****
INFO: Attempting Authentication test to IP address <10.1.1.1> (timeout: 12 seconds)
INFO: Authentication Successful
ciscoasa#
Questions:
1) Why is the first authentication server not preferred?
2) How can the authentication server selection order (or priority) be guaranteed?
Requirements:
1) The authentication order must always prefer the first authentication server (10.1.1.1), then the second (10.1.1.2);
2) Only when the first authentication server (10.1.1.1) is down should the second (10.1.1.2) be used;
3) When the first authentication server (10.1.1.1) recovers, it is preferred again.
2/ Solution:
Add the following commands:
aaa-server RADIUS protocol radius
reactivation-mode timed // "reactivation-mode" is a hidden default command; its default value is "reactivation-mode depletion deadtime 10", which can be seen with "show run all aaa-server"
3/ Lab environment:
1) Topology:
Client---ASA---AUTH SERVER(ACS or ISE)
2) Notes:
A. Configure the ASA interface address (inside, 100.1.1.1/24 in this test);
B. The Client uses 100.1.1.2/24; the AUTH SERVER (ACS or ISE) uses 10.1.1.1-2/24;
C. Make sure the ASA and the authentication server (ACS or ISE) are mutually reachable;
D. Make sure the AAA server (ACS or ISE) already has the ASA IP address, AAA user names, etc. added;
E. If there are questions about the above configuration, see the corresponding configuration guide; it is not repeated here.
3) aaa and aaa-server configuration (RADIUS is used as the example here; TACACS+ works the same way)
ciscoasa# show run aaa
aaa authentication telnet console RADIUS LOCAL // so that telnet can be used to test aaa and aaa-server, with LOCAL as a fallback
----------------------------------------------
ciscoasa# show run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.1
key cisco
aaa-server RADIUS (inside) host 10.1.1.2
key cisco
----------------------------------------------
4) Logging configuration
ciscoasa# show run logging
logging enable
logging timestamp
logging buffer-size 1000000
logging buffered informational
----------------------------------------------
5) At this point the ASA aaa and aaa-server configuration is complete and aaa account authentication succeeds (username/password test/cisco in this test).
A. Check the aaa-server status
ciscoasa# show aaa-server
Server Group: LOCAL // the LOCAL aaa-server status is shown first
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 04:03:10 UTC Thu Sep 13 2018
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 23
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 19
Number of rejects 4
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
Server Group: RADIUS // then the status of the server group named RADIUS. Note that if TACACS+ is also configured, TACACS+ is shown before RADIUS
Server Protocol: radius
Server Address: 10.1.1.1 // status of the first authentication server in the group named RADIUS; the display order here is unrelated to the IP address value and depends on which server was configured first
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at unknown // the server status is active, i.e. usable
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
Server Group: RADIUS
Server Protocol: radius
Server Address: 10.1.1.2
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
6) Test: telnet from the Client to the ASA inside interface. After success, the log shows that this aaa authentication chose the first aaa authentication server, 10.1.1.1
ciscoasa#show logging
Sep 14 2018 16:26:06: %ASA-6-302013: Built inbound TCP connection 2196 for inside:100.1.1.2/52914 100.1.1.2/52914) to identity:100.1.1.1/23 (100.1.1.1/23)
Sep 14 2018 16:26:12: %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.1 : user = test
Sep 14 2018 16:26:12: %ASA-6-113008: AAA transaction status ACCEPT : user = test
Sep 14 2018 16:26:12: %ASA-6-611101: User authentication succeeded: IP address: 100.1.1.2, Uname: test
Sep 14 2018 16:26:12: %ASA-6-605005: Login permitted from 100.1.1.2/52914 to inside:100.1.1.1/telnet for user "test"
ciscoasa#
3/ Now make RADIUS server1 (10.1.1.1) fail (for example, delete the address on the authentication server, take the authentication server down, ...; in this test the ASA host entry was deleted on the authentication server).
1) Initiate aaa account authentication again. The authentication succeeds, but takes somewhat longer, about a 30 s wait. Note: this happens only once; logging in again does not show it. The exact reason can be explained by looking at the aaa-server status and the log.
2) Check the aaa-server status again
ciscoasa# show aaa-server
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 15:59:36 UTC Thu Sep 13 2018
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 39
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 20
Number of rejects 19
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
Server Group: RADIUS
Server Protocol: radius
Server Address: 10.1.1.1
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED, Server disabled at 17:32:10 UTC Thu Sep 13 2018 // the first authentication server 10.1.1.1 is now marked failed, i.e. unusable; testing also revealed a small issue: although the server side has already failed, if no client has initiated aaa account access the status still shows active, which is really a false active
Number of pending requests 0
Average round trip time 90ms
Number of authentication requests 20
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 5
Number of rejects 6
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 3
Number of timeouts 9
Number of unrecognized responses 0
Server Group: RADIUS
Server Protocol: radius
Server Address: 10.1.1.2
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 17:32:10 UTC Thu Sep 13 2018
Number of pending requests 0
Average round trip time 170ms
Number of authentication requests 5
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 2
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 3
Number of timeouts 3
Number of unrecognized responses 0
ciscoasa#
3) The log shows the Client trying to reach the first authentication server; all 3 attempts failed (it tries 3 times because of a default hidden setting, confirmed by "max-failed-attempts 3" in the output of "show run all aaa-server"), then it logs "AAA Marking RADIUS server 10.1.1.1 in aaa-server group RADIUS as FAILED" and moves on to the second authentication server, which is working normally, so authentication succeeds.
ciscoasa#show logging
Sep 13 2018 17:31:34: %ASA-6-302013: Built inbound TCP connection 1265 for inside:100.1.1.2/54788 (100.1.1.2/54788) to identity:100.1.1.1/23 (100.1.1.1/23)
Sep 13 2018 17:31:39: %ASA-6-302015: Built outbound UDP connection 1266 for inside:10.1.1.1/1645 (10.1.1.1/1645) to identity:100.1.1.1/57147 (100.1.1.1/57147)
Sep 13 2018 17:31:50: %ASA-6-113014: AAA authentication server not accessible : server = 10.1.1.1 : user = *****
Sep 13 2018 17:32:00: %ASA-6-113014: AAA authentication server not accessible : server = 10.1.1.1 : user = *****
Sep 13 2018 17:32:10: %ASA-6-113014: AAA authentication server not accessible : server = 10.1.1.1 : user = *****
Sep 13 2018 17:32:10: %ASA-2-113022: AAA Marking RADIUS server 10.1.1.1 in aaa-server group RADIUS as FAILED
Sep 13 2018 17:32:10: %ASA-6-302015: Built outbound UDP connection 1267 for inside:10.1.1.2/1645 (10.1.1.2/1645) to identity:100.1.1.1/57147 (100.1.1.1/57147)
Sep 13 2018 17:32:10: %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.2 : user = test
Sep 13 2018 17:32:10: %ASA-6-113008: AAA transaction status ACCEPT : user = test
Sep 13 2018 17:32:10: %ASA-6-611101: User authentication succeeded: IP address: 100.1.1.2, Uname: test
Sep 13 2018 17:32:10: %ASA-6-605005: Login permitted from 100.1.1.2/54788 to inside:100.1.1.1/telnet for user "test"
Sep 13 2018 17:34:00: %ASA-6-302016: Teardown UDP connection 1266 for inside:10.1.1.1/1645 to identity:100.1.1.1/57147 duration 0:02:20 bytes 393
ciscoasa#
C. Initiate aaa account authentication again; the log shows the Client skipping the first authentication server entirely and going straight to the second.
ciscoasa#show logging
---------------------
Sep 13 2018 18:03:41: %ASA-6-302013: Built inbound TCP connection 1273 for inside:100.1.1.2/54905 (100.1.1.2/54905) to identity:100.1.1.1/23
(100.1.1.1/23)
Sep 13 2018 18:03:47: %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.2 : user = test
Sep 13 2018 18:03:47: %ASA-6-113008: AAA transaction status ACCEPT : user = test
Sep 13 2018 18:03:47: %ASA-6-611101: User authentication succeeded: IP address: 100.1.1.2, Uname: test
Sep 13 2018 18:03:47: %ASA-6-605005: Login permitted from 100.1.1.2/54905 to inside:100.1.1.1/telnet for user "test"
ciscoasa#
This is why authentication succeeds but takes slightly longer (about 30 s by observation), and only once; it also reproduces the problem the user reported.
4/ Now add the solution mentioned at the start of this post
aaa-server RADIUS protocol radius
reactivation-mode timed
Note:
1) If no aaa account access is initiated and "show aaa-server" is simply run, the first authentication server's status stays failed;
2) When aaa account access is initiated, the first authentication server is marked active, and then the behaviour and steps are as above (3 attempts ... / 30 s wait ...); see "show logging" for details
ciscoasa# show logging
Sep 14 2018 16:58:48: %ASA-2-113023: AAA Marking RADIUS server 10.1.1.1 in aaa-server group RADIUS as ACTIVE
Sep 14 2018 16:59:24: %ASA-6-302013: Built inbound TCP connection 2208 for inside:100.1.1.2/58398 (100.1.1.2/58398) to identity:100.1.1.1/23 (100.1.1.1/23)
Sep 14 2018 16:59:40: %ASA-6-113014: AAA authentication server not accessible : server = 10.1.1.1 : user = *****
Sep 14 2018 16:59:50: %ASA-6-113014: AAA authentication server not accessible : server = 10.1.1.1 : user = *****
Sep 14 2018 17:00:00: %ASA-6-113014: AAA authentication server not accessible : server = 10.1.1.1 : user = *****
Sep 14 2018 17:00:00: %ASA-2-113022: AAA Marking RADIUS server 10.1.1.1 in aaa-server group RADIUS as FAILED
Sep 14 2018 17:00:00: %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.2 : user = test
Sep 14 2018 17:00:00: %ASA-6-113008: AAA transaction status ACCEPT : user = test
Sep 14 2018 17:00:00: %ASA-6-611101: User authentication succeeded: IP address: 100.1.1.2, Uname: test
Sep 14 2018 17:00:00: %ASA-6-605005: Login permitted from 100.1.1.2/58398 to inside:100.1.1.1/telnet for user "test"
ciscoasa#
This meets the customer's requirements and explains the process.
Summary:
1/ The command "reactivation-mode timed" is not recommended. It only implements a kind of aaa-server priority feature, which is of little practical use but brings a lot of trouble: if the first authentication server stays down, on every Client access the device blindly retries while the Client waits painfully (3 attempts ... / 30 s wait ...), a lose-lose situation.
2/ The default configuration (reactivation-mode depletion deadtime 10) is recommended: when the first authentication server fails it is left inactive and skipped, and the second, third, ... are tried; only when the last authentication server is also detected as failed does the ASA start re-activating the first, the second, ...
Reference link:
RADIUS Servers for AAA configuration guide:
https://www.cisco.com/c/en/us/td ... ml#ID-2113-00000920
Comments
suzhouxiaoniu (Advocate)
Thanks for visiting, here's my support :handshake
13nash (Collaborator)
Good article, solves a real problem
bo chen (Beginner)
Solid content!
one-time (Expert)
Thanks for sharing. If your post is original content, please add the [原创] (Original) tag to the title. Thank you!
xiaocqu (Beginner)
Admin posted on 2018-9-18 18:02:
Thanks for sharing. If your post is original content, please add the [原创] (Original) tag to the title. Thank you!

Moderator, it has been added, thanks for the reminder.
xiaocqu (Beginner)
suzhouxiaoniu posted on 2018-9-15 15:21:
Thanks for visiting, here's my support

:handshake
xiaocqu (Beginner)
13nash posted on 2018-9-17 09:01:
Good article, solves a real problem

:handshake
wuleihen (Advocate)
Sorry OP, I read it through and didn't see anything about how to set a priority?? Did I miss it??
xiaocqu (Beginner)
This post was last edited by xiaocqu on 2018-9-21 06:27
wuleihen posted on 2018-9-20 09:37:
Sorry OP, I read it through and didn't see anything about how to set a priority?? Did I miss it??

Thank you for your question.
First let's get on the same page: what is RADIUS/TACACS+ priority?
Reading through the ASA radius configuration guide, you will find that the concept of priority is hardly mentioned anywhere. The normal behaviour is simply that the authentication server entry configured first in the aaa-server group is chosen first.
My understanding is that priority here is just about setting the execution order. Since the concept of priority usually brings to mind a fixed numeric value that decides the order of execution, and no such value appears here, the word "priority" is not very precise, so I can understand your question.
With the hidden default (reactivation-mode depletion deadtime 10), once the first authentication server entry is marked failed it is skipped and the second is used; see the log in section [3/--3)--C] of this post. The user does not know the first authentication server was marked failed earlier, and even after it has recovered it stays marked failed. Only when every other authentication server has also been marked failed does the first get re-activated. This gives the impression that authentication does not start from the first server entry and looks like a random choice.
As mentioned at the start, the user wants the first entry in the aaa-server group to be preferred at all times. To meet that requirement, Cisco introduced "reactivation-mode timed": once the first authentication server is marked failed, it is re-activated 30 s later, so every authentication checks from the first entry first, which is what the priority means.
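An added example, not from the original post or from Cisco: a small Python model of the server-selection behaviour described in the post's summary and in the reply above, with "depletion" and "timed" side by side. Assumed values (labelled in the comments): 10 s per attempt so that 3 attempts match the roughly 30 s the post observed, a 30 s re-activation interval for timed mode, and the 10-minute deadtime from the default command.

```python
from dataclasses import dataclass
MAX_FAILED_ATTEMPTS = 3   # default "max-failed-attempts 3" shown by "show run all aaa-server"
TIMEOUT = 10              # assumed seconds per attempt: 3 attempts ~= the 30 s the post observed
REACTIVATION_TIMED = 30   # assumed interval for "reactivation-mode timed" (30 s per the reply)
DEADTIME = 10 * 60        # "reactivation-mode depletion deadtime 10" is in minutes

@dataclass
class Server:
    addr: str
    up: bool = True            # is the real RADIUS host answering?
    failed_at: float = None    # None = ASA shows ACTIVE; otherwise the time it was marked FAILED

class Group:                   # one aaa-server group; entries are tried in configured order
    def __init__(self, addrs, mode="depletion"):
        self.servers = [Server(a) for a in addrs]
        self.mode = mode

    def _reactivate(self, now):
        failed = [s for s in self.servers if s.failed_at is not None]
        if self.mode == "timed":                          # each FAILED entry returns on its own
            for s in failed:
                if now - s.failed_at >= REACTIVATION_TIMED:
                    s.failed_at = None                    # %ASA-2-113023 ... as ACTIVE
        elif len(failed) == len(self.servers) and now - max(s.failed_at for s in failed) >= DEADTIME:
            for s in failed:                              # depletion: only once every entry failed
                s.failed_at = None

    def authenticate(self, now):   # one login at `now` -> (server that answered or None, seconds waited)
        self._reactivate(now)
        waited = 0
        for s in self.servers:
            if s.failed_at is not None:
                continue                                  # FAILED entries are skipped outright
            if s.up:
                return s.addr, waited                     # %ASA-6-113004 authentication Successful
            waited += MAX_FAILED_ATTEMPTS * TIMEOUT       # three %ASA-6-113014 "not accessible"
            s.failed_at = now + waited                    # %ASA-2-113022 marked FAILED
        return None, waited

def outage_then_repeat(mode):          # server 1 stays down; three logins a minute apart
    g = Group(["10.1.1.1", "10.1.1.2"], mode)
    g.servers[0].up = False
    return [g.authenticate(t) for t in (0, 60, 120)]

def outage_then_recovery(mode):        # server 1 fails once, then is back before the next login
    g = Group(["10.1.1.1", "10.1.1.2"], mode)
    g.servers[0].up = False
    first = g.authenticate(0)
    g.servers[0].up = True
    return first, g.authenticate(60)
```

Under depletion the 30 s wait is paid once and later logins go straight to 10.1.1.2 even after server 1 recovers; under timed every login pays the wait while server 1 is down, but the first login after it recovers lands on 10.1.1.1 again.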