A few BAS configuration cases

Key configurations for deploying Layer 3 BAS subscriber services
Problem summary: after a service cutover, Layer 3 users on an NE40E cannot go online.
Problem details: after the service cutover, Layer 3 users on the NE40E cannot go online, and the directly connected address on that interface cannot ping the device.
Troubleshooting process
Layer 3 user configuration has special requirements; see the Solution section.
Solution
1. For Layer 3 BAS users, besides configuring layer3-subscriber on the interface, the IP address range of the Layer 3 users must also be specified in the system view, in a way similar to static user configuration.
Example:
(1) BAS interface configuration
[HUAWEI-GigabitEthernet1/0/6] mode user-termination
[HUAWEI-GigabitEthernet1/0/6] interface GigabitEthernet 1/0/6.1
[HUAWEI-GigabitEthernet1/0/6.1] control-vid 1 dot1q-termination
[HUAWEI-GigabitEthernet1/0/6.1] dot1q termination vid 3
Configure the IP address
[HUAWEI-GigabitEthernet1/0/6.1] ip address 192.168.1.1 255.255.255.0
Configure the BAS interface
[HUAWEI-GigabitEthernet1/0/6.1] bas
[HUAWEI-GigabitEthernet1/0/6.1-bas] access-type layer3-subscriber
(2) Specify the IP address range of the Layer 3 users, i.e., the addresses these users will use
[HUAWEI] layer3-subscriber 192.168.1.2 192.168.1.2 domain-name huawei
Without this, an address in that range cannot go online as a BAS user, the directly connected address cannot ping the BRAS, and all its traffic is dropped as user-mac miss.

2. For Layer 3 users whose addresses are not directly connected, static routes to those addresses are also required; otherwise the users can only be triggered online by their own traffic, not by traffic arriving from outside.
For example, with the following user address pool:
ip pool layer3-pool bas local
gateway 6.6.6.1 255.255.255.0
section 0 6.6.6.2 6.6.6.254

a static route pointing to the directly connected next hop is required:
ip route-static 6.6.6.0 24 192.168.1.2
If a Layer 2 switch acts as the user gateway, a separate static route to that gateway address is also required; otherwise external traffic cannot trigger the users online and is all sent up to the CPU on the ME60, because the device holds a 32-bit UNR route for the address pool gateway.
ip route-static 6.6.6.1 32 192.168.1.2
3. For IPoE users, the way the user name is constructed can also be adjusted as needed. If the live network requires user names of the form interface:MAC, this is achieved with the following configuration.
(1) On the interface, trust the user's Option 82 attribute
[HUAWEI-GigabitEthernet1/0/6.1-bas]client-option82
(2) In the AAA view, set the default user name construction to use Option 82
[huawei-aaa]default-user-name include option82

Managing devices downstream of a BAS interface
1. When the BAS interface uses Layer 2 authentication
Configure the management subnet address pool and exclude the static user's address
[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[HUAWEI-ip-pool-pool1]excluded-ip-address 172.192.0.100 172.192.0.100
Configure the static user
[HUAWEI] static-user 172.192.0.100 gateway 172.192.0.1 interface GigabitEthernet 7/0/2.1000 vlan 1000 detect
2. When the BAS interface uses Layer 3 authentication
Configure authentication scheme auth3 (no authentication) and accounting scheme acct3 (no accounting)
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth3
[HUAWEI-aaa-authen-auth3] authentication-mode none
[HUAWEI-aaa-authen-auth3] quit
[HUAWEI-aaa] accounting-scheme acct3
[HUAWEI-aaa-accounting-acct3] accounting-mode none
[HUAWEI-aaa-accounting-acct3] quit
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme auth3
[HUAWEI-aaa-domain-huawei] accounting-scheme acct3
Specify the IP address range of the Layer 3 users together with the associated authentication domain name; the huawei domain created above only needs to be a domain with no authentication and no accounting.
[ME60]layer3-subscriber 172.16.254.33 172.16.254.33 domain-name huawei

The gateway address of L2TP users is not the address pool gateway
Problem description
Device type: ME
Device version: V600R006C00SPC300
Viewing the user entries on the LNS shows that the user's gateway address is not the address pool gateway.
Troubleshooting process
The user information on the LNS is shown below; the user's gateway address is not the gateway configured in the address pool.
<DiShuiWangLuoFaPiao_1>display access-user username [email protected] verbose

Basic:
User access index : 42
State : Used
User name : [email protected]
Domain name : nxdstest.m
User backup state : No
User access interface : GigabitEthernet2/0/0
User access PeVlan/CeVlan : -/-
User access slot : 2
User MAC : -
User IP address : 10.95.0.215
User gateway address : 119.60.0.26
查看配置:
地址池配置:
ip pool 1 bas local
gateway 10.95.0.1 255.255.255.0 // address pool gateway
section 0 10.95.0.2 10.95.0.254
L2TP configuration:
l2tp-group 1
mandatory-lcp
allow l2tp Virtual-Template 0 remote LAC
tunnel password simple nxdstest
tunnel name LNS
VT configuration:
interface Virtual-Template0
ppp authentication-mode pap
mtu 600
ip address unnumbered interface GigabitEthernet2/0/0 // borrows the IP address of GE2/0/0
remote address pool 1
Interface configuration:
interface GigabitEthernet2/0/0
undo shutdown
ip address 119.60.0.26 255.255.255.252
dcn
It was confirmed that for PPP/L2TP users, if an IP address is configured under the VT interface, that address is preferred as the user's gateway address.
Root cause
NA
Solution
After the ip address unnumbered command under the VT interface is removed, users take the gateway address from the address pool.
Suggestions and summary
For PPP/L2TP users, an IP address configured under the VT interface takes precedence over the gateway address configured in the address pool.

How to manage the management address of an aggregation device under an ME60 authentication interface
Problem description
An aggregation switch is attached under an ME60 BAS sub-interface. How can the aggregation device's management address be handled so that it can communicate with the management network?
Solution
ME60 side:
1. Configure the authentication scheme for the management subnet
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme local
[HUAWEI-aaa-authen-local] authentication-mode none
[HUAWEI-aaa-authen-local] quit
2. Configure the management subnet address pool
[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[HUAWEI-ip-pool-pool1] excluded-ip-address 172.192.0.8
[HUAWEI-ip-pool-pool1] quit
3. Configure the domain
[HUAWEI] aaa
[HUAWEI-aaa] domain Net
[HUAWEI-aaa-domain-Net] authentication-scheme local
[HUAWEI-aaa-domain-Net] accounting-scheme default0
[HUAWEI-aaa-domain-Net] ip-pool pool1
[HUAWEI-aaa-domain-Net] quit
[HUAWEI-aaa] quit
4. Configure the BAS sub-interface for the management subnet
[HUAWEI-GigabitEthernet7/0/2] interface GigabitEthernet 7/0/2.1000
[HUAWEI-GigabitEthernet7/0/2.1000] user-vlan 1000
[HUAWEI-GigabitEthernet7/0/2.1000-vlan-1000-1000] quit
[HUAWEI-GigabitEthernet7/0/2.1000] bas
[HUAWEI-GigabitEthernet7/0/2.1000-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet7/0/2.1000-bas] authentication-method bind
[HUAWEI-GigabitEthernet7/0/2.1000-bas] default-domain authentication Net
[HUAWEI-GigabitEthernet7/0/2.1000-bas] ip-trigger
[HUAWEI-GigabitEthernet7/0/2.1000-bas] arp-trigger
[HUAWEI-GigabitEthernet7/0/2.1000-bas] quit
[HUAWEI-GigabitEthernet7/0/2.1000] quit
5. Configure the static user
[HUAWEI] static-user 172.192.0.100 gateway 172.192.0.1 interface GigabitEthernet 7/0/2.1000 vlan 1000 detect

Aggregation switch side:

1. Configure the device management address
[HUAWEI]interface Vlanif1000
[HUAWEI-Vlanif1000]ip address 172.192.0.100 255.255.255.0
[HUAWEI-Vlanif1000]quit
2. Configure the device default route
[HUAWEI]ip route-static 0.0.0.0 0.0.0.0 172.192.0.1

ME60 with no authentication and no accounting: PC cannot obtain an IP address
Problem description
The ME60 acts as the DHCP server. With no authentication and no accounting configured, the PC cannot obtain an IP address.
Configuration:

ip pool portal_tushuguan_108 bas local
gateway 10.20.8.254 255.255.255.0
section 0 10.20.8.1 10.20.8.253
excluded-ip-address 10.20.8.240
excluded-ip-address 10.20.8.246 10.20.8.248
excluded-ip-address 10.20.8.250 10.20.8.253
dns-server 222.246.129.80 114.114.114.114

authentication-scheme none
authentication-mode none
accounting-scheme none
accounting-mode none
domain work
authentication-scheme none
accounting-scheme none
ip-pool portal_tushuguan_108

interface GigabitEthernet4/0/1.500
user-vlan 100
bas

access-type layer2-subscriber default-domain authentication work
authentication-method bind

Troubleshooting process
1. First confirmed that the ME60 data configuration was correct.
2. Initially suspected a Layer 2 connectivity problem; checking the downstream device configuration and the MAC address table on the ME60 showed that the user's MAC reaches the ME60 normally (the customer could not run a MAC trace, so no information could be captured on the ME60 for analysis).
3. Captured packets on the PC side: only the DISCOVER packets sent by the PC were seen, with no response received at all.

4. The product manual lists a dhcp-broadcast command; it was added under the BAS interface.

interface GigabitEthernet4/0/1.500
user-vlan 100
bas

access-type layer2-subscriber default-domain authentication work
authentication-method bind
dhcp-broadcast

5. The user tested again and the PC obtained an IP address normally.
Root cause
dhcp-broadcast
Function
The dhcp-broadcast command enables broadcast sending of DHCP packets under a BAS interface; broadcast here means Layer 2 broadcast.

Note: this command takes effect only when the BAS interface is a Layer 2 interface.
Solution

After adding dhcp-broadcast under the sub-interface's bas view, the PC obtains an IP address normally:

interface GigabitEthernet4/0/1.500
user-vlan 100
bas

access-type layer2-subscriber default-domain authentication work
authentication-method bind
dhcp-broadcast

How to deploy authentication-free user access on the ME60?
The configuration approach and script are as follows:
(1) Approach for authentication-free user access:
Configure an authentication-free scheme;
Configure an accounting-free scheme;
Configure the DHCP address pool for authentication-free users;
Create one domain for authentication-free users, binding the no-authentication scheme, the no-accounting scheme and the address pool;
Configure user access under the BAS interface.

(2) Script for authentication-free user access (other configuration is not shown).

ip pool leader&expert bas local // local DHCP address pool
gateway 10.x.x.1 255.255.248.0
section 0 10.x.x.2 10.x.x.254
dns-server x.x.x.1 y.y.x.202
netbios-name-server x.15.0.x
lease 0 12 0

authentication-scheme none // authentication-free scheme
authentication-mode none

accounting-scheme none // accounting-free scheme
accounting-mode none

domain free-user // domain for authentication-free users, bound to the no-authentication scheme, the no-accounting scheme and the address pool
authentication-scheme none
accounting-scheme none
ip-pool leader&expert

interface Eth-Trunk1.901 // BAS interface
description For-free
user-vlan 100 1000 qinq 48
bas

access-type layer2-subscriber default-domain authentication free-user
authentication-method bind
ip-trigger
arp-trigger

FAQ: how to configure the address pool allocation method on the ME60
Problem description
The customer network has an ME60-X8 with an existing /24 address pool. The customer expects the number of users to surge in a while, and the existing /24 pool on the ME60 will then no longer meet demand, so one more class C range needs to be added on the ME60.
After the class C range was added, the customer wanted to test whether the new pool works. The precondition is that the router upstream of the ME60-X8 already advertises the pool route correctly.
Test steps:
1. Create a new test domain on the ME60-X8 and configure the related data.
2. Pick a spare port on the ME60-X8 as the test port and configure it for the test.
3. Verify that a test user can obtain an address and access the Internet normally, which proves that the pool configuration and the upstream route advertisement are fine.
Configuration commands:
[BRAS]ip pool pool1 bas local
[BRAS-ip-pool-pool1] gateway 192.168.1.1 255.255.255.0
[BRAS-ip-pool-pool1] section 0 192.168.1.2 192.168.1.254
[BRAS-ip-pool-pool1] dns-server 1.1.1.1 2.2.2.2
[BRAS-ip-pool-pool1]quit
[BRAS]
[BRAS]aaa
[BRAS-aaa]domain ceshi
[BRAS-aaa-domain-ceshi] authentication-scheme radius_auth
[BRAS-aaa-domain-ceshi] accounting-scheme radius_acct
[BRAS-aaa-domain-ceshi] ip-pool pool1
[BRAS-aaa-domain-ceshi] radius-server group bjyd-3
[BRAS-aaa-domain-ceshi] ip-warning-threshold 80
[BRAS-aaa-domain-ceshi]quit
[BRAS-aaa]quit
[BRAS]quit
[BRAS]interface GigabitEthernet1/1/1.82
[BRAS-GigabitEthernet1/1/1.82] pppoe-server bind Virtual-Template 1
[BRAS-GigabitEthernet1/1/1.82] description TO_CeShi
[BRAS-GigabitEthernet1/1/1.82] user-vlan 82
[BRAS-GigabitEthernet1/1/1.82] bas
[BRAS-GigabitEthernet1/1/1.82-bas] access-type layer2-subscriber default-domain authentication ceshi
[BRAS-GigabitEthernet1/1/1.82-bas]quit
[BRAS-GigabitEthernet1/1/1.82]display this

interface GigabitEthernet1/1/1.82
pppoe-server bind Virtual-Template 1
description TO_CeShi
user-vlan 82
bas

access-type layer2-subscriber default-domain authentication ceshi
The customer also wants the two pools to share address allocation once the new pool has been added to the live configuration. Because the BRAS by default allocates addresses from pools in the order they were configured, the new pool would not be used for now, which does not meet the customer's requirement.
Configuration commands:
[BRAS]ip pool pool1 bas local
[BRAS-ip-pool-pool1] gateway 192.168.1.1 255.255.255.0
[BRAS-ip-pool-pool1] section 0 192.168.1.2 192.168.1.254
[BRAS-ip-pool-pool1] dns-server 1.1.1.1 2.2.2.2
[BRAS-ip-pool-pool1]quit
[BRAS]
[BRAS]aaa
[BRAS-aaa]domain china
[BRAS-aaa-domain-china] authentication-scheme radius_auth
[BRAS-aaa-domain-china] accounting-scheme radius_acct
[BRAS-aaa-domain-china] ip-pool pool1
[BRAS-aaa-domain-china] radius-server group bjyd-3
[BRAS-aaa-domain-china] ip-warning-threshold 80
[BRAS-aaa-domain-china]quit
[BRAS-aaa]quit
[BRAS]quit
New address pool configuration:
[BRAS]ip pool pool2 bas local
[BRAS-ip-pool-pool2] gateway 192.168.2.1 255.255.255.0
[BRAS-ip-pool-pool2] section 0 192.168.2.2 192.168.2.254
[BRAS-ip-pool-pool2] dns-server 1.1.1.1 2.2.2.2
[BRAS-ip-pool-pool2]quit
[BRAS]
[BRAS]aaa
[BRAS-aaa]domain china
[BRAS-aaa-domain-china]ip-pool pool2
[BRAS-aaa-domain-china]display this

domain china
authentication-scheme radius_auth
accounting-scheme radius_acct
ip-pool pool1
ip-pool pool2
radius-server group bjyd-3
ip-warning-threshold 80
Solution
1. Huawei's 400 support hotline confirmed that by default the ME60 allocates addresses from pools sequentially, not round-robin, so addresses in the new pool are not used until the addresses in the original pool are exhausted.
2. After confirming with the 400 hotline: to use addresses from the new pool, configure round-robin pool selection on the ME60 so that users obtain addresses from different pools.
Command:
system-view
[BRAS]ip-pool algorithm round-robin local
The ip-pool algorithm round-robin command configures IPv4 local or remote address pools to allocate addresses in alternation.
The undo ip-pool algorithm round-robin command restores the default sequential pool selection for IPv4 local or remote address pools.
By default, IPv4 local or remote address pools allocate addresses sequentially.

FAQ: how does the ME60 redirect to different portal servers according to the authentication failure reason
Problem description
Q:
With RADIUS server authentication, how can ME60 version V6R2C06SPC100 redirect users to different portal servers according to the reason their authentication failed?
Troubleshooting process
A:
With RADIUS authentication, redirecting users to different portal servers according to the authentication failure reason is possible on ME60 V6R2C06SPC100. One suggested approach: the RADIUS server must be able to deliver different domain names for users who fail authentication for different reasons while still letting those users go online; it sends the domain name to the ME60, which then redirects each user to a different portal server according to its own configuration.
1. RADIUS delivers HW-Domain-Name (attribute 26-138) to the ME60. Keep the configuration for normal users going online and add the following;
2. Define three user groups:
user-group normaluser // normal users
user-group nomoney // users in arrears
user-group wrongpassword // users with a wrong account or password
3. Define ACLs; the different rules restrict each domain to its permitted destinations;
acl 6000
rule 5 permit ip source user-group normaluser
rule 10 permit ip source user-group nomoney destination ip-address 182.190.0.136 0
rule 15 permit ip source user-group wrongpassword destination ip-address 182.190.0.136 0
acl 6001
rule 5 permit tcp source user-group nomoney destination-port eq www
rule 10 permit tcp source user-group nomoney destination-port eq 8080
rule 15 permit ip source user-group nomoney
acl 6002
rule 5 permit tcp source user-group wrongpassword destination-port eq www
rule 10 permit tcp source user-group wrongpassword destination-port eq 8080
rule 15 permit ip source user-group wrongpassword
traffic classifier normaluser
if-match acl 6000
traffic behavior normaluser
permit
traffic classifier nomoney
if-match acl 6001
traffic behavior nomoney
http-redirect
traffic classifier wrongpassword
if-match acl 6002
traffic behavior wrongpassword
http-redirect
traffic policy action
classifier nomoney behavior nomoney
classifier wrongpassword behavior wrongpassword
classifier normaluser behavior normaluser
4. Apply the policy globally:
traffic-policy action inbound
traffic-policy action outbound
5. To give users who failed authentication addresses from a different subnet, simply create a new address range here and reference the pool in the domain;
ip pool huawei bas local
gateway 192.168.150.1 255.255.255.0
section 0 192.168.150.2 192.168.150.254
dns-server 182.190.0.136
ip pool cisco bas local
gateway 172.16.160.1 255.255.254.0
section 0 172.16.160.2 172.16.160.254
dns-server 182.190.0.136
6. Create the different domains:
domain nomoney
authentication-scheme default0
accounting-scheme default0
ip-pool huawei
radius-server group huawei
user-group nomoney
web-server 1.1.1.1
web-server url http://huawei.com
domain wrongpassword
authentication-scheme default0
accounting-scheme default0
ip-pool cisco
radius-server group huawei
user-group wrongpassword
web-server 2.2.2.2
web-server url http://cisco.com
7. Enable the redirect function globally:
aaa
http-redirect enable
Suggestions and summary
Mechanism:
1. Three domains are defined on the ME60 (note that the user groups must first be defined in the system view):
Domain A: domain for normal users -----> configure user-group huawei (normaluser in the script above)
Domain B: domain for users with a wrong user name or password ----> configure user-group wrongpassword and web-server url (portal-b address)
Domain C: domain for users in arrears ----> configure user-group nomoney and web-server url (portal-c address)
2. When RADIUS authenticates, it returns an authentication pass for all three kinds of user;
3. Normal users receive no domain-name attribute, so they come online in domain A and get user-group huawei, which can reach all Internet resources;
4. Users with a wrong user name or password receive domain name B, come online in domain B and get the domain's user-group wrongpassword; the ACL restricts them to the portal-b address and they are forcibly redirected to portal-b;
5. Users in arrears receive domain name C, come online in domain C and get the domain's user-group nomoney; the ACL restricts them to portal-c and they are forcibly redirected to portal-c.
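A config cross-reference check for the user-group / ACL / classifier / behavior / policy / domain chain this answer relies on, as an added Python example that is not part of the original answer or of any Huawei tool. It parses the unindented VRP dump style used on this page (the block-opening commands it recognises are listed in STARTERS; the sample config is constructed) and reports names that are referenced but never defined, definitions nothing references (a user-group no ACL matches gets neither its restriction nor its redirect), and rule ids repeated within one ACL.

```python
import re
from collections import defaultdict

# Block-opening commands in the VRP config dumps on this page, by object kind.
STARTERS = [
    ("acl",        re.compile(r"acl (?:number )?(\d+)$")),
    ("classifier", re.compile(r"traffic classifier (\S+)")),
    ("behavior",   re.compile(r"traffic behavior (\S+)$")),
    ("policy",     re.compile(r"traffic policy (\S+)")),
    ("domain",     re.compile(r"domain (\S+)$")),
    ("ip-pool",    re.compile(r"ip pool (\S+)")),
]
# Kinds for which a definition nobody references is worth reporting.
UNREF_KINDS = ("user-group", "acl", "classifier", "behavior", "policy")


def lint(config):
    """Cross-reference the user-group / ACL / classifier / behavior / policy / domain
    chain: report referenced-but-undefined names, defined-but-unused names, and
    rule ids that occur twice inside one ACL."""
    defs, refs = defaultdict(set), defaultdict(list)   # kind -> names / (name, line)
    seen_rules, dup_rules = set(), []
    block = None                                        # (kind, name) currently open
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for kind, rx in STARTERS:
            m = rx.match(line)
            if m:
                block = (kind, m.group(1))
                defs[kind].add(m.group(1))
                break
        else:
            if line in ("aaa", "quit") or line.startswith("interface "):
                block = None
            elif (m := re.match(r"user-group (\S+)$", line)):
                if block and block[0] == "domain":
                    refs["user-group"].append((m.group(1), n))    # domain binds the group
                else:
                    block = ("user-group", m.group(1))             # system-view definition
                    defs["user-group"].add(m.group(1))
            elif block and block[0] == "acl":
                if (m := re.match(r"rule (\d+)", line)):
                    key = (block[1], m.group(1))
                    if key in seen_rules:
                        dup_rules.append(key)
                    seen_rules.add(key)
                for g in re.findall(r"user-group (\S+)", line):   # source and/or destination group
                    refs["user-group"].append((g, n))
            elif block and block[0] == "classifier" and (m := re.match(r"if-match acl (\d+)", line)):
                refs["acl"].append((m.group(1), n))
            elif block and block[0] == "policy" and (m := re.match(r"classifier (\S+) behavior (\S+)", line)):
                refs["classifier"].append((m.group(1), n))
                refs["behavior"].append((m.group(2), n))
            elif block and block[0] == "domain" and (m := re.match(r"ip-pool (\S+)", line)):
                refs["ip-pool"].append((m.group(1), n))
            elif (m := re.match(r"traffic-policy (\S+) (?:inbound|outbound)", line)):
                refs["policy"].append((m.group(1), n))
    undefined = sorted((k, name, ln) for k, lst in refs.items() for name, ln in lst if name not in defs[k])
    used = {(k, name) for k, lst in refs.items() for name, _ in lst}
    unreferenced = sorted((k, name) for k in UNREF_KINDS for name in defs[k] if (k, name) not in used)
    return {"undefined": undefined, "unreferenced": unreferenced, "duplicate_rules": dup_rules}


# Constructed sample containing the kinds of slips such a config can pick up: a group
# defined under one name but referenced under another (plus a typo of it), a classifier the
# policy names but nobody defines, a repeated rule 10, and a pool referenced before it exists.
SAMPLE = """\
user-group normaluser
user-group nomoney
user-group authfail
acl 6000
rule 5 permit ip source user-group normaluser
rule 10 permit ip source user-group nomoney destination ip-address 182.190.0.136 0
rule 10 permit ip source user-group wrongpassword destination ip-address 182.190.0.136 0
acl 6002
rule 5 permit tcp source user-group wrongpassword destination-port eq www
rule 10 permit tcp source user-group wrongpasswrod destination-port eq 8080
traffic classifier normaluser
if-match acl 6000
traffic behavior normaluser
permit
traffic classifier authfail
if-match acl 6002
traffic behavior authfail
http-redirect
traffic policy action
classifier wrongpassword behavior wrongpassword
classifier normaluser behavior normaluser
traffic-policy action inbound
aaa
domain wrongpassword
authentication-scheme default0
ip-pool cisco
user-group nomoney
"""

if __name__ == "__main__":
    for kind, findings in lint(SAMPLE).items():
        print(kind)
        for f in findings:
            print("   ", f)
```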

PPPoE authentication fails for users under an ME60
Published: 2018-03-19
Problem description
PPP authentication is configured under the interface's bas view; the client's dial-up fails with error code 619.
Troubleshooting process
1. Checked the device configuration: the user access interface uses both PPP and web authentication.

interface GigabitEthernet1/0/1.48
pppoe-server bind Virtual-Template 1
description zmyr-yfl
user-vlan 31
remote-backup-profile rpb1
bas

access-type layer2-subscriber default-domain pre-authentication zmyrzqy-yfl authentication zmyrzhy-yfl
authentication-method ppp web

2. Tested the account and password on the ME device: succeeded.

test-aaa test3 123 radius-group wx-radius

Info: Account test succeed!
3. When the client dialled, tracing the client's MAC address on the ME60 repeatedly printed the following; this MAC already has the IP address 10.1.159.254.
[QH-JZXY-ME60-2]trace access-user object 1 mac-address 3C97-0EFA-271C
[QH-JZXY-ME60-2]
Mar 11 2018 11:25:36.990.2 QH-JZXY-ME60-2 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=1][SRVCFG][user info:
MAC Address : 3C97-0EFA-271C
IP Address : 10.1.159.254
Interface : GigabitEthernet1/0/1.2]
[trace info:
[BRAS DEBUG] BAS_Transmit Out : RUI Configed!]

[QH-JZXY-ME60-2]
Mar 11 2018 11:25:36.990.3 QH-JZXY-ME60-2 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=1][SRVCFG][user info:
MAC Address : 3C97-0EFA-271C
IP Address : 10.1.159.254
Interface : GigabitEthernet1/0/1.2]
[trace info:BAS_Transmit Out: TS_Send OK!]
4. Looking up 10.1.159.254 shows that it was in fact allocated from the web authentication address pool.

ip pool youxian-yifulourenzhengqian bas local rui-slave
gateway 10.1.152.1 255.255.248.0

LOCAL

section 0 10.1.152.2 10.1.159.254
excluded-ip-address 10.1.152.2 10.1.152.100

REMOTE

dns-server 202.100.138.68 202.100.128.68

domain zmyrzqy-yfl
authentication-scheme noauth
accounting-scheme noacc
ip-pool zmyrzq-yfl
radius-server group pppoe-radius
user-group youxian
web-server 10.3.3.1
web-server url http://10.3.3.1:8080/Self
portal-server 10.3.3.1
5. The relevant documentation says:
Because the interface's authentication method is ppp web, by the time the PPPoE session requests an address, IPoE packets have already caused an address to be allocated to this MAC; the PPPoE service's MAC check then finds that the MAC already holds an IP address, so the address request fails.
Configure mac-user ppp-preferred in the AAA view. This command is designed for this scenario: the PPPoE user goes online with priority and the IPoE user is kicked offline.
Root cause
When both PPP and web authentication are configured, web authentication obtains an address first; when PPP authentication then reaches the address allocation stage, the device detects that the client MAC already has an IP address and does not allocate another, so PPP authentication fails.
Solution
Configure mac-user ppp-preferred in the AAA view. This command is designed for this scenario: the PPPoE user goes online with priority and the IPoE user is kicked offline.

Seamless authentication integration between the ME60 and the authentication system fails
Mobile devices must pass web authentication before they can use the Internet, but many users complained that they had to authenticate every time they accessed the Internet over wireless, which is very inconvenient, so seamless (MAC-based) authentication was to be enabled. After configuring the ME60 by the normal steps and enabling seamless authentication on the RADIUS server, the function did not take effect: users still had to authenticate every time they connected to the wireless network.
Solution
Configuration followed the normal procedure: 1. create the RADIUS group; 2. specify the RADIUS server; 3. create the BAS address pool; 4. create the domains; 5. enable BAS on the interface. Seamless authentication still did not take effect. The configuration:
1. Create the RADIUS group:
radius-server group srun
radius-server authentication 10.10.101.5 1812 weight 0
radius-server accounting 10.10.101.5 1813 weight 0
radius-server shared-key srunsoft
radius-server source interface GigabitEthernet4/0/0
undo radius-server user-name domain-included
2. Specify the RADIUS server:
radius-server authorization 10.10.101.5 shared-key huawei123
3. Configure the address pool:
ip pool wlan-yewu bas local
gateway 172.18.30.254 255.255.255.0
section 0 172.18.30.1 172.18.30.253
dns-server 211.67.96.1 211.67.96.155
4. Add the authentication and accounting schemes in the aaa view
aaa
http-redirect enable
authentication-scheme auth_mac
authening authen-fail online authen-domain web-auth
authentication-scheme radius-auth
authentication-mode radius
accounting-scheme radius-acct
accounting-mode radius
domain web-auth
authentication-scheme default0
accounting-scheme default0
ip-pool test
user-group web-before
idle-cut 30 zero-rate
web-server 10.10.101.6
web-server url http://10.10.101.6/index_1.html
domain mac-auth
radius-server group srun
authentication-scheme auth_mac
accounting-scheme radius-acct
ip-pool wlan-yewu
mac-authentication enable
domain after-auth
authentication-scheme radius-auth
accounting-scheme radius-acct
radius-server group srun
quit
Configure the web server:
web-auth-server 10.10.101.6 key huawei123
ACL: omitted
Enable BAS on the interface:
interface g4/0/1.1011
user-vlan 1011
bas
access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
authentication-method web

The above is the conventional MAC authentication configuration, but it does not work for seamless authentication: a packet capture shows that the request the BRAS sends to the authentication system does not carry the client's MAC address but a string identifying the ME60. One important command is therefore required:
aaa
default-user-name include mac-address noseparator (i.e., carry the MAC address in the authentication request).
Testing confirmed that this completes the seamless authentication integration with the authentication system.

Web authentication fails after entering user name and password (case 1)
Background configuration
# BAS interface configuration
interface GigabitEthernet4/0/1.1
user-vlan 3000
bas

access-type layer2-subscriber default-domain pre-authentication web_pre authentication web
authentication-method web

Loopback interface configuration
interface LoopBack0
ip address 1.1.1.1 255.255.255.255

User group configuration
user-group web

RADIUS server communication configuration

radius-server source interface LoopBack0
radius-server group radius
radius-server authentication 172.X.X.100 1812
radius-server accounting 172.X.X.100 1813
radius-server shared-key testing1234
radius-server source interface LoopBack0
undo radius-server user-name domain-included

radius-server authorization 172.X.X.100 shared-key testing1234 server-group radius

Local address pool configuration
ip pool web bas local
gateway 10.x.x.1 255.255.255.0
section 0 10.x.x.2 10.x.x.254
dns-server 172.X.X.200

Pre-authentication domain and authentication domain configuration
domain web
authentication-scheme radius
accounting-scheme radius
radius-server group radius
domain web_pre
authentication-scheme default0
accounting-scheme default0
ip-pool web
user-group web
web-server 172.X.X.100
web-server url http://172.X.X.100/portal/index.jsp

QoS configuration
acl number 6000
step 10
rule 10 permit ip source user-group web destination ip-address 127.0.0.1 0
rule 20 permit ip source ip-address 127.0.0.1 0 destination user-group web
rule 30 permit ip source user-group web destination ip-address 172.X.X.100 0
rule 40 permit ip source ip-address 172.X.X.100 0 destination user-group web
rule 50 permit ip source user-group web destination ip-address 172.X.X.200 0
rule 60 permit ip source ip-address 172.X.X.200 0 destination user-group web

acl number 6001
rule 10 permit tcp source user-group web destination-port eq www
rule 20 permit tcp source user-group web destination-port eq 8080
rule 30 permit ip source user-group web

traffic classifier web_deny operator or
if-match acl 6001
traffic classifier web_permit operator or
if-match acl 6000

traffic behavior permit
traffic behavior redirect
http-redirect

traffic policy global
share-mode
classifier web_permit behavior permit
classifier web_deny behavior redirect

traffic-policy global inbound

Web server communication configuration
web-auth-server source interface LoopBack0
web-auth-server version v2
web-auth-server 172.X.X.100 port 50100 key simple testing1234

Symptom:
The PC can open the authentication page directly and is also redirected to it when visiting www.baidu.com, but after entering the user name and password nothing happens; authentication in the post-authentication domain fails.
Troubleshooting process
Analysis and troubleshooting
Check the user authentication flow to locate the failing step.
Tracing the PC's MAC address with web debugging enabled printed only one message, shown below:
[ME60]
Dec x 2014 14:xx:xx.430.1 ME60 WEB/7/DEBUG:
Received packet from socket (length = 44 Vrf = 0):
Version : 2
Type : authentication request
Method : pap
SerialNo : 19
RequestID : 0
UserIP : 10.0.0.254
ErrorCode : 0
AttributeNumber : 2 // this is the user authentication request the BAS received back from the web server; the next step is the shared-key authentication challenge between the BAS and the web server

The web authentication statistics were then queried: every authentication attempt increments Authenticator Error. As shown below, 25 authentication requests, 25 authenticator errors and 25 dropped challenges, which confirms that shared-key verification is failing.
disp web statistics packet

Received Packets                     Accept     Drop

Received from Server
  Challenge Request          : 0          25
  Authentication Request     : 25         0
  Authenticator Error        : 25
  Drop Packet Total          : 25

Root cause
The shared key does not match the one on the web server.
Solution
Configure the same shared key on both sides.
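How the BAS checks the Authenticator of a Portal v2 authentication request like the one in the debug above, and why a shared-key mismatch shows up as Authenticator Error rather than as a bad password: an added Python example that is not part of the original case or of any Huawei code. The 16-byte header order, the type/method/attribute codes and the MD5-over-packet-with-zeroed-authenticator-plus-key construction are this editor's reading of the Portal 2.0 convention and are assumptions; the user name, password and keys are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed Portal v2 layout: 16-byte header, 16-byte Authenticator, then TLV attributes.
HEADER_FMT = "!BBBBHH4sHBB"   # Ver, Type, Method, Rsvd, SerialNo, ReqID, UserIP, UserPort, ErrCode, AttrNum
VERSION = 2
TYPE_AUTH_REQUEST = 0x03      # assumed code for "authentication request"
METHOD_PAP = 0x01             # assumed code for PAP
ATTR_USERNAME, ATTR_PASSWORD = 0x01, 0x02   # assumed attribute types


def encode_attrs(attrs):
    """TLV attributes: one byte type, one byte total length (2-byte header included), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def authenticator(header, attrs, key):
    """MD5 over the packet with the Authenticator field zeroed, followed by the shared key."""
    return hashlib.md5(header + bytes(16) + attrs + key).digest()


def build_auth_request(serial, req_id, user_ip, attrs, key):
    """What the portal server sends after the user submits the login form."""
    body = encode_attrs(attrs)
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTH_REQUEST, METHOD_PAP, 0, serial, req_id,
                         ipaddress.IPv4Address(user_ip).packed, 0, 0, len(attrs))
    return header + authenticator(header, body, key) + body


def parse_header(packet):
    """The fields the BAS debug prints for a received packet."""
    ver, typ, method, _, serial, req_id, ip, _, err, attr_num = struct.unpack(HEADER_FMT, packet[:16])
    return {"Version": ver, "Type": typ, "Method": method, "SerialNo": serial, "RequestID": req_id,
            "UserIP": str(ipaddress.IPv4Address(ip)), "ErrorCode": err,
            "AttributeNumber": attr_num, "length": len(packet)}


def verify(packet, key):
    """BAS-side check: recompute the Authenticator with the locally configured key and compare
    in constant time. A key mismatch is exactly the 'Authenticator Error' counted on the page."""
    if len(packet) < 32:
        return False
    header, auth, body = packet[:16], packet[16:32], packet[32:]
    return hmac.compare_digest(auth, authenticator(header, body, key))


def web_statistics(packets, bas_key):
    """Tally the counters 'display web statistics packet' would show for these packets."""
    stats = {"Authentication Request": 0, "Authenticator Error": 0, "Drop Packet Total": 0}
    for p in packets:
        stats["Authentication Request"] += 1
        if not verify(p, bas_key):
            stats["Authenticator Error"] += 1
            stats["Drop Packet Total"] += 1
    return stats


# Constructed sample: the portal server signs with one key, the BAS is configured with another.
SERVER_KEY, BAS_KEY = b"testing1234", b"testing1235"
SAMPLE = build_auth_request(19, 0, "10.0.0.254",
                            [(ATTR_USERNAME, b"user1"), (ATTR_PASSWORD, b"pwd")], SERVER_KEY)

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    print("same key  :", verify(SAMPLE, SERVER_KEY))
    print("wrong key :", verify(SAMPLE, BAS_KEY))
    print(web_statistics([SAMPLE] * 25, BAS_KEY))
```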

ME60 seamless authentication service solution
3 Configuration approach:
3.1 The basic function is configured along the following lines:

1. Configure user groups
2. Configure AAA schemes (MAC authentication scheme, user authentication scheme, accounting scheme)
3. Configure the RADIUS server group
4. Configure the address pool
5. Configure the pre-authentication domain
6. Configure the redirect domain
7. Configure the user authentication domain
8. Configure ACLs
9. Configure the interface

3.2 Data preparation
To complete this configuration, the following data is needed:
• name and method of the authentication scheme
• name and method of the accounting scheme
• RADIUS server group name, IP addresses and port numbers of the RADIUS authentication and accounting servers
• address pool name, gateway address, DNS server address
• domain names
• BAS interface parameters

4 Configuration script

user-group web
user-group daa
user-group nomoney
user-group pppoe
user-group ipoe
user-group intranet
user-group mac-domain

radius-server group radius1
radius-server authentication 202.113.18.110 1812 weight 0
radius-server accounting 202.113.18.110 1813 weight 0
radius-server shared-key drcom
radius-server class-as-car
radius-server source interface GigabitEthernet2/0/0
radius-server attribute translate
undo radius-server user-name domain-included

acl number 6000
rule 1 permit ip source user-group web destination ip-address 10.2.0.0 0.0.255.255
rule 2 permit ip source user-group web destination ip-address 192.168.18.15 0
rule 3 permit ip source user-group web destination ip-address 202.113.16.20 0
rule 4 permit ip source user-group web destination ip-address 10.0.0.0 0.63.255.255
rule 10 permit ip source user-group web destination ip-address 202.113.16.10 0
rule 20 permit ip source user-group web destination ip-address 10.101.0.0 0.0.255.255
rule 25 permit ip source user-group web destination ip-address 202.113.18.210 0
rule 100 permit ip source user-group web destination ip-address 10.0.0.0 0.255.255.255
rule 101 permit ip source user-group web destination ip-address 192.168.0.0 0.0.255.255

acl number 6005
description To_mac-domain
rule 5 permit ip source user-group mac-domain destination ip-address 202.113.18.110 0
rule 10 permit ip source ip-address 202.113.18.110 0 destination user-group mac-domain
rule 25 permit ip source user-group mac-domain destination ip-address 202.113.16.10 0
rule 30 permit ip source ip-address 202.113.16.10 0 destination user-group mac-domain
rule 35 permit ip source user-group mac-domain destination ip-address 202.113.16.20 0
rule 40 permit ip source ip-address 202.113.16.20 0 destination user-group mac-domain

acl number 6006
description To_mac-domain-redirect
rule 5 permit tcp source user-group mac-domain destination-port eq www
rule 10 permit tcp source user-group mac-domain destination-port eq 8080
rule 15 permit ip source user-group mac-domain

acl number 6007
description To_mac-domain-permit
rule 5 permit ip source user-group mac-domain

traffic classifier mac-c1 operator or
if-match acl 6005
traffic classifier mac-re operator or
if-match acl 6006
traffic classifier 6007 operator or
if-match acl 6007

traffic behavior perm1
traffic behavior redirect
http-redirect
traffic behavior deny1
deny

traffic policy ipoe
share-mode
classifier mac-c1 behavior perm1
classifier mac-re behavior redirect
classifier 6007 behavior deny1

ip pool huawei bas local
gateway 10.1.230.1 255.255.255.0
section 0 10.1.230.2 10.1.230.254
dns-server 202.113.16.10 202.113.16.20
lease 0 6 0

aaa
authentication-scheme mac-auth
authening authen-fail online authen-domain test-redirect

accounting-scheme accth1
accounting interim interval 3
accounting interim-fail max-times 10 online

domain test-redirect
authentication-scheme default0
accounting-scheme default0
ip-pool huawei
user-group mac-domain
idle-cut 30 zero-rate
web-server 202.113.18.110
web-server url http://202.113.18.110/a72.htm
web-server url-parameter
domain test-houyu
authentication-scheme auth1
accounting-scheme accth1
ip-pool xsword-test
value-added-service account-type radius radius1
radius-server group radius1
domain mac-domain
authentication-scheme mac-auth
accounting-scheme mac-acc
ip-pool huawei
mac-authentication enable
radius-server group radius1
user-group web
web-server 202.113.18.110
web-server url http://202.113.18.110/a70.htm
web-server url-parameter

interface Eth-Trunk0.4000
pppoe-server bind Virtual-Template 1
user-vlan 4000
bas

access-type layer2-subscriber default-domain pre-authentication mac-domain authentication test-houyu
authentication-method ppp web
ip-trigger
arp-trigger

ME60 Layer 3 web authentication with DHCP relay: users cannot obtain IP addresses
Published: 2015-12-08
Problem description
After Layer 3 web authentication was configured, users could not obtain IP addresses. Packet captures showed that the DHCP DISCOVER sent by the user reached the ME60 through the S12700 relay, and at CPU level the DHCP server could be traced replying with an OFFER, but no OFFER from the ME60 was captured in the ingress direction on the downstream switch.

Topology:

ME60 ---------------- S12700 ---------------- access switch -------- PC
(DHCP server)         (DHCP relay)

Key ME60 configuration:

ip pool huawei bas local
gateway 192.169.254.254 255.255.255.0
section 0 192.169.254.10 192.169.254.20
dns-server 210.140.13.188

interface GigabitEthernet5/0/2.10
vlan-type dot1q 10
ip address 192.168.10.1 255.255.255.0
bas

access-type layer3-subscriber default-domain authentication isp2

ip route-static 192.169.254.0 255.255.255.0 192.168.10.2

Key S12700 configuration:

interface Vlanif10
ip address 192.168.10.2 255.255.255.0

interface Vlanif169
ip address 192.169.254.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.10.1

Troubleshooting process
(1) First check the trace information

DHCPACC receive a packet. // the user's DHCP DISCOVER is received and an OFFER is sent back to the relay device
DHCPACC proc a DISCOVER pkt
Giaddr:C0A9FEFE
DhcpaccIndex:187, DhcpaIndex:4294967295, cib:187, state:4(DHCPACC_DIS_WAIT_CLIENT_REQ), DownReason:255]
[ME60_X8]
Aug 14 2015 12:16:47.20.4 ZJSRU_Me60_X8 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][DHCPACC][user info:
MAC Address : xxxx-xxxx-xxxx
IP Address : 192.169.254.14 // the IP address allocated to the user;
Interface : GigabitEthernet5/0/2.10
PE VLAN ID : 10
Access Mode : IPoE
Circuit ID : 0502-0010-GE
Remote ID : Me60_X8-0502-0010-GE ]
[trace info:

(2) Mirroring the S12700 port facing the ME60 showed no OFFER from the ME60 at all; only the DISCOVER sent towards the ME60 is seen on that port;

(3) Checking the interconnect interface on the ME60 shows that the sub-interface towards the S12700 has packets only in the input direction; output packets are 0;

<ME60_X8>display interface gig 5/0/2
Input:
Unicast: 8 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
System: 0 packets, Overrun: 0 packets
TxPause: 0 packets
Unknown Vlan: 0 packets

So the packets were never sent at all, which points to routing;

(4) Check the return routes to the user subnet and to the user gateway on the device;

[ME60_X8]dis ip routing-table 192.169.254.0
Route Flags: R - relay, D - download to fib

Routing Tables: Public
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.169.254.0/24 Static 60 0 RD 192.168.10.2 GigabitEthernet5/0/2.10

[ME60_X8]dis ip routing-table 192.169.254.254
Route Flags: R - relay, D - download to fib

Routing Tables: Public
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.169.254.254/32 Unr 61 0 D 127.0.0.1 InLoopBack0

The route to the user gateway points to the local loopback interface, so the packets are dropped.
Root cause
Once a user address pool (ip pool) has been created, two routes are generated by default:

(1) a /24 route to the user subnet, pointing to NULL0

(2) a /32 route to the user gateway, pointing to InLoopBack0

Even with ip route-static 192.169.254.0 255.255.255.0 192.168.10.2 configured towards the user subnet, that route only covers the subnet; it cannot override the /32 host route to the gateway, which wins on longest prefix match, so the DHCP OFFER is dropped on InLoopBack0.
Solution
Manually force the /32 host route to the user gateway towards the relay:

[ME60_X8] ip route-static 192.169.254.254 32 192.168.10.2

Suggestions and summary
When using DHCP relay, pay attention to the special UNR routes on the ME60.
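The forwarding logic behind this case and behind item 2 of the first case on this page (the 6.6.6.1/32 UNR route), modelled as an added Python example that is not part of the original notes: longest prefix match first, then route preference, which is why the /24 static route never covers the pool gateway and an explicit /32 static route is needed. Preference 61 for the UNR /32 and 60 for static routes are taken from the routing-table output above; giving the NULL0 subnet route preference 61 as well is an assumption, as are the constructed tables.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    pref: int        # route preference: lower wins among equal-length prefixes
    nexthop: str
    iface: str


def lookup(table, dst):
    """Forwarding decision: longest prefix first, then lowest preference."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in table if addr in r.prefix]
    if not hits:
        return None
    longest = max(r.prefix.prefixlen for r in hits)
    return min((r for r in hits if r.prefix.prefixlen == longest), key=lambda r: r.pref)


def pool_unr_routes(gateway, mask):
    """The two routes the ME60 installs by itself when a BAS pool is created (per the page):
    the pool subnet to NULL0 and the gateway /32 to InLoopBack0. Preference 61 for the /32
    comes from the page's routing table; 61 for the subnet route is assumed."""
    subnet = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    host = ipaddress.IPv4Network(f"{gateway}/32")
    return [Route(subnet, "Unr", 61, "0.0.0.0", "NULL0"),
            Route(host, "Unr", 61, "127.0.0.1", "InLoopBack0")]


def static(prefix, nexthop, iface):
    """ip route-static with the default preference 60 shown in the page's routing table."""
    return Route(ipaddress.IPv4Network(prefix), "Static", 60, nexthop, iface)


def egress(table, dst):
    r = lookup(table, dst)
    return r.iface if r else None


def blackholed_gateways(table, gateways):
    """Check to run whenever a relayed or Layer 3 subscriber pool is added: which pool
    gateways would still be forwarded to InLoopBack0, i.e. dropped?"""
    return [gw for gw in gateways if egress(table, gw) == "InLoopBack0"]


# Constructed tables reproducing the relay case above (pool 192.169.254.0/24, next hop S12700).
UPLINK = "GigabitEthernet5/0/2.10"
BEFORE = pool_unr_routes("192.169.254.254", "255.255.255.0") + [
    static("192.169.254.0/24", "192.168.10.2", UPLINK),     # the /24 static route alone
]
AFTER = BEFORE + [
    static("192.169.254.254/32", "192.168.10.2", UPLINK),   # the fix: explicit /32 to the gateway
]

if __name__ == "__main__":
    print("client  192.169.254.14  before fix ->", egress(BEFORE, "192.169.254.14"))
    print("gateway 192.169.254.254 before fix ->", egress(BEFORE, "192.169.254.254"))
    print("gateway 192.169.254.254 after fix  ->", egress(AFTER, "192.169.254.254"))
    print("blackholed before fix:", blackholed_gateways(BEFORE, ["192.169.254.254"]))
```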

ME60 authentication failure caused by a wrong port in the portal server integration
Problem description
The ME60 acts as the BAS with both an IPoE service and a WiFi authentication service configured. The IPoE service tests fine; WiFi users get the portal page in the pre-authentication domain but cannot complete authentication in the post-authentication domain.
Troubleshooting process
(1) Since both the IPoE and WiFi services are configured, the two configurations were compared first.
IPoE service configuration:
interface LoopBack1
description pppoe
ip binding vpn-instance CCN-ZG-L3-BRAS
ip address 10.102.137.216 255.255.255.255

domain CCN
authentication-scheme radius
authorization-scheme radius
accounting-scheme radius
radius-server group CCN-zg-radius-server-guangdian
ip-pool sccn_1
vpn-instance CCN-ZG-L3-CMTS-Internet

ip pool wifi bas local
vpn-instance CCN-ZG-L3-CMTS-Internet
gateway 10.141.96.1 255.255.252.0
section 0 10.141.96.2 10.141.99.254
dns-server 60.255.80.18 60.255.80.19
lease 0 23 59

radius-server group CCN-zg-radius-server-guangdian
radius-server shared-key-cipher %%#03v5Rs,D#"A!`P0Jy#!gu6L42O`VLNYuC!<KR!~%%#
radius-server authentication 10.102.129.35 vpn-instance CCN-ZG-L3-BRAS 1812 weight 0
radius-server accounting 10.102.129.35 vpn-instance CCN-ZG-L3-BRAS 1813 weight 0
radius-server class-as-car
radius-server source interface LoopBack1
radius-server attribute translate
undo radius-server user-name domain-included
radius-server traffic-unit kbyte

WiFi service configuration:
radius-server group sccn_wifi
radius-server shared-key-cipher %%#M>T/T,p\cX<2;tFL-t-@a9`NLKu3e(yjo&O`Eie~%%#
radius-server authentication 10.215.33.210 vpn-instance CCN-ZG-L3-SCCNWIFI source LoopBack2 1812 weight 0
radius-server authentication 10.215.33.211 vpn-instance CCN-ZG-L3-SCCNWIFI source LoopBack2 1812 weight 0
radius-server accounting 10.215.33.210 vpn-instance CCN-ZG-L3-SCCNWIFI source LoopBack2 1813 weight 0
radius-server accounting 10.215.33.211 vpn-instance CCN-ZG-L3-SCCNWIFI source LoopBack2 1813 weight 0
radius-server source interface LoopBack2
undo radius-server user-name domain-included

interface LoopBack2
description wifi
ip binding vpn-instance CCN-ZG-L3-SCCNWIFI
ip address 10.102.137.216 255.255.255.255

Pre-authentication domain:
domain pre-wifi
authentication-scheme wifi_none
accounting-scheme wifi_none
ip-pool wifi
vpn-instance CCN-ZG-L3-CMTS-Internet
user-group pre-wifi
web-server url http://wlanportal.sc96655.com:7777/sctvportal/
web-server url-parameter
web-server redirect-key user-mac-address usermac
web-server redirect-key mscg-ip wlanacip
web-server redirect-key user-ip-address wlanuserip
web-server redirect-key mscg-name wlanacname
http-hostcar enable

Post-authentication domain:
domain sccnwifi
authentication-scheme wifi
accounting-scheme wifi
radius-server group sccn_wifi
ip-pool wifi
vpn-instance CCN-ZG-L3-CMTS-Internet

(2) Comparing the two services shows that their authentication domain configurations are basically similar; since WiFi cannot complete post-domain authentication, network reachability was tested next.

(3) Testing showed that LoopBack2 can reach the RADIUS server, ruling out a network problem; a test authentication was run next.

(4) The test against the authentication server passed, ruling out the authentication part itself; a trace was run next.

[~CCN-ZG-Core-TDP-ME60] trace access-user object 1 mac-address e05f-4557-cb40
Dec 06 2018 11:01:26 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_ARP][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:[EthArpBras]Success to update etharpbas aging timer(id: 399) for user 20484, ArpDetectTime:30]
Dec 06 2018 11:01:26 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_ARP][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:[DetectTimer] not send user arp scan , user(20484), Trunk ifIndex(250), Isworkslot (0)]
Dec 06 2018 11:01:30 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 recived a packet.]
Dec 06 2018 11:01:30 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:Process packet get user item success.]
Dec 06 2018 11:01:30 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 recived unknow(flag: 4) TCP packet.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 recived a packet.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:Process packet get user item success.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 recived http-get packet.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 respond redirect packet.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 respond packet encap ip head OK.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 respond packet encap tcp head OK.]
Dec 06 2018 11:01:35 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 respond packet encap web http 0.]
Dec 06 2018 11:01:37 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:User 20484 recived a packet.]
Dec 06 2018 11:01:37 CCN-ZG-Core-TDP-ME60 BTRC/7/BTRC_DebugInfo:
[objectID=1][slotID=3][VFP_PORTAL][user info:
MAC Address : E05F-4557-CB40
IP Address : 10.141.99.207
Interface : Eth-Trunk11.1700
PE VLAN ID : 1700
CE VLAN ID : 3500
User Name : CCN-ZG-Core-TDP–02211170003500@pre-wifi]
[trace info:Process packet get user item success.]

(5) The trace shows a normal packet exchange, so the next step is to check why the terminal fails to come online:
display aaa online-fail-record mac-address e05f-4557-cb40

User name : 18608134971@SCCNWIFI
Domain name :
User MAC : e05f-4557-cb40
User access type : IPoE
User interface : Eth-Trunk11.1700
User access PeVlan/CeVlan : 1700/3500
User IP address : 10.141.99.207
User ID : 0
User authen state : Authened
User acct state : AcctReady
User author state : AuthorIdle
User login time : 2018-12-06 10:50:47
Online fail reason : Packet Authenticator Error
(6) Analysis of the online-failure reason shows that the terminal failed to come online because the check during web user authentication failed. The terminal had not yet reached the post-authentication domain stage, so the problem still lies in the pre-authentication domain; the pre-authentication domain and portal configuration need to be verified again.

Root cause
A second review of the configuration file shows that, in the portal authentication stage, the two authentication servers were configured with different ports: one with 50100 and one with 2000. After confirming with the server side that the port is 2000 and changing the port to 2000, post-domain authentication completes normally. The fault was caused by an inconsistent portal authentication port.
web-auth-server source interface LoopBack2
web-auth-server 10.215.33.212 vpn-instance CCN-ZG-L3-SCCNWIFI port 50100 key cipher %%#|y"`"L9$[Xo,N50_k0A-|]C$0#9WPA>,lN/8HT;6%%#
web-auth-server 60.255.48.137 vpn-instance CCN-ZG-L3-SCCNWIFI port 2000 key cipher %%#u/NHCD’1$/@UCm}oCG9Y6Z1/%Bo/8k0E>@k,H%^%#
END
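The root cause above is a plain configuration inconsistency that a script can catch before anyone has to trace a user. The following is an added example, not configuration or code from the original post or from Huawei: it parses the web-auth-server lines of a VRP configuration dump, groups the portal servers by VPN instance and reports any group whose ports disagree, then checks every server against the port confirmed with the portal operator. The sample configuration is a constructed copy of the two lines from this case with the cipher keys replaced by a placeholder.

```python
"""Added check: flag portal (web-auth-server) entries whose ports disagree."""
import re
from collections import defaultdict

# Constructed sample: the two servers from the case, keys replaced by <cipher>.
SAMPLE_CONFIG = """\
web-auth-server source interface LoopBack2
web-auth-server 10.215.33.212 vpn-instance CCN-ZG-L3-SCCNWIFI port 50100 key cipher <cipher>
web-auth-server 60.255.48.137 vpn-instance CCN-ZG-L3-SCCNWIFI port 2000 key cipher <cipher>
"""

# Matches 'web-auth-server <ip> [vpn-instance <name>] [port <n>] ...'; the
# 'source interface' line has no IP after the keyword and is skipped.
LINE_RE = re.compile(
    r"^web-auth-server\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+vpn-instance\s+(?P<vrf>\S+))?"
    r"(?:\s+port\s+(?P<port>\d+))?"
)


def parse_portal_servers(config):
    """Return [(ip, vpn_instance, port)] for every portal server line.
    port is None when the 'port' keyword is absent (we do not assume a default)."""
    servers = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port")) if m.group("port") else None
        servers.append((m.group("ip"), m.group("vrf") or "-", port))
    return servers


def find_port_mismatches(servers):
    """Group servers by VPN instance; return the groups whose ports are not all equal."""
    by_vrf = defaultdict(list)
    for ip, vrf, port in servers:
        by_vrf[vrf].append((ip, port))
    return {vrf: entries for vrf, entries in by_vrf.items()
            if len({port for _, port in entries}) > 1}


def check_expected_port(servers, expected_port):
    """Return the servers that are not configured with the port the portal side confirmed."""
    return [(ip, vrf, port) for ip, vrf, port in servers if port != expected_port]


if __name__ == "__main__":
    found = parse_portal_servers(SAMPLE_CONFIG)
    for vrf, entries in find_port_mismatches(found).items():
        print(f"vpn-instance {vrf}: inconsistent portal ports {entries}")
    for ip, vrf, port in check_expected_port(found, 2000):
        print(f"{ip} ({vrf}) uses port {port}, expected 2000")
```

Run against the sample it reports the 50100 entry as the odd one out, which is exactly the line that had to be corrected in this case; the same check can be run over the full configuration of every BRAS in a pair so that master and backup are compared as well.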

ME60 PPP dial-up local user authentication fails with error 691
Problem description
ME60 PPP dial-up local user authentication fails with error 691; from the error message an authentication problem is suspected.
Handling process
1. Check the local authentication configuration on the ME60, as follows:

disp cu interface GigabitEthernet 4/1/3.3

interface GigabitEthernet4/1/3.3 //interface on which the dial-up user comes online
user-vlan 333
bas

access-type layer2-subscriber default-domain authentication ceshi
authentication-method ppp web

return
sys
[ME60-05]aaa
[ME60-05-aaa]dis th //authentication-scheme and accounting-scheme configuration

authentication-scheme default
authentication-mode local radius
accounting-scheme default0

[ME60-05-aaa-domain-ceshi]dis this //configuration of domain ceshi

domain ceshi
authentication-scheme default
accounting-scheme default0
ip-pool gwbnqd15
user-group gwbnqd

return
[ME60-05-aaa-domain-ceshi]q
[ME60-05]local-aaa-server
[ME60-05-local-aaa-server]dis this //local user configuration

local-aaa-server
user test123 password irreversible-cipher <ciphertext garbled in extraction> authentication-type A block fail-times 3 interval 5

return
From the information above, the local user's authentication type looks wrong while the rest of the configuration is fine. Change the authentication type to authentication-type P and dial again; the configuration is as follows:
[ME60-05-local-aaa-server]user test123 password irreversible-cipher <ciphertext garbled in extraction> authentication-type P
2. After changing the authentication type with the command above, dial-up still fails with the same error 691, so the problem is still in authentication. Trace the MAC address of the dial-up terminal to watch the login process:
Dec 5 2017 15:41:56.230.8 QDHX-WK-BAS-ME60-05 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][LAM][user info:
MAC Address : 80C1-6EE4-5789
IP Address : 255.255.255.255
Interface : GigabitEthernet4/1/3.3
PE VLAN ID : 333
User Name : test123@ceshi]
[trace info:Authen fail: password not match] //authentication fails with a password mismatch; change the user name to cba123@ceshi and test again
The command is as follows:
[ME60-05-local-aaa-server]user test123@ceshi password irreversible-cipher <ciphertext garbled in extraction> authentication-type P
3. After the change above, dial-up still fails with the same error 691, and nothing else looks wrong. Checking the product documentation for the user command that configures local accounts, the description contains the following note:
When PPP users are authenticated locally with CHAP, the password cannot be configured in irreversible-cipher form; otherwise authentication fails.
According to the configuration, every account uses the irreversible-cipher form, which needs to be changed.
Root cause
The password encryption form configured for the local account does not match the authentication method, so dial-up fails.
Solution
Change the encryption form of the user's password, as follows:
[ME60-05-local-aaa-server]user test123@ceshi password cipher <ciphertext garbled in extraction> authentication-type P
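The documentation note above has a protocol reason behind it: a CHAP verifier has to recompute MD5(Identifier || secret || Challenge) itself, so it needs the account secret in recoverable form, whereas PAP carries the password itself and a one-way hash is enough. The following is an added illustration, not code from the original post or from Huawei's implementation: it models the RFC 1994 CHAP-MD5 exchange and a PAP-style check against two ways of storing the password, a recoverable one (standing in for password cipher) and a one-way hash (standing in for password irreversible-cipher). The salted SHA-256 used as the one-way form, and all secret and challenge values, are constructed for the example.

```python
"""Added example: why a CHAP verifier needs a recoverable password."""
import hashlib

# Constructed values: the account secret, a fixed challenge and an identifier.
SECRET = b"constructed-password"
CHALLENGE = bytes(range(16))
IDENT = 7


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way_store(secret: bytes, salt: bytes = b"constructed-salt") -> bytes:
    """Toy one-way storage, standing in for an irreversible-cipher password."""
    return hashlib.sha256(salt + secret).digest()


def verify_pap(stored_hash: bytes, presented: bytes) -> bool:
    """PAP carries the password itself, so a one-way hash can be compared."""
    return one_way_store(presented) == stored_hash


def verify_chap_recoverable(stored_secret: bytes, ident: int,
                            challenge: bytes, response: bytes) -> bool:
    """With a recoverable ('cipher') secret the verifier recomputes the digest."""
    return chap_response(ident, stored_secret, challenge) == response


def verify_chap_one_way(stored_hash: bytes, ident: int,
                        challenge: bytes, response: bytes) -> bool:
    """With only a one-way hash there is no secret to feed into MD5. The best
    the verifier can do is use the stored hash itself, which never matches the
    peer's response: this is the 'password not match' seen in the trace."""
    return chap_response(ident, stored_hash, challenge) == response


def demo() -> dict:
    """Run the three checks against the same response sent by the PPP client."""
    response = chap_response(IDENT, SECRET, CHALLENGE)
    return {
        "pap_with_irreversible": verify_pap(one_way_store(SECRET), SECRET),
        "chap_with_cipher": verify_chap_recoverable(SECRET, IDENT, CHALLENGE, response),
        "chap_with_irreversible": verify_chap_one_way(one_way_store(SECRET), IDENT,
                                                      CHALLENGE, response),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'fail'}")
```

The same reasoning applies to the ppp authentication-mode setting on the Virtual-Template: with pap, or with auto negotiating down to PAP, a one-way stored password can still be checked, but as soon as CHAP is negotiated the account must be stored in cipher form.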

ME60 (V600R009C20) dual-stack access: after the IPv4 user goes offline, the IPv6 user stays online
Problem description
The ME60 is deployed as a BAS in the live network with dual-stack IPv6 access. The terminal connects through the ME60 with dual stack and successfully obtains both an IPv4 and an IPv6 address. In the following test the PC's network cable is unplugged: on the ME60 the IPv4 session is released and goes offline, but the IPv6 session stays online, so the user cannot come online again over IPv4.
Handling process
1. Check the corresponding online user
[XZDX-ME60X3-IPV6]dis access-user domain xzdx-after

UserID Username Interface IP address MAC
Vlan IPv6 address Access type

105 ceshi GE1/0/4.1113 210.x.x.180 507b-9d0f-a705
1113/- 2001:250:2E00:2010::23 IPOE

Normal users : 1
RUI Local users : 0
RUI Remote users : 0
Total users : 1

After the cable is unplugged, the IPv6 session is still online:

[XZDX-ME60X3-IPV6]dis access-user domain xzdx-after

UserID Username Interface IP address MAC
Vlan IPv6 address Access type

106 ceshi GE1/0/4.1113 - 507b-9d0f-a705
1113/- 2001:250:x:x::23 IPOE

Normal users : 1
RUI Local users : 0
RUI Remote users : 0
Total users : 1

Root cause
By default an IPoE user is allowed 5 detection failures with a detection interval of 30 seconds, and the two stacks are detected independently. Also by default, no detection packets are sent to an IPoE user while it has traffic.
In a shared address pool scenario, whether a user has traffic is sensed at prefix granularity, so it can happen that an IPoE user's dual-stack traffic stops completely while the IPv6 stack is still seen as online.

Solution
Change IPoE detection to probe even when traffic is present, with user detect no-datacheck on the BAS interface. The problem is resolved after this change.

FAQ: Can the ME60 be configured with both the ppp and web authentication methods on one interface?
Problem description
Can the ME60 be configured with both the ppp and web authentication methods on one interface?
Solution
The ME60 can be configured with both ppp and web authentication on one interface, as follows:
interface GigabitEthernet6/0/8.200
user-vlan 200
bas

access-type layer2-subscriber default-domain pre-authentication pre_sino authentication sino
authentication-method ppp web

With the configuration above, IPoE users enter domain pre_sino, which is configured with the web authentication type and performs redirection; PPP users enter domain sino and are authenticated directly.
One interface then carries two users with the same MAC address, as follows:
[R1]display access-user interface gig 6/0/8.200

UserID Username Interface IP address MAC
IPv6 address

3 user@sino GE6/0/8.200 6.6.6.5 0001-0101-0102 //PPP user
-
4 R1-06008020000000@p… GE6/0/8.200 6.6.6.6 0001-0101-0102 //web user
-

Normal users : 2
RUI Local users : 0
RUI Remote users : 0
Total users : 2

ME60 IPoE authentication: after RADIUS kicks the user offline, the terminal cannot come online again
Problem description
ME60 V6R8
With IPoE authentication, after the user is kicked offline by RADIUS, the terminal cannot come online again and has no access at all.
Key configuration is as follows:

interface Eth-Trunk0.2000
pppoe-server bind Virtual-Template 1
user-vlan 1211 1218 qinq 1061
bas

access-type layer2-subscriber default-domain pre-authentication mac-jq-bg-test authentication jq-bg-test
nas-port-type 802.11
authentication-method ppp web dot1x
arp-trigger
ip-trigger

Handling process
Check the access information of the user after it was kicked offline by RADIUS and could no longer reach the network: disp access-user mac-add --**** shows no record, which means the user has been removed from the pre-authentication domain.
When RADIUS kicks the old user offline, the process ends with Session time out, i.e. the time quota is exhausted, and RADIUS deletes the simplified MAC authentication record. For this offline reason the ME keeps no backup information for the user, so the user cannot be triggered online again.

[ME60]display aaa offline-record mac-address 000e-c6d7-b2c1

User name : 000e-c6d7-b2c1@mac-jq-jg-4
Domain name : mac-jq-jg-4
User MAC : 000e-c6d7-b2c1
User access type : IPoE
User access interface: Eth-Trunk0.1000
User access PeVlan/CeVlan : 2031/2010
User IP address : 172.16.27.249
User ID : 1372
User authen state : Authened
User acct state : AcctStopWait
User author state : AuthorIdle
User login time : 2018-09-20 18:11:57
User offline time : 2018-09-20 18:15:28
User offline reason: Session time out

Are you sure to display some information?(Y/N)[Y]:y

User name : 000e-c6d7-b2c1@mac-jq-jg-4
Domain name : mac-jq-jg-4
User MAC : 000e-c6d7-b2c1
User access type : IPoE
User access interface: Eth-Trunk0.1000
User access PeVlan/CeVlan : 2031/2010
User IP address : 172.16.27.249
User ID : 1371
User authen state : Authened
User acct state : AcctStopWait
User author state : AuthorIdle
User login time : 2018-09-20 18:06:43
User offline time : 2018-09-20 18:11:56
User offline reason: AAA with radius server cut command
Configure local-backup offline-reason quota-out in the system view; the problem is resolved after this configuration.
Root cause
For a user that went offline because its time quota was exhausted, the ME keeps no backup information, so the user cannot be triggered online again.
Solution
Configure local-backup offline-reason quota-out.
Suggestions and summary
ip-trigger and arp-trigger let IP or ARP packets trigger user login, but in some special scenarios they cannot satisfy the login requirement on their own.
The local-backup offline-reason quota-out command enables backup of the information of users that went offline because their time or traffic quota was exhausted.
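Both this case and the portal case earlier on this page turn on reading the Key : value records printed by display aaa offline-record and display aaa online-fail-record. The following is an added example, not code from the original post or from Huawei: it parses that output into records, skipping the command echo and the "Are you sure to display some information?" paging prompt that appears between records, and picks out the offline reason this case identifies as one the ME does not back up, Session time out, which local-backup offline-reason quota-out covers. Both samples are constructed, shortened copies of the output shown on this page.

```python
"""Added example: parse display aaa offline-record / online-fail-record output."""
import re

# 'Key : value'; the key is everything up to the first colon, so values that
# contain colons (timestamps) survive intact.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")

# Constructed sample (shortened from the page's offline-record output).
SAMPLE_OFFLINE = """\
[ME60]display aaa offline-record mac-address 000e-c6d7-b2c1

User name : 000e-c6d7-b2c1@mac-jq-jg-4
Domain name : mac-jq-jg-4
User MAC : 000e-c6d7-b2c1
User access type : IPoE
User ID : 1372
User login time : 2018-09-20 18:11:57
User offline time : 2018-09-20 18:15:28
User offline reason: Session time out

Are you sure to display some information?(Y/N)[Y]:y

User name : 000e-c6d7-b2c1@mac-jq-jg-4
Domain name : mac-jq-jg-4
User MAC : 000e-c6d7-b2c1
User access type : IPoE
User ID : 1371
User login time : 2018-09-20 18:06:43
User offline time : 2018-09-20 18:11:56
User offline reason: AAA with radius server cut command
"""

# Constructed sample (shortened from the page's online-fail-record output).
SAMPLE_ONLINE_FAIL = """\
display aaa online-fail-record mac-address e05f-4557-cb40

User name : 18608134971@SCCNWIFI
Domain name :
User MAC : e05f-4557-cb40
User access type : IPoE
User authen state : Authened
Online fail reason : Packet Authenticator Error
"""


def parse_aaa_records(text):
    """Split the output into one dict per record; a record starts at 'User name'."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the command echo and the paging prompt.
        if not line or line.startswith("[") or "(Y/N)" in line:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "User name" and current:
            records.append(current)
            current = {}
        current[key] = val
    if current:
        records.append(current)
    return records


def reasons(records):
    """(MAC, reason) for each record, whichever of the two reason fields is present."""
    return [(r.get("User MAC"),
             r.get("Online fail reason") or r.get("User offline reason"))
            for r in records]


def quota_out_offlines(records):
    """Records that went offline with 'Session time out' (quota exhausted): the
    offline reason for which, per this case, no backup is kept unless
    'local-backup offline-reason quota-out' is configured."""
    return [r for r in records if r.get("User offline reason") == "Session time out"]


if __name__ == "__main__":
    for r in quota_out_offlines(parse_aaa_records(SAMPLE_OFFLINE)):
        print(f"user {r['User ID']} ({r['User MAC']}) left with quota exhausted at "
              f"{r['User offline time']}; check local-backup offline-reason quota-out")
    print(reasons(parse_aaa_records(SAMPLE_ONLINE_FAIL)))
```

Reading the records this way makes the order of events visible: on the page the RADIUS cut (user ID 1371) is followed by a second login that ends with Session time out (user ID 1372), and it is that second offline reason, not the cut itself, that leaves no backup entry to trigger from.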

FAQ: ME60-X3 V600R008C10SPC300 MAC-priority portal authentication: after successful authentication, a user that accesses again is still in the pre-authentication domain
Problem description
ME60-X3 V600R008C10SPC300 MAC-priority portal authentication: after the user authenticates successfully and accesses a second time successfully, it is still in the pre-authentication domain.
The BRAS interface configuration is as follows:

interface Eth-Trunk1.1411
user-vlan 1411
remote-backup-profile p1
bas

access-type layer2-subscriber default-domain pre-authentication premac1411 authentication campus
dhcp session-mismatch action offline
authentication-method web

User information on the second access after successful authentication:
[ME60-1]dis access-user ip-address 10.7.128.25

User access index : 171858
State : Used
User name : 1111-1111-1111@premac1411
Domain name : premac1411 //after successful authentication, terminal 1111-1111-1111 belongs to pre-authentication domain premac1411
Backup from(IPv4) : Local
RUI user state : Master
User access interface : Eth-Trunk1.1411
User access physical interface: GigabitEthernet4/0/0
User access PeVlan/CeVlan : 1411/-
User access slot : 4
User MAC : 1111-1111-1111
User IP address : 10.7.128.25
User IP netmask : 255.255.255.255
User gateway address : 10.7.128.1
User Primary-DNS : 8.8.8.8
User Authen IP Type : ipv4/-/-
User Basic IP Type : -/-/-
Server IP : 172.20.2.2
User MSIDSN name : -
EAP user : No
MD5 end : No
MTU : 1500
Vpn-Instance : -
MAC Address : 1111-1111-1111
IP Address : 10.7.128.25
Interface : Eth-Trunk1.1411
PE VLAN ID : 1411
Access Mode : IPoE ]
User access type : IPOE
User authentication type : No authentication
RADIUS-server-template : drcom-mac
Server-template of second acct: -
Agent-Circuit-Id : -
Agent-Remote-Id : -
Access-line-id Information(dhcpv4 option82): -
Current authen method : RADIUS authentication
Authen result : Success
Current author method : Idle
Author result : Success
Action flag : Idle
Authen state : Authed
Author state : Idle
Configured accounting method : RADIUS accounting
Quota-out : Offline
Current accounting method : RADIUS accounting

Solution
On the user's second access, MAC authentication succeeds and the user is in the normal state in the MAC authentication domain premac1411.
Domain premac1411 is not an ordinary pre-authentication domain; premac1411 is a MAC authentication domain.

ME60 as BRAS: on the same sub-interface, web authentication passes but PPPoE authentication fails
Problem description
The DHCP address pool is remote and the ME60 acts as BRAS. On the same sub-interface, web authentication alone passes and PPPoE authentication alone passes;
but when web authentication and PPPoE authentication are used at the same time, the web-authenticated terminal obtains an IP address and passes authentication normally, whereas PPPoE authentication fails and obtains no IP address.
Alarm information

Handling process
1. Hardware problem
Check the hardware status of the ME60 with display device; all boards are registered normally.
display device
MultiserviceEngine 60-X3's Device status:
Slot # Type Online Register Status Primary


1 BSU Present Registered Normal NA
4 MPU Present NA Normal Master
5 MPU Present Registered Normal Slave
6 CLK Present Registered Normal Master
7 CLK Present Registered Normal Slave
8 PWR Present Registered Normal NA
9 PWR Present Registered Normal NA
10 FAN Present Registered Normal NA

The other physical devices involved are running normally.
2. Check the global configuration
(1) Check the configuration globally; both the switch and the ME60 configuration are normal.
Device connection description:

One USG9560 firewall connects upstream to the ISP and downstream to an S12712.
The S12712 has an ME60 and a DHCP server attached on the side and connects downstream to the floor access switches.
The floor switches connect the wireless routers and PC terminals.

(2) Check the ME60 configuration; it is normal.
dis version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.160 (ME60 V600R008C10SPC300)
Copyright (C) 2000-2014 Huawei Technologies Co., Ltd.
HUAWEI MultiserviceEngine 60-X3 uptime is 80 days, 1 hour, 28 minutes
Patch version : V600R008SPC009
MultiserviceEngine 60-X3 version information:

Other output omitted.
dis cur

sysname JXCD-ME60X3

user-group 1
user-group isp

value-added-service enable
value-added-service quota-out offline

qos-profile internet
car cir 100000 cbs 18700000 green pass red discard inbound
car cir 100000 cbs 18700000 green pass red discard outbound
qos-profile neiwang
car cir 100000 cbs 18700000 green pass red discard inbound
car cir 100000 cbs 18700000 green pass red discard outbound

radius-server group hwradius
radius-server authentication 172.x.x.80 1812 weight 80
radius-server accounting 172.x.x.80 1813 weight 80
radius-server shared-key-cipher <ciphertext garbled in extraction>
undo radius-server user-name domain-included

radius-server group macjxcd
radius-server authentication 172.x.x.80 1812 weight 80
radius-server accounting 172.x.x.80 1813 weight 80
radius-server shared-key-cipher <ciphertext garbled in extraction>
radius-server attribute translate
undo radius-server user-name domain-included
radius-attribute include HW-Auth-Type
radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account

radius-server authorization 172.x.x.80 shared-key huawei server-group hwradius

acl number 6000
rule 10 permit ip source user-group 1 destination ip-address 127.0.0.1 0
rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group 1
rule 20 permit ip source user-group 1 destination ip-address 172. x.x.80 0
rule 25 permit ip source ip-address 172.x.x.80 0 destination user-group 1
Other rules omitted.

acl number 6001
rule 10 permit tcp source user-group 1 destination-port eq www
rule 15 permit tcp source user-group 1 destination-port eq 8080
rule 20 permit ip source user-group 1

acl number 6010
rule 10 permit ip source user-group isp destination ip-address 210. x.x.0 0.0.15.255
rule 15 permit ip source ip-address 210. x.x.0 0.0.15.255 destination user-group isp
Other rules omitted.

acl number 6011
rule 10 permit ip source user-group isp
rule 15 permit ip destination user-group isp

traffic classifier web_deny operator or
if-match acl 6001
traffic classifier web_permit operator or
if-match acl 6000
traffic classifier tc2 operator or
if-match acl 6011
traffic classifier tc1 operator or
if-match acl 6010

traffic behavior web_deny
http-redirect
traffic behavior web_permit
traffic behavior tb1
tariff-level 1
car
traffic-statistic
traffic behavior tb2
tariff-level 2
car
traffic-statistic

traffic policy traffic_policy_daa1
share-mode
classifier tc1 behavior tb1
classifier tc2 behavior tb2
traffic policy web
share-mode
classifier web_permit behavior web_permit
classifier web_deny behavior web_deny

dhcp-server group group1
dhcp-server 210. x.x.8

dhcp-server group wlandhcpserver
dhcp-server 172. x.x.57

ip pool ceshi168 bas remote
gateway 172. x.x.254 255.255.248.0
dhcp-server group group1

ip pool wlandhcp bas remote
gateway 10. x.x.254 255.255.255.0
dhcp-server group wlandhcpserver

dot1x-template 1

aaa
mac-user ppp-preferred
nas-serial JXCD-ME60X3
default-user-name include mac-address -
local-user hwadmin password irreversible-cipher <ciphertext garbled in extraction>
local-user hwadmin service-type terminal telnet ssh
local-user hwadmin level 15
local-user hwadmin state block fail-times 3 interval 5
authentication-scheme default0
authentication-scheme default1
authentication-scheme default
authentication-mode local radius
authentication-scheme noneauth1
authentication-mode none
authentication-scheme jxcd
authentication-scheme macyouxian
authening authen-fail online authen-domain none-youxian
authentication-scheme macwlan
authening authen-fail online authen-domain none-wlan

authorization-scheme default

accounting-scheme default0
accounting-scheme default1
accounting-scheme noneacct1
accounting-mode none
accounting-scheme jxcd
accounting interim interval 1
accounting-scheme macjxcd
accounting interim interval 3

domain default0
domain none-youxian
authentication-scheme default0
accounting-scheme default0
ip-pool ceshi168
user-group 1
web-server 172. x.x.80
web-server url http://172. x.x.80/a79.htm
web-server url-parameter
web-server user-first-url-key default-name
http-hostcar enable
domain youxian
authentication-scheme jxcd
accounting-scheme jxcd
ip-pool ceshi168
value-added-service account-type radius hwradius
value-added-service policy vp-daa
radius-server group hwradius
user-group isp
web-server url-parameter
domain none-wlan
authentication-scheme default0
accounting-scheme default0
ip-pool wlandhcp
user-group 1
web-server 172. x.x.80
web-server url http://172. x.x.80/a79.htm
web-server url-parameter
web-server user-first-url-key default-name
http-hostcar enable
domain wlan
authentication-scheme jxcd
accounting-scheme jxcd
radius-server group hwradius
web-server url-parameter
domain mac-youxian
authentication-scheme macyouxian
accounting-scheme macjxcd
ip-pool ceshi168
mac-authentication enable
radius-server group macjxcd
domain youxianhouyu
authentication-scheme jxcd
accounting-scheme jxcd
radius-server group hwradius
web-server url-parameter
domain mac-wlan
authentication-scheme macwlan
accounting-scheme macjxcd
ip-pool wlandhcp
mac-authentication enable
radius-server group macjxcd

value-added-service policy vp-daa daa
accounting-scheme jxcd
user-group isp
traffic-separate enable
tariff-level 1 qos-profile neiwang
tariff-level 1 flow-queue-shaping inbound 100000 outbound 100000
tariff-level-cfg 1 accounting off
tariff-level 2 qos-profile internet
tariff-level 2 flow-queue-shaping inbound 100000 outbound 100000

multicastbandwidth

interface Virtual-Template1
ppp authentication-mode auto

interface GigabitEthernet1/0/0
description To S12712 G4/0/1
undo shutdown

interface GigabitEthernet1/0/0.1
pppoe-server bind Virtual-Template 1
user-vlan 100 200 qinq 1268
bas

access-type layer2-subscriber default-domain pre-authentication none-youxian authentication youxian
authentication-method ppp web
arp-proxy
ip-trigger
arp-trigger

interface GigabitEthernet1/0/0.10
pppoe-server bind Virtual-Template 1
user-vlan 201 300 qinq 1268
bas

access-type layer2-subscriber default-domain pre-authentication mac-youxian authentication youxianhouyu
authentication-method ppp web

interface GigabitEthernet1/0/1
description To S12712 G4/0/4 TO internet
undo shutdown
ip address 172.x.x.11 255.255.255.0

interface GigabitEthernet1/0/2
description To S12712 G4/0/5 WLANUSER
undo shutdown

interface GigabitEthernet1/0/2.1
user-vlan 1269
bas

access-type layer2-subscriber default-domain pre-authentication mac-wlan authentication wlan
authentication-method web

Other interfaces omitted.

ip route-static 0.0.0.0 0.0.0.0 172.x.x.1

accounting-service-policy traffic_policy_daa1

traffic-policy web inbound
traffic-policy web outbound

web-auth-server source interface GigabitEthernet1/0/1
web-auth-server version v2
web-auth-server 172.x.x.80 port 2000 key simple webvlan nas-ip-address

#
Part of the configuration is omitted.
Check the port status with display interface brief; the ports are normal.
dis interface brief
Interface PHY Protocol InUti OutUti inErrors outErrors
GigabitEthernet1/0/0 up down 0% 0% 0 0
GigabitEthernet1/0/0.1 up up 0% 0% 0 0
GigabitEthernet1/0/0.10 up up 0% 0% 0 0
GigabitEthernet1/0/1 up up 0% 0% 0 0
GigabitEthernet1/0/2 up down 0% 0% 0 0
GigabitEthernet1/0/2.1 up up 0% 0% 0 0
Check the routing table with display ip routing-table; it is normal:
display ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
    0.0.0.0/0   Static  60   0          RD   172.31.201.1    

Ping tests show that the DHCP server, the AAA server and the DNS address are reachable from the device.
ping 172. x.x.57
Reply from 172.x.x.57: bytes=56 Sequence=1 ttl=126 time=1 ms
Other output omitted.
ping 172. x.x.80
Reply from 172. x.x.80: bytes=56 Sequence=1 ttl=63 time=1 ms
Other output omitted.
ping 210. x.x.8
Reply from 210. x.x.8: bytes=56 Sequence=1 ttl=63 time=1 ms
Other output omitted.

The checks above find no problem in the BRAS configuration.

3. Configure PPPoE authentication alone on the interface and test whether authentication works.
With PPPoE authentication alone on the interface, authentication passes, the terminal obtains an IP address normally and the service test is normal.
4. Configure web authentication alone on the interface.
With web authentication alone on the interface, the terminal obtains an IP address normally, authentication succeeds and the service test is normal.
5. Use web authentication and PPPoE authentication on the same sub-interface at the same time.
The terminal first obtains an IP address; web authentication passes but PPPoE authentication fails.
Packet capture analysis shows that the PPPoE session does not obtain an IP address.
Root cause
When a DHCP user and a PPP user with the same MAC address come online at the same time, an RUI remote address pool can assign an IP address to only one of them.
Solution
Since the customer requires the address pool to be remote rather than local, add the mac-user ppp-preferred command in the aaa view of the ME60.
The mac-user ppp-preferred command specifies that when a DHCP user and a PPP user with the same MAC address come online, the PPP user takes priority.
system-view
[HUAWEI] aaa
[HUAWEI-aaa] mac-user ppp-preferred
Now, after web authentication succeeds, the PPPoE dial-up also authenticates successfully.
Suggestions and summary

When a DHCP user and a PPP user with the same MAC address come online at the same time, an RUI remote address pool can assign an IP address to only one of them. This command can be configured so that, among users with the same MAC address coming online, the PPP user takes priority.
Configuration impact: when a PPP user dials in while a DHCP user with the same MAC address is already online, the DHCP user is forced offline, which releases the address so that the PPP user can come online normally.

NE40E-X8 configured as pppoe-server with authentication mode radius then none: none does not take effect
Problem description
RADIUS服务器----------NE40E-X8----------------PC
The NE40E-X8 is configured with the BRAS function as a pppoe-server, with the authentication mode radius first, then none, so that when the RADIUS server fails the terminal can access the Internet without authentication. The customer's actual test result: when the RADIUS server is up, authentication passes normally; after the RADIUS server goes down, the terminal is still prompted to authenticate, so the none fallback does not take effect.
The approximate configuration is as follows:

radius-server group pppoe
radius-server authentication 172.20.0.36 1812 weight 0
radius-server authentication 172.20.0.37 1812 weight 0
radius-server accounting 172.20.0.36 1813 weight 0
radius-server accounting 172.20.0.37 1813 weight 0
radius-server shared-key amtium
radius-server nas-ip-address 172.254.251.1
undo radius-server user-name domain-included

aaa
local-user liushuling password cipher <ciphertext garbled in extraction>
local-user liushuling service-type terminal telnet
local-user liushuling level 1
local-user liushuling state block fail-times 3 interval 5
authentication-scheme pppoe
authentication-mode radius none

authorization-scheme default

accounting-scheme default
accounting-scheme pppoe
accounting interim-fail max-times 1 online

domain pppoe-hh
authentication-scheme pppoe
accounting-scheme pppoe
ip-pool pppoe-pool-hh-01
dns primary-ip 112.100.100.100
radius-server group pppoe
user-group pppoe-hh

interface Virtual-Template1
ppp authentication-mode pap

interface GigabitEthernet3/0/23.1
pppoe-server bind Virtual-Template 1
user-vlan 903
bas

access-type layer2-subscriber default-domain authentication pppoe-hh
access-delay 50 even-mac

Handling process
1. The configuration alone does not reveal the cause. Guide the customer to collect trace information and check the online-failure reason with display aaa online-fail-record: the login was rejected because accounting failed. But the RADIUS server had already been shut down during the test and could not answer any accounting request:

Are you sure to display some information?(Y/N)[Y]:

User name : b
Domain name : pppoe-hh
User MAC : 0013-776a-a94f
User access type : PPPoE
User access interface: GigabitEthernet3/0/23.1
User access PeVlan/CeVlan : 903/-
User IP address : 10.158.3.241
User ID : 35
User authen state : Authened
User acct state : AcctReady
User author state : AuthorIdle
User login time : 2014-12-12 16:09:48
User offline time : 2014-12-12 16:10:48
User offline reason: AAA with start accounting fail
Advise the customer to enable staying online on accounting failure:
[R1-aaa]accounting-scheme pppoe
[R1-aaa-accounting- pppoe]accounting start-fail online
The fault persists after enabling it.
2. Guide the customer to trace the authenticating terminal and record the exact authentication exchange. The device sends an authentication request every 5 seconds; the request is sent three times to server 172.20.0.36 without a response. It then starts sending to server 172.20.0.37, and right after the first packet, before any retransmission, it receives the LCP terminate request from the terminal:
Dec 15 2014 16:20:33.920.17 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
MAC Address : D43D-7EA4-6813
IP Address : 255.255.255.255
Interface : GigabitEthernet3/0/23.1
PE VLAN ID : 903
User Name : kkkk@pppoe-hh]
[trace info:
Radius Sent a Packet
Server Template: 0
Server IP : 172.20.0.36
Vpn-Instance: -
NAS Port : 1812
Protocol: Standard
Code : Authentication request
Len : 293
ID : 27
Dec 15 2014 16:20:38.920.1 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
MAC Address : D43D-7EA4-6813
IP Address : 255.255.255.255
Interface : GigabitEthernet3/0/23.1
PE VLAN ID : 903
User Name : kkkk@pppoe-hh]
[trace info:
Radius Sent a Packet
Server Template: 0
Server IP : 172.20.0.36
Vpn-Instance: -
NAS Port : 1812
Protocol: Standard
Code : Authentication request
Len : 293
ID : 27
Dec 15 2014 16:20:43.920.1 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
MAC Address : D43D-7EA4-6813
IP Address : 255.255.255.255
Interface : GigabitEthernet3/0/23.1
PE VLAN ID : 903
User Name : kkkk@pppoe-hh]
[trace info:
Radius Sent a Packet
Server Template: 0
Server IP : 172.20.0.36
Vpn-Instance: -
NAS Port : 1812
Protocol: Standard
Code : Authentication request
Len : 293
ID : 27

Dec 15 2014 16:20:48.920.1 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
MAC Address : D43D-7EA4-6813
IP Address : 255.255.255.255
Interface : GigabitEthernet3/0/23.1
PE VLAN ID : 903
User Name : kkkk@pppoe-hh]
[trace info:
Radius Sent a Packet
Server Template: 0
Server IP : 172.20.0.37
Vpn-Instance: -
NAS Port : 1812
Protocol: Standard
Code : Authentication request
Len : 293
Dec 15 2014 16:20:52.960.2 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=3][PPP][user info:
Advise reducing the RADIUS server retransmission count and shortening the timeout, for example to a timeout of 3 seconds and 2 retransmissions, so that loss of communication with a server is detected sooner. Command: radius-server retransmit 2 timeout 3
The problem is resolved after the configuration change.
Root cause
By default the NE40E sends a packet to the accounting server 3 times with a retransmission timeout of 5 seconds, so one retransmission cycle takes a total of 15 s before the server's state is confirmed. Within that default retransmission window the terminal has already concluded that its authentication request to the RADIUS server failed and sends an LCP terminate request.
Solution
In this fault the terminal's own authentication timeout was shorter than our device's default retransmission time, so changing the retransmission count and timeout resolves the problem.
Suggestions and summary
When NE/ME devices process user login, they first authenticate the user and send the accounting-start packet only after authentication succeeds.
If the authentication scheme is configured as radius first, then none, the authentication process first sends to all RADIUS servers and falls back to local authentication only after none of the RADIUS servers responds.
Some RADIUS servers may have a wrongly configured accounting template, or the accounting server settings may be unknown, so that authentication succeeds but the login is still rejected and fails with AAA with start accounting fail. This can be worked around by enabling the stay-online-on-accounting-failure functions accounting interim-fail max-times 1 online / accounting start-fail online.
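The timing argument in this case can be checked from the trace itself rather than estimated. The following is an added example, not code from the original post or from Huawei: it parses the timestamped BTRC headers, attributes each RADIUS transmission to the server named in the following Server IP line, measures the spacing and the moment the PPP module first acts (the LCP terminate from the terminal), and compares that with the worst-case time the device needs to give up on every server before falling through to none. The trace is a constructed, shortened copy of the lines shown above (only the header and Server IP lines are kept). The budget formula assumes that each server receives attempts transmissions, each waiting timeout seconds, which matches the page's statement that the default 3 x 5 s takes 15 s per server; modelling radius-server retransmit 2 timeout 3 as 2 transmissions x 3 s is an assumption made here.

```python
"""Added example: RADIUS retransmission timeline from a trace vs. the client's give-up time."""
import re
from datetime import datetime

# Constructed, shortened copy of the trace in this case.
SAMPLE_TRACE = """\
Dec 15 2014 16:20:33.920.17 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
User Name : kkkk@pppoe-hh]
[trace info:
Radius Sent a Packet
Server IP : 172.20.0.36
Code : Authentication request
Dec 15 2014 16:20:38.920.1 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
Radius Sent a Packet
Server IP : 172.20.0.36
Dec 15 2014 16:20:43.920.1 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
Radius Sent a Packet
Server IP : 172.20.0.36
Dec 15 2014 16:20:48.920.1 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
Radius Sent a Packet
Server IP : 172.20.0.37
Dec 15 2014 16:20:52.960.2 HH-D-NE30E-X3-R1 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=3][PPP][user info:
"""

# 'Mon DD YYYY HH:MM:SS.mmm.<seq> host BTRC/...[RADIUS|PPP]'; the trailing
# '.<seq>' after the milliseconds is a per-second counter and is dropped.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3})\.\d+ .*\[(?P<module>RADIUS|PPP)\]"
)
SERVER_RE = re.compile(r"^Server IP\s*:\s*(?P<ip>\S+)")


def parse_trace(text):
    """Return [(seconds since first event, module, server ip or None)]."""
    events, t0 = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S.%f")
            t0 = t0 if t0 is not None else ts
            events.append([(ts - t0).total_seconds(), m.group("module"), None])
            continue
        s = SERVER_RE.match(line)
        if s and events and events[-1][1] == "RADIUS":
            events[-1][2] = s.group("ip")   # attach the server to the last RADIUS event
    return [tuple(e) for e in events]


def radius_sends(events):
    """(time, server ip) for every RADIUS transmission in the trace."""
    return [(t, ip) for t, module, ip in events if module == "RADIUS" and ip]


def first_ppp_event(events):
    """Seconds from the first RADIUS send to the first PPP-module event (the LCP terminate)."""
    return next((t for t, module, _ in events if module == "PPP"), None)


def server_timeout_budget(servers, attempts, timeout):
    """Worst-case seconds before every server has been declared unresponsive."""
    return servers * attempts * timeout


def fallback_fits(client_giveup, servers, attempts, timeout):
    """True when the device can exhaust all servers before the client gives up."""
    return server_timeout_budget(servers, attempts, timeout) < client_giveup


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("sends:", radius_sends(ev))
    giveup = first_ppp_event(ev)
    print(f"client gave up after {giveup:.2f} s")
    for attempts, timeout in ((3, 5), (2, 3)):   # default vs. retransmit 2 timeout 3
        budget = server_timeout_budget(2, attempts, timeout)
        print(f"{attempts} x {timeout} s over 2 servers = {budget} s:",
              "fits" if fallback_fits(giveup, 2, attempts, timeout) else "too slow")
```

With the default 3 x 5 s per server the device needs 30 s for two servers, while the trace shows the terminal tearing the session down about 19 s after the first request; 2 x 3 s per server brings the total down to 12 s, so the none method is reached while the PPP session is still up. The same arithmetic applies to any client-side timeout, so the two numbers to compare when tuning are the sum over servers and the shortest client timeout in the field.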

ME60 master/backup user authentication information not synchronized

Architecture: two ME60s serve as MSCG multi-service gateways in hot backup using VRRP plus RBS. The ME60s are interconnected through Layer 3 interfaces, and VRRP is established through the downstream aggregation trunk port. All small aggregation and access switches use the first 1 to 50 IP addresses of the service subnet as management addresses. The ME60s act as PE devices in the overall network and advertise all service addresses into the vpn-instance.
The relevant configuration is as follows
Master ME60
interface GigabitEthernet2/1/2.1
vlan-type dot1q 1049
ip address 1.1.0.50 255.255.255.248
vrrp vrid 49 virtual-ip 1.1.0.49
admin-vrrp vrid 49
vrrp vrid 49 priority 120
vrrp vrid 49 preempt-mode timer delay 1200
vrrp vrid 49 track interface Eth-Trunk1 reduced 50
vrrp vrid 49 track bfd-session 1049 peer
interface GigabitEthernet2/1/2.52
description M11_2F_WEST
user-vlan 52
remote-backup-profile rbp49
bas

access-type layer2-subscriber default-domain pre-authentication pre52 authentication 52
roam-domain 52
authentication-method web
ip-trigger
arp-trigger
vpn-instance g-pc
Backup ME60
interface GigabitEthernet2/1/2.1
vlan-type dot1q 1049
ip address 1.1.0.51 255.255.255.248
vrrp vrid 49 virtual-ip 1.1.0.49
admin-vrrp vrid 49
vrrp vrid 49 track bfd-session 2049 peer
interface GigabitEthernet2/1/2.52
description M11_2F_WEST
user-vlan 52
remote-backup-profile rbp49
bas

access-type layer2-subscriber default-domain pre-authentication pre52 authentication 52
roam-domain 52
authentication-method web
ip-trigger
arp-trigger
vpn-instance g-pc
Handling process
The management addresses of the downstream switches cannot be pinged.
Checking the switch status on the master ME60 shows the authentication information of 28 switches.
[dgd21amghw05]dis access-user domain st_predomain_production

UserID Username Interface IP address MAC
Vlan IPv6 address Access type

66639 dgd21amghw05-011020… GE1/1/2.54 10.105.54.7 049f-cace-50aa
54/- - VLAN-static
66640 dgd21amghw05-011020… GE1/1/2.38 10.105.38.8 ac61-758d-ff99
38/- - VLAN-static
66641 dgd21amghw05-011000… GE1/1/0.22 10.105.22.6 ac61-758e-0468
22/- - VLAN-static
66642 dgd21amghw05-021020… GE2/1/2.66 10.105.66.7 049f-cace-5127
66/- - VLAN-static
66643 dgd21amghw05-011010… GE1/1/1.30 10.105.30.7 ac61-758e-05e1
30/- - VLAN-static
66644 dgd21amghw05-021020… GE2/1/2.58 10.105.58.6 ac61-758e-084e
58/- - VLAN-static
66645 dgd21amghw05-011020… GE1/1/2.46 10.105.46.7 ac61-758e-07c2
46/- - VLAN-static
66646 dgd21amghw05-011020… GE1/1/2.62 10.105.62.6 049f-cace-50b3
62/- - VLAN-static
66647 dgd21amghw05-011020… GE1/1/2.54 10.105.54.6 ac61-758d-fdca
54/- - VLAN-static
66648 dgd21amghw05-021020… GE2/1/2.42 10.105.42.6 ac61-758e-027d
42/- - VLAN-static
66649 dgd21amghw05-011020… GE1/1/2.46 10.105.46.6 ac61-758d-fe82
46/- - VLAN-static
66650 dgd21amghw05-021010… GE2/1/1.34 10.105.34.7 ac61-758e-0045
34/- - VLAN-static
66652 dgd21amghw05-011020… GE1/1/2.38 10.105.38.7 ac61-758e-0149
38/- - VLAN-static
66653 dgd21amghw05-021020… GE2/1/2.50 10.105.50.6 ac61-758e-0476
50/- - VLAN-static
66654 dgd21amghw05-011000… GE1/1/0.22 10.105.22.7 ac61-758e-0508
22/- - VLAN-static
66655 dgd21amghw05-021010… GE2/1/1.34 10.105.34.6 049f-ca91-2525
34/- - VLAN-static
66658 dgd21amghw05-021020… GE2/1/2.66 10.105.66.6 ac61-758e-06f7
66/- - VLAN-static
66659 dgd21amghw05-011020… GE1/1/2.38 10.105.38.6 ac61-758e-0109
38/- - VLAN-static
66660 dgd21amghw05-011010… GE1/1/1.30 10.105.30.6 ac61-758e-0171
30/- - VLAN-static
66663 dgd21amghw05-011020… GE1/1/2.38 10.105.38.5 ac61-758d-fe29
38/- - VLAN-static
66666 dgd21amghw05-021010… GE2/1/1.34 10.105.34.5 ac61-758e-0125
34/- - VLAN-static
66692 dgd21amghw05-011010… GE1/1/1.30 10.105.30.5 049f-ca91-2621
30/- - VLAN-static
66696 dgd21amghw05-011000… GE1/1/0.22 10.105.22.5 049f-cace-50f8
22/- - VLAN-static
66698 dgd21amghw05-021020… GE2/1/2.42 10.105.42.5 049f-cace-50ed
42/- - VLAN-static
66710 dgd21amghw05-021000… GE2/1/0.26 10.105.26.8 ac61-758d-fe4c
26/- - VLAN-static
66711 dgd21amghw05-021000… GE2/1/0.26 10.105.26.7 ac61-758d-ff1c
26/- - VLAN-static
66712 dgd21amghw05-021000… GE2/1/0.26 10.105.26.5 049f-cace-50cc
26/- - VLAN-static
66713 dgd21amghw05-021000… GE2/1/0.26 10.105.26.6 ac61-758e-01cc
26/- - VLAN-static

Normal users : 0
RUI Local users : 28
RUI Remote users : 0
Total users : 28
Checking the switch status on the backup ME60 shows no switch information at all.
[dgd21amghw06]dis access-user domain st_predomain_production

UserID Username Interface IP address MAC
Vlan IPv6 address Access type


Normal users : 0
RUI Local users : 0
RUI Remote users : 0
Total users : 0
The access authentication state of the downstream switches is not synchronized between the master and backup ME60. Comparing the ME60 configurations shows that
the switches' domain on the master ME60 has one command more than on the backup ME60, vpn-instance g-pc:
domain st_predomain_production
authentication-scheme st-user
accounting-scheme st-user
ip-pool 22
ip-pool 24
ip-pool 26
ip-pool 28
ip-pool 30
ip-pool 36
ip-pool 38
ip-pool 40
ip-pool 42
ip-pool 44
ip-pool 46
ip-pool 48
ip-pool 50
ip-pool 52
ip-pool 54
ip-pool 56
ip-pool 58
ip-pool 60
ip-pool 62
ip-pool 64
ip-pool 66
ip-pool 68
vpn-instance g-pc
radius-server group st-user
user-group 1022
After adding the command on the backup ME60, checking the switch authentication state again gives the same information as on the master ME60, and all management addresses of the downstream switches can now be pinged.
[dgd21amghw06]dis access-user domain st_predomain_production

UserID Username Interface IP address MAC
Vlan IPv6 address Access type

9696 dgd21amghw05-021000… GE2/1/0.26 10.105.26.8 ac61-758d-fe4c
26/- - VLAN-static
9697 dgd21amghw05-011020… GE1/1/2.54 10.105.54.7 049f-cace-50aa
54/- - VLAN-static
9698 dgd21amghw05-011020… GE1/1/2.38 10.105.38.8 ac61-758d-ff99
38/- - VLAN-static
9699 dgd21amghw05-011000… GE1/1/0.22 10.105.22.6 ac61-758e-0468
22/- - VLAN-static
9700 dgd21amghw05-021020… GE2/1/2.66 10.105.66.7 049f-cace-5127
66/- - VLAN-static
9701 dgd21amghw05-011010… GE1/1/1.30 10.105.30.7 ac61-758e-05e1
30/- - VLAN-static
9702 dgd21amghw05-011010… GE1/1/1.30 10.105.30.5 049f-ca91-2621
30/- - VLAN-static
9703 dgd21amghw05-021000… GE2/1/0.26 10.105.26.7 ac61-758d-ff1c
26/- - VLAN-static
9704 dgd21amghw05-021020… GE2/1/2.58 10.105.58.6 ac61-758e-084e
58/- - VLAN-static
9705 dgd21amghw05-011020… GE1/1/2.46 10.105.46.7 ac61-758e-07c2
46/- - VLAN-static
9706 dgd21amghw05-011020… GE1/1/2.62 10.105.62.6 049f-cace-50b3
62/- - VLAN-static
9707 dgd21amghw05-011020… GE1/1/2.54 10.105.54.6 ac61-758d-fdca
54/- - VLAN-static
9708 dgd21amghw05-021020… GE2/1/2.42 10.105.42.6 ac61-758e-027d
42/- - VLAN-static
9709 dgd21amghw05-011020… GE1/1/2.46 10.105.46.6 ac61-758d-fe82
46/- - VLAN-static
9710 dgd21amghw05-011000… GE1/1/0.22 10.105.22.5 049f-cace-50f8
22/- - VLAN-static
9711 dgd21amghw05-021010… GE2/1/1.34 10.105.34.7 ac61-758e-0045
34/- - VLAN-static
9712 dgd21amghw05-011020… GE1/1/2.38 10.105.38.7 ac61-758e-0149
38/- - VLAN-static
9713 dgd21amghw05-021020… GE2/1/2.50 10.105.50.6 ac61-758e-0476
50/- - VLAN-static
9714 dgd21amghw05-011000… GE1/1/0.22 10.105.22.7 ac61-758e-0508
22/- - VLAN-static
9715 dgd21amghw05-021010… GE2/1/1.34 10.105.34.6 049f-ca91-2525
34/- - VLAN-static
9716 dgd21amghw05-021020… GE2/1/2.66 10.105.66.6 ac61-758e-06f7
66/- - VLAN-static
9717 dgd21amghw05-011020… GE1/1/2.38 10.105.38.6 ac61-758e-0109
38/- - VLAN-static
9718 dgd21amghw05-011010… GE1/1/1.30 10.105.30.6 ac61-758e-0171
30/- - VLAN-static
9719 dgd21amghw05-011020… GE1/1/2.38 10.105.38.5 ac61-758d-fe29
38/- - VLAN-static
9720 dgd21amghw05-021000… GE2/1/0.26 10.105.26.5 049f-cace-50cc
26/- - VLAN-static
9721 dgd21amghw05-021000… GE2/1/0.26 10.105.26.6 ac61-758e-01cc
26/- - VLAN-static
9722 dgd21amghw05-021020… GE2/1/2.42 10.105.42.5 049f-cace-50ed
42/- - VLAN-static
9723 dgd21amghw05-021010… GE2/1/1.34 10.105.34.5 ac61-758e-0125
34/- - VLAN-static

Normal users : 0
RUI Local users : 0
RUI Remote users : 28
Total users : 28
Root cause
The inconsistent master/backup ME60 configuration prevented the authentication information from being synchronized, which broke network connectivity.
Solution
In a master/backup ME60 setup, make sure the configuration policy is consistent on both sides; when the devices act as PE, the vpn-instance association must also be exactly the same.
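The symptom in this case, 28 RUI Local users on the master and 0 RUI Remote users on the backup, is easy to spot once the two display access-user tables are compared mechanically instead of by eye. The following is an added example, not code from the original post or from Huawei: it parses the two-line-per-user format of display access-user domain shown above (UserID, Username, Interface, IP address and MAC on the first line; Vlan, IPv6 address and Access type on the second), reads the summary counters, and reports which users the backup has not received. The samples are constructed, shortened copies of the page's output (three of the 28 switches); user IDs on the backup differ from the master's, as they do on the page, so users are matched by MAC address rather than by UserID.

```python
"""Added example: compare the RUI access-user tables of a master and a backup ME60."""
import re

# First line of an entry: UserID Username Interface IP MAC
ENTRY_RE = re.compile(
    r"^(?P<uid>\d+)\s+(?P<user>\S+)\s+(?P<intf>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})$"
)
SUMMARY_RE = re.compile(
    r"^(?P<key>Normal users|RUI Local users|RUI Remote users|Total users)\s*:\s*(?P<n>\d+)$"
)

# Constructed samples, shortened from the page's output.
MASTER = """\
UserID Username Interface IP address MAC
Vlan IPv6 address Access type

66639 dgd21amghw05-011020… GE1/1/2.54 10.105.54.7 049f-cace-50aa
54/- - VLAN-static
66640 dgd21amghw05-011020… GE1/1/2.38 10.105.38.8 ac61-758d-ff99
38/- - VLAN-static
66641 dgd21amghw05-011000… GE1/1/0.22 10.105.22.6 ac61-758e-0468
22/- - VLAN-static

Normal users : 0
RUI Local users : 3
RUI Remote users : 0
Total users : 3
"""
BACKUP_BEFORE = """\
UserID Username Interface IP address MAC
Vlan IPv6 address Access type

Normal users : 0
RUI Local users : 0
RUI Remote users : 0
Total users : 0
"""
BACKUP_AFTER = """\
UserID Username Interface IP address MAC
Vlan IPv6 address Access type

9697 dgd21amghw05-011020… GE1/1/2.54 10.105.54.7 049f-cace-50aa
54/- - VLAN-static
9698 dgd21amghw05-011020… GE1/1/2.38 10.105.38.8 ac61-758d-ff99
38/- - VLAN-static
9699 dgd21amghw05-011000… GE1/1/0.22 10.105.22.6 ac61-758e-0468
22/- - VLAN-static

Normal users : 0
RUI Local users : 0
RUI Remote users : 3
Total users : 3
"""


def parse_access_users(text):
    """Return ([user dicts], {summary counter: value}) from display access-user output."""
    users, summary, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            pending = m.groupdict()          # first line of an entry
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary[s.group("key")] = int(s.group("n"))
            continue
        if pending is not None and line:     # second line: Vlan IPv6 Access-type
            parts = line.split()
            pending.update(vlan=parts[0], ipv6=parts[1], access=parts[-1])
            users.append(pending)
            pending = None
    return users, summary


def sync_gap(master_text, backup_text):
    """MACs the backup is missing, plus the RUI counters that should mirror each other."""
    m_users, m_sum = parse_access_users(master_text)
    b_users, b_sum = parse_access_users(backup_text)
    missing = sorted({u["mac"] for u in m_users} - {u["mac"] for u in b_users})
    return {
        "missing_on_backup": missing,
        "master_local": m_sum.get("RUI Local users", 0),
        "backup_remote": b_sum.get("RUI Remote users", 0),
    }


if __name__ == "__main__":
    for label, backup in (("before fix", BACKUP_BEFORE), ("after fix", BACKUP_AFTER)):
        print(label, sync_gap(MASTER, backup))
```

A healthy pair has master_local equal to backup_remote and an empty missing_on_backup list; any MAC left over points at the domain or interface whose configuration differs between the two devices, which in this case was the missing vpn-instance g-pc under domain st_predomain_production.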

Reposted from blog.csdn.net/seaship/article/details/86131026