Background: h3cadmin wants to log in to 192.168.0.1 via HWTACACS authentication; the HWTACACS server address is 192.168.0.254.
During the login, debugging hwtacacs all is enabled on vty0 of this device and vty 1 is used as h3cadmin's entry point, so the packet exchange during the login can be seen directly below.
The network setup is as follows:
PC-192.168.0.1--------------------H3C SW--192.168.0.10--------------------HWTACACS server (Cisco ACS) 192.168.0.253
The basic message exchange over the whole process is as follows (this is how the manual describes it, but in practice it seems to differ slightly; see the actual packet exchange below):
(1) The user h3cadmin requests to log in to the device.
(2) After receiving the request, the HWTACACS client sends an authentication start packet to the HWTACACS server.
(3) The HWTACACS server sends an authentication reply packet requesting the user name.
(4) After receiving the reply packet, the HWTACACS client prompts the user for the user name.
(5) The user enters the user name.
(6) After receiving the user name, the HWTACACS client sends an authentication continue packet, containing the user name, to the HWTACACS server.
(7) The HWTACACS server sends an authentication reply packet requesting the login password.
(8) After receiving the reply packet, the HWTACACS client prompts the user for the login password.
(9) The user enters the password.
(10) After receiving the login password, the HWTACACS client sends an authentication continue packet, containing the login password, to the HWTACACS server.
(11) The HWTACACS server sends an authentication reply packet indicating that the user has passed authentication.
(12) The HWTACACS client sends an authorization request packet to the HWTACACS server.
(13) The HWTACACS server sends an authorization reply packet indicating that the user has passed authorization.
(14) After receiving the successful authorization reply, the HWTACACS client presents the device configuration interface to the user.
(15) The HWTACACS client sends an accounting start packet to the HWTACACS server.
(16) The HWTACACS server sends an accounting reply packet indicating that the accounting start packet has been received.
(17) The user requests to disconnect.
(18) The HWTACACS client sends an accounting stop packet to the HWTACACS server.
(19) The HWTACACS server sends an accounting reply packet indicating that the accounting stop packet has been received.
*Feb 30 02:12:53:653 2000 H3C TAC/7/Event: Create HWTACACS authentication request packet success //authentication request packet created successfully
*Feb 30 02:12:53:655 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC: //the device sends an authentication message to the TACACS server; AAA->TAC means the switch is sending to the ACS
*Feb 30 02:12:53:656 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=42 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=h3cadmin PortName=vty1 RemAddress=192.168.0.1 //IP of the host the user logs in from
UserMsg= DataMsg=
*Feb 30 02:12:53:669 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Feb 30 02:12:53:671 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=42 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=h3cadmin PortName=vty1 RemAddress=192.168.0.1 //IP of the host the user logs in from
UserMsg= DataMsg=
*Feb 30 02:12:53:672 2000 H3C TAC/7/Event: Successfully found the FIB information for the server (Server IP: 192.168.0.253, ××× index: 0).
*Feb 30 02:12:53:673 2000 H3C TAC/7/Event: Got nas-ip 192.168.0.10 and ××× 0 of server 192.168.0.253.
*Feb 30 02:12:53:675 2000 H3C TAC/7/Event: Successfully set socket ××× attribute (××× index: 0).
*Feb 30 02:12:53:676 2000 H3C TAC/7/Event:
hwtacacs create new session :
session id: 197458, user id: 42, server ip: 192.168.0.253 //a session is created: session id 197458, user ID 42, server IP 192.168.0.253
*Feb 30 02:12:53:678 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REQUEST //authentication start packet sent to the HWTACACS server (first packet sent)
seq_no:1 flag:ENCRYPTED_FLAG
session_id:30352 length:32
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_LOGIN
user len:7 port len:4 rem_addr len:13 data len:0
user name:h3cadmin port:vty1 rem_addr:192.168.0.1 data: //the first packet already carries the user name
*Feb 30 02:12:53:679 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Feb 30 02:12:53:770 2000 H3C TAC/7/Event:
hwtacacs packet sending success! //packet sent successfully
version:c0 type:01 sequence:01 flag:00 session id:197458 length:32
*Feb 30 02:12:53:772 2000 H3C TAC/7/Event: Authentication sending(Result = 0)
*Feb 30 02:12:53:873 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REPLY //authentication reply packet (from the server)
seq_no:2 flag:ENCRYPTED_FLAG
session_id:30352 length:16
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO
server_msg len:10 data len:0
server_msg:Password: data: //request message from the server: what is the password?
*Feb 30 02:12:53:874 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x5
*Feb 30 02:12:53:876 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_CONTINUE //authentication continue packet, carrying the password, sent to the HWTACACS server (second packet sent)
seq_no:3 flag:ENCRYPTED_FLAG
session_id:30352 length:11
user_msg len:****** data len:0 flag:0
user_msg:******
data:
*Feb 30 02:12:53:877 2000 H3C TAC/7/Event:
hwtacacs packet sending success! //packet sent successfully
version:c0 type:01 sequence:03 flag:00 session id:197458 length:11
*Feb 30 02:12:53:879 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Feb 30 02:12:53:880 2000 H3C TAC/7/Event: Authentication sending(Result = 0)
*Feb 30 02:12:53:976 2000 H3C TAC/7/Event:
version:c0 type:AUTHEN_REPLY //authentication reply packet (authentication passed; the authorization request follows)
seq_no:4 flag:ENCRYPTED_FLAG
session_id:30352 length:6
status:AUTHEN_STATUS_PASS flag:REPLY_FLAG_ECHO
server_msg len:0 data len:0
server_msg: data:
*Feb 30 02:12:53:978 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA: //TAC->AAA means the ACS server is sending to the switch
*Feb 30 02:12:53:979 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA: //TAC->AAA means the ACS server is sending to the switch
ulUserID=42
ucTACTemplateNO=0
ucflag=1
Echo=0
ServerMsg=
*Feb 30 02:12:53:980 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x1
*Feb 30 02:12:53:982 2000 H3C TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 197458, user id: 42, server ip: 192.168.0.253
*Feb 30 02:12:53:992 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Feb 30 02:12:53:994 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=42 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
PrivLevel=0 TemplateNum=0 ArgNum=2
UserName=h3cadmin PortName=vty1
Service=shell Protocol=cmd* RemAddress=192.168.0.1
*Feb 30 02:12:54:079 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC: //the authorization request packet is sent
*Feb 30 02:12:54:080 2000 H3C TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=42 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
PrivLevel=0 TemplateNum=0 ArgNum=2
UserName=h3cadmin PortName=vty1
Service=shell Protocol=cmd* RemAddress=192.168.0.1 //user name h3cadmin, requested service shell, protocol cmd*, client address 192.168.0.1
*Feb 30 02:12:54:082 2000 H3C TAC/7/Event: Successfully found the FIB information for the server (Server IP: 192.168.0.253, ××× index: 0).
*Feb 30 02:12:54:083 2000 H3C TAC/7/Event: Got nas-ip 192.168.0.10 and ××× 0 of server 192.168.0.253.
*Feb 30 02:12:54:085 2000 H3C TAC/7/Event: Successfully set socket ××× attribute (××× index: 0).
*Feb 30 02:12:54:086 2000 H3C TAC/7/Event:
hwtacacs create new session : //a new session is created
session id: 214297, user id: 42, server ip: 192.168.0.253
*Feb 30 02:12:54:087 2000 H3C TAC/7/Event:
version:c0 type:AUTHOR_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:34519 length:51
authen_method:AUTHEN_METH_PLUS priv_lvl:VISIT
authen_type:AUTHEN_TYPE_ASCII authen_service:AUTHEN_SVC_LOGIN
user len:7 port len:4 rem_addr len:13
arg_cnt:2
arg1 len:13 arg2 len:4
user:h3cadmin port:vty1 rem_addr:192.168.0.1
arg1 :service=shell arg2 :cmd*
*Feb 30 02:12:54:089 2000 H3C TAC/7/Event: statistic: transmit flag:1, server flag: 1,packet flag:0xff
*Feb 30 02:12:54:180 2000 H3C TAC/7/Event:
hwtacacs packet sending success! //packet sent successfully
version:c0 type:02 sequence:01 flag:00 session id:214297 length:51
*Feb 30 02:12:54:181 2000 H3C TAC/7/Event: Authorization sending(Result = 0)
*Feb 30 02:12:54:282 2000 H3C TAC/7/Event:
version:c0 type:AUTHOR_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:34519 length:18
status:AUTHOR_STATUS_PASS_ADD
server_msg len:0 data len:0
arg_cnt:1
arg1 len:11
server_msg:
data:
arg1 :priv-lvl=15
*Feb 30 02:12:54:284 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA: //TAC->AAA means the ACS server is sending to the switch
*Feb 30 02:12:54:285 2000 H3C TAC/7/Event:
TAC_MESSAGE for TAC->AAA: //TAC->AAA means the ACS server is sending to the switch
AuthorType=4 DataMsg=
Acl=0 Timeout=0 PrivLevel=3 NoHangup=0 //the level authorized here is 3
AutoExec= ServerMsg=
*Feb 30 02:12:54:286 2000 H3C TAC/7/Event: statistic: transmit flag:2, server flag: 1,packet flag:0x1
*Feb 30 02:12:54:288 2000 H3C TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 214297, user id: 42, server ip: 192.168.0.253
#Sep 30 02:12:54:306 2000 H3C SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:h3cadmin login from VTY
%Feb 30 02:12:54:309 2000 H3C SHELL/5/SHELL_LOGIN: h3cadmin logged in from 192.168.0.1. //login succeeded
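As an added example (not code from this post or from H3C), the following Python rebuilds the TACACS+/HWTACACS packets behind the numbered flow and the trace above, using the field sizes the trace reports (user 7, port 4, rem_addr 13, password 6, args 13/4 and 11), and implements the RFC 8907 body obfuscation that the trace labels ENCRYPTED_FLAG. The session id is taken from the trace; the shared key and the strings padded to the logged lengths are constructed placeholders, since the names printed in the post do not match the logged lengths.

```python
# Added example (not the post's or H3C's code): rebuild the HWTACACS/TACACS+ (RFC 8907)
# packets traced above and check their lengths. Strings are constructed to the logged sizes.
import hashlib
import struct

VERSION, SESSION_ID = 0xC0, 197458   # "version:c0" and "session id" in the trace

def header(ptype, seq_no, body, flags=0):
    """12-byte header: type 1 = authen, 2 = author; flags=0 is what the trace calls ENCRYPTED_FLAG."""
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, SESSION_ID, len(body))

def authen_start(user, port, rem, action=1, priv=0, atype=1, svc=1):
    """AUTHEN_REQUEST (START): the user name already travels in this first packet."""
    u, p, r = user.encode(), port.encode(), rem.encode()
    return struct.pack("!8B", action, priv, atype, svc, len(u), len(p), len(r), 0) + u + p + r

def authen_reply(status, flags, msg=b"", data=b""):
    """AUTHEN_REPLY: GETPASS=5 with NOECHO flag 1; PASS=1 with flag 0."""
    return struct.pack("!BBHH", status, flags, len(msg), len(data)) + msg + data

def authen_continue(user_msg, data=b"", flags=0):
    """AUTHEN_CONTINUE carrying the password (shown as ****** in the trace)."""
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data

def author_request(user, port, rem, args, method=6, priv=0, atype=1, svc=1):
    """AUTHOR_REQUEST: authen_method 6 = TACACS+, args service=shell and cmd*."""
    u, p, r, a = user.encode(), port.encode(), rem.encode(), [x.encode() for x in args]
    fixed = struct.pack("!8B", method, priv, atype, svc, len(u), len(p), len(r), len(a))
    return fixed + bytes(map(len, a)) + u + p + r + b"".join(a)

def author_reply(status, args, msg=b"", data=b""):  # AUTHOR_REPLY: PASS_ADD=1 with priv-lvl=15 argument
    a = [x.encode() for x in args]
    return struct.pack("!BBHH", status, len(a), len(msg), len(data)) + bytes(map(len, a)) + msg + data + b"".join(a)

def obfuscate(body, key, seq_no):
    """RFC 8907 body obfuscation: XOR with an MD5 chain over session_id | key | version | seq_no
    [| previous digest]. Applying it twice restores the body; only the shared key protects it."""
    seed, pad, prev = struct.pack("!I", SESSION_ID) + key + bytes([VERSION, seq_no]), b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def traced_lengths():
    """Body lengths of the packets in the trace, rebuilt from the logged field sizes."""
    user, port, rem = "u" * 7, "vty1", "r" * 13   # constructed: user len 7, port len 4, rem_addr len 13
    return {"AUTHEN_REQUEST": len(authen_start(user, port, rem)),                             # trace: 32
            "AUTHEN_REPLY_GETPASS": len(authen_reply(5, 1, b"Password: ")),                   # trace: 16
            "AUTHEN_CONTINUE": len(authen_continue(b"p" * 6)),                                # trace: 11
            "AUTHOR_REQUEST": len(author_request(user, port, rem, ["service=shell", "cmd*"])),  # trace: 51
            "AUTHOR_REPLY": len(author_reply(1, ["priv-lvl=15"]))}                            # trace: 18
```

The lengths it computes (32, 16, 11, 51, 18) are exactly the ones the switch printed, which is a quick way to confirm a field dump is being read correctly. The body "encryption" is only an MD5 keystream keyed by the shared secret, so the password in the AUTHEN_CONTINUE packet is as safe as that key and the network path to the server.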