AAA故障与调试

在路由器的AAA配置中，是否认证，认证、授权及记账情况如何，在配置阶段少不了调试，在出现故障时，借助调试信息能很好地定位故障点。1．Debug AAA Authentication命令

使用Debug AAA Authentication命令来调试一个EXEC登录过程，采用的Rongxin的认证方法列表，使用TACACS+认证协议，系统通过发送GETUSER和GETPASS来提示输入用户名和密码，最优通过认证（PASS）的过程。

Router# debug aaa authentication

AAA Authentication debugging is on Router# *Mar  1 01:34:40.819: AAA/BIND（00000015）: Bind i/f   *Mar  1 01:34:40.827: AAA/AUTHEN/LOGIN （00000015）: Pick method list 'rongxin'  *Mar  1 01:34:52.903: AAA: parse name=tty130 idb type=-1 tty=-1 *Mar  1 01:34:52.903: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0 *Mar  1 01:34:52.907: AAA/MEMORY: create_user （0x64DE58AC） user='user1' ruser='NULL' ds0=0 port='tty130'  rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= （id=0） *Mar  1 01:34:52.911: AAA/AUTHEN/START （1579679647）: port='tty130' list='rongxin' action=LOGIN service=ENABLE *Mar  1 01:34:52.915: AAA/AUTHEN/START （1579679647）: non-console enable - default to enable password *Mar  1 01:34:52.919: AAA/AUTHEN/START （1579679647）: Method=ENABLE *Mar  1 01:34:52.919: AAA/AUTHEN（1579679647）: Status=GETPASS *Mar  1 01:34:54.627: AAA/AUTHEN/CONT （1579679647）: continue_login （user='（undef）'） *Mar  1 01:34:54.631: AAA/AUTHEN（1579679647）: Status=GETPASS *Mar  1 01:34:54.631: AAA/AUTHEN/CONT （1579679647）: Method=ENABLE *Mar  1 01:34:54.703: AAA/AUTHEN（1579679647）: Status=PASS *Mar  1 01:34:54.703: AAA/MEMORY: free_user （0x64DE58AC） user='NULL' ruser='NULL' port='tty130'  rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 vrf= （id=0） 2．Debug AAA Authorization命令

使用Debug AAA Authentication命令来调试认证信息，用户名为“user1”属性值被授权，最后端口授权通过。 Router# debug aaa authentication r AAA Authorization debugging is on Router# *Mar  1 01:35:18.427: AAA/BIND（00000016）: Bind i/f   *Mar  1 01:35:25.463: AAA/AUTHOR （0x16）: Pick method list 'rongxin'  *Mar  1 01:35:25.939: AAA/AUTHOR/EXEC（00000016）: processing AV cmd= *Mar  1 01:35:25.939: AAA/AUTHOR/EXEC（00000016）: Authorization successful *Mar  1 01:35:30.567: AAA: parse name=tty130 idb type=-1 tty=-1 *Mar  1 01:35:30.571: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0 *Mar  1 01:35:30.575: AAA/MEMORY: create_user （0x644CD260） user='user1' ruser='NULL' ds0=0 port='tty130'  rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= （id=0） *Mar  1 01:35:32.279: AAA/MEMORY: free_user （0x644CD260） user='NULL' ruser='NULL' port='tty130'  rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 vrf= （id=0） 3．Debug AAA Accounting命令 使用Debug AAA Accounting命令来调试记账信息，通过CALL START和CALL STOP 来按时计费，使用Debug Tacacs 和Debug RADIUS可得到基于协议级别的更多信息，也可以使用Show accounting来查看记账的记录。 Router# debug aaa accounting AAA Accounting debugging is on Router# *Mar  1 01:36:18.267: AAA/ACCT/EVENT/（00000017）: CALL START *Mar  1 01:36:18.267: Getting session id for NET（00000017） : db=64E2D51C *Mar  1 01:36:18.271: AAA/ACCT（00000000）: add node, session 20 *Mar  1 01:36:18.271: AAA/ACCT/NET（00000017）: add, count 1 *Mar  1 01:36:18.275: Getting session id for NONE（00000017） : db=64E2D51C *Mar  1 01:36:24.903: AAA/ACCT/EXEC（00000017）: Pick method list 'rongxin' *Mar  1 01:36:24.907: AAA/ACCT/SETMLIST（00000017）: Handle 29000006, mlist 642D96E0, Name rongxin *Mar  1 01:36:24.911: Getting session id for EXEC（00000017） : db=64E2D51C *Mar  1 01:36:24.911: AAA/ACCT（00000017）: add common node to avl failed *Mar  1 01:36:24.915: AAA/ACCT/EXEC（00000017）: add, count 2 *Mar  1 01:36:24.919: AAA/ACCT/EVENT/（00000017）: EXEC UP *Mar  1 01:36:24.919: AAA/ACCT/EXEC（00000017）: Queueing record is START *Mar  1 01:36:24.931: AAA/ACCT（00000017）: Accouting method=tacacs+ （TACACS+） *Mar  1 01:36:25.299: AAA/ACCT/EXEC（00000017）: START protocol reply PASS *Mar  1 01:36:25.299: AAA/ACCT（00000017）: Send START accounting notification to EM successfully *Mar  1 01:36:31.363: AAA: parse name=tty130 idb type=-1 tty=-1 *Mar  1 01:36:31.363: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0 *Mar  1 01:36:31.367: AAA/MEMORY: create_user （0x644CD260） user='user1' ruser='NULL' ds0=0 port='tty130'  rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= （id=0） *Mar  1 01:36:34.211: AAA/MEMORY: free_user （0x644CD260） user='NULL' ruser='NULL' port='tty130'  rem_addr='192.168.1.102' authen_type=ASCII service=ENABLE priv=15 vrf= （id=0） *Mar  1 01:36:44.431: unknown AAA/DISC: 1/"User Request" *Mar  1 01:36:44.431: unknown AAA/DISC/EXT: 1020/"User Request" *Mar  1 01:36:44.435: AAA/ACCT/EXEC（00000017）: Pick method list 'rongxin' *Mar  1 01:36:44.435: AAA/ACCT/SETMLIST（00000017）: Handle 29000006, mlist 642D96E0, Name rongxin *Mar  1 01:36:44.451: AAA/ACCT/EVENT/（00000017）: CALL STOP *Mar  1 01:36:44.451: AAA/ACCT/CALL STOP（00000017）: Sending stop requests *Mar  1 01:36:44.451: AAA/ACCT（00000017）: Send all stops *Mar  1 01:36:44.455: AAA/ACCT/EXEC（00000017）: STOP *Mar  1 01:36:44.459: AAA/ACCT/EXEC（00000017）: Queueing record is STOP osr 1 *Mar  1 01:36:44.459: AAA/ACCT/NET（00000017）: STOP *Mar  1 01:36:44.463: AAA/ACCT/NET（00000017）: Method list not found *Mar  1 01:36:44.463: AAA/ACCT/NET（00000017）: free_rec, count 1 *Mar  1 01:36:44.467: AAA/ACCT/NET（00000017） reccnt 1, csr TRUE, osr 1 *Mar  1 01:36:44.471: AAA/ACCT（00000017）: Accouting method=tacacs+ （TACACS+） *Mar  1 01:36:44.859: AAA/ACCT/EXEC（00000017）: STOP protocol reply PASS *Mar  1 01:36:44.863: AAA/ACCT（00000017）: Send STOP accounting notification to EM successfully *Mar  1 01:36:44.867: AAA/ACCT/EXEC（00000017）: Cleaning up from Callback osr 0 *Mar  1 01:36:44.867: AAA/ACCT（00000017）: del node, session 20 *Mar  1 01:36:44.871: AAA/ACCT/EXEC（00000017）: free_rec, count 0 *Mar  1 01:36:44.871: AAA/ACCT/EXEC（00000017） reccnt 0, csr TRUE, osr 0 *Mar  1 01:36:44.875: AAA/ACCT/EXEC（00000017）: Last rec in db, intf not enqueued