Network Security and Technology

FWAUTH modules and their responsibilities (continued): how to troubleshoot each module

Last edited 11-30-2011 07:26 PM

In the previous post we introduced the fwauth-related modules and how they cooperate. When something goes wrong, how do you debug it, and how do you determine which module is at fault?
That is probably the next question on everyone's mind, so here we walk through troubleshooting fwauth module by module.


    1. fwauth module: debug commands and how to read the output
        set security firewall-authentication traceoptions flag all extensive
        set security traceoptions file fwauth_log
        set security traceoptions flag all

        root@jetstar> show log fwauth_log
        .
        .
        .
        Nov 22 22:39:24 22:39:23.1205425:CID-0:RT:process_auth_config: Got config from fwauthd when added to ssam
        This line shows that the configuration from fwauthd has been pushed down to the PFE (the RT side, where fwauth runs).


        Nov 23 20:44:53 20:44:51.1555880:CID-0:RT:TCP Proxy: process_ack_received_for_auth: lsys id 0, 1.1.1.10 -> 2.2.2.10 authentication packet
        This line marks the end of the syn-proxy phase: the TCP proxy has received the ACK for the authentication session from 1.1.1.10.

 
        Nov 23 20:44:53 20:44:51.1555880:CID-0:RT:fwauth_get_profile: policy didn't specify profile to use: Using default pass-through profile: local_pf
        fwauth selects the access profile. Here the policy did not name one, so the default pass-through profile local_pf is used; if an unexpected profile shows up on this line, check the policy and the default-profile configuration.
        .  
        .  
        .  
        Nov 23 20:44:53 20:44:51.1556381:CID-0:RT:telnet_hook_proc: username=user1, max len = 64, passwd=*, max len = 128
        fwauth has collected the username and password (the password is masked on this line).
        .  
        .  
        .  
        Nov 23 20:44:53 20:44:51.1556381:CID-0:RT:flow_auth_request: [A] Sending user: user1, pass: user1, auth id 0, app id 10 
        The username and password are handed to the fwauthd module. Note that this trace line records the password in cleartext (user1's password here is also user1), so with flag all the fwauth trace file contains live credentials: restrict access to it and remove the traceoptions and the file once you are done troubleshooting.
        .  
        .  
        .  
        Nov 23 20:44:53 20:44:52.648779:CID-0:RT:process_auth_rt_messages: Updating auth id 10 auth_by 2 (ip 1.1.1.10) to Successful
        The authentication result comes back from fwauthd and the auth entry is updated (here to Successful).
        .  
        .  
        .  
        Nov 23 20:44:53 20:44:52.649028:CID-0:RT:sendmsg_to_client: msg (
        Firewall User Authentication: Accepted
        ) len 41    This is the banner sent to the client on successful authentication.
  
        The lines above show the whole fwauth workflow, from the syn-proxy through to the banner sent on success. In practice you locate the problem by looking at which of these steps is missing or replaced by an error message.


    2. fwauthd: debug commands and how to read the output
        set access firewall-authentication traceoptions file fwauthd_log
        set access firewall-authentication traceoptions flag all

        root@jetstar> show log fwauthd_log
        Nov 23 21:48:14 process_auth_req_msg: Received user: user1, password ******** for authentication, 
        Username and password received from the fwauth module

        Nov 23 21:48:14 add_to_auth_tailq: total 1 aq_ent enqueued
        Added to the authentication queue

        Nov 23 21:48:14 add_to_auth_tailq: Queued aq_ent 0x6fd400 authd request successfully.
          Indx 11, cookie 11, id 4. auth_by=2,
        Nov 23 21:48:14 source IP: 101010a
        Nov 23 21:48:14 fwauth_add_to_authd_send_queue: enqueue authd req(cookie 11), current total 1
        Added to the send queue, ready to forward the authentication request to the authd module (note the source IP is logged as hex, 101010a = 1.1.1.10)

        Nov 23 21:48:14 fwauth_authd_write_enable: write select fd 18!
        Nov 23 21:48:14 fwauthd_authd_write_conn_callback: 0 auth req left
        Nov 23 21:48:14 create_auth_msg_for_authd: cookie = b
        Build the message that encapsulates the request for authd (cookie b is hex for the cookie 11 queued above)
        .
        .
        Nov 23 21:48:14 process_authd_responses: Received authd reply for auth id 0,
        Nov 23 21:48:14 source IP: 101010a
        Reply received from authd


        Nov 23 21:48:14 user user1, ugx_name , found aq_ent 0x6fd400, aq_ent id 4, aq_ent cookie 11, auth_by 2, reply_code 1 (User Authentication Success)
        Authentication succeeded (reply_code 1); the reply is matched back to the queued entry by cookie 11

        Nov 23 21:48:14 check_authd_response: authd reply avps: recvd idle_timeout=0, using idle_timeout=0.
        Nov 23 21:48:14 fwauth_send_msg2pfe: Data sent: msg_data.id 2, user user1, auth-id 13, msg_data.type 0
        The result is sent back to the fwauth module on the PFE
        .
        .
        Nov 23 21:48:14 CLIENT MATCH SUCCESS
        authd matched the username and password
        Nov 23 21:48:14 process_auth_messages: fwauthd Successfully received ipc data from RT side on socket 19
        Nov 23 21:48:14 process_auth_messages: Data rcvd: msg_data.id 104
        Nov 23 21:48:14 process_auth_messages: Received CLIENT_MATCH_SUCCESS:auth
        CLIENT_MATCH_SUCCESS received from the RT side

        At this point fwauthd has done its job. The lines above also confirm what we said earlier: fwauthd is mainly responsible for encapsulating requests and relaying them between fwauth and authd.


    3. authd: debug commands and how to read the output
        set system processes general-authentication-service traceoptions file authd_log
        set system processes general-authentication-service traceoptions flag all

        root@jetstar> show log authd_log
        Nov 23 21:48:14 authd_auth_aaa_msg_create aaa-key: username:(user1) profile:(local_pf)
        Nov 23 21:48:14 Process Request        (username, password and access profile received from fwauthd)
        .
        .
        .
        Nov 23 21:48:14 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(local_pf), username=(user1
        authd runs a sanity check to make sure the incoming message is well formed

        Nov 23 21:48:14 AuthFsm::current state=AuthInit(0) event=1 astEntry=0xe0d06c
        Nov 23 21:48:14 ###################################################################
        Nov 23 21:48:14 ########################### AUTH REQ RCVD #########################
        Nov 23 21:48:14 ###################################################################
        Nov 23 21:48:14 Auth-FSM: Process Auth-Request for session-id:9257430577756908343
        Nov 23 21:48:14 Framework: Starting authentication
        Nov 23 21:48:14 authd_advance_module_for_aaa_request_msg: result:0
        Nov 23 21:48:14 Authd module start        (authentication begins)
        Nov 23 21:48:14 Local : authd_local_start_auth: got params  profile=local_pf, username=user1
        Nov 23 21:48:14 Local : start authd_local_lookup        (authenticate using the method the profile specifies; here the local database)
        Nov 23 21:48:14 Local : profile local_pf found        (profile found)
        Nov 23 21:48:14 Local : client user1 found        (username found)
        Nov 23 21:48:14 Local : passwords matched        (password correct)
        Nov 23 21:48:14 authd_auth_module_start: result = 2 start_auth; state = 0
        Nov 23 21:48:14 REQUEST: AUTHEN - module_index 0 module(password) return: SUCCESS        (the success result is returned to fwauthd)
        Nov 23 21:48:14 Framework: auth result is 1. Performing post-auth operations
        Nov 23 21:48:14 (authd_update_session_options) num_tlv_blocks:0

        This example uses users from the local database. With an external authentication server the flow is much the same, except that authd exchanges messages with the server during the authentication step, so that is where a server-side failure (unreachable server, wrong shared secret, rejected user) will show up.


That covers the debugging method and how to read some of the results. It does not cover most cases, but following these steps you can usually narrow the problem down to one module quickly.
When authentication fails, it is still worth first making sure the username and password are correct, so you don't spend a long time chasing what turns out to be a typo.
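As an added example (not part of the original post, and not Juniper code), here is a small Python script that walks the three trace files and reports how far a login got in each module, which is the question this post sets out to answer. The regexes are built from the trace messages quoted above; the stage names, the module path and the diagnosis wording are this example's own, and the sample log lines are constructed copies of the successful case plus a cut-down failing case.

```python
import re
from typing import Dict, List, Tuple

# Ordered checkpoints per module.  Each regex matches a trace message quoted in the
# post for a successful login; a capture group pulls out the result word where the
# message carries one.  Stage names are this example's own labels, not Junos terms.
STAGES: Dict[str, List[Tuple[str, str]]] = {
    "fwauth": [
        ("syn-proxy-done",        r"process_ack_received_for_auth"),
        ("profile-selected",      r"fwauth_get_profile:.*profile: (\S+)"),
        ("credentials-collected", r"telnet_hook_proc: username="),
        ("sent-to-fwauthd",       r"flow_auth_request: \[A\] Sending user"),
        ("result-from-fwauthd",   r"process_auth_rt_messages: Updating auth id .* to (\w+)"),
        ("banner-sent",           r"Firewall User Authentication: (\w+)"),
    ],
    "fwauthd": [
        ("request-from-fwauth",   r"process_auth_req_msg: Received user"),
        ("queued",                r"add_to_auth_tailq:"),
        ("sent-to-authd",         r"create_auth_msg_for_authd"),
        ("reply-from-authd",      r"reply_code \d+ \(([^)]*)\)"),
        ("result-to-pfe",         r"fwauth_send_msg2pfe"),
    ],
    "authd": [
        ("request-received",      r"AUTH REQ RCVD"),
        ("password-checked",      r"Local : passwords (\w+)"),
        ("module-result",         r"module\(\w+\) return: (\w+)"),
    ],
}

# Order in which one request crosses the modules, with the milestone proving each hop.
PATH = [("fwauth", "sent-to-fwauthd"), ("fwauthd", "sent-to-authd"),
        ("authd", "module-result"), ("fwauthd", "result-to-pfe"), ("fwauth", "banner-sent")]


def analyze(logs: Dict[str, str]) -> Dict[str, dict]:
    """Per module: stages found, the last one reached, and the captured result words."""
    report = {}
    for module, stages in STAGES.items():
        text, reached, results = logs.get(module, ""), [], {}
        for name, pattern in stages:
            m = re.search(pattern, text)
            if m:
                reached.append(name)
                if m.groups():
                    results[name] = m.group(1)
        report[module] = {"reached": reached, "results": results,
                          "last_stage": reached[-1] if reached else None}
    return report


def diagnose(report: Dict[str, dict]) -> str:
    """Name the first hop that never completed; flag authd if its module result is not
    SUCCESS (the only verdict the post shows); return 'ok' when the whole chain ran."""
    for module, milestone in PATH:
        r = report[module]
        if milestone not in r["reached"]:
            return f"stopped in {module} before '{milestone}' (last stage: {r['last_stage']})"
        if module == "authd" and r["results"].get("module-result") != "SUCCESS":
            return f"authd returned {r['results']['module-result']!r}: check credentials and profile"
    return "ok"


# Constructed sample input: abbreviated copies of the successful traces quoted in the post.
SAMPLE_OK = {
    "fwauth": "\n".join([
        "Nov 23 20:44:53 20:44:51.1555880:CID-0:RT:TCP Proxy: process_ack_received_for_auth: lsys id 0, 1.1.1.10 -> 2.2.2.10 authentication packet",
        "Nov 23 20:44:53 20:44:51.1555880:CID-0:RT:fwauth_get_profile: policy didn't specify profile to use: Using default pass-through profile: local_pf",
        "Nov 23 20:44:53 20:44:51.1556381:CID-0:RT:telnet_hook_proc: username=user1, max len = 64, passwd=*, max len = 128",
        "Nov 23 20:44:53 20:44:51.1556381:CID-0:RT:flow_auth_request: [A] Sending user: user1, pass: user1, auth id 0, app id 10",
        "Nov 23 20:44:53 20:44:52.648779:CID-0:RT:process_auth_rt_messages: Updating auth id 10 auth_by 2 (ip 1.1.1.10) to Successful",
        "Firewall User Authentication: Accepted",
    ]),
    "fwauthd": "\n".join([
        "Nov 23 21:48:14 process_auth_req_msg: Received user: user1, password ******** for authentication,",
        "Nov 23 21:48:14 add_to_auth_tailq: total 1 aq_ent enqueued",
        "Nov 23 21:48:14 create_auth_msg_for_authd: cookie = b",
        "Nov 23 21:48:14 user user1, ugx_name , found aq_ent 0x6fd400, aq_ent id 4, aq_ent cookie 11, auth_by 2, reply_code 1 (User Authentication Success)",
        "Nov 23 21:48:14 fwauth_send_msg2pfe: Data sent: msg_data.id 2, user user1, auth-id 13, msg_data.type 0",
    ]),
    "authd": "\n".join([
        "Nov 23 21:48:14 ########################### AUTH REQ RCVD #########################",
        "Nov 23 21:48:14 Local : passwords matched",
        "Nov 23 21:48:14 REQUEST: AUTHEN - module_index 0 module(password) return: SUCCESS",
    ]),
}

# Constructed failure case: fwauth hands the request over, fwauthd queues it but never
# builds the authd message, and authd's trace stays empty, so the fwauthd->authd hop is suspect.
SAMPLE_STUCK = {
    "fwauth": "\n".join(SAMPLE_OK["fwauth"].splitlines()[:4]),
    "fwauthd": "\n".join(SAMPLE_OK["fwauthd"].splitlines()[:2]),
    "authd": "",
}

if __name__ == "__main__":
    for label, logs in (("successful login", SAMPLE_OK), ("stuck request", SAMPLE_STUCK)):
        print(f"{label}: {diagnose(analyze(logs))}")
```

To use it on a real box, replace the three SAMPLE_OK strings with the contents of fwauth_log, fwauthd_log and authd_log taken for the same login attempt; the output names the module (and the hop into it) where the chain stopped, which is exactly where to read the full trace. Because the trace files can contain cleartext passwords, as the fwauth trace above shows, keep them on the device and delete them after analysis.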
     

1 reply

Re: FWAUTH modules and their responsibilities (continued): how to troubleshoot each module

Last edited 02-06-2012 02:38 PM

Nice analysis, still learning from it.
