S5100系列交换机使用正确的用户名和密码进行SSH登录时提示错误的解决方法

一、组网：

无

二、问题描述：

使用远程认证方式(Radius或Tacacas Server)对登录到S5100系列交换机上的SSH用户进行认证时，输入正确的用户名和密码后系统却提示密码错误。

三、过程分析：

查看交换机Logbuffer，发现如下记录。

%May 2808:20:25:015 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Main_Connect TO SSH_Main_VersionMatch

%May 2808:20:25:027 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Main_VersionMatch TO SSH_Main_SSHProcess

%May 2808:20:25:029 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Sub1_KEX_Init TO SSH_Sub1_KEX_GEX_Group

%May 28 08:20:27:645 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Sub1_KEX_GEX_Group TO SSH_Sub1_KEX_GEX_Reply

%May 28 08:20:30:779 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Sub1_KEX_GEX_Reply TO SSH_Sub1_KEX_NewKey

%May 28 08:20:31:088 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Sub1_KEX_NewKey TO SSH_Sub1_Authentication

%May 28 08:20:33:920 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Sub2_Service_Acc TO SSH_Sub2_Auth_Init

%May 28 08:20:42:281 2008 PHPAM-ACCESS-52 SSH/5/fsm_move:- 1 -FSM MOVE FROM SSH_

Sub2_Auth_Init TO SSH_Sub2_Auth_Password

%May 28 08:20:42:941 2008 PHPAM-ACCESS-52 VTY/5/VTY_LOG:- 1 - SSH user rcaballeg

an failed to login from 10.160.225.108 on VTY0.

%May 28 08:21:01:803 2008 PHPAM-ACCESS-52 SSH/5/err_disconnect:- 1 -The connection is closed by SSH Server

在交换机上开启debug命令如下。

[PHPAM-ACCESS-52]dis debug

SSH Debugging switch on VTY 0 is on

SSH Debugging switch on VTY 1 is on

SSH Debugging switch on VTY 2 is on

SSH Debugging switch on VTY 3 is on

SSH Debugging switch on VTY 4 is on

HWTACACS error debugging is on

HWTACACS event debugging is on

HWTACACS message debugging is on

HWTACACS send-packet debugging is on

HWTACACS receive-packet debugging is on

*0.12805107 PHPAM-ACCESS-52 SSH/8/debugging_msg_send:- 1 -SSH_VERSION_SEND message sent on VTY 0

*0.12805214 PHPAM-ACCESS-52 SSH/8/msg_rcv_vty:- 1 -SSH_VERSION_RECEIVE message received on VTY 0

*0.12817054 PHPAM-ACCESS-52 TAC/8/Event:- 1 - Create TACACS authentication request packet success

*0.12817168 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

TAC_MESSAGE for AAA->TAC:

*0.12817247 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

UserID=29  PacketType=3  AuthenType=1

AuthenService=1  PrivLevel=0  Version=c0  TemplateNum=0

UserName=rcaballegan  PortName=vty0  RemAddress=async

UserMsg=********  DataMsg=********

*0.12817530 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

hwtacacs create new session :

session id: 12720, user id: 29, server ip: 170.65.230.18

*0.12817697 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

version:c0  type:AUTHEN_REQUEST

seq_no:1  flag:ENCRYPTED_FLAG

session_id:31b0  length:28

action:AUTHEN_LOGIN  priv_lvl:VISIT  authen_type:AUTHEN_TYPE_ASCII

service:AUTHEN_SVC_LOGIN

user len:11       port len:4      rem_addr len:5  data len:0

user name:rcaballegan  port:vty0  rem_addr:async  data:

*0.12818114 PHPAM-ACCESS-52 TAC/8/Event:- 1 -statics: transmit flag:1, server flag: 0,packet flag:0xff

*0.12818230 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

hwtacacs packet sending success!

version:c0 type:1 sequence:1 flag:0 session id:12720 length:28

*0.12818417 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

version:c0  type:AUTHEN_REPLY

seq_no:2  flag:ENCRYPTED_FLAG

session_id:31b0  length:6

packet body is error

*0.12818614 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

TAC_MESSAGE for TAC->AAA:

*0.12818697 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

ulUserID=29

ucTACTemplateNO=0

ucflag=2

ServerMsg=

Echo=0

*0.12818833 PHPAM-ACCESS-52 TAC/8/Event:- 1 -statics: transmit flag:2, server flag: 0,packet flag:0x88

*0.12818947 PHPAM-ACCESS-52 TAC/8/Event:- 1 -

hwtacacs session is deleted due to finishing session:

session id: 12720, user id: 29, server ip: 170.65.230.18

从debug信息中显示的“packet body is error”信息看，产生上述提示的原因有两种：

(1)远端Server上配置允许接入的IP网段与客户端不匹配。

(2)Server上配置的key与交换机上配置的key不同。

四、解决方法：

查看远端Server上配置的IP网段与接入客户端是否匹配；并确认Server与交换机上配置的key值是否一致。