MA5200 is attached with DSLAM users who are authenticated at RADIUS server through PPPOE dial-up. One account is a public one, and once its password is changed at RADIUS server, it could access Network by using the original password although it is cut offline at MA5200.
1. Log into the equipment and force the user offline. Check the debug packets, and it is found that when a user transmits code＝1 (authentication request packet), the radius server responds code＝3 (authentication failure) packets. Generally, no packets will be transmitted again, and the user will be forced to offline. However, once the radius server responds code＝3 packet, MA5200G transmits another code=4 (accounting request packet) to the radius, and the server responds code＝5 (accounting echo) packets. Thus, the user comes online. That is to say, the configurations contain one command permitting a user who fails in authentication to come online.
2. Check the configuration, and the authentication mode is configured with one command that permits a user who fails in remote authentication to come online.
authening authen-fail online
As a result, when the account changes its password at the radius, the user fails in authentication at radius, but because of the command configured, the user could come online again. Delete the command and force the user offline; check again, and the user cannot come line again.
1. The configuration of radius is problematic.
2. The authentication policy is problematic.
In the case, the authentication policy configured at RADIUS is to permit users who fail to pass authentication to come online, so the users could access network by using the original password after changing password at radius.