Users Cannot Obtain the Specified IP Address When AR G3 Router Uses Specified IP Address Delivered by the RADIUS Server

Publication Date:  2015-06-25
Issue Description
In the following figure, the LNS is configured with RADIUS authentication, and the RADIUS server assigns IP addresses to terminals. When a PC initiates a dialup request to the LNS, the PC goes online but cannot obtain the specified IP address. As a result, L2TP services are interrupted.



LNS main configuration:

l2tp enable
#
interface Virtual-Template1
 ppp authentication-mode chap domain hbpostmbp.vpdn.hb
 ip address unnumbered interface GigabitEthernet0/0/1
#
radius-server template hbtest
 radius-server shared-key cipher %@%@a&*3R}%)tY1u!Z1=E1*5<F)c%@%@
 radius-server authentication 3.1.1.2 1812 weight 80
 radius-server accounting 3.1.1.2 1813 weight 80
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme hbpost1207
 accounting-scheme hbpost1207
 domain hbpostmbp.vpdn.hb
  authentication-scheme hbpost1207
  accounting-scheme hbpost1207
  radius-server hbtest
#
l2tp-group 1
 allow l2tp virtual-template 1
 tunnel password simple HBYZtest
#
Handling Process
1. Check the L2TP tunnel status on the LNS. The L2TP tunnel and session have been established, indicating that the L2TP configuration is correct.

2. Check the RADIUS configuration. The RADIUS configuration is correct.

3. Run the debugging radius all, terminal monitor, and terminal debugging commands on the LNS.

[LNS]
Dec  9 2014 18:24:21.32.3+00:00 LNS RDS/7/DEBUG:
[RDS(Evt):] Recv a msg(Auth req)
[RDS(Evt):] Send a packet(IP:3.1.1.2,Port:1812,Code:authentication request,ID:145 )
[LNS]
Dec  9 2014 18:24:21.42.4+00:00 LNS RDS/7/DEBUG:
  RADIUS Sent a Packet.
[RDS(Evt):] Receive a packet(IP:3.1.1.2,Port:1812,Code:authentication accept,ID:145 )
[LNS]
Dec  9 2014 18:24:21.42.9+00:00 LNS RDS/7/DEBUG:
  RADIUS Received a Packet.

The debugging information shows that the LNS forwards the PC's authentication request to the RADIUS server, and the RADIUS server returns an authentication accept message that delivers an IP address. Nevertheless, the PC does not obtain the IP address.

Run the debugging ppp all and debugging l2tp all commands. The output shows that, when delivering the IP address to the PC, the device checks the global address pool. The check fails because no global address pool is configured, so the IP address is not delivered.

4. Configure a global IP address pool on the LNS on the same network segment as the IP address delivered by the RADIUS server.

ip pool l2tp
 gateway-list 10.2.2.1
 network 10.2.2.0 mask 255.255.255.0

After the modification, the PC can obtain the IP address and the L2TP service is normal.

Note:
Versions earlier than V200R005C10 do not support using the RADIUS server to deliver IP addresses in L2TP dialup scenarios. In versions earlier than V200R005C30, the AR must be configured with an IP address pool; otherwise, the device cannot obtain the specified IP address. In V200R005C30 and later versions, configuring an IP address pool is optional. When no IP address pool is configured and multiple users request the same IP address from the RADIUS server, the user that went online first is disconnected and the user that goes online later establishes a connection. When an IP address pool is configured, the user that goes online later cannot obtain an IP address and therefore cannot establish a connection.
Root Cause
In versions between V200R005C10 and V200R005C30, the device checks the global IP address pool before delivering the address. When no IP address pool is configured, the check fails and the device cannot obtain an IP address. In V200R005C30 and later versions, configuring an IP address pool is optional.
Suggestions
When the IP address delivered by the RADIUS server is used for L2TP dialup, you are advised to first configure an IP address pool on the same network segment as the IP address delivered by the RADIUS server. The device then manages all allocated addresses uniformly in the address pool, which prevents the user that went online first from being disconnected when multiple users request the same IP address from the RADIUS server.

In this case, the L2TP dialup user always obtains the specified IP address. When user names are bound to IP addresses on the RADIUS server, online users always use their bound IP addresses.
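The following Python check is an added example and is not part of this case or of Huawei's software. It replicates the global-pool lookup the LNS performs on a RADIUS-delivered address and audits a set of user-to-address bindings for two conditions this case describes: an address outside every configured pool, and two users bound to the same address. The pool text and the bindings are constructed samples.

```python
import ipaddress
import re

# Constructed sample: the global pool added in step 4, in VRP display format.
LNS_CONFIG = """\
ip pool l2tp
 gateway-list 10.2.2.1
 network 10.2.2.0 mask 255.255.255.0
#
"""

# Constructed sample of user-name-to-address bindings kept on the RADIUS server
# (hypothetical users; two of them deliberately share 10.2.2.20).
RADIUS_BINDINGS = {
    "user1@hbpostmbp.vpdn.hb": "10.2.2.10",
    "user2@hbpostmbp.vpdn.hb": "10.2.2.20",
    "user3@hbpostmbp.vpdn.hb": "10.2.2.20",
    "user4@hbpostmbp.vpdn.hb": "10.3.3.5",
}

POOL_RE = re.compile(r"^ip pool (\S+)", re.M)
NET_RE = re.compile(r"^\s*network (\S+) mask (\S+)", re.M)

def parse_pools(config):
    """Return {pool_name: ip_network} for every 'ip pool' block that has a network line."""
    pools = {}
    # Each chunk starts at an 'ip pool' line and holds that pool's sub-commands.
    for chunk in re.split(r"(?m)^(?=ip pool )", config):
        name, net = POOL_RE.match(chunk), NET_RE.search(chunk)
        if name and net:
            pools[name.group(1)] = ipaddress.ip_network(
                f"{net.group(1)}/{net.group(2)}", strict=False)
    return pools

def covering_pool(pools, address):
    """Name of the pool whose segment contains address, or None (the check that failed in this case)."""
    ip = ipaddress.ip_address(address)
    return next((name for name, net in pools.items() if ip in net), None)

def audit(config, bindings):
    """Return (users whose address no pool covers, {address: [users]} for shared addresses)."""
    pools = parse_pools(config)
    uncovered = sorted(u for u, ip in bindings.items() if covering_pool(pools, ip) is None)
    by_address = {}
    for user, ip in bindings.items():
        by_address.setdefault(ip, []).append(user)
    duplicates = {ip: sorted(users) for ip, users in by_address.items() if len(users) > 1}
    return uncovered, duplicates
```

Run audit() against the exported LNS configuration and the RADIUS binding table before enabling the service; any user listed as uncovered will fail the pool check described in step 3.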
