No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

The Delivery Policy by the RADIUS Server Does Not Correspond to the ME60 Configuration Parameters, Which Causes an Authentication Failure

Publication Date:  2012-07-27 Views:  53 Downloads:  0
Issue Description
Login authentication over PPPoE fails. The authentication used to be successful.
Alarm Information

<ME60>dis aaa online-fail-record

User online fail reason: Rds Attr Decode Fail

*****************************************************************************

Service trace:

Radius Received a Packet

Server Template: 0

Server IP: 213.145.129.35

Vpn-Instance: -

Server Port: 1812

Protocol: Standard

Code: Auth accept

Len: 256

ID: 17

[NAS-Port(5)] [6 ] [16794455]

[NAS-IP-Address(4)] [6 ][xxx]

[Service-Type(6)] [6 ] [2]

[Framed-Protocol(7)] [6 ] [1]

[Calling-Station-Id(31)] [19] [00:0f:fe:7e:db:0e]

[NAS-Identifier(32)] [16]

[NAS-Port-Type(61) ] [6 ] [15]

[Acct-Session-Id(44)] [35][213.14501004000000855a70ef2001103]

[NAS-Startup-Timestamp(26-59)] [6 ] [1207653712]

[Ip-Host-Addr(26-60)] [35] [255.255.255.255 00:0f:fe:7e:db:0e]

[Connect-ID(26-26)] [6 ] [1103]

--[2008/5/21 17:7:59-][RADIUS][000f-fe7e-db0e]:

[Version(26-254)] [13] [Huawei ME60]

--[2008/5/21 17:7:59-][RADIUS][000f-fe7e-db0e]:

[Product-ID(26-255)

[Domain-name(26-138)] [7 ] [pppoe]

[Framed-IP-Address(8)] [6 ] [255.255.255.254]

[Session-TimeOut(27)] [6 ] [86400]

[Policy-Name(26-95)] [9 ] [unlimit]

--[2008/5/21 17:7:59-][AAA][000f-fe7e-db0e]:Receive notify of message decode fail from RADIUS successfully(UserID = 1103, soruce message = AAA->Radius authenrequest)

--[2008/5/21 17:7:59-][PPP][000f-fe7e-db0e]:Received pap authentication packet  in authentication phase

--[2008/5/21 17:7:59-][AAA][000f-fe7e-db0e]:Unknown error(UserID = 1103, Code = 13757)       

--[2008/5/21 17:7:59-][AAA][000f-fe7e-db0e]:Send authentication ack to UCM successfully(UserID = 1103,Result=SRV_AUTH_FAIL)

--[2008/5/21 17:7:59-][CM][000f-fe7e-db0e]:Receive AAA_AUTH_ACK from AAA (userid:1103 Slot:0)

--[2008/5/21 17:8:0-][CM][000f-fe7e-db0e]:Send PPP_AUTH_ACK to PPP (userid:1103 slot:1)        

--[2008/5/21 17:8:0-][PPP][000f-fe7e-db0e]:Received failed authentication ack  message from ucm

--[2008/5/21 17:8:0-][CM][000f-fe7e-db0e]:Receive PPP_CUT_REQ from PPP (userid:1103 Slot:1)

--[2008/5/21 17:8:0-][PPP][000f-fe7e-db0e]:PPP send lcp TERREQ !

--[2008/5/21 17:8:0-][PPP][000f-fe7e-db0e]:Failed to process authentication-ack message

--[2008/5/21 17:8:0-][CM][000f-fe7e-db0e]:Send AAA_CUT_COMM to AAA (userid:1103 slot:0)

--[2008/5/21 17:8:0-][AAA][000f-fe7e-db0e]:Receice cut command from UCM successfully(UserID = 1103)

--[2008/5/21 17:8:0-][PPPOE][000f-fe7e-db0e]:Received PADT  packet(Session ID= 1085)

--[2008/5/21 17:8:0-][AAA][000f-fe7e-db0e]:Send cut command ack to UCM successfully(UserID = 1103, Result = Success)

--[2008/5/21 17:8:0-][CM][000f-fe7e-db0e]:Receive AAA_CUT_COMM_ACK from AAA (userid:1103 Slot:0)

--[2008/5/21 17:8:0-][PPP][000f-fe7e-db0e]:Received DOWN event

--[2008/5/21 17:8:0-][CM][000f-fe7e-db0e]:Send PPP_CUT_COMM_ACK to PPP (userid:1103 slot:1)

//For details on alarm information, see the attachment.
Handling Process

Choose either of the following methods to solve the problem:

1. Modify the configuration for name consistency on the ME60.

2. Modify the configuration for name consistency on the RADIUS server.

The problem is solved when the names are consistent.
Root Cause

Possible causes are as follows:

1. The user name or password entered on the PC is invalid.

2. The ME60 fails to connect to the RADIUS server.

3. The VLAN of the user does not match the subinterface configuration.

4. The attributes of RADIUS are incorrect.

Cause analysis:

The user name, password, and VLAN are the same as those used in the previous configuration. They are not changed on the RADIUS server. Therefore, the failure does not result from the first cause. Run the display radius-server configuration group XXX command to view the status of the ME60 and RADIUS server. Their status is UP. Therefore, the problem does not result from the second cause.

Login failure analysis and service trace information show that the RADIUS server delivers an attribute [Policy-Name(26-95)] [9 ] [unlimit]. This attribute delivers the name of the value-added service policy. It helps DAA service billing and modification of the billing system. The delivered name unlimit, however, does not match the policy name ME60_DAA configured on the device. The mismatch causes the failure.
Suggestions
When the RADIUS server delivers a policy or an attribute, the parameter must be the same as the one set on the device. Otherwise, the AAA module of the ME60 seeks to match the binding under domain. If inconsistency occurs, the decoding of the RADIUS attribute fails. Then, the authentication fails.

END