Terminal PC dials in to the LNS but cannot set up the tunnel through RADIUS server authentication

Publication Date:  2012-10-18 Views:  44 Downloads:  0
Issue Description
A USG2130 is configured as the LNS. A terminal PC dials in and is authenticated by a RADIUS server (so that identity authentication, authorization and accounting are done centrally), but the PC cannot establish the L2TP tunnel.
The relevant configuration is as follows:
l2tp enable
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
nat address-group 1 100.100.100.1 100.100.100.1
#
radius-server template tem1
radius-server shared-key 123456
radius-server authentication 200.200.200.1 1645
radius-server accounting 200.200.200.1 1646
radius-server group-filter class
#
vlan 1
#
interface Vlanif1
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server dns-list  10.10.10.1
interface Ethernet0/0/0
ip address 100.100.100.1  255.255.255.0
#
interface Virtual-Template1
ppp authentication-mode pap
ip address unnumbered interface Ethernet0/0/0
remote address pool 1
#
acl number 3002
rule 5 permit ip
#
firewall zone trust
set priority 85
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
add interface Virtual-Template1
#
firewall interzone trust untrust
nat outbound 3002 address-group 1
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel password simple 123456
tunnel name 123456
#
aaa
local-user ** password cipher &^%*
local-user ** level 3
local-user ** ftp-directory flash:/
ip pool 1 10.10.10.2  10.10.10.254
authentication-scheme default
authentication-scheme auth1
  authentication-mode radius local
#
authorization-scheme default
#
accounting-scheme default
accounting-scheme acc1
  accounting-mode radius
#
domain default
domain huawei.com
  authentication-scheme  auth1
  accounting-scheme acc1
  radius-server tem1
#
ip route-static 0.0.0.0 0.0.0.0  100.100.100.2
Alarm Information
None.
Handling Process
1. First confirm whether the problem lies in L2TP itself: change the authentication mode to local and have the remote PC dial in to the LNS with a local account. It dials up successfully and can reach the internal resources, so L2TP itself works.
2. Determine whether it is a firewall AAA configuration problem, i.e. whether the firewall never sends the remote PC's dial-up user name to RADIUS for authentication. "debugging radius packet" shows that the firewall does send the user's information to the RADIUS server, so a firewall configuration fault is ruled out.
3. Check the packets the RADIUS server receives and answers: the user name in them is "user", not the dialed account "user@huawei.com". That is, the firewall sends "user" to the RADIUS server without the domain name, so the server fails to authenticate this account.
4. Change the firewall configuration to enable appending the domain name. After dialing again the tunnel still cannot be established; "debugging radius packet" shows that identity authentication now passes, but during dial-up the virtual template first goes UP and immediately goes DOWN, and "debugging l2tp event" shows that no address has been assigned to the remote PC.
5. Check the L2TP-related configuration: the address pool was not established under "domain huawei.com" (it is configured directly under AAA), so no IP address is assigned to the RADIUS-authenticated domain users and the L2TP tunnel cannot be established. The specific operations are as follows:
A. Enable the automatic domain name appending function on the firewall, so that the firewall adds the domain name when it sends user information to the RADIUS server: under "radius-server template", add the command "radius-server user-name domain-included".
B. Establish the address pool under "domain huawei.com" and reference it in the virtual template.
Root Cause
1. When the remote PC dials in to the LNS, the firewall separates the dial-up user name from the domain name and sends only the user name to the RADIUS server for authentication. The account configured on the RADIUS server for identity authentication includes the domain name, so the RADIUS server cannot find the account and authentication fails.
2. For domain users authenticated by RADIUS, the IP address obtained through L2TP dial-up comes from the address pool of the corresponding domain, not from an address pool established directly under AAA.
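The following is an added example, not code from this case or from Huawei: a small Python model of the behaviour described in steps 2 to 5 of the handling process and in the root cause. It builds an RFC 2865 Access-Request with PAP User-Password hiding, lets a mock RADIUS server look the User-Name up in an account table keyed by the full "user@huawei.com" name, and then selects an address pool by the user's domain, so the two failure modes (domain stripped before sending; no pool under the user's domain) can be reproduced side by side with the working case. The account names, the user password and the pool contents are constructed; the shared key 123456 is the one from the configuration above; the stripped-versus-included User-Name and the per-domain pool lookup model what the page states, not Huawei's implementation.

```python
"""Model of the LNS -> RADIUS exchange and the per-domain address pool
lookup described in the case. Constructed data; not Huawei code."""
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each chunk with
    MD5(secret + previous chunk); the first chunk uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(dialed_name: str, password: str, secret: bytes,
                         domain_included: bool, ident: int = 1) -> bytes:
    """The Access-Request the LNS sends. Without domain-included only the part
    before '@' is sent, which is what step 3 of the case observed."""
    user, _, _domain = dialed_name.partition("@")
    sent_name = dialed_name if domain_included else user
    auth = os.urandom(16)
    attrs = struct.pack("BB", USER_NAME, 2 + len(sent_name)) + sent_name.encode()
    hidden = pap_encrypt(password.encode(), secret, auth)
    attrs += struct.pack("BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Type-Length-Value attribute list -> {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def radius_server_decide(packet: bytes, secret: bytes, accounts: dict) -> tuple:
    """Mock server: accounts are keyed by the full name as registered (with domain)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    name = attrs[USER_NAME].decode()
    password = pap_decrypt(attrs[USER_PASSWORD], secret, auth).decode()
    if accounts.get(name) == password:
        return "Access-Accept", name
    return "Access-Reject", name


def assign_address(dialed_name: str, domain_pools: dict):
    """Root cause 2: the pool is taken from the user's domain, not from global AAA."""
    _user, _, domain = dialed_name.partition("@")
    pool = domain_pools.get(domain or "default")
    return pool.pop(0) if pool else None


def dial_up(dialed_name, password, secret, accounts, domain_pools, domain_included):
    """Full dial-up outcome: (state, User-Name as sent, assigned address)."""
    packet = build_access_request(dialed_name, password, secret, domain_included)
    verdict, sent_name = radius_server_decide(packet, secret, accounts)
    if verdict != "Access-Accept":
        return ("auth-failed", sent_name, None)
    addr = assign_address(dialed_name, domain_pools)
    if addr is None:  # virtual template goes UP then DOWN, as in step 4
        return ("no-address", sent_name, None)
    return ("tunnel-up", sent_name, addr)


if __name__ == "__main__":
    SECRET = b"123456"                       # shared key from the configuration
    ACCOUNTS = {"user@huawei.com": "Pass-w0rd"}  # constructed RADIUS account table
    print(dial_up("user@huawei.com", "Pass-w0rd", SECRET, ACCOUNTS, {}, False))
    print(dial_up("user@huawei.com", "Pass-w0rd", SECRET, ACCOUNTS, {}, True))
    print(dial_up("user@huawei.com", "Pass-w0rd", SECRET, ACCOUNTS,
                  {"huawei.com": ["10.10.10.2", "10.10.10.3"]}, True))
```

The three calls at the bottom reproduce the case in order: domain stripped gives "auth-failed" with User-Name "user"; domain included but no pool under huawei.com gives "no-address"; domain included with a pool under the domain gives "tunnel-up" with the first pool address.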
Suggestions
None.