The access user name is incorrect when the RADIUS server is FreeRADIUS

Publication Date: 2018-03-24
Issue Description

Product: AC6605 V200R007C20SPC300

The RADIUS server was FreeRADIUS. All users could authenticate successfully, but the user name shown on the AC was incorrect.

 

<AC6605>dis access-user

 ------------------------------------------------------------------------------

 UserID Username                IP address       MAC            Status

 ------------------------------------------------------------------------------

2632   %{User-Name}            172.20.198.128   80a5-89d9-42d1 Success        

 4239   %{User-Name}            172.20.209.43    141f-7860-45d6 Success        

 5375   %{User-Name}            172.20.208.88    c0bd-d19f-d3e5 Success        

 5459   %{User-Name}            172.20.209.28    342d-0dc9-2776 Success        

 5552   %{User-Name}            172.20.209.95    e0aa-964b-29e4 Success        

 5562   %{User-Name}            172.20.208.92    d05b-a83c-d2eb Success        

 5689   %{User-Name}            172.20.209.6     1c15-1f68-c880 Success        

 5731   %{User-Name}            172.20.208.149   54f2-0185-44ad Success        

 5765   %{User-Name}            172.20.208.135   3075-12fa-163a Success        

 5848   %{User-Name}            172.20.209.57    0087-012c-c283 Success 

 

Configuration

 

#

radius-server template default

 radius-server shared-key cipher %^%#0oH++1&1FS~R5t:mw&c<wxz`7aJ8HV~aEc-<bf_%%^%#

 radius-server authentication 79.123.150.81 1812 weight 90

 radius-server accounting 79.123.150.81 1813 weight 80

radius-server ip-address 79.123.150.81 shared-key cipher %^%#,syaT>tr<R<pn:$Jd*yG%Vk]#twL{..A,xSE!f(Y%^%#

#

 


Handling Process

1. The customer reported that everything works except the displayed user name, so there is no need to check the connection between the server and the AC, or the connection between the AC and the users.

 

2. Trace the terminal.

[AC6605] trace object mac-address  3075-12fa-163a

[AC6605] trace enable

 

 [BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:Receive authentication request message from AAA module.

[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:

  Send a authentication request packet to radius server( server ip = 79.123.150.81).

[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:

  Server Template: 0

  Server IP   : 79.123.150.81

  Protocol: Standard

  Code    : 1

  Len     : 413

  ID      : 87

  [User-Name                          ] [31] [o170703016@ogr.giresun.edu.tr]

  [NAS-Port                           ] [6 ] [389420]

  [Service-Type                       ] [6 ] [2]

  [Framed-Protocol                    ] [6 ] [1]

  [Calling-Station-Id                 ] [16] [3075-12fa-163a]

  [NAS-Identifier                     ] [8 ] [AC6605]

  [NAS-Port-Type                      ] [6 ] [19]

  [NAS-Port-Id                        ] [37] [slot=0;subslot=0;port=95;vlanid=300]

  [State                              ] [18] [\347\237\016\351\346Q\033\3147\236\211\013X\025\020\343]

  [EAP-Message                        ] [59] [02 ce 00 39 15 00 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 a2 1b 1c e1 ca a1 c6 b5 bf 22 15 72 ed 48 e6 50 3b 75 c8 60 7b a7 c7 f7 60 93 b7 54 77 e6 f1 9d ]

[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:

  [Message-Authenticator              ] [18] [b6 2f 53 9b 6c 63 74 8f 01 b7 10 7d 4f ae 6e 79 ]

  [Called-Station-Id                  ] [28] [C4-FF-1F-4E-CD-E0:Eduroam+]

  [Login-IP-Host                      ] [6 ] [0.0.0.0]

  [NAS-IP-Address                     ] [6 ] [79.123.150.82]

  [Framed-Mtu                         ] [6 ] [1500]

  [Acct-Session-Id                    ] [35] [AC660500095000000300e7cd070000e80]

  [HW-NAS-Startup-Time-Stamp          ] [6 ] [1517479659]

  [HW-IP-Host-Address                 ] [35] [255.255.255.255 30:75:12:fa:16:3a]

  [HW-Connect-ID                      ] [6 ] [3712]

  [HW-Version                         ] [22] [Huawei AC6605-26-PWR]

  [HW-Product-ID                      ] [4 ] [AC]

  [HW-AP-Information                  ] [16] [C4FF-1F4E-CDE0]

  [HW-Access-Type                     ] [6 ] [1]

[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:

 Received a authentication accept packet from radius server(server ip = 79.123.150.81).

[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:

  Server Template: 0

  Server IP   : 79.123.150.81

  Server Port : 1812

  Protocol: Standard

  Code    : 2

  Len     : 236

  ID      : 87

  [User-Name                          ] [31] [o170703016@ogr.giresun.edu.tr]

  [User-Name                          ] [14] [%{User-Name}]

  [MS-MPPE-Recv-Key                   ] [52] [92 01 37 e4 c1 02 84 c3 57 b0 e6 0a a3 49 a4 8f cf 8b a6 db dc 86 ad 14 c8 dd fe 26 21 97 b6 75 4b d8 e6 1e 09 84 e7 76 f4 3b a0 79 a0 1c 4b 4b 1a a2 ]

  [MS-MPPE-Send-Key                   ] [52] [9c 09 68 be ba f3 ca 9a b9 aa 4b 46 ec bb ff b7 a9 d4 dc 2b f7 c5 2f a0 14 73 86 73 07 07 e1 d4 6e 6f a4 2f dc 2a af 3c f0 41 cf 68 38 3b 5d 99 eb e3 ]

  [EAP-Message                        ] [6 ] [03 ce 00 04 ]

  [Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]

[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:Send authentication reply message to AAA.

[BTRACE][2018/03/10 11:56:24][AAA][3075-12fa-163a]:

 AAA receive AAA_RD_MSG_AUTHENACCEPT message from RADIUS module.

[BTRACE][2018/03/10 11:56:24][AAA][3075-12fa-163a]:

    CID:3764  TemplateNo:0

    SrcMsg:AAA_RD_MSG_AUTHENREQ

    PriyServer::: Vrf:0

    SendServer::: Vrf:0

    SessionTimeout:0 IdleTimeout:0

    AcctInterimInterval:0 RemanentVolume:0

    InputPeakRate:0 InputAverageRate:0

    OutputPeakRate:0 OutputAverageRate:0

    InputBasicRate:0 OutputBasicRate:0

    InputPBS:0 OutputPBS:0

    Priority:[0,0] DNS:[0.0.0.0, 0.0.0.0]

    ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0

    LoginIpHost:0 NextHop:0

    EapLength:4 ReplyMessage:

    TunnelType:0 MediumType:0 PrivateGroupID:

[BTRACE][2018/03/10 11:56:24][AAA][3075-12fa-163a]:

 AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.

[BTRACE][2018/03/10 11:56:24][AAA][3075-12fa-163a]:

    DestIndex:3712 SrcIndex:3712 Slot:4294967295

    Result:0 DomainIndex:69 ServiceScheme:65535

    AuthedPalace:3 VLAN:65535 IsCallBackVerify:0 IsCallbackUser:0

    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0

    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295

    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295

    RTAcctInterval:4294967295 Priority:[255,255]

    AdminLevel:255 NextHop:4294967295

    EapSize:4 ReplyMessage:

    TunnelType:0 MediumType:0 PrivateGroupID:

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:CM receive AAA_SRV_MSG_AUTHEN_ACK from AAA module (msg code: 36 userid:3712).

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:

 [CM DBG][CM NAC Get Local Authorize]Authen ACL str len.(len=0)

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:[CM NAC Set Parse Ok Acl](oldUserGroup=65535, newGroupId=65535, newAclId[0]=65535, newAclV6Id[0] = 65535, newUclGroupId=65535)

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:UserGroupChanged:0

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:

 [CM DBG][Get Authorize Info From AAA](inCarFlag=0, outCarFlag=0, GroupID=65535, VLAN=0, voiceVlanflag=0, InDscpValue=255, In8021pValue=255, ServiceSchemeName=, IdleCutFlowDirection=4, IdleCutTime=0, IdleCutFlow=0, redirect acl id:65535, EapSessionTimeout=4294967295, SessionTimeout=4294967295, )

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:CM fill user authorization information (userid:3712).

[BTRACE][2018/03/10 11:56:24][CM][3075-12fa-163a]:User authentication success (userid:3712).

 

 

The trace shows that the AC sent the correct user name to the server, but the server returned the User-Name attribute twice in its accept packet: the first value is correct and the second is incorrect. It was confirmed that the AC uses the later value to overwrite the earlier one.
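The check described above can be automated over saved trace output. The following is an added example, not part of the original case or any Huawei tool: it parses text in the BTRACE layout shown above and flags accept packets that carry more than one User-Name or a value containing an unexpanded %{...} template. The function names and the shortened sample trace are constructed for illustration.

```python
import re

# Constructed sample, shortened, in the shape of the AC's BTRACE output.
SAMPLE_TRACE = """\
[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:
  Code    : 1
  ID      : 87
  [User-Name                          ] [31] [o170703016@ogr.giresun.edu.tr]
[BTRACE][2018/03/10 11:56:24][RADIUS][3075-12fa-163a]:
  Code    : 2
  ID      : 87
  [User-Name                          ] [31] [o170703016@ogr.giresun.edu.tr]
  [User-Name                          ] [14] [%{User-Name}]
  [EAP-Message                        ] [6 ] [03 ce 00 04 ]
"""

FIELD_RE = re.compile(r"^\s*(Code|ID)\s*:\s*(\d+)\s*$")
ATTR_RE = re.compile(r"^\s*\[([A-Za-z0-9-]+)\s*\]\s*\[\s*\d+\s*\]\s*\[(.*)\]\s*$")
UNEXPANDED_RE = re.compile(r"%\{[^}]*\}")  # server-side template left unexpanded

def parse_packets(trace):
    """Group trace lines into packets; every 'Code :' line starts a new one."""
    packets = []
    for line in trace.splitlines():
        field, attr = FIELD_RE.match(line), ATTR_RE.match(line)
        if field and field.group(1) == "Code":
            packets.append({"code": int(field.group(2)), "id": None, "attrs": []})
        elif field and packets:
            packets[-1]["id"] = int(field.group(2))
        elif attr and packets:
            packets[-1]["attrs"].append((attr.group(1), attr.group(2).strip()))
    return packets

def audit_user_name(trace):
    """Return (packet id, problem, values) for each suspicious Access-Accept."""
    findings = []
    for pkt in parse_packets(trace):
        if pkt["code"] != 2:  # 2 = Access-Accept; requests are not audited
            continue
        names = [value for name, value in pkt["attrs"] if name == "User-Name"]
        if len(names) > 1:  # RFC 2865 allows at most one User-Name here
            findings.append((pkt["id"], "duplicate User-Name", names))
        for value in names:
            if UNEXPANDED_RE.search(value):
                findings.append((pkt["id"], "unexpanded template", [value]))
    return findings

if __name__ == "__main__":
    for finding in audit_user_name(SAMPLE_TRACE):
        print(finding)
```

Lines that are not packet fields or attributes, including the blank lines and the AAA and CM module output, are skipped, so a full saved trace can be passed in unchanged.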

 

 

The RADIUS server is not ours, and we do not know how to resolve this on the server side. We suggested that the customer add the commands below to disable the received User-Name attribute.

#

radius-server template default

 radius-server shared-key cipher %^%#0oH++1&1FS~R5t:mw&c<wxz`7aJ8HV~aEc-<bf_%%^%#

 radius-server authentication 79.123.150.81 1812 weight 90

 radius-server accounting 79.123.150.81 1813 weight 80

 radius-server attribute translate

 radius-attribute disable User-Name receive

radius-server ip-address 79.123.150.81 shared-key cipher %^%#,syaT>tr<R<pn:$Jd*yG%Vk]#twL{..A,xSE!f(Y%^%#

#

 

After this is configured, the user name is displayed normally.

 

[AC6605]dis access-user

 ------------------------------------------------------------------------------

 UserID Username                IP address       MAC            Status

 ------------------------------------------------------------------------------

 6      admin                   79.123.150.83    -              Success        

 4588   o170704038@ogr.gire...  172.20.218.11    e446-dae1-02c0 Success        

 4591   o150803098@ogr.gire...  172.20.218.72    5848-2273-dfac Success        

 4617   o160803135@ogr.gire...  172.20.218.70    60e3-acd7-25fe Success        

 4650   o160803129@ogr.gire...  172.20.217.249   bce6-3f5b-5ded Success        

 4685   konferans2018@gires...  172.20.209.6     1c15-1f68-c880 Success        

 4704   o160704003@ogr.gire...  172.20.216.146   6c96-cf91-1402 Success        

 4705   o160302075@ogr.gire...  172.20.219.63    8883-2212-bf37 Success        

 4706   o170703016@ogr.gire...  172.20.216.98    3075-12fa-163a Success        

 4757   o150304058@ogr.gire...  172.20.219.71    748d-08c7-eb8e Success  

Root Cause

The AC sent the correct user name to the server, but the server returned the User-Name attribute twice: the first value is correct and the second is incorrect. It was confirmed that the AC uses the later value to overwrite the earlier one.


Solution

We suggest that the customer add the commands below to disable the received User-Name attribute.

#

radius-server template default

 radius-server shared-key cipher %^%#0oH++1&1FS~R5t:mw&c<wxz`7aJ8HV~aEc-<bf_%%^%#

 radius-server authentication 79.123.150.81 1812 weight 90

 radius-server accounting 79.123.150.81 1813 weight 80

 radius-server attribute translate

 radius-attribute disable User-Name receive

radius-server ip-address 79.123.150.81 shared-key cipher %^%#,syaT>tr<R<pn:$Jd*yG%Vk]#twL{..A,xSE!f(Y%^%#

#

