Access user domain containing @ character.

Publication Date: 2018-03-31
Issue Description

A PPPoE client router authenticating with the username “20100003111985@burciutel@xdsl” was unable to get online.

Configuration of the PPPoE client Cisco router:



Device: NE20E-S4 running V800R009C10SPC100

Alarm Information

<HUAWEI>display aaa online-fail-record interface GigabitEthernet 0/2/3
  -------------------------------------------------------------------
  User name          : 20100003111985@burciutel@xdsl
  Domain name        : default1
  User MAC           : 6031-970e-f364
  User access type   : PPPoE
  User interface     : GigabitEthernet0/2/3
  User access PeVlan/CeVlan    : -/-
  User IP address    : -
  User ID            : 16448
  User authen state  : Authened
  User acct state    : AcctIdle
  User author state  : AuthorIdle
  User login time    : 2018-02-20 01:31:08
  Online fail reason : Failed to send authentication request


Handling Process

1) Trigger the client to come online through PPPoE.

2) Run the commands below to view the PPPoE debug messages:

<huawei> t m
<huawei> t d
<huawei> system
[huawei] display aaa online-fail-record interface GigabitEthernet 0/2/3
[huawei] trace enable
[Huawei] trace access-user object 1 interface GigabitEthernet 0/2/3
[Huawei] trace access-user object 2 mac-address 6031-970e-f364

3) Disable the trace function:

[huawei] undo trace enable

 

<HUAWEI>display aaa online-fail-record interface GigabitEthernet 0/2/3
  -------------------------------------------------------------------
  User name          : 20100003111985@burciutel@xdsl
  Domain name        : default1

4) Check the AAA configuration:

#
aaa
 domain default0
 #
 domain default1
 #
 domain xdsl
  authentication-scheme default0
  accounting-scheme default0
  radius-server group radiuscm
  ip-pool pool1
#


Root Cause

The PPPoE credentials sent in PPP CHAP/PAP authentication were parsed as username “20100003111985” and domain name "burciutel@xdsl". No such domain exists on the router, so the user was placed in the default domain (default1 in the fail record). In addition, a domain name containing the “@” character cannot be configured in the AAA view.

Solution

Either set up authentication for the default domain:

#
aaa
 domain default1
  authentication-scheme default0
  accounting-scheme default0
  radius-server group radiuscm
  ip-pool pool1
#

Or correct the domain parsing so that the customer's existing usernames resolve to the domain “xdsl”, by using the domain name-parse-direction right-to-left command to change the direction in which the PPP PAP/CHAP username is parsed.

#
aaa
 domain xdsl
  authentication-scheme default0
  accounting-scheme default0
  radius-server group radiuscm
#
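
The split described in the Root Cause, and the effect of parsing right-to-left instead, modelled in Python as an added example (not Huawei code and not part of the original case). The domain names come from the AAA configuration above; the function names and the two extra sample logins are constructed for illustration.

```python
# Added illustration: a model of the username/domain split, not Huawei code.
DELIMITER = "@"
DEFAULT_DOMAIN = "default1"                    # domain shown in the fail record
CONFIGURED = {"default0", "default1", "xdsl"}  # domains in the AAA config above


def split_login(login, direction):
    """Split a PPP username into (user, domain); domain is None without '@'."""
    if direction not in ("left-to-right", "right-to-left"):
        raise ValueError(f"unknown parse direction: {direction}")
    if DELIMITER not in login:
        return login, None
    if direction == "left-to-right":
        user, domain = login.split(DELIMITER, 1)   # first '@' is the boundary
    else:
        user, domain = login.rsplit(DELIMITER, 1)  # last '@' is the boundary
    return user, domain


def select_domain(login, direction):
    """Return (user, domain, fell_back); unknown domains use the default."""
    user, domain = split_login(login, direction)
    if domain in CONFIGURED:
        return user, domain, False
    return user, DEFAULT_DOMAIN, True


def ambiguous_logins(logins):
    """Logins whose selected domain depends on the parse direction."""
    found = []
    for login in logins:
        ltr = select_domain(login, "left-to-right")[1]
        rtl = select_domain(login, "right-to-left")[1]
        if ltr != rtl:
            found.append((login, ltr, rtl))
    return found


# First entry is the username from the case; the other two are constructed.
SAMPLE_LOGINS = ["20100003111985@burciutel@xdsl", "alice@xdsl", "bob"]

if __name__ == "__main__":
    for direction in ("left-to-right", "right-to-left"):
        for login in SAMPLE_LOGINS:
            print(direction, login, select_domain(login, direction))
    print("direction-dependent:", ambiguous_logins(SAMPLE_LOGINS))
```

Running `ambiguous_logins` over an export of subscriber usernames before changing the parse direction shows which accounts would move to a different domain, and therefore to a different authentication scheme.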


Suggestions

Plan the domain-based authentication for access users in advance.
