No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Login of Multiple Users Using One Account Was not Allowed on ME60 When user-max-session and Port-Limit Were Configured

Publication Date:  2013-10-30 Views:  34 Downloads:  0
Issue Description

Version: all applicable versions

Networking:

STB-ME60- RADIUS server

In the domain of a site, the user-max-session 3 command was run to allow three users to use the same account for login. In the testing, customers found that only one user was allowed for login.

Equipment configuration:

domain draco

  authentication-scheme draco

  accounting-scheme draco

  ip-pool draco1

  ip-pool draco2

  ip-pool draco3

  user-max-session 3//A maximum of three users were allowed to use the same account for login.

  radius-server group draco

#

interface GigabitEthernet2/0/0.100

pppoe-server bind Virtual-Template 1

description Sbb3-Res

user-vlan 100

bas

#

  access-type layer2-subscriber

  permit-domain draco backbone

 

#

interface GigabitEthernet2/0/0.502

pppoe-server bind Virtual-Template 1

description Sbb4-Res

user-vlan 502

bas

#

  access-type layer2-subscriber default-domain authentication draco

  permit-domain draco backbone

#
Handling Process

Huawei identified the possible causes of the issue as follows:

1. The user-max-session command configuration did not take effect.

2. The Port-Limit attribute had been applied by the RADIUS server.

Huawei then concluded that cause 2 was the reason.

Checked the trace information of the user using the same account on the ME60. For details, see the attachment.

[trace info:

  Radius Received a Packet

  Server Template: 0

  Server IP   : 200.31.208.154

  Vpn-Instance: -

  Server Port : 1645

  NAS Port    : 1812

  Protocol: Standard

  Code    : Authentication accept

  Len     : 112

  ID      : 8

  [Class(25)                          ] [34] [01000000010000000500000005000000]

  [Service-Type(6)                    ] [6 ] [2]

  [Framed-MTU(12)                     ] [6 ] [1500]

  [Framed-Protocol(7)                 ] [6 ] [1]

  [Unknown-attr(13)                   ] [6 ] [00000001]

  [Termination-Action(29)             ] [6 ] [0]

  [Port-Limit(62)                     ] [6 ] [1]

  [Unknown-attr(3199-2)               ] [16] [5245534944454e4349414c2d3131]]

 

Huawei found that the RADIUS authentication reply message carried the Port-Limit attribute that modified the maximum number of allowed users to 1. Therefore, only one user was allowed.

 

Users could also run the display access-user user-id xx command to view the information about the online users. 

User session (limit,online)   : (1,1) 

"Limit" indicates the number of users configured running the user-max-session command or the value of the Port-Limit attribute applied by the RADIUS server. "Online" indicates the number of online users using the same account.
Root Cause
The RADIUS server applied the Port-Limit attribute.
Solution
Huawei modified the Port-Limit attribute.
Suggestions
If the user-max-session command and Port-Limit are both applied, the Port-Limit value always takes effect first.

END