
Wrong RADIUS server shared-key configuration on ME60 prevented users from going online

Publication Date: 2014-10-24
Issue Description

Version:
ME60 V600R006C00SCP300

Networking:
HG ------ ME60-------- Radius Server

Description:
PPP users at a new site could not dial in and go online; error 718 was reported.

Handling Process

1. Check the users' online failure record. The failure reason is "PPP user request".

 

<WZ-WZ-HD-BAS-3.MAN.ME60>display aaa online-fail-record
-------------------------------------------------------------------
User name : wz6m
Domain name : zjtelecom
User MAC : 3c97-0e15-ef3c
User access type : PPPoE
User interface : GigabitEthernet1/1/0.1
User access PeVlan/CeVlan : 300/-
User IP address : -
User ID : 143
User authen state : AuthenWait
User acct state : AcctIdle
User author state : AuthorIdle
User login time : 2013-07-10 16:06:44
Online fail reason : PPP user request
-------------------------------------------------------------------


2. Enable the trace feature to trace the user's online process:


[WZ-WZ-HD-BAS-3.MAN.ME60]trace access-user object 1 mac-address 3c97-0e15-ef3c
<WZ-WZ-HD-BAS-3.MAN.ME60>terminal debugging
Info: Current terminal debugging is on.
<WZ-WZ-HD-BAS-3.MAN.ME60>t m
Info: Current terminal monitor is on.
<WZ-WZ-HD-BAS-3.MAN.ME60>
Jul 10 2013 03:57:02.500.1 WZ-WZ-HD-BAS-3.MAN.ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][RADIUS][user info:
MAC Address : 3C97-0E15-EF3C
IP Address : 255.255.255.255
Interface : GigabitEthernet1/1/0.1
PE VLAN ID : 300
USERNAME : wz6m@zjtelecom]
[trace info:
[RDS(Err):] Receive a illegal packet(Authenticator error)
(ip:220.191.201.18 port:1645 cid:71 STIdx:0 PktType:1
Protocol:1 SrcMsg:0 SerId:4294967295 SerType:0 SndTimes:1 IfRui:0
Authenticator:077A29847BCD195618871AC841213D0A)]


In the trace output we find that the device received an illegal packet from the RADIUS server. The Authenticator in the packet sent by the server did not match the one the device calculated locally with MD5 over the received packet, so the device considered the received packet invalid.

3. Check the configuration of the RADIUS server group:


radius-server group zjtelecom
radius-server authentication 220.191.201.18 1645 weight 50
radius-server authentication 202.101.172.243 1645 weight 50
radius-server accounting 220.191.201.18 1646 weight 50
radius-server accounting 202.101.172.243 1646 weight 50
radius-server shared-key lsxx717 --- "shared-key"
radius-server timeout 10
radius-server format-attribute nas-port z8o12i12
radius-server attribute translate
radius-server user-name original
radius-server algorithm loading-share
radius-attribute disable NAS-Port-Id send

The shared key configured on the ME60 is lsxx717, but the RADIUS server side confirmed that the shared key should be lsxx317. This was a configuration error on the ME60. After the configuration was modified, the problem was solved and users could go online.
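As an added illustration (not part of the original case and not Huawei's code), the Python sketch below implements the RFC 2865 Response Authenticator check behind the "Authenticator error" seen in step 2, and shows why the key mismatch found in step 3 makes the device reject every reply. The packet identifier, Request Authenticator and Reply-Message attribute are constructed sample values; only the two key strings come from this case.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: header, 16-byte Response Authenticator, then attributes."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """NAS side: recompute the authenticator with the local key and compare."""
    if len(packet) < 20:
        return False                      # shorter than a RADIUS header
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False                      # malformed Length field
    received, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(received, expected)

# Constructed sample exchange (values are illustrative, not from the trace).
ACCESS_ACCEPT = 2
SAMPLE_ID = 42
REQUEST_AUTH = bytes(range(16))           # sent by the NAS in Access-Request
ATTRS = bytes([18, 9]) + b"Welcome"       # Reply-Message: type 18, length 9

SERVER_KEY = b"lsxx317"                   # key configured on the RADIUS server
NAS_KEY_WRONG = b"lsxx717"                # key found in the ME60 server group

PACKET = build_response(ACCESS_ACCEPT, SAMPLE_ID, REQUEST_AUTH, ATTRS, SERVER_KEY)

if __name__ == "__main__":
    for label, key in (("ME60 key before fix", NAS_KEY_WRONG),
                       ("ME60 key after fix", SERVER_KEY)):
        ok = verify_response(PACKET, REQUEST_AUTH, key)
        print(f"{label}: {'accepted' if ok else 'Authenticator error'}")
```

Because the secret is only an input to the hash and never travels in the packet, the device cannot tell a mistyped key from a forged reply: both surface as the same Authenticator error.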

Root Cause

Possible causes:
1. Configuration problem on the ME60.
2. Configuration error on the RADIUS server.
3. Link problem.

Cause 1 is the root cause of this issue.


Solution

The shared key on the ME60 and the shared key on the RADIUS server must be the same.

Suggestions
The shared key configured in the radius-server group view on the ME60 must be the same as the one on the RADIUS server; otherwise users cannot go online.
