RADIUS authentication on USG2210 fails during L2TP dial-up

Publication Date:  2012-09-14 Views:  237 Downloads:  0
Issue Description
Topology of the user's network is shown in the picture below:

The USG2210 acts as the LNS; a PC establishes the L2TP VPN by dialing in with a VPN client, and the user is authenticated against RADIUS. During dial-up authentication the client is told that the username or password is wrong, yet checking the username and password on the RADIUS server shows that they are correct. After the account is switched to local authentication, dial-up works normally.
Alarm Information
NULL
Handling Process
1. Checked the status of the RADIUS server and the network connectivity to it: both fine. Ran a dial-up test on the RADIUS server itself: it succeeds and reports that the username and password are correct.
2. Checked the user's RADIUS authentication configuration:
aaa
local-user maintain password simple Maintain123
local-user maintain level 3
local-user admin password simple Admin@123
local-user admin service-type web terminal telnet
local-user admin level 3
authentication-scheme default
authentication-scheme auth1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
domain net
authentication-scheme auth1
radius-server temp
ip pool 1 192.168.150.5 192.168.150.254
#
It turned out that the user had configured a domain named net and applied the RADIUS server template and authentication scheme to that domain, but the account used to log in was in the format without a domain name. Such a user is authenticated in the default domain, which had no RADIUS configuration, so authentication failed. The user's configuration was changed to:
domain default
authentication-scheme auth1
radius-server temp
ip pool 1 192.168.150.5 192.168.150.254
After the configuration was modified, dial-up works normally.
Root Cause
1. A problem with the user's RADIUS server (ruled out by the checks above)
2. A problem with the RADIUS authentication configuration on the user's firewall (the actual cause)
Suggestions
When configuring RADIUS authentication: if the username carries no domain name, the user is authenticated in the default domain, so the RADIUS server template and authentication scheme must be applied there; if the username carries a domain name, that domain must be configured under aaa and the RADIUS server template and authentication scheme applied within that domain.
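The domain-matching rule above can be checked mechanically. The following is an added example (not from the original page or from Huawei): it parses a flat AAA dump in the style shown above, maps a username to its domain (the part after "@", otherwise "default") and reports how that domain authenticates. The samples AAA_BEFORE and AAA_AFTER are constructed from the page's own fragments; that a scheme with no authentication-mode and a domain with no authentication-scheme fall back to "local" and "default" respectively is an assumption about VRP defaults.

```python
# Constructed samples, modelled on the AAA fragments above: before the fix only
# domain "net" is bound to the RADIUS scheme; after it, "default" is too.
AAA_BEFORE = """\
 authentication-scheme default
 authentication-scheme auth1
  authentication-mode radius
 #
 domain default
 domain net
  authentication-scheme auth1
  radius-server temp
"""
AAA_AFTER = AAA_BEFORE.replace(
    " domain default\n",
    " domain default\n  authentication-scheme auth1\n  radius-server temp\n")

def parse_aaa(text):
    """Return (scheme -> mode, domain -> {scheme, radius}) from a flat VRP-style dump."""
    schemes, domains, ctx = {}, {}, None   # ctx: ("scheme", name) | ("domain", name)
    for raw in text.splitlines():
        words = raw.split()
        if not words: continue
        if words[0] == "#":
            ctx = None
        elif words[0] == "domain":
            domains.setdefault(words[1], {"scheme": "default", "radius": None})
            ctx = ("domain", words[1])
        elif words[0] == "authentication-scheme":
            if ctx and ctx[0] == "domain":
                domains[ctx[1]]["scheme"] = words[1]     # applied inside a domain
            else:
                schemes.setdefault(words[1], "local")    # defined; assumed local unless set
                ctx = ("scheme", words[1])
        elif words[0] == "authentication-mode" and ctx and ctx[0] == "scheme":
            schemes[ctx[1]] = words[1]
        elif words[0] == "radius-server" and ctx and ctx[0] == "domain":
            domains[ctx[1]]["radius"] = words[1]
    return schemes, domains

def effective_auth(username, text):
    """Map user -> domain (part after '@', else 'default') -> authentication mode."""
    schemes, domains = parse_aaa(text)
    domain = username.split("@", 1)[1] if "@" in username else "default"
    if domain not in domains:
        return domain, "no such domain"
    d = domains[domain]
    mode = schemes.get(d["scheme"], "local")
    if mode == "radius" and not d["radius"]:
        return domain, "radius (no radius-server template bound)"
    return domain, mode
```

Running effective_auth("alice", AAA_BEFORE) shows the failing case from this page: the bare username lands in the default domain, which authenticates locally, while the same call against AAA_AFTER reports RADIUS.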
