USG6370: L2TP over IPsec dial-up fails for RADIUS users

Published: 2017-01-05  Views: 280  Downloads: 0
Problem Description
USG6370 running V100R001C30SPC600: L2TP over IPsec dial-up succeeds with local users, but fails as soon as RADIUS authentication is added.
Alarm Information
The client's dial-up attempt reports an authentication failure; the firewall log shows:

%2016-10-25 15:44:33 USG6300 %%01AAA/4/AUTH_RDS_FAILED(l): RADIUS authentication failed. (UserName=datang, Vsys=root)
Handling Process
1. Checked the RADIUS server template and the configuration that references it; no errors were found, and the RADIUS server test on the web UI reported success.

radius-server template jiuyan
radius-server shared-key %$%$>fR47Fg>h#*-D~=q_1O7zypg%$%$
radius-server authentication 10.10.106.201 1812
radius-server group-filter class

aaa
authentication-scheme default
  authentication-mode radius

domain default
  radius-server jiuyan
  service-type access internet-access administrator-access
  ip pool 1 192.168.10.2 192.168.10.100
  reference user current-domain
  new-user add-local group /default

2. Collected debug information. The L2TP trace shows the peer sending a CDN for call 26 and then a StopCCN for tunnel 1, i.e. the client tears the session down after authentication fails; it was confirmed that the CHAP exchange between the USG and the RADIUS server was the problem.

DP_L2TP_Input: ControlPacket send to negotiate thread
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Proc Peer control type=14, len = 42
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Tunnel 1 Flow ctrl: Ns(4) Nr(4) from peer
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Tunnel 1 (SendLow=4 SendUp=4) proc ack Nr=4 from peer
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP:: I Call 26 recv CDN in state 9 from Remote Call
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Tunnel 1 Resume 60 second Hello timer
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Check CDN MSG Type 14
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Parse AVP Remote call ID: 1029
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Parse AVP Result code : 768
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Clean Call Structure ID = 26
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Proc Call ID = 26 Down
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::LNS Link IO Ctrl Recv Phy CMD 2
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::LNS Link IO Ctrl Recv Phy CMD 10
*0.122659670 USG6300 L2TP/7/L2TDBG:L2TP::MISC:callback Lns Id
*0.122659670 USG6300 L2TP/7/L2TDBG:L2TP::MISC: dispatch l2tp message
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::MISC:Smbuf to Mbuf
*0.122659670 USG6300 L2TP/7/L2TDBG: L2TP::Recv data Len = 42
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Receive message with message type: 4
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Board 0 recv from SOCK CallID=0 TunnelID=1 MsgType = 4 Length = 42
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Proc Peer control type=4, len = 42
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Tunnel 1 Flow ctrl: Ns(5) Nr(4) from peer
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Tunnel 1 (SendLow=4 SendUp=4) proc ack Nr=4 from peer
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP:: I Tunnel 1 recv StopCCN in state 4
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Check StopCCN message type 4
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Parse AVP Remote Tunnel ID: 7
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Tunnel 1  CallID=0 send ZLB message
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::remoteTunnel 7  remoteCallID=0 send ZLB message
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Send ZLB messag
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::MISC:l2tp udp packet is send to dataplan from manageplan
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::MISC:Mbuf to Smbuf
*0.122659680 USG6300 L2TP/7/L2TDBG: L2TP::Parse AVP Result code: 256
*0.122659680 USG6300 DEBUG/7/PktInfo:

3. The Virtual-Template interface had been configured with both CHAP and PAP (ppp authentication-mode chap pap), so the client negotiated CHAP. After changing it to PAP only, the dial-up succeeded.

interface Virtual-Template1
ppp authentication-mode pap
ppp ipcp dns 10.10.106.201
ip address 192.168.10.1 255.255.255.0
remote address pool 1
Root Cause
The CHAP exchange between the USG6370 and the RADIUS server fails; the customer's RADIUS server probably does not support CHAP, or the versions are incompatible. A common reason for exactly this pattern is that the RADIUS server holds only hashed passwords: CHAP (RFC 1994) requires the verifier to recompute MD5(identifier, cleartext password, challenge), so a server backed by a hashed password store can answer PAP, where it receives the cleartext password, but not CHAP.
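As an added example (not code from the original page or from Huawei), the following Python models what a RADIUS server has to compute for a PAP and for a CHAP Access-Request (RFC 2865 sections 5.2 and 5.3, RFC 1994) and shows why a server that stores only password hashes can authenticate PAP but must reject CHAP. The user name datang comes from the log above; the password, shared key, Request Authenticator and CHAP challenge are constructed sample values, and the RadiusServer class is a stand-in model, not a real RADIUS implementation.

```python
"""Added example (not Huawei USG or RADIUS-vendor code): models what the RADIUS
server must compute for a PAP and for a CHAP Access-Request (RFC 2865 sections
5.2 and 5.3, RFC 1994) to show why a server that stores only password hashes
can authenticate PAP but has to reject CHAP. Password, shared key, Request
Authenticator and challenge bytes below are constructed sample data."""
import hashlib
import hmac
import os


def hide_user_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: pad with NULs to a multiple of 16 octets,
    XOR each block with MD5(secret + previous ciphertext block); the first block
    is keyed by MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def recover_user_password(hidden, secret, req_auth):
    """Inverse of hide_user_password: what the server does on a PAP request."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge).
    Both the PPP peer and whoever verifies it need the cleartext secret."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class RadiusServer:
    """Tiny RADIUS backend model (assumption, not a real server).
    store_cleartext=False keeps only a salted SHA-256 of each password, as a hashed
    LDAP/SQL store would; that backend can verify PAP (it sees the recovered
    cleartext) but cannot recompute a CHAP response."""

    def __init__(self, shared_secret, store_cleartext):
        self.secret = shared_secret
        self.store_cleartext = store_cleartext
        self.users = {}  # name -> (salt, cleartext or sha256(salt + password))

    def add_user(self, name, password):
        salt = os.urandom(8)
        stored = password if self.store_cleartext else hashlib.sha256(salt + password).digest()
        self.users[name] = (salt, stored)

    def _password_matches(self, name, candidate):
        if name not in self.users:
            return False
        salt, stored = self.users[name]
        probe = candidate if self.store_cleartext else hashlib.sha256(salt + candidate).digest()
        return hmac.compare_digest(stored, probe)

    def access_request_pap(self, name, hidden_password, req_auth):
        """PAP: the User-Password attribute is unhidden with the shared key and compared."""
        return self._password_matches(name, recover_user_password(hidden_password, self.secret, req_auth))

    def access_request_chap(self, name, ident, challenge, response):
        """CHAP: CHAP-Password (ident + 16-byte response) plus CHAP-Challenge.
        Returns True/False, or None when the server holds no cleartext password and
        so cannot evaluate the request at all (it answers Access-Reject, which the
        USG logs as AUTH_RDS_FAILED)."""
        if name not in self.users:
            return False
        if not self.store_cleartext:
            return None
        _, password = self.users[name]
        return hmac.compare_digest(chap_response(ident, password, challenge), response)


def simulate(store_cleartext):
    """One PAP and one CHAP authentication for the sample user against a server
    with the given password store; returns the outcome of each."""
    secret = b"constructed-shared-key"   # stands in for the 'radius-server shared-key'
    password = b"Dial-Up-P@ss"           # constructed sample credential
    server = RadiusServer(secret, store_cleartext)
    server.add_user("datang", password)

    req_auth = os.urandom(16)            # Request Authenticator of the Access-Request
    pap_ok = server.access_request_pap(
        "datang", hide_user_password(password, secret, req_auth), req_auth)
    pap_bad = server.access_request_pap(
        "datang", hide_user_password(b"wrong", secret, req_auth), req_auth)

    ident, challenge = 0x2A, os.urandom(16)   # what the LNS would put in its CHAP Challenge
    chap_ok = server.access_request_chap(
        "datang", ident, challenge, chap_response(ident, password, challenge))
    return {"pap": pap_ok, "pap_wrong_password": pap_bad, "chap": chap_ok}


if __name__ == "__main__":
    print("cleartext store:", simulate(True))   # {'pap': True, 'pap_wrong_password': False, 'chap': True}
    print("hashed store:   ", simulate(False))  # {'pap': True, 'pap_wrong_password': False, 'chap': None}
```

The hashed-store run is the situation in this case: the USG forwards a valid CHAP response, the server has nothing it can recompute against, and the only possible answer is Access-Reject. Switching the Virtual-Template to PAP changes what the server receives to the recovered cleartext password, which a hashed store can check.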
Solution
Changing the Virtual-Template interface to PAP authentication fixed the problem:

interface Virtual-Template1
ppp authentication-mode pap
ppp ipcp dns 10.10.106.201
ip address 192.168.10.1 255.255.255.0
remote address pool 1

Note: with PAP the PPP password travels in the clear inside the tunnel, but in L2TP over IPsec that tunnel is already protected by IPsec, and on the USG-to-RADIUS leg the User-Password attribute is hidden with the RADIUS shared key. Make sure that shared key is long and random and that the RADIUS server is reachable only over a trusted path. If policy requires CHAP, the alternative is to fix the server side (a password store the RADIUS server can use for CHAP) and keep CHAP on the Virtual-Template.

END