PPPoE Dialing Subscriber RADIUS Authentication Failure due to the Loopback Address

Publication Date: 2012-07-27
Issue Description
Networking: RADIUS - ROUTER - 8016 (NAT) - MA5200 - S2 - PC (subscriber)
Fault: A PPPoE subscriber on Version R007 fails RADIUS authentication. The MA5200 cannot ping the RADIUS server.
Alarm Information
The service flow of the PPPoE subscriber recorded by the Tracert is given below:

--[PPPOE][8824-0000-0000]:Received PADI packet(Session ID = 1)
--[PPPOE][8824-0000-0000]:Process PADI packet,send PADO packet successfully(Session ID = 1)
--[PPPOE][8824-0000-0000]:Create virtual access, send PADS packet successfully(Session ID = 1)
--[PPPOE][8824-0000-0000]:Lower up, send connention-request message successfully(Session ID = 1)
--[PPPOE][8824-0000-0000]:Lcp opened and up, send lcp config request(SessionID = 1)
--[CM][8824-0000-0000]:Receive PPP_CONN_REQ from PPP (userid 92)
--[CM][8824-0000-0000]:Send PPP_CONN_ACK to PPP (userid 92)
--[PPPOE][8824-0000-0000]:Received connection-success-ack message(Session ID= 1)
--[PPPOE][8824-0000-0000]:Receive config request packet(Session ID = 1)
--[PPPOE][8824-0000-0000]:Send sync message successfully(Session ID = 1)
--[PPPOE][8824-0000-0000]:Receive config ack packet(Session ID = 1)
--[PPPOE][8824-0000-0000]:Send authentication message successfully(Session ID = 1)
--[CM][8824-0000-0000]:Receive PPP_AUTH_REQ from PPP (userid 92)
--[CM][8824-0000-0000]:Send AAA_AUTH_REQ to AAA (userid 92)
--[AAA][8824-0000-0000]:Receive authentication request from CM successfully (UserID = 92)
--[AAA][8824-0000-0000]:Send authentication request to RADIUS successfully(UserID = 92)
--[RADIUS][8824-0000-0000]: Receive authen message from AAA successfully
--[RADIUS][8824-0000-0000]:Send Auth req packet to radius server successfully(IP:192.168.7.253,Port:1812,ID:40 )
--[RADIUS][8824-0000-0000]:Send Auth req packet to radius server successfully(IP:192.168.7.253,Port:1812,ID:40 )
--[PPPOE][8824-0000-0000]:Send sync message successfully(Session ID = 1)
--[RADIUS][8824-0000-0000]:Send Auth req packet to radius server successfully(IP:192.168.7.253,Port:1812,ID:40 )
--[RADIUS][8824-0000-0000]:Send fail message to AAA successfully(reason: Send count full,source msg:)
--[AAA][8824-0000-0000]:Receive notify of message send fail from RADIUS successfully(UserID = 92, soruce message = AAA->Radius authen request)
--[AAA][8824-0000-0000]:Send authentication ack to CM successfully(UserID = 92, Result = SRV_AUTH_FAIL)
--[CM][8824-0000-0000]:Receive AAA_AUTH_ACK from AAA (userid 92)
--[CM][8824-0000-0000]:Send PPP_AUTH_ACK to PPP (userid 92)
# [07/29/2003 10:23:02-] RDS-5-02032003:RADIUS authentication server(IP 192.168.7.253) is down!
--[PPPOE][8824-0000-0000]:Failed to process authentication-ack message(Session ID = 1)
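The trace above sends the same RADIUS request ID three times and then reports "Send count full", which means the request timed out rather than being rejected. The following is an added example, not part of the original case or of any Huawei tool: a small parser for this trace format that separates "no reply from the server" from other failures. The function name, the verdict strings and the embedded sample (copied from the trace above) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the RADIUS/AAA portion of the trace shown above.
TRACE = """\
--[AAA][8824-0000-0000]:Send authentication request to RADIUS successfully(UserID = 92)
--[RADIUS][8824-0000-0000]: Receive authen message from AAA successfully
--[RADIUS][8824-0000-0000]:Send Auth req packet to radius server successfully(IP:192.168.7.253,Port:1812,ID:40 )
--[RADIUS][8824-0000-0000]:Send Auth req packet to radius server successfully(IP:192.168.7.253,Port:1812,ID:40 )
--[PPPOE][8824-0000-0000]:Send sync message successfully(Session ID = 1)
--[RADIUS][8824-0000-0000]:Send Auth req packet to radius server successfully(IP:192.168.7.253,Port:1812,ID:40 )
--[RADIUS][8824-0000-0000]:Send fail message to AAA successfully(reason: Send count full,source msg:)
--[AAA][8824-0000-0000]:Send authentication ack to CM successfully(UserID = 92, Result = SRV_AUTH_FAIL)
"""

LINE = re.compile(r"^--\[(\w+)\]\[([0-9A-Fa-f-]+)\]:\s*(.*)$")
AUTH_REQ = re.compile(r"Send Auth req packet .*\(IP:([\d.]+),Port:(\d+),ID:(\d+)")
RESULT = re.compile(r"Result = (\w+)")


def analyze(trace):
    """Summarise the RADIUS exchange found in a service trace (hypothetical helper)."""
    sends = Counter()          # (server ip, port, RADIUS ID) -> transmissions
    exhausted = False          # retry budget used up without any reply
    result = None              # final result AAA reported to CM
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue           # alarm lines and wrapped fragments are skipped
        module, _mac, msg = m.groups()
        req = AUTH_REQ.search(msg) if module == "RADIUS" else None
        if req:
            sends[(req[1], int(req[2]), int(req[3]))] += 1
        elif module == "RADIUS" and "Send count full" in msg:
            exhausted = True
        elif module == "AAA" and RESULT.search(msg):
            result = RESULT.search(msg)[1]
    # Same ID sent repeatedly and then "Send count full": the device never saw
    # an Access-Accept or Access-Reject, so the credentials were never judged.
    resent = any(n > 1 for n in sends.values())
    verdict = "no_reply_from_server" if exhausted and resent else "see_result"
    return {"sends": dict(sends), "result": result, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(TRACE))
```

A "no_reply_from_server" verdict points at the path to and from the server, or at a server that silently discards the request, not at the user name or password.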
Handling Process
1) Check the data configuration. The PPPoE-related configuration is correct and the authentication policy set in the domain is RADIUS, so this is not a configuration error.
2) Enable the trace function to view the subscriber's service procedure by using the enable trace and trace object ethernet 4 output-file ppp.txt commands.
3) The service trace shows that the PADI, PADO, PADR and PADS packets of the PPP discovery stage are correct, but the RADIUS authentication procedure does not finish.
4) Set the user authentication mode to local authentication; authentication succeeds. The fault is therefore a RADIUS configuration error or a RADIUS packet exchange error.
5) Check the RADIUS configuration. The RADIUS configuration did not change with the upgrade, and the R007 RADIUS configuration uses the standard protocols, authentication and accounting ports 1645/1646, and a consistent shared key, so this is not a RADIUS configuration error.
6) The MA5200 cannot ping the RADIUS server.
7) Review the R007 configuration: a loopback0 address is configured. In this case, the source address of the RADIUS packets from the MA5200 is the loopback address instead of the MA5200 upstream port address, so the upstream router may have no route to the loopback0 address of the MA5200. This is why the MA5200 cannot ping the RADIUS server.
8) Configure a route on the upstream router to the loopback address of the MA5200. The MA5200 can then ping the RADIUS server and user authentication succeeds.
Root Cause
The following are some possible causes for the failure.
1) The user name/password is wrong; the user name does not exist; the user name is inactivated; the domain does not exist; or the domain is inactivated.

There are also RADIUS-related causes for a RADIUS authentication failure.
1) The MA5200 is not added into the NAS-IP on the RADIUS server.
2) The authentication and accounting port fails.
3) The RADIUS protocol configuration is inconsistent.
4) There is no route to the RADIUS server.
5) The RADIUS server breaks down.

In this case, the authentication failure has the following cause. In the previous version, the source address of the RADIUS packets from the MA5200 is the upstream port address of the MA5200, and that address is the one set in the NAS-IP on the RADIUS server. In Version R007, the source address of the RADIUS packets from the MA5200 is the configured loopback0 address, which is optional in Version R007. The destination address of the RADIUS response packet is therefore the loopback0 address of the MA5200. The loopback address is not in the same network segment as the upstream port address, so when the upstream router has no route to the loopback0 address of the MA5200, the RADIUS response packet cannot be sent back and RADIUS authentication fails.
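The root cause above can be checked before an upgrade by asking two questions about the address the device will use as the RADIUS source: is it a registered NAS-IP, and does the upstream router have a route back to it? The following is an added example, not from the original case; every address except 192.168.7.253, the route table, the client list and the function names are constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration; the page does not state
# the MA5200 loopback0 address, its upstream port address or any route table.
UPSTREAM_PORT = "172.16.1.2"
LOOPBACK0 = "10.255.0.1"
NAS_CLIENTS = {"172.16.1.2", "10.255.0.1"}    # clients the RADIUS server accepts
UPSTREAM_ROUTES = [                            # upstream router routing table
    ("172.16.1.0/30", "connected"),            # link to the MA5200 upstream port
    ("192.168.7.0/24", "connected"),           # segment of the RADIUS server
]


def longest_match(routes, addr):
    """Return the most specific (network, next_hop) covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def check_radius_source(source, nas_clients, upstream_routes):
    """List the reasons a RADIUS reply to `source` would never arrive."""
    problems = []
    if source not in nas_clients:
        problems.append("not a registered NAS-IP on the RADIUS server")
    if longest_match(upstream_routes, source) is None:
        problems.append("no route back from the upstream router")
    return problems


if __name__ == "__main__":
    # Previous version: requests are sourced from the upstream port.
    print(check_radius_source(UPSTREAM_PORT, NAS_CLIENTS, UPSTREAM_ROUTES))
    # R007 with loopback0 configured: the reply has no return path.
    print(check_radius_source(LOOPBACK0, NAS_CLIENTS, UPSTREAM_ROUTES))
    # After step 8 of the handling process: static route to the loopback.
    fixed = UPSTREAM_ROUTES + [("10.255.0.1/32", UPSTREAM_PORT)]
    print(check_radius_source(LOOPBACK0, NAS_CLIENTS, fixed))
```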
