RADIUS under MA5200 reports an invalid user password because the RADIUS shared key is configured differently on the two sides

Publication Date: 2012-07-27
Issue Description

Version: independent of version
The user is authenticated by RADIUS and accesses the network through PPPoE, and a radius-server has been configured. The display command shows that the state of the radius-server is up, but every time the user dials up an error is reported. Surprisingly, the user name and password are found to be identical on the client and on the RADIUS server.

Alarm Information

Handling Process
1. Confirm that the password of the account used by the PPPoE dial-up user matches the one configured on the RADIUS server.
2. Check the configuration of the RADIUS server. The RADIUS secret key configured there is found to differ from the one configured on the MA5200; after the key is corrected, the problem is solved.


Root Cause
The root of the problem is that the RADIUS server does not check the RADIUS packet authenticator, so it answers normally even when the authenticator of the packet is wrong. In PAP authentication, however, the key used to encrypt the password on both sides is the RADIUS key; a difference between the two configurations therefore makes the RADIUS server report that the user name and password do not match.

In general, if the keys configured on the BAS and on the RADIUS server are not identical, the RADIUS packet authenticators will not be identical either, and the RADIUS server should not respond to such a packet. Some RADIUS servers, however, do not check the packet authenticator and respond to the RADIUS packets even though the keys differ. So even though the display command shows that the radius-server is up, this does not guarantee that every RADIUS parameter configured on the MA5200 matches the one on the RADIUS server, and at this point we should verify that these parameters are configured correctly.

PAP authentication is particularly sensitive to this problem because it uses the RADIUS key configured on both the BAS and the RADIUS server to encrypt the password exchanged between them. If the two configurations differ, the RADIUS server responds that the user password is invalid, even though the real cause is the mismatch between the keys on the two sides.

The problem is simple to narrow down. We can switch to CHAP mode, since the challenge used in CHAP encryption is generated by the BAS and sent to both the client and the RADIUS server, so a configuration problem cannot cause the computed hashes to differ. If the same account password passes CHAP authentication while PAP reports an invalid password, the cause is most likely a mismatch in the RADIUS configuration between the two sides.
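The following added example (not part of the original article or of any Huawei code) models why PAP fails and CHAP passes when the shared key differs: it implements the RFC 2865 User-Password hiding that the BAS applies with its key and the server reverses with its own key, next to the CHAP-Password computation, which never involves the shared key. The passwords, keys and Request Authenticator are constructed values.

```python
import hashlib
import os

def _md5_keystream_xor(data: bytes, secret: bytes, request_auth: bytes, chain_on_input: bool) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with
    # MD5(secret + previous block); the first "previous block" is the
    # 16-byte Request Authenticator. When hiding, the chain continues from
    # the ciphertext block; when recovering, from the received ciphertext.
    out = bytearray()
    prev = request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, mask))
        out += xored
        prev = block if chain_on_input else xored
    return bytes(out)

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # BAS side: pad to a multiple of 16 with NULs, then hide with the BAS key.
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_keystream_xor(padded, secret, request_auth, chain_on_input=False)

def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # RADIUS server side: reverse the hiding with the key *it* has configured.
    if len(hidden) % 16 or not hidden:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _md5_keystream_xor(hidden, secret, request_auth, chain_on_input=True).rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 2865 section 5.3: CHAP-Password = MD5(CHAP ID + password + challenge).
    # The shared key is not an input, so a key mismatch cannot change it.
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def pap_check(password: bytes, bas_secret: bytes, server_secret: bytes, request_auth: bytes) -> bool:
    # Simulates the BAS hiding the password and the server comparing what it recovers.
    hidden = hide_user_password(password, bas_secret, request_auth)
    return recover_user_password(hidden, server_secret, request_auth) == password

def chap_check(client_password: bytes, server_password: bytes, chap_id: int, challenge: bytes) -> bool:
    # The client answers the BAS challenge; the server recomputes with its stored password.
    return chap_response(chap_id, client_password, challenge) == chap_response(chap_id, server_password, challenge)

if __name__ == "__main__":
    auth = os.urandom(16)           # constructed Request Authenticator
    pw = b"pppoe-user-pw"           # constructed account password, same on both sides
    print("PAP, same key:     ", pap_check(pw, b"key-on-bas", b"key-on-bas", auth))    # True
    print("PAP, different key:", pap_check(pw, b"key-on-bas", b"key-on-radius", auth)) # False
    print("CHAP, any key:     ", chap_check(pw, pw, 7, os.urandom(16)))                 # True
```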