Failure in Interconnection Between the USG5000 and H3C IMC-CAM

Publication Date:  2012-07-16
Issue Description
H3C IMC-CAMS acts as the accounting and authentication server, and the USG5000 serves as the gateway that provides the authentication point. The failure causes are simple: a USG5000 configuration problem or a CAMS configuration problem. The interconnection configuration is not complex, but there are many items you need to pay attention to.
Alarm Information
None.
Handling Process

1. Check the communication between the USG5000 and the IMC server.

2. Check the packet exchange between the USG5000 and the IMC by running the debug radius packet command.

3. Check the IMC and USG5000 configurations.

Root Cause

1. The default domain is changed.

You must specify the authentication domain on the USG5000. Usually, a Huawei-style device has a default domain (system). Make sure that you use the default domain or have changed the default domain to the configured domain. Otherwise, the system indicates that the user name does not exist or the password is incorrect upon user authentication.

2. NAS-IP configuration is improper.

You must specify the NAS IP address when you configure RADIUS. The device encapsulates the account and password sent by the user in a RADIUS packet and sends the packet to the RADIUS server for authentication. The source IP address of that packet is the NAS IP address. The access device is configured on the RADIUS server. If the NAS IP address does not match the IP address configured on the RADIUS server, the server discards the packet without answering, and the device then reports the "radius server no response" error. Therefore, make sure that the NAS IP address on the USG5000 matches the access device IP address configured on the RADIUS server.
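To make the NAS IP point concrete, here is an added Python example (not from the original case and not Huawei or H3C code) that builds a minimal RFC 2865 Access-Request carrying a NAS-IP-Address attribute and mimics the server-side lookup of the access device by packet source address. The addresses, user name and shared secret are constructed placeholders, and the attribute-versus-source comparison is an assumption about how a server might flag a mismatch.

```python
import hashlib
import ipaddress
import struct
from typing import Dict

# Constructed sample: the server's access-device table (NAS IP -> shared secret),
# as an administrator would enter it on IMC. Placeholder address and secret.
ACCESS_DEVICES: Dict[str, bytes] = {"192.0.2.1": b"s3cret"}

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident: int, authenticator: bytes, user: str,
                         password: str, nas_ip: str, secret: bytes) -> bytes:
    """Minimal Access-Request: 20-byte header followed by TLV attributes."""
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, user.encode()),
                         (ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator)),
                         (ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed)):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list after the header, rejecting malformed lengths."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_decision(src_ip: str, packet: bytes) -> str:
    """The check the case describes: the server needs the shared secret of the
    sending NAS (keyed by source IP) to decode User-Password; an unknown source
    is dropped silently, which the NAS reports as 'radius server no response'."""
    if src_ip not in ACCESS_DEVICES:
        return "discard: unknown NAS, no reply sent"
    attrs = parse_attributes(packet)
    nas_attr = str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP]))
    if nas_attr != src_ip:  # assumption: flag an attribute/source mismatch
        return f"process, but NAS-IP-Address {nas_attr} differs from source {src_ip}"
    return "process: authenticate " + attrs[ATTR_USER_NAME].decode()
```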

3. The RADIUS packet type is incorrect.

When you configure the RADIUS type, you will notice that each vendor has its own private type in addition to the standard one. For example, Huawei has the type huawei, H3C has extend, and Huawei Symantec has portal. Why do they have private types?
These three vendors each have their own endpoint access system for user authentication, security checks, and desktop asset management. Such a system requires the user to send a request to the security policy server after authentication. How does the user learn the IP address of the security policy server? Special information (for example, the security policy server address) is carried in the RADIUS packets through operations on otherwise unused flag bits, which produces RADIUS packets that differ from standard ones. Because different vendors use different methods to generate these special packets, different RADIUS types exist.
Fortunately, these three vendors share the same origin, so on the platform versions they use the same method to generate the special RADIUS packets (not confirmed, but experiments indicate that this is true) even though the RADIUS type names differ. That is, Huawei's huawei, H3C's extend, and Huawei Symantec's portal are the same in nature. If you select the H3C access device type when you add access devices on the IMC, select portal as the Huawei Symantec type. If you select standard for the H3C device, select standard for the Huawei Symantec device as well.
Suggestions
This is a typical case of interconnection between a Huawei Symantec device and a RADIUS server. The problem was found in an L2TP deployment, but it is hardly related to the L2TP configuration, so the same points apply to RADIUS interconnection between a Huawei Symantec device and H3C application software, or between a Huawei Symantec device and a device from another vendor. The interconnection will succeed if you note the following.

1. Default domain modification: see item 1 under Root Cause.

2. NAS IP address configuration: see item 2 under Root Cause.

3. RADIUS packet type: see item 3 under Root Cause.
If you pay attention to these three points, you can resolve most problems related to interconnection with the RADIUS server. According to many years of frontline engineers' experience, 80% of such problems are caused by these three factors. Simple mistakes such as an incorrect user name or password, a disconnected link, or a faulty server are excluded here.
