Login to the E200E-X through web-manager fails when using RADIUS authentication

Publication Date: 2013-09-27
Issue Description

The customer has his own RADIUS server and, for managing equipment, wants to log in through SSH and web-manager using a RADIUS user. The customer can log in through SSH but not through web-manager. The same user is used for both.
When connecting to another firewall, an Eudemon1000E-D (version: V100R005C00SPC500), through web-manager with the same RADIUS user and the same configuration, the login succeeded.
Alarm Information
1. This is the successful result through SSH.
HRP_M<HUAWEI>
*0.4220635130 HUAWEI RDS/7/debug2:
  Radius Sent a Packet
  Server Template: 0
  Server IP   : 10.10.2.150
  Protocol: Standard
  Code    : 1
  Len     : 248
  ID      : 13
  [User-name(1)                       ] [12] [test]
  [Password(2)                        ] [18] [28f39613d93ada92dc03dc19d71aa975]
  [NAS-Port(5)                        ] [6 ] [0]
  [Service-Type(6)                    ] [6 ] [6]
  [Framed-Protocol(7)                 ] [6 ] [6]
  [Framed-IP-Address(8)               ] [6 ] [10.10.17.21]
  [NAS-Identifier(32)                 ] [13] [HUAWEI]
  [NAS-Port-Type(61)                  ] [6 ] [5]
  [NAS-Port-Id(87)                    ] [34] [slot=0;subslot=0;port=0;vlanid=0]
  [Login-IP-Host(14)                  ] [6 ] [168431893]
  [Acct-Session-Id(44)                ] [43] [FW-BGA20130814164704000b3ef8874373d502001]
  [NAS-Startup-Timestamp(26-59)       ] [6 ] [1372278244]
  [Ip-Host-Addr(26-60)                ] [31] [10.10.17.21 ff:ff:ff:ff:ff:ff]
*0.4220635140 HUAWEI RDS/7/debug2:
  [Connect_ID(26-26)                  ] [6 ] [2001]
  [Version(26-254)                    ] [12] [Huawei VRP]
  [Product-ID(26-255)                 ] [5 ] [VRP]
  [NAS-IP-Address(4)                  ] [6 ] [10.1.24.2]
*0.4220635240 HUAWEI RDS/7/debug2:
  Radius Received a Packet
  Server Template: 0
  Server IP   : 10.10.2.150
  Server Port : 1812
  Protocol: Standard
  Code    : 2
  Len     : 96
  ID      : 13
  [Service-Type(6)                    ] [6 ] [6]
  [Class(25)                          ] [46] [Hè]
2013-08-14 16:47:04 HUAWEI %%01SHELL/4/LOGIN(l): vrf:public user:test login from 10.10.17.21PuTTY
2. The second debug output is from a login through web-manager and shows that the login failed.
0.4220649960 HUAWEI RDS/7/debug2:
  Radius Sent a Packet
  Server Template: 0
  Server IP   : 10.10.2.150
  Protocol: Standard
  Code    : 1
  Len     : 267
  ID      : 14
  [User-name(1)                       ] [12] [test]
  [Challenge-Password(3)              ] [19] [3029a7bf9efac9aca798c9fc04266cd5f0]
  [CHAP-Challenge(60)                 ] [18] [83000000c2eda997e78f27cbd9abe3cc]
  [NAS-Port(5)                        ] [6 ] [0]
  [Service-Type(6)                    ] [6 ] [6]
  [Framed-Protocol(7)                 ] [6 ] [6]
  [Framed-IP-Address(8)               ] [6 ] [10.10.17.21]
  [NAS-Identifier(32)                 ] [13] [HUAWEI]
  [NAS-Port-Type(61)                  ] [6 ] [5]
  [NAS-Port-Id(87)                    ] [34] [slot=0;subslot=0;port=0;vlanid=0]
  [Login-IP-Host(14)                  ] [6 ] [168431893]
  [Acct-Session-Id(44)                ] [43] [FW-BGA20130814164718000b3efb1e40ce5a02002]
  [NAS-Startup-Timestamp(26-59)       ] [6 ] [1372278244]
*0.4220649970 HUAWEI RDS/7/debug2:
  [Ip-Host-Addr(26-60)                ] [31] [10.10.17.21 ff:ff:ff:ff:ff:ff]
  [Connect_ID(26-26)                  ] [6 ] [2002]
  [Version(26-254)                    ] [12] [Huawei VRP]
  [Product-ID(26-255)                 ] [5 ] [VRP]
  [NAS-IP-Address(4)                  ] [6 ] [10.1.24.2]
2013-08-14 16:47:19 HUAWEI %%01HTTPD/4/FAIL(l): User test(IP:10.10.17.21 ID:131) login failed
*0.4220650070 HUAWEI RDS/7/debug2:
  Radius Received a Packet
  Server Template: 0
  Server IP   : 10.10.2.150
  Server Port : 1812
  Protocol: Standard
  Code    : 3
  Len     : 20
  ID      : 14
3. Login to the Eudemon1000E-D through web-manager also succeeds.
0.1745289033 FW-DG-EUD1 %%01RDS/7/debug2(d):
  Radius Sent a Packet
  Server Template: 0
  Server IP   : 10.10.2.150
  Protocol: Standard
  Code    : 1
  Len     : 222
  ID      : 30
  [User-name(1)                       ] [12] [test]
  [Password(2)                        ] [18] [c2139c9a863744aff58312dab2192bb9]
  [NAS-Port(5)                        ] [6 ] [0]
  [Service-Type(6)                    ] [6 ] [6]
  [Framed-Protocol(7)                 ] [6 ] [6]
  [Framed-IP-Address(8)               ] [6 ] [10.10.17.21]
  ...
Handling Process
Advise the customer to add the CHAP authentication option for the RADIUS user on the RADIUS server. After this change, the test succeeded.
Root Cause
When the login succeeds, the debug information for the request shows only the Password(2) attribute; this packet format is the PAP authentication protocol.
When the login fails, the request shows Challenge-Password(3) and CHAP-Challenge(60); this is the CHAP authentication protocol.
We can conclude that the E200E-X uses CHAP and the Eudemon1000E-D uses PAP when logging in through web-manager.
Suggestions
If you fail to log in to the device through web-manager, check the debug information.
It is also better to select all the authentication protocols for the RADIUS user on the RADIUS server.
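The check described above can be scripted. The following is an added example, not Huawei code: it reads RDS debug output in the format shown in this case, labels each Access-Request as PAP or CHAP from its attributes, and pairs it with the server's reply by packet ID. The function name summarize and the sample text are assumptions made for illustration.

```python
import re
# Constructed sample in the format of the RDS debug output in this case (abridged).
SAMPLE = """\
  Radius Sent a Packet
  Code    : 1
  ID      : 13
  [User-name(1)                       ] [12] [test]
  [Password(2)                        ] [18] [00112233445566778899aabbccddeeff]
  Radius Received a Packet
  Code    : 2
  ID      : 13
  Radius Sent a Packet
  Code    : 1
  ID      : 14
  [User-name(1)                       ] [12] [test]
*0.3 HUAWEI RDS/7/debug2:
  [Challenge-Password(3)              ] [19] [30ffeeddccbbaa99887766554433221100]
  [CHAP-Challenge(60)                 ] [18] [83000000aabbccddeeff001122334455]
  Radius Received a Packet
  Code    : 3
  ID      : 14
"""

ATTR = re.compile(r"\[[^\](]+\((\d+(?:-\d+)?)\)\s*\]\s*\[\s*\d+\s*\]\s*\[(.*)\]")
FIELD = re.compile(r"^\s*(Code|ID)\s*:\s*(\d+)")
RESULT = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def summarize(debug_text):
    """Return one (id, user, method, result) tuple per Access-Request."""
    packets, cur = [], None
    for line in debug_text.splitlines():
        m = re.search(r"Radius (Sent|Received) a Packet", line)
        if m:
            cur = {"dir": m.group(1), "attrs": {}}
            packets.append(cur)
        elif cur is not None:  # header/syslog lines inside a packet match nothing
            if (f := FIELD.match(line)):
                cur[f.group(1)] = int(f.group(2))
            elif (a := ATTR.search(line)):
                cur["attrs"][a.group(1)] = a.group(2)
    out, pending = [], {}  # pending: packet ID -> index of unanswered request
    for p in packets:
        if p["dir"] == "Sent" and p.get("Code") == 1:
            method = "CHAP" if "3" in p["attrs"] else "PAP" if "2" in p["attrs"] else "unknown"
            pending[p.get("ID")] = len(out)
            out.append([p.get("ID"), p["attrs"].get("1"), method, "no reply"])
        elif p["dir"] == "Received" and p.get("ID") in pending:
            out[pending.pop(p["ID"])][3] = RESULT.get(p.get("Code"), "other")
    return [tuple(r) for r in out]
```

A row such as (14, 'test', 'CHAP', 'Access-Reject') next to a PAP row that was accepted for the same user points to the authentication protocol setting on the RADIUS server rather than to the user's credentials.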