L2TP over IPSec Dial-up Fails Because the Mobile Phone Authentication Method Is Different From LDAP Server Authentication

Publication Date:  2015-07-03
Issue Description
Network Topology:

Mobile phone-------+
                   |------(Internet)---------------FW
VPN-Client---------+

Symptom:

Mobile phones and PCs dialed in to the firewall to establish L2TP over IPSec connections and access the internal server. Both the VPN clients and the mobile phones used LDAP server authentication. The VPN clients could log in, but the mobile phones could not.
Handling Process
1. IPSec negotiation succeeded, but L2TP negotiation failed, even though the L2TP configuration was correct.

l2tp enable
l2tp domain suffix-separator @

interface Virtual-Template1
ppp authentication-mode chap pap
alias L2TP_LNS_1
ip address 10.1.200.1 255.255.255.0
remote address pool

l2tp-group 1
mandatory-chap
undo tunnel authentication
allow l2tp virtual-template 1

domain test.com
  authentication-scheme  test.com
  authorization-scheme test.com
  ldap-server l2tp
  ip pool 0 10.1.200.2  10.1.200.254


2. For the same user name and password, why did VPN client dial-in succeed but mobile phone dial-in fail?

3. The AAA, LDAP, and UCM modules were debugged using the following commands:


[USG-diagnose]debugging ldap all
[USG-diagnose]debugging aaa all
[USG-diagnose]debugging ucm all


The output was as follows:

[LDAP(Pkt):] Receive a packet of user bind result fail.
[UCM DBG]MSG Recv From:AAA Code:AAA_UCM_AUTH_ACK Event:AUTH_FAIL Src:682 Dst:682


During a VPN client dial-in, the output was as follows:

[LDAP(Evt):] Receive a packet of bind success.
[UCM DBG]MSG Recv From:AAA Code:AAA_UCM_AUTH_ACK Event:AUTH_PASS Src:683 Dst:683


The output indicated that the firewall received authentication failure packets from the LDAP server, but that did not explain why VPN client dial-in succeeded but mobile phone dial-in failed for the same user name and password.

4. The packets between the firewall and LDAP server were analyzed to determine the error type returned by the server.

The successful VPN client dial-in (on PCs) packets (on the left figure) were compared with the unsuccessful mobile phone dial-in packets (on the right figure). The user passwords in the authentication requests sent by the firewall were plain-text in the VPN client dial-in and cipher-text in the mobile phone dial-in. Therefore, the fault might be caused by an authentication method mismatch.




VPN clients can use PAP authentication, but mobile phones cannot, and the authentication method used by mobile phones is determined by the firewall configuration.
The firewall configuration showed that both CHAP and PAP authentication methods were configured on the VT interface.


interface Virtual-Template1
ppp authentication-mode chap pap
alias L2TP_LNS_1
ip address 10.1.200.1 255.255.255.0
remote address pool


The firewall preferentially instructed mobile phones to use CHAP authentication, which was not supported by the LDAP server. A CHAP response is a hash computed over the challenge and the password, so the firewall never receives the plain-text password it would need to bind to the LDAP server on the user's behalf. As a result, the LDAP server could not authenticate mobile phone users.

5. Disable CHAP authentication on the VT interface.
Root Cause
Mobile phone authentication failed because the authentication method negotiated with the mobile phones differed from the one supported by the LDAP server.
Solution

1. Disable CHAP authentication on the VT interface. PAP carries the user password in the PPP frame; in this topology the L2TP session runs inside the IPSec tunnel, so the exchange is encrypted on the Internet.

interface Virtual-Template1
ppp authentication-mode pap

2. Alternatively, configure the LDAP server so that it supports CHAP authentication. The server can only verify a CHAP response if it can recompute the hash, so it must hold the password in a form it can use for that; a directory that stores only one-way password hashes cannot support CHAP.
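The mismatch described in step 4 and the two fixes above, as an added example that is not part of the Huawei case: a PAP dial-in hands the LNS the plain-text password for an LDAP simple bind, a CHAP dial-in hands it only an RFC 1994 MD5 response, so verification succeeds only when the backend can recompute that response. The user, password, challenge and in-memory directory are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed directory entry standing in for the LDAP server's user entry.
DIRECTORY = {"alice": "S3cret!"}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def ldap_simple_bind(username: str, password: str) -> bool:
    """Model of an LDAP simple bind: the server compares a plain-text password."""
    return hmac.compare_digest(DIRECTORY.get(username, "").encode(), password.encode())


def lns_authenticate_pap(username: str, password: str) -> bool:
    """With PAP the LNS holds the plain-text password and can bind with it."""
    return ldap_simple_bind(username, password)


def lns_authenticate_chap(username: str, ident: int, challenge: bytes,
                          response: bytes, server_supports_chap: bool) -> bool:
    """With CHAP the LNS only has a hash, so it cannot perform a simple bind.
    Only a backend that can recompute the response from the stored password
    (the case's second fix) can verify it; otherwise this is the AUTH_FAIL path."""
    if not server_supports_chap:
        return False
    stored = DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def simulate(method: str, server_supports_chap: bool = False) -> bool:
    """One dial-in for the constructed user 'alice' using 'pap' or 'chap'."""
    user, pw = "alice", "S3cret!"
    if method == "pap":
        return lns_authenticate_pap(user, pw)
    challenge = os.urandom(16)              # chosen by the LNS (firewall)
    resp = chap_response(1, pw, challenge)  # computed by the phone
    return lns_authenticate_chap(user, 1, challenge, resp, server_supports_chap)


if __name__ == "__main__":
    print("PAP client:", simulate("pap"))                    # True
    print("CHAP phone, LDAP simple bind only:", simulate("chap"))   # False
    print("CHAP phone, LDAP with CHAP support:", simulate("chap", True))  # True
```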
 
