Knowledge Base

The L2TP User Cannot Log in to the Network Through the ME60 Because the RADIUS Delivers Error Attributes

Publication Date:  2019-07-17  |   Views:  153  |   Downloads:  0  |   Author:  Xing Pengtao  |   Document ID:  EKB0000302799


Issue Description

Device version: ME60 V100R003C01B023
Phenomenon: After the user dials up, the system generates a "691 error" alert and the user cannot log in to the network.

Alarm Information


Handling Process

1. Run the display aaa online-fail command. The output shows "Authorization data error", which confirms that the fault occurs in the authentication.
2. Run the debug radius command to check the authentication packet. The following information is displayed:
  Radius Received a Packet 
  Server Template: 2   
  Server IP   : ×××××
  Vpn-Instance: -      
  Server Port : 1812   
  Protocol: Standard   
  Code    : Auth accept
  Len     : 169        
  ID      : 43         
  [Service-Type(6)      ] [6 ] [2]   
  [Framed-Protocol(7)   ] [6 ] [1]   
  [Framed-Netmask(9)    ] [6 ] []   
  [Class(25)            ] [34] [02621440005242880262144000524288]
  [Session-TimeOut(27)  ] [6 ] [172620]            
  [Tunnel-Type(64)      ] [6 ] [1][3]
  [Tunnel-Medium-type(65)             ] [6 ] [1][1]
  [Tunnel-Server-Endpoint(67)         ] [17] [1][] 
  [Tunnel-password(69)  ] [21] [018001ef72f4297f94855fb66be6f08ce9d39a]    
  [Tunnel-Preference(83)] [6 ] [1][1000]           
  [Tunnel-Type(64)      ] [6 ] [2][3]
  [Tunnel-Medium-type(65)             ] [6 ] [2][1]
  [Tunnel-Server-Endpoint(67)         ] [17] [2][] 
  [Tunnel-Preference(83)] [6 ] [2][2000]
The RADIUS server responds with a Code 2 (Auth accept) packet, so the user passes the authentication. The attributes of the returned packet show that the user is an L2TP user and that parameters such as the LNS address are delivered by the RADIUS server. Two groups of LNS parameters are delivered: an active group and a standby group. However, "Tunnel-password" is not delivered for the standby group.
3. Contact the RADIUS server administrator to modify the parameters so that only one group of LNS parameters is delivered. The user dials up again but still cannot pass the authentication. Run the debug radius command to check again:
  [Service-Type(6)                    ] [6 ] [2]
  [Framed-Protocol(7)                 ] [6 ] [1]
  [Framed-Netmask(9)                  ] [6 ] []
  [Class(25)                          ] [34] [02621440005242880262144000524288]
  [Session-TimeOut(27)                ] [6 ] [172620]
  [Tunnel-Type(64)                    ] [6 ] [1][3]
  [Tunnel-Medium-type(65)             ] [6 ] [1][1]
  [Tunnel-Server-Endpoint(67)         ] [17] [1][]
  [Tunnel-password(69)                ] [21] [01800108dc89606600352cfe5e925d4b43a6b9]
No attribute error is reported, which indicates that all the attributes are resolved correctly. The user, however, still cannot get online.
4. Run the _h command to enter the diagnosis view, and then run the debug aaa command. The following message is displayed:
  [AAA Debug]Framed-IP-Netmask from radius is Invalid.  
5. The value of the "Framed-Netmask" attribute delivered by the RADIUS server is correct. The attribute, however, must be delivered together with "Framed-IP-Address". Otherwise, the device cannot correctly identify "Framed-Netmask".
6. Contact the RADIUS server administrator to delete the "Framed-Netmask" attribute. The problem is then solved.

Root Cause

The possible causes of the fault are as follows:
1. The accounting works abnormally after the user passes the authentication.
2. The address cannot be assigned.
3. The RADIUS authentication packets are abnormal.
4. The establishment of an L2TP tunnel fails.
In this case, the problem is caused by abnormal authentication packets.


"Framed-IP-Address" and "Framed-Netmask" should be delivered together by the RADIUS server. Otherwise, the user cannot log in to the network. The device does not report "decode error" because it can still resolve the packet attributes correctly. In this case, you have to run the decode error command to locate the fault.
In addition, when the RADIUS server delivers multiple groups of LNS parameters, the attributes must carry tag fields. Otherwise, the authentication fails. In this case, the tag fields delivered are correct, but the parameters are insufficient. Among the attributes that carry tag fields, "Tunnel-password" is a special case. For example, "Tunnel-password" in this case is "01800108dc89606600352cfe5e925d4b43a6b9", which is not displayed with a separate tag field. The attribute, however, is correct, because the tag field is integrated into the value. The first two digits, "01", are the tag field; the other 32 digits are the encrypted tunnel password.
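The two checks described above can be run against a reply before it reaches the device. The following is an added example, not Huawei code or ME60 output: it flags "Framed-Netmask" without "Framed-IP-Address" and tunnel groups that lack "Tunnel-password", and it splits the "Tunnel-password" value using the RFC 2868 layout (1-octet tag, 2-octet salt, then the encrypted string in 16-octet blocks). The function names and the (name, tag, value) input format are assumptions of this sketch.

```python
# Added example (not Huawei code): lint Access-Accept attributes for the
# two faults in this case. The (name, tag, value) tuple format is assumed.
PW = "Tunnel-password"  # attribute 69, spelled as in the debug output

def split_tunnel_password(hex_value):
    """Split a Tunnel-Password value per RFC 2868: tag, salt, ciphertext."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 19 or (len(raw) - 3) % 16:
        raise ValueError("need 1-octet tag, 2-octet salt, 16-octet blocks")
    tag, salt, cipher = raw[0], raw[1:3], raw[3:]
    if not salt[0] & 0x80:
        raise ValueError("salt must have its most significant bit set")
    return tag, salt.hex(), cipher.hex()

def lint_access_accept(attrs):
    """Return findings for a list of (name, tag, value); tag None = untagged."""
    findings = []
    names = {name for name, _, _ in attrs}
    if "Framed-Netmask" in names and "Framed-IP-Address" not in names:
        findings.append("Framed-Netmask delivered without Framed-IP-Address")
    groups = {}
    for name, tag, value in attrs:
        if name == PW:
            tag = split_tunnel_password(value)[0]  # tag sits inside the value
        if name.startswith("Tunnel-"):
            groups.setdefault(tag, set()).add(name)
    for tag, present in groups.items():
        if PW not in present:
            findings.append(f"tunnel group {tag}: {PW} missing")
    return findings

# Transcribed from the first debug output on this page (empty values as shown).
FIRST_REPLY = [
    ("Framed-Netmask", None, ""),
    ("Tunnel-Type", 1, "3"), ("Tunnel-Medium-type", 1, "1"),
    ("Tunnel-Server-Endpoint", 1, ""),
    (PW, None, "018001ef72f4297f94855fb66be6f08ce9d39a"),
    ("Tunnel-Preference", 1, "1000"),
    ("Tunnel-Type", 2, "3"), ("Tunnel-Medium-type", 2, "1"),
    ("Tunnel-Server-Endpoint", 2, ""), ("Tunnel-Preference", 2, "2000"),
]

if __name__ == "__main__":
    for finding in lint_access_accept(FIRST_REPLY):
        print(finding)
    print(split_tunnel_password("01800108dc89606600352cfe5e925d4b43a6b9"))
```

For the value from step 3, the split gives tag 01, salt 8001 and 32 digits of encrypted string, which accounts for all 38 digits of the displayed value.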