

Terminal PC dials to the LNS but cannot set up the tunnel through RADIUS server authentication

Publication Date:  2012-10-18 Views:  132 Downloads:  0

Issue Description

A USG2130 is configured as the LNS. Users' PCs dial up and are authenticated through the RADIUS server so that identity authentication, authorization and accounting can be performed, but the terminal PCs cannot establish the L2TP tunnel.
The relevant configuration is as follows:
l2tp enable
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
nat address-group 1
radius-server template tem1
radius-server shared-key 123456
radius-server authentication 1645
radius-server accounting 1646
radius-server group-filter class
vlan 1
interface Vlanif1
ip address
dhcp select interface
dhcp server dns-list
interface Ethernet0/0/0
ip address
interface Virtual-Template1
ppp authentication-mode pap

ip address unnumbered interface Ethernet0/0/0
remote address pool 1
acl number 3002
rule 5 permit ip
firewall zone trust
set priority 85
add interface Vlanif1
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
add interface Virtual-Template1
firewall interzone trust untrust
nat outbound 3002 address-group 1
l2tp-group 1
allow l2tp virtual-template 1
tunnel password simple 123456
tunnel name 123456
local-user ** password cipher &^%*
local-user ** level 3
local-user ** ftp-directory flash:/
ip pool 1
authentication-scheme default
authentication-scheme auth1
  authentication-mode radius local
authorization-scheme default
accounting-scheme default
accounting-scheme acc1
  accounting-mode radius
domain default
  authentication-scheme  auth1
  accounting-scheme acc1
  radius-server tem1
ip route-static

Alarm Information


Handling Process

1. First confirm whether the problem lies in L2TP itself: change the authentication mode to local, have the remote PC dial to the LNS with a local account, and find that it can dial in and access internal resources.
2. Determine whether it is a firewall AAA configuration problem, i.e. whether the firewall failed to send the remote PC's dial-up user name to RADIUS for authentication. "debugging radius packet" shows that the firewall has sent the user's information to the RADIUS server, which rules out a firewall configuration problem.
3. Check the RADIUS server response packets: the user name is "user", not the dial-up account "user@". That is, the user name the firewall sends to the RADIUS server is "user" without the domain name, so the server fails to authenticate this account.
4. Change the firewall configuration to enable the domain-name appending function. After dialing again the tunnel still cannot be established; "debugging radius packet" shows that identity authentication has passed, but during dialing the virtual template first goes UP and then immediately DOWN, and "debugging l2tp event" shows that no address has been assigned to the remote PC.
5. Check the L2TP related configuration and find that the address pool is established directly under AAA rather than under "domain", so no IP address is assigned to the RADIUS server's domain users and the L2TP tunnel cannot be established. The specific operations are as follows:
A. Enable the automatic domain-name appending function on the firewall so that it adds the domain name when sending user information to the RADIUS server: under "radius-server template", add the command "radius-server user-name domain-included".
B. Establish the address pool under "domain" and reference it in the virtual template.
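The check in step 3 amounts to decoding the Access-Request the firewall sends and looking at its User-Name attribute. The following is an added example (not from this article or from Huawei): it builds two constructed RFC 2865 Access-Requests with the page's shared key 123456, one with the domain stripped and one with it appended, parses them back and reports whether the domain is present; the Request Authenticator, the password and the domain name "default" are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

def encode_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decode_password(hidden, secret, authenticator):
    """Reverse of encode_password; the chaining value is the ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, authenticator, ident=0):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    attrs = b""
    for t, v in ((ATTR_USER_NAME, username.encode()),
                 (ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr_type: value}) with length checks."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs

def user_name_from_request(pkt):
    """Return (user, domain); domain is None when the NAS stripped it."""
    name = parse_packet(pkt)[3][ATTR_USER_NAME].decode()
    user, sep, domain = name.partition("@")
    return user, (domain if sep else None)

SECRET = b"123456"               # shared key from the page's radius-server template
AUTH = bytes(range(16))          # constructed Request Authenticator (a real NAS uses random bytes)
STRIPPED = build_access_request("user", "pass", SECRET, AUTH, 7)           # before the fix
INCLUDED = build_access_request("user@default", "pass", SECRET, AUTH, 8)   # after domain-included
```

Before the fix `user_name_from_request(STRIPPED)` returns `("user", None)`, which is exactly the symptom seen in "debugging radius packet"; after it the domain is present.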

Root Cause

1. When the remote PC dials to the LNS, the firewall separates the dial-up user name from the domain name and sends only the user name to the RADIUS server for authentication. The account configured on the RADIUS server for identity authentication, however, includes the domain name, so the RADIUS server cannot find this account and authentication fails.
2. The IP address that a RADIUS-authenticated domain user obtains through L2TP dial-up comes from the address pool of the corresponding domain, not from an address pool established directly under AAA.