Issue Description
The customer uses a USG6320 as the L2TP access server and a RADIUS server as the authentication server. The customer configured the device by following the example in the user guide, but L2TP access always failed.
The network topology is shown in the figure.
Handling Process
The L2TP RADIUS authentication configuration consists of two parts: 1) the L2TP configuration; 2) the RADIUS server configuration.
(1) First, check whether the L2TP configuration is correct. All of the L2TP configuration is correct. In addition, the customer reports that L2TP access succeeds when a local user account on the firewall is used, which confirms that the L2TP configuration itself is correct.
(2) Next, check the RADIUS server configuration. The RADIUS server template contains the command "radius-server user-name domain-included". With this command, the firewall sends the user name together with its domain suffix (for example user1@net1) to the RADIUS server, so the accounts on the RADIUS server must include the domain. The template is as follows:
radius-server template temp
radius-server shared-key %$%$ZN&gB5n|k~edFN@.@C$I@E<3%$%$
radius-server authentication xxx.yyy.1.209 1812
radius-server user-name domain-included
radius-server group-filter class
radius-server health-check enable
After confirming with the customer, the accounts on the RADIUS server do not include the domain (for example user1, not user1@domain). In that case authentication fails because the user name the RADIUS server receives does not match any account. In addition, the customer reports that he logs in with an account name that carries no domain suffix, so I also checked the domain configuration in the AAA view and found that RADIUS authentication is configured in domain net1, not in the default domain. As follows:
domain net1
authentication-scheme radius
radius-server temp
service-type access internetaccess
ip pool 1 10.2.1.2 10.2.1.99
new-user deny-authentication
With the current configuration, authentication is bound to fail. The RADIUS server is bound to domain net1, so the login name must carry that domain (for example user1@net1) for the firewall to select domain net1; a bare user name falls into the default domain, which has no RADIUS configuration. At the same time, because the accounts on the RADIUS server carry no domain, the command "radius-server user-name domain-included" must not be configured in the RADIUS server template (otherwise the firewall would send user1@net1 to a server that only knows user1). It should be deleted.
After the customer corrected the configuration above and tested again, access still failed.
(3) I then enabled debugging on the firewall (debugging aaa all in the diagnose view, and debugging radius packet). The debug output shows that the RADIUS server returns authentication success, but the AAA debug information shows the user being taken offline, so the L2TP authentication still fails.
Checking the AAA configuration again, I found an unusual command in domain net1, "new-user deny-authentication", which the user guide does not mention. As follows:
domain net1
authentication-scheme radius
radius-server temp
service-type access internetaccess
ip pool 1 10.2.1.2 10.2.1.99
new-user deny-authentication
I suspected that this command caused the failure and asked the customer to change it as follows:
domain net1
authentication-scheme radius
radius-server temp
service-type access internetaccess
ip pool 1 10.2.1.2 10.2.1.99
new-user add-local root //users who pass authentication but do not yet exist locally are added to the local user group root
After this change, the customer tested again and L2TP access succeeded.
Root Cause
Based on the analysis above, the root cause is incorrect AAA domain and RADIUS server template configuration on the USG6320: the RADIUS server template carried "radius-server user-name domain-included" although the accounts on the RADIUS server have no domain suffix; the user logged in without the suffix of the domain (net1) that holds the RADIUS configuration, so the default domain was used; and the domain's "new-user deny-authentication" policy took the user offline after the RADIUS server had accepted the authentication.
Suggestions
For USG6000 series firewalls running V100R001C10, follow this case to correct the L2TP RADIUS authentication configuration; the user guide contains mistakes on these points.