No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Authentication of Local Users Accessed from an ME60 Through PPPoE Dialup Fails, and the 691 Error Occurs

Publication Date:  2019-04-11 Views:  30 Downloads:  0
Issue Description

Authentication of the local users accessed from an ME60 through PPPoE dialup fails, and the 691 error occurs. It is doubted that the authentication configuration is incorrect.

Handling Process

1. Check the local authentication configuration on the ME60.


<ME60-05>disp cu interface  GigabitEthernet  4/1/3.3
#
interface GigabitEthernet4/1/3.3                     //Interface from which the user performs dialup
 user-vlan 333
 bas
 #
  access-type layer2-subscriber default-domain authentication ceshi
  authentication-method ppp web
 #
#
return
< ME60-05> sys
[ME60-05]aaa
[ME60-05-aaa]dis th                        //Configuration of the authentication template and accounting template
#
authentication-scheme default
  authentication-mode local radius
accounting-scheme default0
#
[ME60-05-aaa-domain-ceshi]dis this             //ceshi domain configuration
#
 domain ceshi
  authentication-scheme default
  accounting-scheme default0
  ip-pool gwbnqd15
  user-group gwbnqd
#
return
[ME60-05-aaa-domain-ceshi]q
[ME60-05]local-aaa-server
[ME60-05-local-aaa-server]dis this                      //Local user configuration
#
local-aaa-server
 user test123 password irreversible-cipher $1a$s9[l(T8_;5$.z!x-Phrm+:wrQ(HzJ#3`^M.Ofr6u!UxGb0StZQS$ authentication-type A block fail-times 3 interval 5
#
return

It is found that the authentication type of the local user is incorrect. After the authentication type is changed to authentication-type P, perform a dial-up test again. The configuration is as follows:
[ME60-05-local-aaa-server]user test123 password irreversible-cipher $1a$s9[l(T8_;5$.z!x-Phrm+:wrQ(HzJ#3`^M.Ofr6u!UxGb0StZQS$ authentication-type P

2. The problem still persists. It is doubted that the authentication configuration is still incorrect. Trace the MAC address of the dialup terminal to view the dialup process.

Dec  5 2017 15:41:56.230.8 QDHX-WK-BAS-ME60-05 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][LAM][user info:
  MAC Address    : 80C1-6EE4-5789
  IP Address     : 255.255.255.255
  Interface      : GigabitEthernet4/1/3.3
  PE VLAN ID     : 333
  User Name      : test123@ceshi]                                                 
[trace info:Authen fail: password not match]                                 //Authentication fails. An error message is displayed indicating that the password does not match. Change the user name to cba123@ceshi and test again.

Commands:

[ME60-05-local-aaa-server]user test123@ceshi password irreversible-cipher $1a$s9[l(T8_;5$.z!x-Phrm+:wrQ(HzJ#3`^M.Ofr6u!UxGb0StZQS$ authentication-type P

3. The problem still persists. Check the product document. It is found that the following information is contained in the description of configuring a local account:

When a PPP user performs local CHAP authentication, the irreversible-cipher configuration is not allowed. Otherwise, the authentication fails.

The account is encrypted based on the irreversible-cipher configuration, which needs to be changed.

Root Cause

The encryption mode configured for the local account does not match, resulting in a dialup failure.

Solution

Change the encryption mode of the local account.
[ME60-05-local-aaa-server]user test123@ceshi password cipher $1a$s9[l(T8_;5$.z!x-Phrm+:wrQ(HzJ#3`^M.Ofr6u!UxGb0StZQS$ authentication-type P

END