Symptom: Normally, PPPoE dialup requires the user to enter a user name and a password. The BRAS (ME60) forwards the user name and password to the RADIUS server for authentication and accounting, and the user accesses the Internet under the service policy delivered by the RADIUS server. However, the customer reports that some users who dial up with an empty user name and an empty password on the campus network can access the Internet normally. This is happening more and more often, which makes authentication, authorization, and accounting meaningless for Internet access on the campus network.
1. Check the ME60 authentication scheme.
authentication-mode radius none
authening authen-redirect online authen-domain 691err
The ME60 is configured to apply RADIUS authentication first and then none-authentication. A configuration error is ruled out, so it is suspected that the RADIUS server is down.
2. Check whether the RADIUS server works properly. It does, yet dialing up with an empty user name and password still succeeds. This confirms that the problem is not caused by the RADIUS server being down.
3. Check the RADIUS server configuration. On receiving an authentication request packet with an empty user name, the RADIUS server simply discards the packet without replying.
4. Confirm that the problem occurs because the handling of empty user names and passwords was not considered during interconnection. In the ME60 authentication scheme, RADIUS authentication is performed before none-authentication. This scheme is designed for disaster tolerance, to reduce the impact on user dialup when the RADIUS server is down. When the RADIUS server receives an empty user name and password, it sends no reply to the BRAS. From the BRAS's point of view a missing reply is indistinguishable from an unreachable server, so the ME60 incorrectly concludes that the RADIUS server is dead, selects none-authentication, and allows the user traffic. Such users can therefore still access the network.
This problem is caused by a device interconnection issue.
The handling of empty user names and passwords was not considered during interconnection between the BRAS and the RADIUS server. The BRAS keeps sending requests with empty user names and passwords to the RADIUS server, and the RADIUS server never replies. The BRAS therefore incorrectly concludes that the RADIUS server is dead and selects the none-authentication scheme.
1. Reconfigure the ME60 to use RADIUS authentication only, replacing the original scheme of RADIUS authentication followed by none-authentication.
2. Configure the RADIUS server to reply to a request with an empty user name and password, either with an authentication failure or with an error message indicating an incorrect user name.
Solution 2 is preferred to solution 1, because solution 1 leaves a residual risk: if the RADIUS server does go down, no user can access the network.
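The following is an added example, not Huawei code or the customer's configuration, that models the fault in step 4 and both solutions above: a toy RADIUS server that either silently drops empty-user-name requests or rejects them, and a toy BRAS with the "radius none" scheme. The dead-server threshold of three consecutive unanswered requests and all user names and passwords are assumptions made for the illustration.

```python
"""Toy model of the 'authentication-mode radius none' fail-open described in the case."""
from dataclasses import dataclass

DEAD_THRESHOLD = 3  # assumed: consecutive timeouts before the BRAS marks the RADIUS server dead


@dataclass
class RadiusServer:
    """Toy RADIUS server. reject_empty=False reproduces the fault: empty user name -> no reply."""
    users: dict          # constructed user database: user name -> password
    reject_empty: bool   # False = faulty server (silent drop), True = solution 2

    def handle(self, username, password):
        """Return 'accept', 'reject', or None (no reply, which the NAS sees as a timeout)."""
        if username == "":
            return "reject" if self.reject_empty else None
        return "accept" if self.users.get(username) == password else "reject"


@dataclass
class Bras:
    """Toy BRAS. fallback_none=True is the original 'radius none' scheme; False is solution 1."""
    server: RadiusServer
    fallback_none: bool
    timeouts: int = 0  # consecutive unanswered requests

    def authenticate(self, username, password):
        if self.fallback_none and self.timeouts >= DEAD_THRESHOLD:
            return "online (none-authentication)"  # server considered dead: fail open
        reply = self.server.handle(username, password)
        if reply is None:
            self.timeouts += 1  # a discarded request looks exactly like a dead server
            if self.fallback_none and self.timeouts >= DEAD_THRESHOLD:
                return "online (none-authentication)"
            return "offline (timeout)"
        self.timeouts = 0  # any reply, accept or reject, proves the server is alive
        return "online (radius)" if reply == "accept" else "offline (rejected)"


def dial_repeatedly(bras, username, password, attempts):
    """Dial `attempts` times with the same credentials and return the list of outcomes."""
    return [bras.authenticate(username, password) for _ in range(attempts)]


if __name__ == "__main__":
    faulty = Bras(RadiusServer({"alice": "s3cret"}, reject_empty=False), fallback_none=True)
    print(dial_repeatedly(faulty, "", "", 4))        # third empty dialup opens the network
    print(faulty.authenticate("bob", "wrong"))        # even a bad password now succeeds
    fixed = Bras(RadiusServer({"alice": "s3cret"}, reject_empty=True), fallback_none=True)
    print(dial_repeatedly(fixed, "", "", 4))         # explicit rejects keep the server "alive"
```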