An Account Could Access the Network After Changing the Password Because of Improper

Latest reply: Feb 29, 2016 22:24:12

The MA5200G is connected to DSLAM users who are authenticated at the RADIUS server through PPPoE dial-up. One of the accounts is public; its password is changed at the RADIUS server and the user is cut offline at the MA5200G, but the user can still access the network using the password from before the change.


gennady_fedonov Created Feb 29, 2016 22:24:12

1. First log in to the equipment and force the user offline. Checking the debug packets shows that once the user sends code=1 (authentication request), RADIUS responds with code=3 (authentication failure); at this point no further packets would normally be sent and the user would be forced offline. However, after RADIUS returns the code=3 packet, the MA5200G sends code=4 (accounting request) to RADIUS and RADIUS answers with code=5 (accounting response), so the user can access the network again. In other words, a command is configured that permits users who fail authentication to access the network.
2. Checking the configuration shows that a command is configured which permits users to be online after remote authentication fails.
authentication-scheme guangdong_authen
authening authen-fail online
authen-domain 16900.gd
So after the account's password is changed at RADIUS, the user fails RADIUS authentication, but the command mentioned above still permits the user to come online. Delete the command and force the user offline; a check of the online users then shows that the user cannot come online again.

Root Cause
1. The RADIUS setting is problematic.
2. The authentication policy is problematic.
In this case, the authentication policy permits users to access the network if RADIUS authentication fails, so after the password is changed at RADIUS, users can still come online using the former password.
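As an added example (not part of the original post or of any Huawei tool), the following Python script checks RADIUS debug output for the packet pattern the author observed, an Access-Reject (code 3) followed by an Accounting-Request (code 4) for the same user, and models the BRAS decision with and without the 'authening authen-fail online' policy. The debug line format and the user names are constructed assumptions.

```python
import re
from collections import defaultdict
# Standard RADIUS packet codes (RFC 2865/2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

# Constructed sample debug output (added example); the "user=... code=N" line
# format and the user names are assumptions, not the MA5200G's real output.
SAMPLE_DEBUG = """\
14:00:01 RADIUS user=public1 code=1
14:00:01 RADIUS user=public1 code=3
14:00:02 RADIUS user=public1 code=4
14:00:02 RADIUS user=public1 code=5
14:00:05 RADIUS user=alice code=1
14:00:05 RADIUS user=alice code=2
14:00:06 RADIUS user=alice code=4
14:00:06 RADIUS user=alice code=5
14:00:09 RADIUS user=bob code=1
14:00:09 RADIUS user=bob code=3
"""

LINE_RE = re.compile(r"user=(\S+)\s+code=(\d+)")

def parse_codes(debug_text):
    """Return {user: [packet codes in the order seen]} from the debug lines."""
    codes = defaultdict(list)
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            codes[m.group(1)].append(int(m.group(2)))
    return dict(codes)

def find_auth_fail_online(debug_text):
    """Users for whom an Access-Reject (3) is followed by an Accounting-Request (4):
    the NAS started accounting, i.e. let them online, despite the failed auth."""
    suspects = []
    for user, seq in parse_codes(debug_text).items():
        for i, code in enumerate(seq):
            if code == ACCESS_REJECT and ACCOUNTING_REQUEST in seq[i + 1:]:
                suspects.append(user)
                break
    return suspects

def nas_admits_user(access_code, authen_fail_online):
    """Model the BRAS decision: Access-Accept admits the user; Access-Reject admits
    the user only when 'authening authen-fail online' is configured."""
    if access_code == ACCESS_ACCEPT:
        return True
    return access_code == ACCESS_REJECT and authen_fail_online
```

Running find_auth_fail_online over real debug output would flag exactly the accounts that, like the public account above, went online after a reject; removing the policy makes nas_admits_user return False for them.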
