RADIUS under MA5200 prompts that the user password is invalid because of diversi

Created: Mar 29, 2016 21:37:12 | Latest reply: Mar 30, 2016 03:47:28

Version: independent of versions
The user is authenticated by RADIUS and accesses the network via PPPoE, and the radius-server has been configured. The display command shows that the state of the radius-server is up, but an error is always prompted when the user dials up. Surprisingly, the user name and password are found to be the same at the client and the RADIUS server.





love_yan     Created Mar 30, 2016 03:47:28

Handling Process
1. Make sure that the password for the account used by the PPPoE dialup user agrees with the one configured at RADIUS.
2. Check the configuration of the RADIUS server. It is found that the RADIUS secret-key configuration differs from that of the MA5200, and the problem is solved after changing it.

 


Root Cause
The root of the problem is that the RADIUS server does not check the RADIUS packet authenticator, so it responds normally to a packet with a false authenticator. However, in PAP authentication, the key used for encryption at both sides is the RADIUS key; thus, the difference between the configurations of the two sides causes RADIUS to prompt that the user name does not agree with the password.
Suggestions
Generally, if the keys configured for the BAS and RADIUS are not identical, the RADIUS packet authenticators will not be identical either, and RADIUS should not respond to such a packet. However, some RADIUS servers don't check the packet authenticator, so they may respond to RADIUS packets even though the keys are not identical. So although the display command shows that the radius-server is up, this does not ensure that each parameter configured for RADIUS on the MA5200 agrees with that on the RADIUS server. At this point, we should check whether these parameters are configured correctly.

PAP authentication is very sensitive to this problem, because it uses the RADIUS key configured on both the BAS and RADIUS for the encryption between them. So if the configurations of the two sides are not identical, RADIUS will respond with invalid user password, even though the cause is the difference in keys between the two sides.

It is very simple to address the problem. We can switch to CHAP mode, since the challenge used in CHAP encryption is generated by the BAS and advertised to the client and RADIUS, which avoids the calculated ciphertexts differing because of a configuration problem. If the same account and password pass CHAP authentication while PAP prompts invalid password, the cause is mainly the difference in RADIUS configuration between the two sides.
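The PAP and CHAP behaviour described in this reply, as an added example that is not part of the original post: it applies the RFC 2865 User-Password hiding with one key on the BAS side and another on the server side, and compares that with the RFC 1994 CHAP response, which does not take the RADIUS key as input. Function names, keys and the password are constructed for illustration.

```python
import hashlib
import os

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """BAS side: RFC 2865 5.2 User-Password hiding (MD5 pad chained per 16-byte block)."""
    size = max(1, -(-len(password) // 16)) * 16      # pad to a multiple of 16, minimum 16
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's own copy of the key."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(id + password + challenge); no RADIUS key involved."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def diagnose(password: bytes, bas_secret: bytes, server_secret: bytes):
    """Return (pap_password_matches, chap_password_matches) for one simulated login."""
    request_auth = os.urandom(16)
    hidden = pap_hide(password, bas_secret, request_auth)
    pap_ok = pap_recover(hidden, server_secret, request_auth) == password
    challenge = os.urandom(16)                        # generated by the BAS
    from_client = chap_response(1, password, challenge)
    at_server = chap_response(1, password, challenge) # server uses its stored password
    return pap_ok, from_client == at_server

if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    print("keys match   :", diagnose(b"user-pass", b"key-A", b"key-A"))
    print("keys differ  :", diagnose(b"user-pass", b"key-A", b"key-B"))
```

With differing keys the server recovers garbage from the PAP attribute and reports a bad password, while the CHAP comparison still matches, which is the symptom pair the reply uses to point at a key mismatch.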

