Got it
Huawei Enterprise Support Community
Community Forums Security
How to configure L2TP ove...

How to configure L2TP over IPSec with AD domain authentication ?

Latest reply: Oct 31, 2018 01:25:04 2968 13 9 0 0
View the author 1#

Problem Description: How to configure L2TP over IPSec with AD domain authentication? Now USG6350 running V500R001C60SPC500 +SPH017

We are trying to configure such scheme by documentation from V1 VRP, but it was failed.

V1 docs: http://support.huawei.com/hedex/hdx.do?docid=EDOC1000182434&lang=en&tocURL=resources/ag_en/sec_eudemon_ag_ipsec_0180.html

Problem Analysis: 1. Check configuration ----is OK

2. check AD domain configuration , test AD account ----is OK

3. compare local authentication and AD authentication---- AD failed .

4. debugging radius all and debugging l2tp all.

 

Sep 27 2018 14:48:08.7.11+03:00 USG6300 AAA/7/DEBUG:

[AAA INFO]no cfg DaaTariffLevel in service-scheme[50]

Sep 27 2018 14:48:08.7.12+03:00 USG6300 AAA/7/DEBUG:

[AAA INFO]Author of DaaTariffLevel.(DaaEnableFlag=0, UpStat=0, DownStat=0, Acct=0, QosProfile1 =, QosProfile2 =,)

<USG6300>

Sep 27 2018 14:48:08.7.13+03:00 USG6300 AAA/7/DEBUG:

[AAA ERROR]authen finish,the authen fail reason is:17

Sep 27 2018 14:48:08.7.15+03:00 USG6300 AAA/7/DEBUG:

[AAA INFO]user info before adjust: user_name:mihalkov@karatsc.ru access_type: :10

Sep 27 2018 14:48:08.7.16+03:00 USG6300 AAA/7/DEBUG:

 

Sep 27 2018 15:08:02.847.8+03:00 USG6300 AAA/7/DEBUG:

AAA receive AAA_SRV_MSG_AUTHEN_REQ message(31) from UCM module(0).

Sep 27 2018 15:08:02.847.9+03:00 USG6300 AAA/7/DEBUG:

    DestIndex:9707 SrcIndex:9707 Slot:0

    User:mihalkov@karatsc.ru MAC:ffff-ffff-ffff

    Slot:0 SubSlot:0 Port:0 VLAN:0

    IP:255.255.255.255 AccessType:pppolns AuthenType:CHAP

    AdminLevel:0 EapSize:0 AuthenCode:PPP

    ulInterface:7 ChallengeLen:16 ChapID:1

    LineType:0 LineIndex:0 PortType:15

AcctSessionId:USG6300000000000000007f4d400000000

 

Root Cause: Device send a CHAP request packet to AD server. In theory, it need to use PAP mode connect to with AD Server.

Solution Description:

It is recommended to change the configuration to:

#

interface Virtual-Template0

ppp authentication-mode chap pap -----> ppp authentication-mode pap        // change to pap then try it again .

remote service-scheme l2tpSScheme_1528887088888888888884

ip address 10.0.0.1 255.255.255.0

alias L2TP_LNS_0

undo service-manage enable

 

Like (9) Dislike (0) Favorite(0) Share Report
Previous: Troubleshooting Of IPSEC Negotiation failures
Next: How to Configure firewall statistic.
(0) (0)
2#
faysalji
Author Created Oct 1, 2018 10:52:28

Thanks for sharing your case. This solution may safe time of someone due to its share with community
View more
  • x
  • convention:
(0) (0)
3#
Finn92
Created Oct 19, 2018 02:03:58

Device send a CHAP request packet to AD server. In theory, it need to use PAP mode connect to with AD Server.

but why AD server should be PAP ? not support CHAP ?

I am very interested for this sharing , which is very helpful to our daily work. I have the similar problems in my daily troubleshooting, but I do not know how to deal with them. Now I have a clear idea. Thank you very much for your post. Hope you can update continue like this , thank you very much .

This post was last edited by Finn92 at 2018-10-31 08:42.
View more
  • x
  • convention:
(0) (0)
4#
No.9527
Created Oct 19, 2018 03:29:09

An L2TP client is deployed on the remote user side and connects to the L2TP server in automatic dialup mode.

An L2TP client initiates a virtual dialup request and sends information about itself to the L2TP server. The L2TP server authenticates L2TP client information and completes establishing the L2TP connection. Therefore, after a remote user can use an L2TP client access to connect to the L2TP server, the remote user can access resources in the headquarters where the L2TP server locates without any extra configuration.

This post was last edited by No.9527 at 2018-10-31 06:59.
View more
  • x
  • convention:
(0) (0)
5#
lizhi94
Created Oct 19, 2018 09:27:12

I have required a lot of knowledge,which encourages me to gohead for excellent level .
The post also is useful and practical to me and then take the knowledge of Network technology to us .
AT same time,this post offers a nice reference of the How to configure L2TP over IPSec with AD domain authentication ?
This is a rare sticker that has been rare for a hundred years! Heaven has eyes, let me see such a wonderful post in the eugenic year.
Thank you very much for your sharing. Hope you can update continue like this
View more
  • x
  • convention:
(0) (0)
6#
yangyong
Created Oct 19, 2018 09:37:27

After reading this post, I didn't respond immediately, because I was afraid that my vulgar response would tarnish this rare post on the Internet. But I still replied, because I feel that if I can't leave my own screen name behind such a wonderful post, then I will not be afraid of death! How proud it is to be able to leave your own screen name behind such a wonderful post! The landlord, please forgive my selfishness! This post was last edited by yangyong at 2018-10-30 13:16.
View more
  • x
  • convention:
(0) (0)
7#
Torrent
Created Oct 22, 2018 05:48:40

How to configure L2TP over IPSec with AD domain authentication? Now USG6350 running V500R001C60SPC500 +SPH017

We are trying to configure such scheme by documentation from V1 VRP, but it was failed.

can you share the complete configuration for this issue? because I just face same issue in my network?
thanks very much!!!How to configure L2TP over IPSec with AD domain authentication ?-2782751-1
View more
  • x
  • convention:
(0) (0)
8#
littlestone
Created Oct 26, 2018 06:18:05

Some personal data (such as MAC or IP addresses of terminals) may be obtained or used during operation or fault location of your purchased products, services, features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data This post was last edited by littlestone at 2018-10-31 05:48.
View more
  • x
  • convention:
(0) (0)
9#
SupperRobin
Created Oct 26, 2018 06:19:08

The LAC client directly initiates a connection request to the LNS. The LAC client and LNS negotiate an IPSec tunnel, and perform L2TP negotiation to authenticate the user's identity and establish an L2TP over IPSec tunnel. The data between the LAC client and the LNS is transmitted through the tunnel. Layer-2 data is encapsulated using L2TP and then the data is encrypted using IPSec. This post was last edited by SupperRobin at 2018-10-31 06:32.
View more
  • x
  • convention:
(0) (0)
10#
Mark.hu
Created Oct 26, 2018 06:28:40

It can be seen from this problem that when we encounter similar faults, we should not subjectively judge that the relevant configuration of the equipment is incorrect or the relevant configuration of the equipment is restricted. It is necessary to comprehensively analyze the global information. This post was last edited by Mark.hu at 2018-10-31 06:20.
View more
  • x
  • convention:
12
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.