
How to configure L2TP over IPSec with AD domain authentication ?

Latest reply: Oct 31, 2018 01:25:04

Problem Description: How to configure L2TP over IPSec with AD domain authentication? The USG6350 is running V500R001C60SPC500 +SPH017.

We tried to configure this scheme following the V1 VRP documentation, but it failed.

V1 docs: http://support.huawei.com/hedex/hdx.do?docid=EDOC1000182434&lang=en&tocURL=resources/ag_en/sec_eudemon_ag_ipsec_0180.html

Problem Analysis:

1. Check the configuration ---- OK

2. Check the AD domain configuration and test an AD account ---- OK

3. Compare local authentication with AD authentication ---- AD failed.

4. Run debugging radius all and debugging l2tp all.

 

Sep 27 2018 14:48:08.7.11+03:00 USG6300 AAA/7/DEBUG:

[AAA INFO]no cfg DaaTariffLevel in service-scheme[50]

Sep 27 2018 14:48:08.7.12+03:00 USG6300 AAA/7/DEBUG:

[AAA INFO]Author of DaaTariffLevel.(DaaEnableFlag=0, UpStat=0, DownStat=0, Acct=0, QosProfile1 =, QosProfile2 =,)

<USG6300>

Sep 27 2018 14:48:08.7.13+03:00 USG6300 AAA/7/DEBUG:

[AAA ERROR]authen finish,the authen fail reason is:17

Sep 27 2018 14:48:08.7.15+03:00 USG6300 AAA/7/DEBUG:

[AAA INFO]user info before adjust: user_name:mihalkov@karatsc.ru access_type: :10

Sep 27 2018 14:48:08.7.16+03:00 USG6300 AAA/7/DEBUG:

 

Sep 27 2018 15:08:02.847.8+03:00 USG6300 AAA/7/DEBUG:

AAA receive AAA_SRV_MSG_AUTHEN_REQ message(31) from UCM module(0).

Sep 27 2018 15:08:02.847.9+03:00 USG6300 AAA/7/DEBUG:

    DestIndex:9707 SrcIndex:9707 Slot:0

    User:mihalkov@karatsc.ru MAC:ffff-ffff-ffff

    Slot:0 SubSlot:0 Port:0 VLAN:0

    IP:255.255.255.255 AccessType:pppolns AuthenType:CHAP

    AdminLevel:0 EapSize:0 AuthenCode:PPP

    ulInterface:7 ChallengeLen:16 ChapID:1

    LineType:0 LineIndex:0 PortType:15

AcctSessionId:USG6300000000000000007f4d400000000

 

Root Cause: The device sends a CHAP request packet to the AD server. In theory, it needs to use PAP mode to connect to the AD server.

Solution Description:

It is recommended to change the configuration to:

#

interface Virtual-Template0

ppp authentication-mode chap pap -----> ppp authentication-mode pap        // change to pap, then try again.

remote service-scheme l2tpSScheme_1528887088888888888884

ip address 10.0.0.1 255.255.255.0

alias L2TP_LNS_0

undo service-manage enable
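As an added example (not from the case above and not Huawei code), the Python script below performs steps 3 and 4 of the analysis mechanically: it pulls User and AuthenType out of the AAA_SRV_MSG_AUTHEN_REQ dump, collects the numeric "authen fail reason" codes the AAA module logged (no meaning is assigned to them here, since the page gives none), reads the ppp authentication-mode line from the Virtual-Template, and flags the CHAP-versus-AD mismatch named in the root cause. The sample debug lines are a trimmed copy of the output above with a hypothetical user name, the service-scheme name is a placeholder, and the line layout of the debug output is assumed from what is shown.

```python
import re
from typing import Dict, List

# Constructed sample: trimmed copy of the USG6300 "AAA/7/DEBUG" output shown in
# the case above, with the user name replaced by a hypothetical one.
SAMPLE_DEBUG = """\
Sep 27 2018 14:48:08.7.13+03:00 USG6300 AAA/7/DEBUG:
[AAA ERROR]authen finish,the authen fail reason is:17
Sep 27 2018 15:08:02.847.8+03:00 USG6300 AAA/7/DEBUG:
AAA receive AAA_SRV_MSG_AUTHEN_REQ message(31) from UCM module(0).
Sep 27 2018 15:08:02.847.9+03:00 USG6300 AAA/7/DEBUG:
    DestIndex:9707 SrcIndex:9707 Slot:0
    User:vpnuser@example.test MAC:ffff-ffff-ffff
    IP:255.255.255.255 AccessType:pppolns AuthenType:CHAP
    AdminLevel:0 EapSize:0 AuthenCode:PPP
"""

# Constructed sample: the Virtual-Template block from the case, with a
# placeholder service-scheme name.
SAMPLE_CONFIG = """\
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 remote service-scheme l2tpSScheme_PLACEHOLDER
 ip address 10.0.0.1 255.255.255.0
 alias L2TP_LNS_0
 undo service-manage enable
#
"""

KEY_VALUE = re.compile(r"(\w+):(\S+)")
FAIL_REASON = re.compile(r"authen fail reason is:(\d+)")
PPP_AUTH_MODE = re.compile(r"^\s*ppp authentication-mode\s+(.+?)\s*$", re.MULTILINE)


def parse_authen_requests(debug_text: str) -> List[Dict[str, str]]:
    """Collect the indented Key:Value lines that follow each AAA_SRV_MSG_AUTHEN_REQ.
    Timestamp header lines in between are ignored; a new request starts a new record."""
    requests: List[Dict[str, str]] = []
    current = None
    for line in debug_text.splitlines():
        if "AAA_SRV_MSG_AUTHEN_REQ" in line:
            current = {}
            requests.append(current)
        elif current is not None and line.startswith(" "):
            current.update(KEY_VALUE.findall(line))
    return requests


def fail_reasons(debug_text: str) -> List[str]:
    """Return every numeric 'authen fail reason' code logged; no meaning is assigned here."""
    return FAIL_REASON.findall(debug_text)


def ppp_auth_modes(config_text: str) -> List[str]:
    """Return the PPP authentication modes offered on the Virtual-Template, in configured order."""
    match = PPP_AUTH_MODE.search(config_text)
    return match.group(1).split() if match else []


def triage(debug_text: str, config_text: str, backend_is_ad: bool = True) -> List[str]:
    """Flag the mismatch from the case: CHAP offered/negotiated while the remote
    service-scheme authenticates against AD. A local user database can verify CHAP,
    so nothing is flagged in that case."""
    findings: List[str] = []
    if not backend_is_ad:
        return findings
    chap_users = sorted({r.get("User", "?") for r in parse_authen_requests(debug_text)
                         if r.get("AuthenType") == "CHAP"})
    if chap_users:
        findings.append("CHAP authentication request(s) for %s handed to an AD-backed scheme; "
                        "AD cannot verify CHAP" % ", ".join(chap_users))
    modes = ppp_auth_modes(config_text)
    if "chap" in modes:
        findings.append("Virtual-Template offers 'ppp authentication-mode %s'; "
                        "change it to 'ppp authentication-mode pap'" % " ".join(modes))
    reasons = fail_reasons(debug_text)
    if reasons:
        findings.append("AAA logged authentication failure reason code(s): %s" % ", ".join(reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a pasted `debugging l2tp all` capture and the Virtual-Template section of `display current-configuration`; the `backend_is_ad` flag stands in for knowing which authentication source the remote service-scheme uses, which the debug output itself does not state.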

 

Thanks for sharing your case. This solution may save someone time now that it is shared with the community.

"The device sends a CHAP request packet to the AD server. In theory, it needs to use PAP mode to connect to the AD server."

But why should the AD server use PAP? Does it not support CHAP?

I am very interested in this sharing, which is very helpful to our daily work. I have had similar problems in my daily troubleshooting, but I did not know how to deal with them. Now I have a clear idea. Thank you very much for your post. I hope you keep posting updates like this; thank you very much.

This post was last edited by Finn92 at 2018-10-31 08:42.
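The question above asks why the AD-backed scheme needs PAP rather than CHAP. The reason is in the CHAP algorithm itself: standard CHAP (RFC 1994) has the verifier recompute MD5(identifier || secret || challenge), so whoever verifies must hold the cleartext secret. A directory such as AD stores passwords as a one-way hash (unless the reversible-encryption policy is enabled, which it is not by default) and, from the LNS's point of view, offers a bind check that needs the password itself. PAP delivers that password; a CHAP response does not. The Python below is an added illustration, not code from the case or from Huawei: the two backend classes, the user name and the secret are constructed, and SHA-256 merely models "one-way storage", it is not AD's real format.

```python
import hashlib
import hmac
from typing import Dict, Optional


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    Both sides need the cleartext secret to compute this."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


class LocalUserDatabase:
    """The LNS's own AAA user table: it keeps the secret, so it can recompute
    the CHAP response, and it can also compare a PAP password."""

    def __init__(self, users: Dict[str, bytes]):
        self._secrets = dict(users)

    def verify_pap(self, user: str, password: bytes) -> bool:
        secret = self._secrets.get(user)
        return secret is not None and hmac.compare_digest(secret, password)

    def verify_chap(self, user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)


class DirectoryBackend:
    """Stand-in (assumption) for an AD/LDAP directory as the LNS sees it: only a
    one-way hash is stored and only a bind (user + password) check is offered.
    SHA-256 models 'one-way' here; it is not AD's real password storage format."""

    def __init__(self, users: Dict[str, bytes]):
        self._hashes = {u: hashlib.sha256(p).digest() for u, p in users.items()}

    def bind(self, user: str, password: bytes) -> bool:
        stored = self._hashes.get(user)
        return stored is not None and hmac.compare_digest(stored, hashlib.sha256(password).digest())

    def verify_pap(self, user: str, password: bytes) -> bool:
        # PAP delivers the password itself, so the LNS can bind with it.
        return self.bind(user, password)

    def verify_chap(self, user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        # Verifying CHAP would need MD5(id || secret || challenge); the directory never
        # exposes the secret, and a bind needs a password the CHAP response does not carry.
        raise NotImplementedError("CHAP cannot be verified against a bind-only directory")


def lns_authenticate(backend, method: str, user: str, password: Optional[bytes] = None,
                     chap_id: int = 1, challenge: Optional[bytes] = None,
                     response: Optional[bytes] = None) -> Optional[bool]:
    """Run the negotiated PPP method against a backend. Returns True/False, or None
    when the backend cannot evaluate the method at all (the situation in the case)."""
    if method == "pap":
        return backend.verify_pap(user, password or b"")
    if method == "chap":
        try:
            return backend.verify_chap(user, chap_id, challenge or b"", response or b"")
        except NotImplementedError:
            return None
    raise ValueError("unknown PPP authentication method: %s" % method)


def demo() -> Dict[str, Optional[bool]]:
    """Constructed walk-through: same user and secret, both backends, both methods."""
    user, secret = "vpnuser@example.test", b"correct-horse-battery"   # hypothetical
    challenge = bytes(range(16))                                       # fixed for reproducibility
    response = chap_response(1, secret, challenge)                     # what the client would send
    local = LocalUserDatabase({user: secret})
    directory = DirectoryBackend({user: secret})
    return {
        "local_chap": lns_authenticate(local, "chap", user, chap_id=1, challenge=challenge, response=response),
        "directory_chap": lns_authenticate(directory, "chap", user, chap_id=1, challenge=challenge, response=response),
        "directory_pap": lns_authenticate(directory, "pap", user, password=secret),
        "directory_pap_wrong": lns_authenticate(directory, "pap", user, password=b"wrong"),
    }


if __name__ == "__main__":
    labels = {True: "accepted", False: "rejected", None: "cannot verify"}
    for name, result in demo().items():
        print("%-20s %s" % (name, labels[result]))
```

The `local_chap` and `directory_chap` rows are the pair that matters for the case: the same CHAP response is accepted by the local user table and cannot be evaluated at all by the directory, which is why step 3 of the analysis above saw local authentication succeed while AD authentication failed. With PAP the password reaches the LNS inside the L2TP session, which on this setup already travels inside the IPSec tunnel.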

An L2TP client is deployed on the remote user side and connects to the L2TP server in automatic dialup mode.

An L2TP client initiates a virtual dialup request and sends information about itself to the L2TP server. The L2TP server authenticates the L2TP client information and completes establishing the L2TP connection. Therefore, once a remote user uses an L2TP client to connect to the L2TP server, the remote user can access resources at the headquarters where the L2TP server is located without any extra configuration.

This post was last edited by No.9527 at 2018-10-31 06:59.

I have acquired a lot of knowledge, which encourages me to go ahead to an excellent level.
The post is also useful and practical to me and brings the knowledge of network technology to us.
At the same time, this post offers a nice reference on how to configure L2TP over IPSec with AD domain authentication.
This is a rare post that has been rare for a hundred years! Heaven has eyes, letting me see such a wonderful post in the eugenic year.
Thank you very much for your sharing. I hope you keep posting updates like this.

After reading this post, I didn't respond immediately, because I was afraid that my vulgar response would tarnish this rare post on the Internet. But I still replied, because I feel that if I can't leave my own screen name behind such a wonderful post, then I will not be afraid of death! How proud it is to be able to leave your own screen name behind such a wonderful post! The landlord, please forgive my selfishness! This post was last edited by yangyong at 2018-10-30 13:16.

"How to configure L2TP over IPSec with AD domain authentication? The USG6350 is running V500R001C60SPC500 +SPH017.

We tried to configure this scheme following the V1 VRP documentation, but it failed."

Can you share the complete configuration for this issue? I am facing the same issue in my network.
Thanks very much!!!

Some personal data (such as MAC or IP addresses of terminals) may be obtained or used during operation or fault location of your purchased products, services, and features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data. This post was last edited by littlestone at 2018-10-31 05:48.

The LAC client directly initiates a connection request to the LNS. The LAC client and LNS negotiate an IPSec tunnel, and perform L2TP negotiation to authenticate the user's identity and establish an L2TP over IPSec tunnel. The data between the LAC client and the LNS is transmitted through the tunnel. Layer-2 data is encapsulated using L2TP and then the data is encrypted using IPSec. This post was last edited by SupperRobin at 2018-10-31 06:32.

It can be seen from this problem that when we encounter similar faults, we should not subjectively judge that the relevant configuration of the equipment is incorrect or the relevant configuration of the equipment is restricted. It is necessary to comprehensively analyze the global information. This post was last edited by Mark.hu at 2018-10-31 06:20.
