[Insider sharing] L2TP&PPP authentication failure due to radius attribute configu

Latest reply: Apr 22, 2018 23:32:15

Hi Guys,

 

I would like to share an interesting case that involves L2TP radius authentication. The scenario that one of our customers wants to accomplish is to establish an L2TP tunnel from branch to HQ, authenticating the remote side using a radius server. Of course it was not easy from the start :), some problems occurred. By doing a packet capture, the customer was able to see that the failing point of this issue is the PPP CHAP process: after receiving the Authentication message "ACCEPT" from our radius, the LNS AR2240 sends a CHAP failure instantly (no 3-way handshake session involved). To make this info more clear I will insert the topology:

 

Certainly it's necessary to start a debugging session while trying to authenticate the remote end via radius.

On LNS:

debugging ppp all

debugging l2tp all

debugging cm all

debugging radius all 

debugging aaa all

  

I will not post all debugging logs here but I can tell you what messages I was able to spot.

1. Authentication request

2. Authentication accept

3. Attr decode err. (type=11)

4. Authentication fail with illegal user or password.

5. LCP opened to closing.

 

Clearly the most important message is the decode error. This tells us that one of the attributes that are sent by the radius server cannot be decoded by the AR side.

By checking the packet capture we observe some Microsoft private attributes involved in the process. Moreover, the "Tunnel-Assignment-Id" attribute has a longer length (15) than the maximum admitted (6). Check the snip.

By removing the Microsoft private attributes and adjusting the length for the Tunnel-Assignment-Id attribute we will be able to solve the decoding error and advance with the troubleshooting.

It's important to remove unnecessary attributes from the radius messages, especially when you work in a multi-vendor environment.

Hope you enjoy reading this case.
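The check described in the post above can be scripted against a captured Access-Accept. This is an added example, not part of the original post or any vendor tool: it walks the RADIUS attribute list and reports Microsoft vendor-specific attributes and any attribute whose length exceeds a configured limit. The function names, the sample packet and the choice to compare the limit of 6 against the attribute's Length field are assumptions.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute
TUNNEL_ASSIGNMENT_ID = 82   # RFC 2868 Tunnel-Assignment-Id
MICROSOFT_VENDOR_ID = 311   # IANA enterprise number for Microsoft
# Assumption: the cap applies to the attribute Length field; 6 is the limit quoted in the post.
MAX_LEN = {TUNNEL_ASSIGNMENT_ID: 6}

def parse_attributes(packet):
    """Yield (type, length, value) for each attribute in a RADIUS packet."""
    _code, _ident, total = struct.unpack("!BBH", packet[:4])
    if total < 20 or total > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < total:
        if pos + 2 > total:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > total:
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        yield atype, alen, packet[pos + 2:pos + alen]
        pos += alen

def audit_access_accept(packet, max_len=MAX_LEN):
    """Return findings for attributes a strict decoder may reject."""
    findings = []
    for atype, alen, value in parse_attributes(packet):
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == MICROSOFT_VENDOR_ID:
                findings.append(f"type 26: Microsoft vendor-specific attribute (vendor id {vendor})")
        limit = max_len.get(atype)
        if limit is not None and alen > limit:
            findings.append(f"type {atype}: length {alen} exceeds limit {limit}")
    return findings

def build_sample():
    """Constructed Access-Accept (code 2); not the customer's capture."""
    def avp(t, v):
        return bytes([t, len(v) + 2]) + v
    attrs = avp(6, struct.pack("!I", 2))                       # Service-Type = Framed
    attrs += avp(26, struct.pack("!IBB", 311, 7, 6) + b"\x00\x00\x00\x01")  # constructed Microsoft VSA
    attrs += avp(82, b"\x00" + b"branch-tunn1")                # tag + 12 chars gives length 15
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for line in audit_access_accept(build_sample()):
        print(line)
```
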

 


Created Dec 30, 2014 09:07:16

Thank you.

MVE Created Apr 22, 2018 23:32:15

useful document, thanks

Telecommunications Engineer, currently senior project manager of the radio access network and partner of Huawei de Tunisia.
