
Preface

Maintenance Experience Editorial Committee

Director: Qiu Weizhao
Deputy Director: Chen Jianzhou
Editors: Jiang Guobing, Zhang Shoukui, Wu Feng, Yuan Yufeng, Tang Hongxuan, Chen Huachun, Li Gangyi, Gu Yu, Song Jianbo, Tian Jinhua, Du Jianli, Qu Ruizheng, Zhang Zhongdong, Liu Xianmin, Wang Zhaozheng, Liu Wenjun, Wang Yapping, Lei Kun, Wang Tiancheng, Cai Hongming
Technical Senior Editors: Hu Jia, Bai Jianwen
Executive Editor: Zhang Fan

Maintenance Experience Newsroom

Address: ZTE Plaza, Keji Road South, Hi-Tech Industrial Park, Nanshan District, Shenzhen, P.R. China
Postal code: 518057
Contact: Song Chunping
Email: [email protected]
Tel: +86-755-26770600, 26771195
Fax: +86-755-26772236
Document support mailbox: [email protected]
Technical support website: http://ensupport.zte.com.cn

Maintenance Experience Editorial Committee, ZTE Corporation, June 2008

In this issue of ZTE's "Maintenance Experience", we continue to pass on field reports and resolutions gathered by ZTE engineers and technicians around the world.

The content of this issue is as follows:
● Two Special Documents
● Nine Maintenance Cases of ZTE's Data Products

Have you examined your service policies and procedures lately? Are you confident that your people are using all the tools at their disposal? Are they trained to analyze each issue in a logical manner that leads to less downtime and maximum customer service? A close look at the cases shows how to isolate suspected faulty or mis-configured equipment and how to solve a problem step by step. As success in commissioning and service is usually a mix of discovery and analysis, consider using this approach as a model for successful troubleshooting investigations.

While corporate leaders maintain and grow plans for expansion, ZTE employees in all regions contribute their individual efforts towards the internationalization of the company. Momentum continues to build at all levels, from office interns to veteran engineers, who work together to bring a global focus into their daily work.

If you would like to subscribe to this magazine (electronic version) or review additional articles and technical materials concerning ZTE products, please visit the technical support website of ZTE Corporation (http://ensupport.zte.com.cn).

If you have any ideas or suggestions, or want to offer your contributions, you can contact us at any time via the following email: [email protected].

Thank you for making ZTE a part of your telecom experience!

Maintenance Experience, Bimonthly for Data Products, No. 33, Issue 112, June 2008

Contents

Special Documents
RADIUS Principle ........ 2
RADIUS and SSH Configuration ........ 7

Maintenance Case
DHCP+WEB Popping-Up Failure Processing ........ 13
RADIUS Non-Response Failure Processing ........ 16
RADIUS Authentication Failure Processing ........ 17
Floating IP in RADIUS Authentication ........ 19
Accounting Configuration for VPDN Service ........ 22
Frequent Dial-Up of Legal Users ........ 25
RADIUS Authentication Failure Caused by Key ........ 28
One MAC Address Taking Up Multiple IP Addresses ........ 30
VPDN Malfunction Processing ........ 34

June 2008 Issue 112

Maintenance Experience 2

Special Documents

⊙ Zhang Fan/ZTE Corporation

RADIUS Principle

1 RADIUS Overview

Remote Authentication Dial In User Service (RADIUS) is defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting). It is currently the most widely used Authentication, Authorization and Accounting (AAA) protocol.

RADIUS was originally put forward by Livingston Enterprises for the authentication and accounting of dial-up users. Later it was extended into a general AAA protocol.

RADIUS is a client/server (C/S) protocol. Originally the RADIUS client was the Network Access Server (NAS); now any computer that runs RADIUS client software can be a client. RADIUS has a flexible authentication mechanism, supporting PAP, CHAP and Unix login. It is extensible, and it supports vendor-specific attributes of different device manufacturers. At present RADIUS is supported by wireless APs, authenticating Ethernet switches, VPN servers, DSL access servers and other access servers.

2 RADIUS Components

RADIUS has the following components:

Access client
Access server (RADIUS client)
RADIUS server
User account database
RADIUS agent

A RADIUS network is shown in Figure 1.


The access clients are the devices that access the wider network: dial-up clients, VPN clients, wireless clients and LAN clients connected to switches.

The access servers provide access to the wider network, and they are RADIUS clients at the same time: they send Access-Request messages and Accounting-Request messages to the RADIUS server. Access servers include:

Wireless AP: provides access to a LAN over a wireless transmitter/receiver.

Switch and routing switch: provide access to a LAN over a traditional LAN technology such as Ethernet. ZTE BRAS devices and ZXR10 series routing switches are such devices.

NAS: provides remote access to a LAN or to the Internet. For example, a Windows 2000 computer that runs the Routing and Remote Access Service and provides traditional dial-up or VPN access to a LAN is a NAS.

The RADIUS server receives and processes the Access-Request and Accounting-Request messages sent by RADIUS clients and agents. For an Access-Request, the RADIUS server evaluates the attribute list in the message against a set of rules and the information in the user account database, and then either authorizes the connection and returns an Access-Accept, or returns an Access-Reject. An Access-Accept can carry constraints (for example a session time limit or an assigned IP address) that the access server must apply when it establishes the connection.

The user account database contains the user accounts and their attribute lists. The information in the user account database is the evidence against which users are authenticated; from it the RADIUS server obtains the authentication attributes and the connection parameters of a user account.

The RADIUS agent (proxy) forwards Access-Request and Accounting-Request messages between RADIUS clients and servers. A RADIUS server can itself act as an agent towards another RADIUS server.

3 RADIUS Message Structure

RADIUS messages are encapsulated in UDP. UDP port 1812 is used for RADIUS authentication messages and port 1813 for RADIUS accounting messages (some older implementations still listen on 1645 and 1646). The UDP payload of a RADIUS packet contains exactly one RADIUS message.

The structure of the RADIUS message is shown in Figure 2.

Figure 1. RADIUS Network

Figure 2. RADIUS Message Structure (header layout: Code, 8 bits; Identifier, 8 bits; Length, 16 bits; Authenticator, 16 bytes; followed by the attributes)


The Code field (8 bits) indicates the message type.

The Identifier field (8 bits) is used to match a response with its request; the client must not reuse an Identifier for a different request while a reply to it is still outstanding.

The Length field (16 bits) is the length of the whole message, including the header.

The Authenticator field (16 bytes) is a random Request Authenticator in a request and a Response Authenticator in a reply. The Response Authenticator is an MD5 hash computed over the reply, the Request Authenticator and the shared key, so it lets the client authenticate the server's reply; the Request Authenticator is also the starting value of the password-hiding algorithm.

A RADIUS message consists of the RADIUS header followed by zero or more RADIUS attributes. Each attribute carries one item of information about the connection attempt, encoded as Type, Length and Value. The attributes include the user name, the password, the service type the user requests and the IP address of the access server. Attributes are used to transmit information among RADIUS clients, RADIUS agents and RADIUS servers. For example, the attribute list of an Access-Request message carries the information about the user and the connection parameters, while the attribute list of an Access-Accept message carries the connection type, the connection limits and value-added service (VAS) parameters.

4 RADIUS Working Flow

The RADIUS working flow is as follows:

1. An access server receives an access request from an access client.

2. The access server creates an Access-Request message from the user information and sends it to a RADIUS server.

3. The RADIUS server evaluates the received Access-Request message.

4. If necessary (for example when EAP is used), the RADIUS server returns an Access-Challenge message to the access server, which relays the challenge to the access client. The access server or the access client processes the challenge and sends a new Access-Request message to the RADIUS server.

5. The RADIUS server performs authentication and authorization for the connection attempt.

6. If the connection attempt passes authentication and authorization, the RADIUS server sends an Access-Accept message to the access server; otherwise it sends an Access-Reject message.

7. When the access server receives the Access-Accept message, the connection between the access server and the access client is established. The RADIUS client (access server) then sends an Accounting-Request to the RADIUS server with Acct-Status-Type set to Start.

8. The RADIUS server replies with an Accounting-Response message, and accounting starts.

9. When the user stops using the service, the RADIUS client sends an Accounting-Request to the RADIUS server with Acct-Status-Type set to Stop.

10. The RADIUS server replies with an Accounting-Response message, and accounting stops.

Values of the Code field (message types):

Code   Meaning
1      Access-Request
2      Access-Accept
3      Access-Reject
4      Accounting-Request
5      Accounting-Response
11     Access-Challenge
12     Status-Server (experimental)
13     Status-Client (experimental)
255    Reserved

5 RADIUS Security Characteristics

For the point-to-point authentication protocols such as PAP, CHAP, MS-CHAP and MS-CHAPv2, the authentication negotiation between the access server and the access client is forwarded to the RADIUS server, and the RADIUS server completes the authentication.

With the Extensible Authentication Protocol (EAP), the authentication negotiation takes place between the RADIUS server and the access client, with the access server acting only as a pass-through. The RADIUS server uses an Access-Challenge message to send an EAP message to the access client, and the access server forwards the EAP message from the access client to the RADIUS server inside a new Access-Request message.

To protect RADIUS messages, the RADIUS client and the RADIUS server share a key (the shared secret). The shared key is used to authenticate RADIUS messages (through the Response Authenticator) and to hide sensitive attributes such as User-Password. The shared key is configured as a character string on both the RADIUS client and the RADIUS server, and it must be identical on both sides. Note that the shared key does not encrypt the rest of the message: user names and all other attributes travel in clear text, and the hiding of User-Password is an MD5 keystream derived from the key, so a short or guessable shared key can be recovered offline by anyone who captures the traffic. Use long random shared keys and keep RADIUS traffic on a management network or inside an IPsec tunnel.
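The exchange described in Sections 3 to 5 (header, TLV attributes, Request and Response Authenticator, password hiding with the shared key), as an added worked example in Python. It is not part of the original article and not ZTE code; it implements RFC 2865 directly with the standard library. The user name, password, NAS address and shared key are constructed sample values, and the `users` dictionary stands in for the user account database. The final check in the test shows the failure mode of an inconsistent shared key: the server unhides the password to garbage and answers Access-Reject, and the NAS cannot validate that reply under its own key either.

```python
# Added example (not ZTE code): a minimal RADIUS Access-Request/Access-Accept
# exchange per RFC 2865 using only the Python standard library.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH16s")  # Code(1) Identifier(1) Length(2) Authenticator(16)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, includes these two bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse(packet):
    """Return (code, identifier, authenticator, attrs); Length must match the datagram."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    return code, ident, auth, decode_attrs(packet[HEADER.size:])


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """NAS side: the Request Authenticator is a fresh random value per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def handle_access_request(packet, secret, users):
    """Server side: unhide the password, check it, answer Accept or Reject.
    `users` stands in for the user account database: {username: password}."""
    code, ident, request_auth, attrs = parse(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    name = fields.get(USER_NAME, b"")
    given = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    ok = name in users and hmac.compare_digest(given, users[name])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real server would add Framed-IP-Address, Session-Timeout, ...
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return HEADER.pack(reply_code, ident, HEADER.size + len(reply_attrs), auth) + reply_attrs


def verify_response(response, request, secret):
    """NAS side: accept a reply only if its Identifier matches the outstanding
    request and the Response Authenticator checks out under our shared key.
    Returns the reply Code, or None if the reply must be discarded."""
    _, req_id, request_auth, _ = parse(request)
    code, ident, auth, _ = parse(response)
    if ident != req_id:
        return None
    expected = response_authenticator(code, ident, response[HEADER.size:], request_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed; never use a key like "uas"
    users = {b"alice": b"correct horse"}        # constructed account database
    req = build_access_request(7, b"alice", b"correct horse", "10.1.1.4", secret)
    print(verify_response(handle_access_request(req, secret, users), req, secret))
```

Running the block prints 2 (Access-Accept). The client-side check in verify_response is the step that makes the shared key worth anything: without it, any host that can spoof the server's source address can answer Access-Accept to a NAS.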

6 RADIUS Configuration on ZXR10 Series Devices

Most ZXR10 series devices support RADIUS configuration. The ZXR10 T240G/T160G/T64G/T40G routing switch is taken as the example.

The ZXR10 T240G/T160G/T64G/T40G routing switch supports multiple RADIUS server groups. Each RADIUS server group can contain up to three authentication servers.

6.1 Configuring RADIUS

To configure RADIUS, perform the following steps:

1. To configure a RADIUS accounting server group, use the radius accounting-group <group-number> command.

2. To configure a RADIUS authentication server group, use the radius authentication-group <group-number> command.

3. To configure the RADIUS parameters of the group, use the following commands.

To configure the timeout of a RADIUS server, use the timeout <time> command.

Note: If the switch sends a message to the RADIUS server and receives no response within <time>, it sends the message again. The range of <time> is 1~2000000000 seconds; the default is 3 seconds.

To configure the algorithm for choosing a RADIUS authentication server, use the algorithm {first | round-robin} command.

Note: first means that the switch always chooses the first currently effective (not dead) server for a new calling user; round-robin means that the switch chooses the next effective server in turn. The default is first.

To configure the alias of a RADIUS server group, use the alias <name-str> command.

To configure the format of the Calling-Station-Id attribute, use the calling-station-format <format-number> command.

To configure the dead time of a server group, use the deadtime <time> command.

Note: If the switch sends a message to the RADIUS server and receives no response after retrying several times, it considers that server ineffective (dead) for a period and does not try it again until the period expires. That period is configured with this command. The range of <time> is 0~65534 minutes; the default is 5 minutes.

To enable or disable the local buffer of an accounting server (accounting records are held locally while the server is unreachable), use the local-buffer {enable | disable} command.

To configure the number of retries, use the max-retries <times> command.

Note: If the switch sends a message to the RADIUS server and receives no response, it retries up to <times> times before giving up on that server. The range of <times> is 1~2000000000; the default is 3. A user's login can be delayed by up to timeout × max-retries seconds for every unreachable server that has not yet been marked dead, so keep both values small.

To configure the NAS IP address (the NAS-IP-Address attribute sent to the RADIUS server), use the nas-ip-address <NAS IP address> command.

To configure the other parameters of a RADIUS server, use the server <number> <ipaddress> [master] key <keystr> port <portnum> command. The parameters are described in the following table.

Parameter    Description
<number>     The number of the server in the group, ranging 1~4
<ipaddress>  The IP address of the server
<keystr>     The shared key, up to 32 characters; it must be identical to the key configured for this NAS on the RADIUS server
<portnum>    The UDP port number of the server, ranging 1025~65535. By default it is 1812 for an authentication server group and 1813 for an accounting server group.

To configure the format of the user name that the switch sends to a RADIUS server, use the user-name-format {include-domain | strip-domain} command.

Note: include-domain means that the domain name is included in the user name; strip-domain means that the domain name is removed from the user name. The default is strip-domain.

To configure whether vendor-specific attributes are carried in RADIUS messages, use the vendor {enable | disable} command.

4. To maintain and diagnose RADIUS, use the following commands.

To display RADIUS debugging information, use the debug radius all command.

To display RADIUS statistics, use the show counter radius all command.

To display the accounting records held in the local buffer, use the show accounting local-buffer all command.

To clear the accounting records in the local buffer, use the clear accounting local-buffer all command.

6.2 RADIUS Configuration Example

This example shows how to configure a RADIUS accounting server group. The shared key uas is only a placeholder; in production use a long random key.

ZXR10(config)#radius accounting-group 1
ZXR10(config-acct-group-1)#algorithm round-robin
ZXR10(config-acct-group-1)#calling-station-format 2
ZXR10(config-acct-group-1)#deadtime 5
ZXR10(config-acct-group-1)#local-buffer enable
ZXR10(config-acct-group-1)#max-retries 5
ZXR10(config-acct-group-1)#nas-ip-address 10.1.1.4
ZXR10(config-acct-group-1)#server 1 10.2.1.3 master key uas port 1813
ZXR10(config-acct-group-1)#server 2 12.1.2.3 key uas port 1813
ZXR10(config-acct-group-1)#timeout 10
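To see how timeout, max-retries, deadtime and algorithm {first | round-robin} interact, here is an added simulation in Python. It is not ZTE code and not the switch's actual implementation; it assumes, as a simplification, that max-retries is the number of attempts made to one server, that the switch tries the effective servers of a group in order and marks a server dead for deadtime once every attempt to it has failed, and it uses a simulated clock instead of real time. The server addresses are taken from the example above; whether a server answers is a constructed input. With timeout 10 and max-retries 5 an unreachable master costs 50 seconds per login until it has been marked dead, which is why these two values should be kept small.

```python
# Added example (not ZTE code): simplified model of a RADIUS server group's
# failover behaviour driven by timeout, max-retries, deadtime and algorithm.
from dataclasses import dataclass, field


@dataclass
class Server:
    """One RADIUS server of a group (a constructed model, not a real socket)."""
    name: str
    alive: bool = True        # constructed input: does this server answer at all?
    dead_until: float = 0.0   # simulated time until which the switch skips it


@dataclass
class ServerGroup:
    """Group parameters as on the ZXR10; all times are simulated seconds."""
    servers: list
    timeout: float = 3.0      # seconds to wait for one reply (ZXR10 default 3)
    max_retries: int = 3      # assumption: attempts per server (ZXR10 default 3)
    deadtime: float = 300.0   # seconds a failed server is skipped (default 5 min)
    algorithm: str = "first"  # "first" or "round-robin"
    cursor: int = 0           # round-robin position
    events: list = field(default_factory=list)

    def effective_servers(self, now):
        """Servers whose deadtime has expired, ordered according to the algorithm:
        'first' always starts at the first effective server, 'round-robin'
        rotates the starting point on every call."""
        live = [s for s in self.servers if s.dead_until <= now]
        if self.algorithm == "round-robin" and live:
            start = self.cursor % len(live)
            self.cursor += 1
            live = live[start:] + live[:start]
        return live

    def authenticate(self, now):
        """Return (name of the server that answered or None, seconds spent).
        Each unresponsive server costs timeout * max_retries before the switch
        marks it dead and moves on to the next one (assumption, see lead-in)."""
        start = now
        for server in self.effective_servers(now):
            for _ in range(self.max_retries):
                if server.alive:
                    return server.name, now - start
                now += self.timeout          # no reply: wait, then retransmit
            server.dead_until = now + self.deadtime
            self.events.append(f"t={now:.0f}: {server.name} dead until t={server.dead_until:.0f}")
        return None, now - start             # every server failed: the login fails


if __name__ == "__main__":
    # Constructed scenario: the master server from the example above is down.
    group = ServerGroup([Server("10.2.1.3", alive=False), Server("12.1.2.3")],
                        timeout=10.0, max_retries=5, deadtime=300.0)
    print(group.authenticate(now=0))    # master probed 5 times first: 50 s delay
    print(group.authenticate(now=60))   # master skipped during deadtime: no delay
    print(group.events)
```

The simulation also shows the other side of deadtime: once the period expires the dead server is probed again and the full delay returns, so a server that is permanently down should be removed from the group rather than left to time out on every cycle.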


⊙ Huang Hongru/ZTE Corporation

RADIUS and SSH Configuration

Key words: SSH, RADIUS, security, PuTTY client

1 Introduction to SSH

1.1 SSH Overview

Traditional network service programs such as FTP, POP and Telnet are inherently insecure because they transmit passwords and data in clear text, so passwords and data are easy to capture. Such services are also exposed to man-in-the-middle attacks: the attacker pretends to be the real server to receive data from the user, and pretends to be the user to send data to the real server, and can alter the data exchanged between the user and the server, with serious consequences.

Secure Shell (SSH) is a network service based on TCP, with default port number 22. With SSH the transmitted data is encrypted and integrity-protected, and the server proves its identity with a host key, which defends against man-in-the-middle attacks as long as the client verifies that host key. The data can also be compressed, which makes transfers faster on slow links. SSH can replace Telnet, and it also provides secure channels (tunnels) for FTP, POP and PPP.

SSH consists of client software and server software. There are two incompatible protocol versions, 1.x and 2.x; version 1 has known weaknesses and version 2 should be used wherever possible.

1.2 SSH Protocol Components

The SSH protocol is a security protocol that sits between the application layer and the transport layer. It consists of three components that together realize the security mechanism of SSH.

Transport layer protocol: provides server authentication, confidentiality and integrity checking, and optionally data compression. It runs over a TCP stream.

User authentication protocol: authenticates the client to the server. It runs over the transport layer protocol.

Connection protocol: multiplexes the single encrypted tunnel into several logical channels. It runs over the user authentication protocol.

Once the secure transport layer connection is established, the client sends a service request; once the user authentication layer connection is established, the client sends a second service request. This allows newly defined protocols to coexist with the original ones. The connection protocol provides channels that can be used for different purposes, and it also provides standard methods for setting up shell sessions, forwarding arbitrary TCP/IP ports and forwarding X11 connections.

1.3 SSH Authentications

SSH provides two levels of authentication.

At the first level (password-based authentication), a user only needs to know the account and password to log in to the server. The transmitted data is encrypted. However, the server that the user connects to is not necessarily the server the user wants: if the client does not verify the server's host key, a man-in-the-middle can impersonate the server and capture the password.

At the second level (key-based authentication), the user creates a public/private key pair and stores the public key on the server that the user wants to access. When the user connects, the SSH client asks the SSH server to authenticate with that public key. The SSH server looks for the public key in the user's home directory and compares the key it finds with the key it received. If the two match, the server issues a challenge that only the holder of the private key can answer: in SSH-1 the server encrypts the challenge with the public key and the client decrypts it with the private key; in SSH-2 the client instead signs the session data with the private key and the server verifies the signature with the public key. In this mode the user must know the passphrase that protects the private key, and neither the passphrase nor the private key is ever transmitted over the network.

The server's identity is tied to the connection by its host key, and the session keys derived during key exchange encrypt everything, including the password. SSH-1 uses RSA for key exchange; SSH-2 supports DSA and RSA host keys for protecting the connection and the authentication. Bulk encryption algorithms include Blowfish, DES and 3DES (DES is no longer considered secure and should be disabled).

2 RADIUS Overview

RADIUS is a protocol for transmitting AAA information between a Network Access Server (NAS) and a shared authentication server. RADIUS has the following features:

Client/server mode: as the client of the RADIUS server, the NAS transmits user information to a designated RADIUS server and then acts on the returned information. The RADIUS server receives the access request, performs authentication and returns the necessary configuration information to the client. A RADIUS server can also act as a proxy (agent) for other RADIUS servers and authentication servers.

Network security: the communication between the client and the RADIUS server is authenticated with a shared key. The shared key is never transmitted over the network. In addition, the user password is hidden with the shared key before it is transmitted between the client and the RADIUS server, so that it cannot be read by a sniffer.

Flexible authentication mechanism: the RADIUS server supports multiple types of authentication. When a user name and password are provided, it can support PPP PAP, CHAP and UNIX login authentication.

Extensibility: every attribute is encoded as a type, a length and a value (TLV), so new attribute values can be added without affecting the base protocol.

3 Supported Devices

The ZXR10 GER router and the T64G/T160G switches support SSH. The T64E/T128 (V1.2.2) does not support SSH.

All routers and Layer 3 switches support RADIUS.

The following example has been validated on a T64G (2.6.03) switch and a GER (2.6.2a13) router.

Two pieces of software are required for the following example: WinRadius and PuTTY 0.54.

4 Configuring SSH and RADIUS

4.1 Configuring a Reachable Route

Configure an IP address for the PuTTY client and an IP address for the RADIUS server, and make sure that the PuTTY client, the router/switch and the RADIUS server can reach each other.

4.2 Configuring a RADIUS Server

To configure the RADIUS server, perform the following steps:

1. Double-click WinRadius.exe. In the interface that appears, click Add Account to create a new account, set the user name and password, and click OK.

2. Click System Configuration to set the NAS key (the shared key, which must match the key configured on the router/switch), the authentication port and the accounting port, and then click OK.

4.3 Configuring a Router/Switch

To configure the router or switch, perform the following steps:

1. To enable the SSH function, use the following command.

ZXR10(config)#ssh server enable

2. To configure the SSH authentication mode, use the following command.

ZXR10(config)#ssh server authentication mode radius

Note: There are two SSH authentication modes, local and radius. Here radius mode is taken as the example. If local mode is configured, no RADIUS server needs to be configured.

3. To configure the SSH authentication type, use the following command.

ZXR10(config)#ssh server authentication type chap

Note: There are two SSH authentication types, pap and chap (the method by which the user's credentials are carried to the RADIUS server). Here chap is taken as the example.

4. To configure the SSH version, use the following command.

ZXR10(config)#ssh server version 2

Note: There are two incompatible versions of SSH, version 1 and version 2. Here version 2 is taken as the example.

5. To generate the SSH key, use the following command.

ZXR10(config)#ssh server generate-key

Note: For SSH version 2 it is not necessary to configure the key; this command is used only for SSH version 1. Generating a key takes about 15 minutes.

6. To configure the ISP group number used for SSH authentication, use the following command.

ZXR10(config)#ssh server authentication ispgroup 1

Note: If the SSH authentication mode is configured as local in step 2, this command is not necessary.

7. To configure the parameters of the RADIUS server, use the following command:

ZXR10(config)#radius server 1 authen master 192.168.2.1 1812 ZTEGER

Here 192.168.2.1 is the RADIUS server address and 1812 its authentication port; the last parameter is the shared key, which must be identical to the NAS key entered in WinRadius.

Note: If the SSH authentication mode is configured as local in step 2, this command is not necessary.

Note: The RADIUS configuration commands differ between the GER router and the T64G switch. On the GER router, each ISP group number supports three different authentication server groups. On the T64G switch, each ISP group number supports three different authentication server groups and three different accounting server groups.

4.4 Enabling a PuTTY Client

To log in with the PuTTY client, perform the following steps:

1. Enter the IP address of the remote router, as shown in Figure 1.

2. Set the SSH version, as shown in Figure 2.

Note: If SSH version 2 is configured on the router or switch, it is not necessary to set the version to 2 on the PuTTY client.

3. Click Open to log in. On the first login a security alert dialogue box appears, as shown in Figure 3, showing the fingerprint of the router's host key. Click Yes to accept the host key and cache it, or No to connect once without caching it. Compare the fingerprint with the one obtained from the device beforehand; accepting an unknown host key is exactly the man-in-the-middle exposure described in Section 1.3.

Figure 1. Inputting IP address

Figure 2. Setting SSH Version

Figure 3. Security Alert

4. Enter the user name and password in the login interface. Login succeeds, as shown in Figure 4. For further configuration, the Telnet user name and password must be entered.

Note: A record indicating that the account has passed authentication is displayed in the WinRadius interface.

4.5 Local Authentication Configuration

For local authentication it is only necessary to use the ssh server enable command on the router or switch and to enter the IP address of the router or switch in PuTTY. The user name and password are the same as those for Telnet.

5 Configuration Experience

Logging in to SSH2 on these devices with the client software PuTTY 0.58 or SecureCRT fails; the error messages shown by PuTTY 0.58 and SecureCRT are given in Figure 5 and Figure 6. (Section 3 lists PuTTY 0.54 as the validated client.)

When SSH version 2 is selected in Figure 2 and Open is clicked, it takes about 15 minutes before the login prompt "login as:" appears. If the Enter key is pressed several times, the login prompt appears within 10 seconds. However, if the Enter key is pressed too many times, the connection may have to be re-established.

There is little difference between entering configuration commands with PuTTY and with SecureCRT. The only difference is that the backspace key does not work in PuTTY: if a wrong command is entered, it has to be entered again.

ZTE devices do not support logging in to other devices through SSH (they provide an SSH server but no SSH client).

6 Maintenance Summary

The main RADIUS malfunctions fall into the following situations:

The keys of the RADIUS server and the RADIUS client are not identical. The server then cannot recover the hidden password (and the client cannot validate the server's reply), so user authentication fails.

The timeout on the RADIUS server is too large, so that a request is still being processed when the client retransmits it. The RADIUS server receives several copies of the same authentication request within a single processing interval, refuses to process them and discards the requests; authentication fails.

The links between the RADIUS server and the RADIUS client are not reachable. This also leads to authentication failure.

The re-dial interval of the user's dialling software after a timeout is too short. When the network delay from the user who initiates the authentication to the RADIUS server is long, authentication fails.

The virtual IP address used for redundancy may affect authentication (for example, when requests leave with the physical address as source while only the virtual address is registered as a NAS on the server).

Interworking with other vendors' devices may cause RADIUS malfunctions. Devices that do not support RADIUS also cause malfunctions.

Wrong RADIUS configuration on the devices leads to malfunctions.

Figure 4. Successful Login

Figure 5. Error Information 1

Figure 6. Error Information 2

To solve RADIUS malfunctions, perform the following steps:

1. Check with the ping command whether the links between the RADIUS server and the RADIUS client are reachable.

2. Check with the related show commands whether the keys of the RADIUS server and the RADIUS client are identical.

3. Check the configuration of the timers on the RADIUS server and on the routers or switches.

4. Check the configuration of the user's dialling software.

5. Check the RADIUS configuration carefully to rule out wrong configuration.

6. If the malfunctions are caused by hardware or by interworking with other devices, turn to the technical specialists for help.■


⊙ Huang Zhiyan/ZTE Corporation

DHCP+WEB Popping-Up Failure Processing

Key words: DHCP, WEB, UAS10600, DNS, RADIUS, authentication

Network Topology

A user has to pass RADIUS authentication before accessing the network, as shown in Figure 1. The related commands are configured on the UAS 10600. The user passes authentication in WEB mode.

Malfunction Situation

DHCP+WEB had been configured on the UAS 10600. When the user entered an IP address in the address bar of IE, the web authentication page popped up. However, when the user entered the name of a website, for example www.sina.com, the web authentication page failed to pop up.

Malfunction Analysis

When the user enters the IP address of a website, the system does not need to resolve a domain name and redirects the user to the authentication page directly. When the user enters the name of a website, the system has to resolve the domain name first and then redirect.

A host with an IP address obtained through DHCP cannot reach any IP address before it passes web authentication. Therefore a special ACL is used to allow such hosts to reach a few destination addresses before authentication. In this case permit entries had been configured, but the DNS server address had been left out, so the domain name could not be resolved and the redirection failed.

The special ACL is configured with the special-acl permit <IP address> command; it must permit both the web authentication server and the DNS server(s) handed out to the DHCP clients.

Solution

The correct configuration on the UAS 10600 is shown below.

1. Configure the DHCP function.

i. Enable the DHCP function on the UAS 10600.

Figure 1. Network Topology

Maintenance Case

ZXUAS(config)#ip dhcp enable

ii. Configure the VBUI.

ZXUAS(config)#interface vbui2000

ZXUAS(config-if)#ip address 12.1.1.1 255.255.0.0

ZXUAS(config-if)#ip pool 6 dhcpw 12.1.1.9 12.1.1.201 dhcp-slot 6

Note: The parameter dhcp-slot should be configured for the IP address pool.

iii. Enable the DHCP Server function on the VBUI.

ZXUAS(config-if)#ip dhcp mode server

ZXUAS(config-if)#ip dhcp server gateway 12.1.1.1

iv. Configure fei_6/3.1 BRAS at the user side (with VLAN 50).

ZXUAS(config)#interface fei_6/3.1 bras

ZXUAS(config-subif)#encapsulation dot1q ip-over-ethernet

ZXUAS(config-subif)#bind vbui vbui2000

ZXUAS(config-subif)#dot1Q 50

The configuration for fei_6/3.1 BRAS at the user side (without any VLAN) is shown below.

ZXUAS(config)#interface fei_6/3.1 bras

ZXUAS(config-subif)#encapsulation ip-over-ethernet

ZXUAS(config-subif)#bind vbui vbui2000

ZXUAS(config-subif)#dot1Q none

Note: Set the network card of the user PC to obtain an IP address automatically, then run ipconfig /release and ipconfig /renew in the command line of the PC.

2. Configure the web authentication.

i. Configure the web authentication mode on the VBUI.

ZXUAS(config-if)#web authentication subscriber web force

Note: The command format is web authentication subscriber [none | web [force]]. In this command, none disables the web authentication function, web enables it, and web force enables mandatory web authentication.

www.zte.com.cn, Data Products

ii. Configure the WEB Server on the VBUI.

ZXUAS(config-if)#web server 172.168.1.56

/*IP address of the web authentication server*/

ZXUAS(config-if)#http-param uas uas uas

/*the third uas is the parameter for mandatory web authentication page*/

ZXUAS(config-if)#http-param user userip

ZXUAS(config-if-websvr)#url http://172.168.1.56

/*the mandatory web page for the DHCP+WEB users*/

iii. Configure the node IP in BRAS configuration mode.

ZXUAS(config-bras)#node-ip 172.168.1.6

iv. Configure the special ACL.

ZXUAS(config-bras)#special-acl 1

ZXUAS(config-special-acl-1)#permit 172.168.1.56

ZXUAS(config-special-acl-1)#permit <dns-ip>

v. Associate the VBUI with the special ACL.

ZXUAS(config-if)#special-acl 1

Note: Set the network card of the user PC to obtain an IP address automatically, then run ipconfig /release and ipconfig /renew in the command line of the PC. The PC can now ping the IP address of the web server and the addresses allowed in the special ACL. It cannot ping any other IP address, including that of the VBUI.

3. Configure the domain and subscriber.

Experience Summary

For the RADIUS authentication of a DHCP+WEB user, the timeout parameter on the DHCP server must be larger than the product of the timeout and max-retries parameters on the BRAS. Otherwise, even if the user passes authentication, the DHCP server still reports "BAS response timeout". Note that the BRAS can keep waiting for the whole retry sequence, i.e. the first attempt plus max-retries retransmissions, so allow for timeout × (max-retries + 1) seconds to be safe.■


⊙ Zhang Dianjun/ZTE Corporation

RADIUS Non-Response Failure Processing

Key words: RADIUS non-response, BRAS, No.718 error, response timeout

Malfunction Situation

When a user dialed up and the RADIUS authentication request was sent, the system always prompted the No.718 error, which indicates a server response timeout. On the RADIUS device, the system displayed a large number of Duplicate_request alerts.

When the engineers ran the debug radius user <username domain-name> command on the BRAS to trace the user, the output showed only request messages (code=1) sent by the BRAS and no response messages at all.

Malfunction Analysis

To find out the problem, the engineers took the following steps.

1. The engineers monitored the running information of the RADIUS device and found a large number of Duplicate_request alerts. This meant that the RADIUS device believed it was receiving several duplicate copies of the same message at once, and therefore refused to reply.

2. The engineers used the ping <Radius-ip> command to check the links. The RADIUS device could be pinged successfully, so the links had no problem.

3. The engineers checked the configuration of the BRAS, especially the values of the timeout and max-retries parameters. The timeout was 10 seconds and max-retries was 3.

4. The engineers checked the configuration on the RADIUS device and found that its timeout parameter was 40 seconds, that is, the RADIUS device handled a request from the BRAS once every 40 seconds. This was the cause of the malfunction. The BRAS sent a first request; after 10 seconds it had received no response and, because its own timeout was 10 seconds, it treated the request as timed out and retransmitted it 3 times, so the BRAS sent 4 copies of the request within 40 seconds. When the RADIUS device came to handle the request, it found 4 identical requests within its 40-second window, concluded that there was a problem with the network or the user, and refused to respond to the BRAS. This produced the many Duplicate_request alerts.

Solution

The engineers changed the timeout parameter on the RADIUS device to 10 seconds, the same value as on the BRAS. Within any 10 seconds only one request is then sent to the RADIUS device by the BRAS, and the RADIUS device handles it normally.■
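An added example, not from the page, that models in Python the retransmission schedule of this case and the rule in the previous case's Experience Summary. The BRAS timing follows this case's description: max-retries counts retransmissions after the first send, so with timeout 10 and max-retries 3 the BRAS sends at 0, 10, 20 and 30 seconds and keeps waiting until 40. The server-side duplicate window is modelled exactly as the page describes it. upstream_timeout_sufficient compares against timeout × (max-retries + 1) rather than the timeout × max-retries of the previous summary, because a server that gives up after 30 seconds would still time out while the BRAS is on its last retry.

```python
def nas_transmit_times(timeout, max_retries):
    """Seconds at which the BRAS sends the Access-Request: the first try plus
    max_retries retransmissions, one per timeout (10 s / 3 gives 0, 10, 20, 30)."""
    return [n * timeout for n in range(max_retries + 1)]


def nas_gives_up_after(timeout, max_retries):
    """Worst-case time the BRAS keeps a user waiting before it declares the server dead."""
    return timeout * (max_retries + 1)


def duplicate_requests_seen(transmit_times, server_window):
    """Model of the server in the case: it handles a request once per server_window
    seconds and flags every further copy arriving inside that window as
    Duplicate_request (retransmissions carry the same Identifier, so they are copies)."""
    duplicates, window_start = 0, None
    for t in transmit_times:
        if window_start is None or t >= window_start + server_window:
            window_start = t            # a new request the server will actually handle
        else:
            duplicates += 1
    return duplicates


def retry_settings_consistent(nas_timeout, nas_max_retries, server_window):
    """True when no retransmission can land inside the server's handling window."""
    times = nas_transmit_times(nas_timeout, nas_max_retries)
    return duplicate_requests_seen(times, server_window) == 0


def upstream_timeout_sufficient(upstream_timeout, nas_timeout, nas_max_retries):
    """The previous case's rule: whatever waits on the BRAS (the server that reports
    'BAS response timeout') must outlast the BRAS's own worst case, which with the
    retry model above is timeout x (max-retries + 1), not timeout x max-retries."""
    return upstream_timeout > nas_gives_up_after(nas_timeout, nas_max_retries)
```

With the values of this case, retry_settings_consistent(10, 3, 40) is false and retry_settings_consistent(10, 3, 10) is true, which is the change the engineers made.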


⊙ Wang Tujian/ZTE Corporation

RADIUS Authentication Failure Processing

Key words: 2826S, RADIUS, authentication failure

Network Topology

In a college, the students in six dormitory blocks (B1 to B6) have to pass authentication before they get online. The RADIUS servers and the BRAS hardware are provided by Amtium Corporation. ZXR10 2826S switches serve as the access layer devices; they are configured with DOT1X (802.1X) port authentication and provide authentication and accounting together with the authentication and accounting servers of Amtium Corporation.

Amtium Corporation completed the commissioning of the RADIUS accounting server and the BRAS device. The students installed the authentication and accounting client software on their computers, then registered and activated their accounts. After that, the DOT1X port authentication function was enabled on the ZXR10 2826S switches.

Malfunction Situation

After all configurations were finished, an authentication timeout occurred on the computers of some students in B1, B2 and B3. Having ruled out wrong accounts and passwords and unsuitable settings on the computers, the engineers checked the configuration on the switches and found no problem. On the two switches in the same block, the DOT1X port authentication configuration was identical; yet students connected to one switch (ZXR10 2826S-1) passed authentication and got online, while students connected to the other switch (ZXR10 2826S-2) failed, and the system prompted "authentication timeout".

Malfunction Analysis

To find out the problem, the engineers took the following steps.

1. The engineers replaced ZXR10 2826S-2 with a new switch, ZXR10 2826S-3, and configured it. The problem was not solved.

2. The engineers checked the related configuration on the switch, as shown below.

set port 1-24 security enable
conf nas
radius isp test defaultisp enable
radius isp test sharedsecret amtium /*the shared key agreed with Amtium*/
radius isp test add accounting 10.150.12.101 /*the IP address of the accounting server*/
radius isp test add authentication 10.150.12.101 /*the IP address of the authentication server*/
radius isp test client 172.16.0.181 /*the ISP name and the IP address of the access switch*/
aaa-control port 1-24 dot1x enable
aaa-control port 1-24 accounting enable
aaa-control port 1-24 port-mode auto


The DOT1X port authentication configuration was the same on the other switches, so the malfunction was not caused by the switch hardware. The engineers concluded that the problem lay in the interconnection with the devices of Amtium Corporation.

3. The engineers captured packets on the ports of ZXR10 2826S-3. The capture showed that the switch sent Access-Request messages to the Amtium server, but the server never sent any response, as shown in Figure 1.

Figure 1. Authentication Timeout

4. The capture on the ports of ZXR10 2826S-1 showed that the EAP negotiation between ZXR10 2826S-1 and the RADIUS server completed, as shown in Figure 2. The normal exchange is:

i. The access switch sends an Access-Request message.

ii. The server replies with an Access-Challenge message.

iii. The access switch sends another Access-Request message.

iv. The server replies with an Access-Accept message.

v. The access switch sends an Accounting-Request message.

vi. The server replies with an Accounting-Response message.

Figure 2. Authentication Success

5. The engineers of Amtium Corporation checked the alert information on their server and found the message "AP not support user auth type", indicating that the authentication negotiation between the switch and the server was failing. They then checked the detailed configuration on the server and found that the shared key corresponding to some switches in B1, B2 and B3 had been entered as "antium", whereas the correct shared key is "amtium". A RADIUS server silently discards a request whose integrity check does not verify under its copy of the shared secret, so no reply, not even an Access-Reject, ever reached those switches, and the users connected to them could not pass authentication.

Solution

The engineers of Amtium Corporation corrected the wrong shared key. All students could then pass authentication and get online. The malfunction was solved.■
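An added example, not code from ZTE, Amtium or the page: the request-integrity check that turns a mistyped shared secret into silence rather than an Access-Reject. An 802.1X authenticator's Access-Request carries the EAP-Message attribute and must carry Message-Authenticator, an HMAC-MD5 over the packet under the shared secret (RFC 3579); the server recomputes it and silently discards the packet on mismatch. The user name, EAP-Response/Identity and packet identifier are constructed; 172.16.0.181 is the switch address from the configuration above, and the two secrets are the ones from the case.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_eapol_access_request(secret, ident, username, eap_message, nas_ip, authenticator=None):
    """Access-Request as an 802.1X authenticator sends it (RFC 3579): the EAP message is
    carried in EAP-Message and the packet is keyed with Message-Authenticator, an
    HMAC-MD5 under the shared secret over the packet with that field set to zeros."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap_message))
    zero_mac = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(zero_mac)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + attrs + zero_mac, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    """Return (offset, type, value) for each attribute after the 20-byte header."""
    pos, out = 20, []
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def server_accepts_request(secret, packet):
    """Receipt at the server (RFC 3579 section 3.2): recompute Message-Authenticator with
    its own copy of the secret and, on mismatch, silently discard the packet. No
    Access-Reject is sent, so a mistyped secret appears on the switch as a timeout."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return False
    macs = [(off, val) for off, atype, val in parse_attrs(packet)
            if atype == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False
    off, received = macs[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def switch_outcome(switch_secret, server_secret, username="student01"):
    """End to end: what a student behind the switch sees for a given pair of secrets."""
    # Constructed EAP-Response/Identity: code 2, id 1, length 14, type 1, identity.
    eap_identity = b"\x02\x01\x00\x0e\x01" + username.encode()
    request = build_eapol_access_request(switch_secret, 7, username, eap_identity, "172.16.0.181")
    if server_accepts_request(server_secret, request):
        return "access-challenge"
    return "authentication timeout"
```

The same check also rejects any packet altered in transit, which is why a capture that shows requests leaving and nothing returning should prompt a comparison of the secrets on both sides before anything else.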


⊙ Shan Changliang/ZTE Corporation

Floating IP in RADIUS Authentication

Key words: RADIUS, Windows Cluster, debug, No.718 error, non-response, floating IP

Network Topology

In a network, a UAS 10800E connects to two RADIUS servers that form a dual-server pair with the Windows Cluster technology. The IP addresses of the two servers are 172.30.253.131 and 172.30.253.132, and the floating IP address of the pair is 172.30.253.136. The RADIUS server IP address configured on UAS 10800E is 172.30.253.136.

Malfunction Situation

A PPPoE user connecting to UAS 10800E has to pass RADIUS authentication. When the user entered the correct user name and password, the system prompted the No.718 error, indicating that there was no response from the remote computer.

Malfunction Analysis

To find out the problem, the engineers took the following steps:

1. The engineers checked the communication between UAS 10800E and the RADIUS servers. The link was up and there was no problem.

2. The engineers checked the log on the RADIUS servers, as shown in Figure 1.

Figure 1. Log on the RADIUS Servers


The log contained "Access ACK" entries, which meant that the user had passed authentication.

3. The engineers ran the debug aaa authen command on UAS 10800E to enable debugging and at the same time asked the user to dial up. The debugging output was as follows.

Dec 16 14:33:34: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 0: Received AUTHEN_REQUEST msg from PPPd for username kkl@edu with external handle = 1320
Dec 16 14:33:34: [0000]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5: aaa_create_session_with_cct_handle: creating session for cct 5/9:1023:63/6/2/9639 index 269329829
Dec 16 14:33:34: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 0: Assigned aaa_idx 269329829 to username kkl@edu
Dec 16 14:33:34: [0002]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5: Binding subscriber (kkl@edu) to context edu via well-formed username or last resort.
Dec 16 14:33:34: [0002]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5: Adding aaa_idx 269329829 to context edu
Dec 16 14:33:34: [0002]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5: Sending Authentication request to radius
Dec 16 14:33:34: %AAA-7-AUTHEN: aaa_idx 100da5a5: Sending DB_REQUEST to radius.
Dec 16 14:33:34: %AAA-7-EXCEPT1: aaa_idx 0: rad_process_received_pkt: Server has been deleted, disregard packet

The output showed that the RADIUS server still existed, but UAS 10800E treated the server that answered as deleted and disregarded its packet.

4. The engineers captured packets on the RADIUS server. The result is shown in Figure 2.

Figure 2. Packet Information


5. According to the configuration on UAS 10800E, the authentication request was sent to the dual-server address 172.30.253.136. When the RADIUS server sent its response, however, it used 172.30.253.131, the address of the local node, as the source address. UAS 10800E did not recognise that address as the RADIUS server it had sent the request to, so it discarded the response. UAS 10800E therefore believed it had received no response at all and reported the No.718 error.

Solutions

There are two ways to solve the malfunction:

1. Change the configuration on the RADIUS servers so that they use the floating IP address as the source address of their response messages.

2. Configure both RADIUS server addresses, 172.30.253.131 and 172.30.253.132, on UAS 10800E and use the polling algorithm or the primary/secondary algorithm.■
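An added example, not code from the page or from ZTE, showing in Python why the reply from the cluster node was dropped: a NAS matches a RADIUS reply by the address it sent the request to plus the packet Identifier, and then verifies the Response Authenticator (RFC 2865 section 3, MD5 over the reply with the Request Authenticator and the shared secret). The shared secret, the identifier and the empty attribute list are constructed; the addresses are those of the case. cluster_exchange runs the three configurations discussed above: the failing one and the two solutions.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """A server reply: header, Response Authenticator, attributes."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


class NasRadiusClient:
    """The part of a NAS that matches replies to outstanding requests. A reply is looked
    up by the server address the request went to plus the Identifier, then its Response
    Authenticator is verified; anything else is discarded, which is the 'Server has been
    deleted, disregard packet' line UAS 10800E logged."""

    def __init__(self, server_ips, secret):
        self.servers = set(server_ips)
        self.secret = secret
        self.pending = {}          # (server_ip, ident) -> Request Authenticator

    def send_access_request(self, server_ip, ident):
        if server_ip not in self.servers:
            raise ValueError("%s is not a configured server" % server_ip)
        request_auth = os.urandom(16)
        self.pending[(server_ip, ident)] = request_auth
        return request_auth

    def receive(self, src_ip, packet):
        if src_ip not in self.servers:
            return "discard: reply from unknown server %s" % src_ip
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if length != len(packet):
            return "discard: bad length"
        request_auth = self.pending.get((src_ip, ident))
        if request_auth is None:
            return "discard: no request outstanding to %s with id %d" % (src_ip, ident)
        expected = response_authenticator(code, ident, packet[20:], request_auth, self.secret)
        if packet[4:20] != expected:
            return "discard: response authenticator mismatch"   # wrong secret or forged reply
        del self.pending[(src_ip, ident)]
        return "accept" if code == ACCESS_ACCEPT else "reject"


def cluster_exchange(nas_servers, send_to, reply_from, nas_secret=b"s3cret", server_secret=b"s3cret"):
    """One authentication round trip against the two-node cluster of the case."""
    nas = NasRadiusClient(nas_servers, nas_secret)
    request_auth = nas.send_access_request(send_to, ident=75)
    # The active node builds the Access-Accept that the server log showed as 'Access ACK'.
    reply = build_reply(ACCESS_ACCEPT, 75, b"", request_auth, server_secret)
    return nas.receive(reply_from, reply)
```

The source-address check is deliberate: without it a reply from any host could be matched against a pending request, and the Response Authenticator is what stops a reply that does come from a configured address but was not produced with the shared secret.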


⊙ Wang Yufeng/ZTE Corporation

Accounting Configuration for VPDN Service

Key words: L2TP, VPDN, code, RADIUS, accounting authentication

Network Topology

The VPDN users have to pass RADIUS authentication before they get online. The RADIUS server connects to the UAS 10600, and the VPDN users connect to the UAS 10600 through the PSTN/ISDN network. The topology is shown in Figure 1.

Figure 1. Network Topology

Malfunction Situation

The VPDN users passed RADIUS authentication the first time. When they went offline and tried to get online again, they failed to pass RADIUS authentication and the system prompted the No.691 error.

Malfunction Analysis

To find out the problem, the engineers took the following steps:

1. The engineers checked the domain configuration on UAS 10600, as shown below.

domain 10
accounting-group 10
accounting-type radius
accounting-update ipcp-up
authentication-group 10
authentication-type radius
max-subscriber 32000
alias TC1.TC
alias hnfc.xs
alias tc1.tc
subscriber-template
ip address vrf
tunnel domain

From this the engineers confirmed that the users got online with RADIUS authentication and accounting.

2. While the users dialed up, the engineers ran the debug radius user TC73207115 tc1.tc command on UAS 10600 (TC73207115 is the subscriber name and tc1.tc is the domain name), with the following result.

code = 1 id = 109 length = 197
authenticator = 53 37 25 73 45 65 38 F1 DC 91 B4 9B BF F4 91 AE
type = 1 , length = 19 , value = 54 43 37 33 32 30 37 31 31 35 40 74 63 31 2E 74 63 : [email protected]
code = 3 id = 157 length = 38
authenticator = 64 4A 32 97 90 68 4A 30 2F F4 0B 6F EF C8 6E EE
type = 18 , length = 18 , value = 54 6F 6F 20 6D 61 6E 79 20 61 63 63 65 73 73 21 : Too many access!

In the above result the Access-Reject (code=3) carried the Reply-Message (type=18) "Too many access!", meaning that the user was already recorded as online and the number of online sessions had reached the upper limit. The ISP engineers checked the IP Integrated Service Management Platform and found that the user was shown as online and that the online-user limit was 1. Therefore, after the user went offline he failed to pass authentication and get online again.

3. With the help of the ISP engineers, the engineers cleared the user on the RADIUS server and asked the user to dial up again. The user passed authentication and got online. The engineers checked the debugging information on UAS 10600 again, as shown below.

code = 1 id = 59 length = 197
authenticator = D7 FD 42 D9 EC 27 51 97 B8 8A DA 03 66 8D C5 A0
type = 1 , length = 19 , value = 54 43 37 33 32 30 37 31 31 35 40 54 43 31 2E 54 43 : [email protected]
code = 2 id = 59 length = 68
authenticator = 72 73 27 D7 CF A2 88 2D D7 6A CC FF 05 10 11 99
type = 69 , length = 21 , value = 01 89 4B BE 10 57 41 46 2F DB 3A EB E6 01 0D 98 90 05 EC : ..K..WAF/.:........

In the above result there were only messages with code=1 (Access-Request) and code=2 (Access-Accept). There were no accounting messages: no Accounting-Request (code=4) from UAS 10600 and, consequently, no Accounting-Response (code=5) from the server. If the user were both authenticated and accounted on UAS 10600, messages with code=1, 2, 4 and 5 should all appear. The engineers therefore concluded that UAS 10600 did not send the Accounting-Request that starts accounting (Acct-Status-Type Start) to the RADIUS server.

4. The engineers asked the user to go offline. Because accounting had never been started, UAS 10600 sent no accounting stop (an Accounting-Request with Acct-Status-Type Stop) either. The RADIUS server therefore did not learn that the user had gone offline, and the record that the user was online stayed on the server. When the user dialed in again, the server believed the user was still online; as the online-user limit was 1, the dial-up failed and the system reported the No.691 error.


5. The malfunction occurred because no accounting message was sent to the RADIUS server. The engineers checked the configuration of domain 10 on UAS 10600. It was correct for common users, but for VPDN service users an additional command is needed to start accounting for the VPDN service.

Solution

The engineers added a command to the domain configuration on UAS 10600, as shown below:

domain 10
aaa accounting l2tp
accounting-group 10
accounting-type radius
accounting-update ipcp-up
authentication-group 10
authentication-type radius
max-subscriber 32000
alias TC1.TC
alias hnfc.xs
alias tc1.tc
subscriber-template
ip address vrf
tunnel domain

After the configuration, the engineers cleared the VPDN user's record on the RADIUS server. When the user dialed in again he passed authentication, and the debugging information on UAS 10600 now showed messages with code=1, code=2 and code=4 followed by the server's code=5 response. When the user went offline, an accounting stop (code=4, Acct-Status-Type Stop) was sent to the RADIUS server. The user could get online again normally after going offline, and the malfunction was solved.

Note: On UAS 10600 of Version 2.0, the command that enables accounting for the VPDN service is l2tp-accounting class2.■


⊙ Huang Zhiyan/ZTE Corporation

Frequent Dial-Up of Legal Users

Key words: authentication timeout, redial, PPP, RADIUS, UAS 10600

Network Topology

The dial-up user connecting to UAS 10600 has to pass RADIUS authentication before getting online. The network topology is shown in Figure 1.

Figure 1. Network Topology

Malfunction Situation

The user failed to pass authentication with a legal account. The engineers checked the authentication state of the user: the RADIUS server had responded to the user's authentication request normally and the user was in the online state. However, the dial-up client reported that the user could not get online and showed the No.691 error.


Malfunction Analysis

To find out the problem, the engineers took the following steps.

1. The engineers traced the access procedure of the user with the debug username <user-account> <domain-name> command on UAS 10600, as shown below:

send authentication packet: 218.75.255.12:6030->202.103.100.116:1645 code = 1 id = 75 length = 178
authenticator = 74 0B 21 3E 4A F9 E5 FB 5C 62 46 0A 7D 1E 7E 59
type = 1 , length = 12 , value = 78 74 64 38 32 38 39 35 30 33 : xtd8289503
type = 2 , length = 18 , value = 09 79 6B 7E F1 14 70 BE D0 E5 C4 9E 16 A0 99 93 : .yk~..p.........
type = 32 , length = 5 , value = 7A 74 65 : zte
type = 4 , length = 6 , value = DA 4B FF 0C : .K..
type = 31 , length = 28 , value = 30 31 30 32 30 30 30 30 30 30 30 32 36 31 30 30 31 36 64 33 34 37 30 64 30 61 : 010200000002610016d3470d0a
type = 61 , length = 6 , value = 00 00 00 0F : ....
type = 5 , length = 6 , value = 12 00 02 61 : ...a
type = 87 , length = 32 , value = 65 74 68 20 31 2F 30 2F 32 3A 34 30 39 36 2E 36 30 39 20 30 2F 30 2F 30 2F 30 2F 30 2F 30 : eth 1/0/2:4096.609 0/0/0/0/0/0
type = 6 , length = 6 , value = 00 00 00 02 : ....
type = 7 , length = 6 , value = 00 00 00 01 : ....
type = 44 , length = 33 , value = 37 30 30 31 30 31 30 39 34 35 35 31 70 70 70 30 30 31 36 64 33 34 37 30 64 30 61 33 36 34 31 : 700101094551ppp0016d3470d0a3641
receive authentication packet: 202.103.100.116:1645->218.75.255.12:6030 req_id:1611
code = 2 id = 75 length = 38
authenticator = 4B A7 BB B2 68 48 BE AF B2 7E 27 A0 B6 17 8C D9
:: radius event:Receive Packet from Server

The attributes in the request are User-Name (1), User-Password (2), NAS-Identifier (32), NAS-IP-Address (4), Calling-Station-Id (31), NAS-Port-Type (61), NAS-Port (5), NAS-Port-Id (87), Service-Type (6), Framed-Protocol (7) and Acct-Session-Id (44). The Access-Accept (code=2) with the same id showed that the RADIUS server had responded to the authentication request; the user had passed authentication and could get online.

2. The engineers checked the online information of the user on UAS 10600, as shown below.

UAS10600#show sub ppp name xtd8289503
---------------------------------------------------------------------------
slot/port: 1/2  VlanID/ScdVlan: 609/65535  PVC: 65535/65535
LCP State: opened  Auth State: success  IPCP State: opened
SessionID: 125  IP Address: 220.172.198.47  ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d3:47:0d:0a  Vpn_ID: 0
Down Band Width: 4294967295  Up Band Width 4294967295
Subscriber: xtd8289503


The user dialed up through a modem. Because the client re-sent its authentication request at a high rate, UAS 10600 had to respond to authentication requests from the same user continually, which raised its CPU usage.

3. After the authentication request reached UAS 10600, UAS 10600 sent an authentication request to the RADIUS server and received the reply. It then started the IPCP negotiation to assign an IP address and DNS information to the user. This is how the user normally gets online.

The user could negotiate the user name and password with UAS 10600, which showed that PPPoE discovery and LCP negotiation were normal.

The timeout values on the NAS and the RADIUS server are set in seconds, and the packets between them arrived within a few seconds, so there was no timeout on that leg: the RADIUS server and UAS 10600 accepted the user's authentication request.

According to the protocol, the dial-up client re-sends its request when it does not receive the NAS's answer within its own timeout. The request had to travel through the Metropolitan Area Network (MAN) before it reached the RADIUS server, which added delay. The RADIUS server answered the authentication request and sent the reply to UAS 10600, and UAS 10600 forwarded the result to the user; but before the user received the reply from the NAS, the dialing terminal had already timed out. The terminal therefore treated the authentication as timed out and re-sent authentication requests continually.

Solution

The engineers raised the timeout value on the dialing terminal slightly, so that the terminal receives the reply from the NAS before it times out.

Experience Summary

The dialing software of the Microsoft Windows system uses the following parameter values:

Timeout: 3 seconds

Retry times: 10

If there is still no response after 10 retries, the dialing terminal starts over from PPPoE discovery.■
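An added example, not from the page: a Python model of the dial-up client's authentication retry and of the knob the engineers turned. It assumes, as a simplification of the PPP authentication phase, that the client re-sends with a new identifier after each timeout and ignores a late answer to an old identifier, that every request it sends costs the NAS a RADIUS round trip whether or not the client still wants the answer (the CPU load noted above), and that the client gives up after its retry count, as the Experience Summary states for the Windows dialer. The per-attempt latencies are constructed.

```python
def dialer_authentication(reply_latencies, timeout=3.0, retries=10):
    """Simulate the client's authentication phase.

    reply_latencies[n] is how long the NAS takes to answer the n-th request (its own
    round trip to the RADIUS server across the MAN); the last value is reused if the
    list is shorter than the number of retries. The client waits `timeout` seconds
    for each answer, re-sends with a new identifier on expiry and drops late answers.

    Returns (outcome, requests_sent, finished_at). requests_sent is also the number of
    RADIUS exchanges the NAS performed for this one login attempt."""
    latencies = list(reply_latencies)
    sent = 0
    for n in range(retries):
        latency = latencies[n] if n < len(latencies) else latencies[-1]
        sent += 1
        if latency < timeout:
            return "authenticated", sent, n * timeout + latency
        # Timed out: the answer to this identifier arrives after the next request
        # has gone out and is ignored.
    # Retries exhausted: error 691 on the client, which restarts from PPPoE discovery.
    return "error 691, restart from discovery", sent, sent * timeout


def smallest_sufficient_timeout(reply_latency, step=1.0):
    """The first client timeout, in whole steps, that outlasts the authentication path."""
    t = step
    while t <= reply_latency:
        t += step
    return t
```

With the default 3-second timeout, a path that needs 3.4 seconds fails every time and the NAS answers ten requests for one failed login; raising the client timeout to 4 seconds is enough.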


⊙ Yu Lu/ZTE Corporation

RADIUS Authentication Failure Caused by Key

Key words: RADIUS, simple text, cryptograph, UAS 10800E, PPPoE

Network Topology

In a network, there are two types of users: PPPoE users and RADIUS users. The topology is shown in Figure 1.

Figure 1. Network Topology

Malfunction Situation

The PPPoE users were required to pass RADIUS authentication, so the configuration for the PPPoE users on UAS 10800E was changed to RADIUS authentication. After the change, the users could not pass authentication and the system prompted the No.718 and No.619 errors.

Malfunction Analysis

Before the configuration change, the services in the PPPoE domain and in the primary RADIUS domain were normal. After the change, the service in the primary RADIUS domain was still normal while the service in the new RADIUS domain was not. This indicated that the communication between UAS 10800E and the RADIUS server itself was normal.

Following the No.718 and No.619 errors, the engineers checked the RADIUS configuration of the new RADIUS domain:

radius accounting server 222.34.129.117 encrypted-key jlipbill
radius server 222.34.129.117 encrypted-key jlipbill

and the RADIUS configuration of the primary RADIUS domain:

radius accounting server 222.34.129.117 encrypted-key 08F7690E54FD2FB5
radius server 222.34.129.117 encrypted-key 08F7690E54FD2FB5

Solution

The key of the new RADIUS domain had been entered as a cryptograph, that is, with the encrypted-key keyword, whereas the key of the primary RADIUS domain had been entered as simple text, which UAS 10800E stores and displays in its encrypted form (08F7690E54FD2FB5). With encrypted-key, UAS 10800E treats the string jlipbill as an already-encrypted key, so the secret it actually used did not match the one on the RADIUS server, which only knows the plain-text key and does not understand the device's cryptograph. The engineers changed the key of the new RADIUS domain to simple text. The service in the new RADIUS domain became normal and the malfunction was solved.

Experience Summary

UAS 10800E supports the cryptograph form of the key in RADIUS authentication. The configuration commands are as follows:

[local]jl-10800(config)#con
[local]jl-10800(config)#context pppoe
[local]jl-10800(config-ctx)#radius server 222.34.129.117 ?
  encrypted-key  encrypted server key /*cryptograph*/
  key            Set the server key /*simple text*/
[local]jl-10800(config-ctx)#radius server 222.34.129.117 encrypted-key jlipbill
[local]jl-10800(config-ctx)#radius server 222.34.129.117 key jlipbill


⊙ Wang Yufeng/ZTE Corporation

One MAC Address Taking Up Multiple IP Addresses

Key words: UAS 10600, MAC, RADIUS, aging, fast redialing, fast authentication

Network Topology

As shown in Figure 1, the users dial up with fast dialing software and have to pass authentication before getting online.

Figure 1. Network Topology

Malfunction Situation

When a user dialed up successfully with the fast dialing software, the engineers checked the state of the user. The result showed that one MAC address occupied multiple IP addresses, as shown below.

xsdx-10600#show sub ppp name [email protected]
---------------------------------------------------------------------------
slot/port: 4/16  VlanID/ScdVlan: 65535/65535  PVC: 65535/65535
LCP State: opened  Auth State: success  IPCP State: opened
SessionID: 3885  IP Address: 220.170.221.37  ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a  Vpn_ID: 0
Down Band Width: 10240  Up Band Width 10240
Subscriber: [email protected]
---------------------------------------------------------------------------
slot/port: 4/16  VlanID/ScdVlan: 65535/65535  PVC: 65535/65535
LCP State: opened  Auth State: success  IPCP State: opened
SessionID: 3891  IP Address: 220.170.221.39  ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a  Vpn_ID: 0
Down Band Width: 10240  Up Band Width 10240
Subscriber: [email protected]
---------------------------------------------------------------------------
slot/port: 4/16  VlanID/ScdVlan: 65535/65535  PVC: 65535/65535
LCP State: opened  Auth State: success  IPCP State: opened
SessionID: 3897  IP Address: 220.170.221.42  ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a  Vpn_ID: 0
Down Band Width: 10240  Up Band Width 10240
Subscriber: [email protected]
---------------------------------------------------------------------------
total is: 3, up is :3, down is : 0

In the authentication and accounting interface of the ISP, all three IP addresses were being accounted. Five minutes later, only the last authentication and accounting entry was left.

Malfunction Analysis

The principle of fast dialing is as follows:

If the max-session of a local account is set to 1, the system checks the max-session limit when the user redials. If the user is still recorded as online, the redial fails, and the user has to wait about 5 minutes until the old session is aged out.

If the max-session of a local account is set to 2 (or more) and the user pulls the network cable of the PC and dials again immediately, the redial succeeds; the session id and the IP address change.

By this principle, the malfunction occurred because one account was allowed to be used on several PCs at the same time, which is the second situation above.


Using fast dialing software is equivalent to repeatedly unplugging and plugging the network cable of the PC.

Fast dialing software supports multiple processes, and for fast dialing several sessions of the same user are allowed online at once. UAS 10600 therefore did not have enough time to age the earlier sessions, so each fast dial passed RADIUS authentication and obtained its own session id and IP address from UAS 10600. If the ppp keepalive timer 60 count 10 command were used on UAS 10600 to clear the stale sessions, UAS 10600 would send abnormal off-line messages for them to the RADIUS server.

The engineers checked the configuration of UAS 10600, as shown below.

vfi bjtest103
vcid 2000
pwtype ethernet-vlan
interface loopback1
ip address 218.76.67.244 255.255.255.255

The configuration showed that the fast authentication function was not enabled on UAS 10600, which caused the malfunction.

Solution

The engineers enabled the fast authentication function on UAS 10600, as shown below.

10600(config-bras)#ppp fast-dial enable

The engineers tested the configuration with the fast dialing software and checked the result with the show sub ppp name [email protected] command, as shown below.

xsdx-10600#sho sub ppp name [email protected]
---------------------------------------------------------------------------
slot/port: 4/16  VlanID/ScdVlan: 65535/65535  PVC: 65535/65535
LCP State: opened  Auth State: success  IPCP State: opened
SessionID: 3885  IP Address: 220.170.221.45  ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a  Vpn_ID: 0
Down Band Width: 10240  Up Band Width 10240
Subscriber: [email protected]
---------------------------------------------------------------------------
total is: 1, up is :1, down is : 0

In the authentication and accounting interface of the ISP there was now only one authentication and accounting entry. The user could get online normally, and the malfunction was solved.


Experience Summary

On UAS10600 of Version 2.0, the command that enables the fast authentication function differs from the one used in this case; it is configured under the domain, as shown below:

domain 1 /*in domain 1*/
accounting-group 1
accounting-type radius
authentication-group 1
authentication-type radius
ip vrf internet_vpn
max-subscriber 32000
ppp web-force timer 5 count 0
account-share enable
quick-redial enable /*enables the fast authentication function*/
alias sy-pppoe
subscriber-template
ip address vrf

Note: Check the software version before choosing the command that enables fast authentication. On UAS10600 of Version 2.8, when fast authentication is enabled and the same account dials up from different PCs, the later user replaces the earlier one, so only one user can be online at a time.■

Maintenance Case, June 2008, Issue 112

VPDN Malfunction Processing

⊙ Du Yongbao/Anhui Filiale, China Telecom

Key words: MTU, MSS, server, transmission timeout

Network Topology

VPDN service is used for a water supply corporation. A ZXR10 1800 router is used as the LNS device. The user at Chengdong connects to the network through ADSL. An HW 5200G is used as the LAC device. The server connecting to the LNS uses dual network cards. The network card connecting to Chengdong is a new card, and it is in network segment 192.168.100.0. The network card connecting to user hosts is in network segment 100.100.100.0. The network topology is shown in Figure 1.

Fault Situation

The IP address of the network card connecting to Chengdong was 192.168.100.2, with mask 255.255.255.0 and gateway 192.168.100.1. The user at Chengdong obtained an IP address through DHCP and dialed up to get online. The user could dial up and ping the server successfully. However, when the user used the water accounting system and entered the server interface, he failed to get the user information after entering the user account.

Figure 1. Network Topology


Fault Analysis

To find out the problem, the engineers took the following steps.

1. The engineers checked the configuration on the ZXR10 1800 router, as shown below.

ZXR10(config)#vpdn enable
ZXR10(config)#ip local pool zlsc 192.168.200.1 192.168.200.254 255.255.255.0
ZXR10(config)#vpdn default vpdn-group 1
ZXR10(config)#vpdn-group 1
ZXR10(vpdn-group-config)#service-type lns
ZXR10(vpdn-group-config)#lcp renegotiation on-mismatch
ZXR10(vpdn-group-config)#virtual-template 1
ZXR10(vpdn-group-config)#l2tp tunnel password qjzlsc
ZXR10(vpdn-group-config)#source-ip 202.100.192.20
ZXR10(vpdn-group-config)#exit
ZXR10(config)#interface virtual-template1
ZXR10(config-if)#ip unnumbered fei_0/1
ZXR10(config-if)#peer default ip pool zlsc
ZXR10(config-if)#ppp authentication pap
ZXR10(config-if)#ppp pap sent-username zlsc password zlsc
ZXR10(config-if)#exit
ZXR10(config)#interface fei_0/1
ZXR10(config-if)#ip address 202.100.192.20 255.255.255.0
ZXR10(config-if)#no negotiation auto
ZXR10(config-if)#speed 100
ZXR10(config-if)#exit
ZXR10(config)#interface fei_0/2
ZXR10(config-if)#ip address 192.168.100.1 255.255.255.0
ZXR10(config-if)#negotiation auto
ZXR10(config-if)#exit
ZXR10(config)#username hyd password hyd
ZXR10(config)#user-group special zlsc zlsc zlsc
ZXR10(config)#user-vpdn-group user-group zlsc vpdn-group 1
ZXR10(config)#user-authentication-type local
ZXR10(config)#user-authorization-type local
ZXR10(config)#ip route 0.0.0.0 0.0.0.0 202.100.192.1
ZXR10(config)#write

The above result showed that there was no problem.

2. The engineers checked the server and found no problem.

3. The engineers installed an FTP program and a Pigeon program, and set an FTP user name and password on the PC at Chengdong. When the user downloaded a 1M file, it took a long time and the system prompted that there was no response. When the user chatted with the Pigeon program, the service was normal. Therefore, the engineers installed the DrTCP program on the PC and set the MTU to 1000. After these operations, the malfunction was still present.

4. The engineers removed the LNS device and configured a VPN server on the server directly. The engineers could then download programs from the server through the dial-up service with a PC. The engineers restored the LNS device and added the ip tcp adjust-mss 1000 command on the related interface. The malfunction disappeared.

Solution

The engineers added the ip tcp adjust-mss 1000 command on the related interface.

Experience Summary

Such a malfunction is usually caused by the MTU and the Maximum Segment Size (MSS). The MSS is the maximum amount of data that a TCP segment can carry at a time. For best transmission performance, the MSS value should be negotiated when a TCP connection is established; both communicating ends use the smaller of the two MSS values as the MSS for the connection.■
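To show what the ip tcp adjust-mss command does on the wire, here is an added Python example written for this summary (not ZTE's code): it builds a constructed TCP SYN carrying an MSS option of 1460, clamps the option to 1000 as a router's MSS clamp would, and patches the TCP checksum incrementally (RFC 1624) instead of recomputing it over the whole segment. The addresses, ports and option layout are made up for the example.

```python
import struct

SRC_IP = bytes([192, 168, 200, 10])   # constructed: dial-up host from the LNS pool
DST_IP = bytes([100, 100, 100, 5])    # constructed: accounting server's LAN card

def tcp_checksum(src_ip, dst_ip, segment):
    """Full TCP checksum over the IPv4 pseudo-header plus the segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(mss):
    """Constructed SYN: 20-byte header, then MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    header = struct.pack("!HHIIBBHHH", 40000, 21, 1000, 0, 7 << 4, 0x02, 8192, 0, 0)
    seg = header + options
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]

def adjust_mss(segment, limit):
    """Clamp the MSS option of a SYN to `limit`, patching the checksum incrementally
    (RFC 1624: HC' = ~(~HC + ~m + m')). Returns (new_segment, original_mss_or_None)."""
    i, end = 20, (segment[12] >> 4) * 4   # options run from byte 20 to the data offset
    while i < end:
        kind = segment[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2: break              # malformed option, stop parsing
        if kind == 2 and length == 4:     # MSS option
            old = struct.unpack("!H", segment[i + 2:i + 4])[0]
            if old <= limit:
                return segment, old       # already small enough, leave it
            hc = struct.unpack("!H", segment[16:18])[0]
            total = (~hc & 0xFFFF) + (~old & 0xFFFF) + limit
            while total >> 16:
                total = (total & 0xFFFF) + (total >> 16)
            seg = bytearray(segment)
            seg[i + 2:i + 4] = struct.pack("!H", limit)
            seg[16:18] = struct.pack("!H", ~total & 0xFFFF)
            return bytes(seg), old
        i += length
    return segment, None
```

The clamped SYN still verifies against a full checksum recomputation, which is the property that lets the server and client keep talking after the router has lowered the MSS.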
