Preface
Maintenance Experience Editorial Committee
Director: Qiu Weizhao
Deputy Director: Chen Jianzhou
Editors: Jiang Guobing, Zhang Shoukui, Wu Feng, Yuan Yufeng, Tang Hongxuan, Chen Huachun, Li Gangyi, Gu Yu, Song Jianbo, Tian Jinhua, Du Jianli, Qu Ruizheng, Zhang Zhongdong, Liu Xianmin, Wang Zhaozheng, Liu Wenjun, Wang Yapping, Lei Kun, Wang Tiancheng, Cai Hongming
Technical Senior Editors: Hu Jia, Bai Jianwen
Executive Editor: Zhang Fan
Maintenance Experience Newsroom
Address: ZTE Plaza, Keji Road South, Hi-Tech Industrial Park, Nanshan District, Shenzhen, P.R.China
Postal code: 518057
Contact: Song Chunping
Email: [email protected]
Tel: +86-755-26770600, 26771195
Fax: +86-755-26772236
Document support mail box: [email protected]
Technical support website: http://ensupport.zte.com.cn
Maintenance Experience Editorial Committee, ZTE Corporation, June 2008
In this issue of ZTE's "Maintenance Experience", we continue to pass on various field reports and resolutions that are gathered by ZTE engineers and technicians around the world.
The content presented in this issue is as below:
● Two Special Documents
● Nine Maintenance Cases of ZTE's Data Products
Have you examined your service policies and procedures lately? Are you confident that your people are using all the tools at their disposal? Are they trained to analyze each issue in a logical manner that provides for less downtime and maximum customer service? A close look at the cases reveals how to isolate suspected faulty or mis-configured equipment, and how to solve a problem step by step. As success in commissioning and service is usually a mix of both discovery and analysis, consider using this type of approach as an example of successful troubleshooting investigations.
While corporate leaders maintain and grow plans for expansion, ZTE employees in all regions carry out individual efforts towards the internationalization of the company. Momentum continues to build at all levels, from office interns to veteran engineers, who work together to bring global focus into their daily work.
If you would like to subscribe to this magazine (electronic version) or review additional articles and relevant technical materials concerning ZTE products, please visit the technical support website of ZTE Corporation (http://ensupport.zte.com.cn).
If you have any ideas and suggestions or want to offer your contributions, you can contact us at any time via the following email: [email protected].
Thank you for making ZTE a part of your telecom experience!
Maintenance Experience, Bimonthly for Data Products, No.33 Issue 112, June/2008
Contents
Special Documents
RADIUS Principle ...................................................................................................................................... 2
RADIUS and SSH Configuration ............................................................................................................... 7
Maintenance Case
DHCP+WEB Popping-Up Failure Processing ......................................................................................... 13
RADIUS Non-Response Failure Processing ........................................................................................... 16
RADIUS Authentication Failure Processing............................................................................................. 17
Floating IP in RADIUS Authentication ..................................................................................................... 19
Accounting Configuration for VPDN Service ........................................................................................... 22
Frequent Dial-Up of Legal Users ............................................................................................................. 25
RADIUS Authentication Failure Caused by Key ...................................................................................... 28
One MAC Address Taking Up Multiple IP Addresses .............................................................................. 30
VPDN Malfunction Processing ................................................................................................................ 34
June 2008 Issue 112
Maintenance Experience 2
Special Documents
RADIUS Principle
⊙ Zhang Fan/ZTE Corporation
1 RADIUS Overview
Remote Authentication Dial In User Service (RADIUS) is defined in RFC 2865 and RFC 2866. It is currently the most widely used Authentication, Authorization and Accounting (AAA) protocol.
RADIUS was originally put forward by the Livingston Corporation. It aimed at authentication and accounting for dial-up users. Later, it was extended into a general AAA protocol.
RADIUS is a protocol with a client/server (C/S) structure. Originally, the RADIUS client was the Network Access Server (NAS); now any computer that runs RADIUS client software can be a client. RADIUS has a flexible authentication mechanism, supporting PAP, CHAP or Unix login mode. It is extensible, and it supports the special (vendor-specific) attributes of different device manufacturers. At present, RADIUS is supported by wireless APs, authenticating Ethernet switches, VPN servers, DSL access servers and other access servers.
2 RADIUS Components
RADIUS has the following components:
● Access client
● Access server (RADIUS client)
● RADIUS server
● User account database
● RADIUS agent
A RADIUS network is shown in Figure 1.
www.zte.com.cn
Data Products 3
The access clients are the devices that access the wider network, such as dial-up clients, VPN clients, wireless clients and LAN clients connected to switches.
The access servers provide access to the wider network and are RADIUS clients at the same time. They send the access request messages and accounting messages to the RADIUS server. The access servers include:
● Wireless AP: It provides access to LANs with wireless transmission and receiving technology.
● Switch and routing switch: They use the traditional LAN (for example, Ethernet) to provide access to LANs. BRAS devices and ZXR10 series routing switches of ZTE are such devices.
● NAS: It provides remote access to a LAN or the Internet. For example, a Windows 2000 computer that runs the routing and remote access service and provides traditional dial-up or VPN access to a LAN can be a NAS.
The RADIUS server receives and processes the access request messages and accounting messages sent by the RADIUS clients and agents. For an access request message, the RADIUS server processes the attribute list in the message. According to a set of rules and the information in the user account database, the RADIUS server performs authorization and sends an Access-Accept message, or else it sends an Access-Reject message. The Access-Accept message can also carry the limits that apply to the connection when the access connection is established.
The user account database contains the user accounts and their attribute lists. The information in the user account database is the proof used to authenticate users. The RADIUS server checks the user account database to obtain the user's authentication attributes and connection parameters.
The RADIUS agent (proxy) forwards the access request messages and accounting messages between the RADIUS server and the clients. A RADIUS server can work as a RADIUS agent to connect to another RADIUS server.
3 RADIUS Message Structure
The RADIUS messages are encapsulated in UDP. UDP port 1812 is used for the RADIUS authentication messages, and port 1813 is used for the RADIUS accounting messages. The UDP payload of a RADIUS packet contains only one RADIUS message.
The structure of the RADIUS message is shown in Figure 2.
Figure 1. RADIUS Network
Figure 2. RADIUS Message Structure (header layout: Code, 8 bits; Identifier, 8 bits; Length, 16 bits; Authenticator, 16 bytes; followed by the attributes)
The identifier field is used to match a response to its request.
The length field is the length of the whole message, including the header.
The authenticator field is used to authenticate the reply from the RADIUS server and in the password-hiding algorithm.
A RADIUS message consists of a RADIUS header and RADIUS attributes. Each RADIUS attribute carries one piece of information related to a connection attempt. The RADIUS attributes include the user name, the password, the service type that the user requests and the IP address of the access server. The RADIUS attributes are used to transmit information among the RADIUS clients, RADIUS agents and RADIUS servers. For example, the attribute list of an Access-Request message includes the information about the user and the connection parameters. The attribute list of an Access-Accept message includes the information about the connection type, connection limits and special information of VAS (value-added services).
4 RADIUS Working Flow
The RADIUS working flow is described as follows:
1. An access server receives an access request from an access client.
2. The access server creates an Access-Request message according to the user information and sends the message to a RADIUS server.
3. The RADIUS server evaluates the received Access-Request message.
4. If necessary (for example, when EAP is used), the RADIUS server sends an Access-Challenge message to the access client. The access server or the access client handles the challenge and sends a new Access-Request message to the RADIUS server.
5. The RADIUS server performs authentication and authorization for the connection attempt.
6. If the connection attempt passes authentication and authorization, the RADIUS server sends an Access-Accept message to the access server. Otherwise, the RADIUS server sends an Access-Reject message to the access server.
7. When the access server receives the Access-Accept message, the connection between the access server and the access client is established. Then the RADIUS client (access server) sends an Accounting-Request to the RADIUS server, with the value of status-type (Acct-Status-Type) set to start.
8. The RADIUS server replies with an Accounting-Response message, and accounting starts.
9. When the user stops using the service, the RADIUS client sends an Accounting-Request to the RADIUS server, with the value of status-type set to stop.
10. The RADIUS server replies with an Accounting-Response message, and accounting stops.
The code field of the message header (Section 3) indicates the type of the message. RADIUS messages have the following types:
Type Meaning
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
255 Reserved
5 RADIUS Security Characteristics
For the point-to-point authentication protocols, such as PAP, CHAP, MS-CHAP and MS-CHAPv2, the authentication negotiation between the access server and the access client is forwarded to the RADIUS server. The RADIUS server carries out the authentication negotiation.
For the Extensible Authentication Protocol (EAP), the authentication negotiation happens between the RADIUS server and the access client. The RADIUS server uses an Access-Challenge to send an EAP message to the access client. The access server forwards the EAP message from the access client as an Access-Request message to the RADIUS server.
To ensure the security of RADIUS messages, the RADIUS client and the RADIUS server share a key. The shared key is used to authenticate the RADIUS messages and to encrypt the sensitive attributes (such as the user password). The shared key is configured as a character string on the RADIUS client and on the RADIUS server.
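The message layout of Section 3 and the shared-key protection described here, as an added Python example that is not part of the original article: it builds an Access-Request the way an access server does, hides the User-Password with the RFC 2865 method, computes the Response Authenticator on the server side and verifies it on the client side, so that a key mismatch between the two devices (the first malfunction listed in the Maintenance Summary later in this issue) fails on both sides. The user names, passwords, NAS address and the key "uas" are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Message codes from the table above (RFC 2865/2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types used here (RFC 2865): User-Name, User-Password, NAS-IP-Address.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
# Header: Code (1 byte), Identifier (1 byte), Length (2 bytes), Authenticator (16 bytes).
HEADER = struct.Struct("!BBH16s")


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attributes: 1-byte type, 1-byte length (incl. the 2 header bytes)."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += bytes([typ, len(val) + 2]) + val
    return out


def decode_attrs(data):
    """Decode the attribute area of a message into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), the first block being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server does it; the zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, user, password, nas_ip):
    """Build an Access-Request as the access server (RADIUS client) does; the Request Authenticator is random."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs, request_auth


def build_response(code, ident, secret, request_auth, attrs=b""):
    """Build a server reply. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + attrs


def verify_response(packet, secret, request_auth, expected_ident):
    """What the client checks before trusting a reply: identifier, length and the Response Authenticator.
    A wrong shared key on either side, or a modified reply, makes this return False."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, resp_auth = HEADER.unpack_from(packet)
    if ident != expected_ident or length != len(packet):
        return False
    attrs = packet[HEADER.size:length]
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_exchange(client_secret, server_secret, user, password, expected_password):
    """One Access-Request round trip with separate client and server copies of the shared key.
    Returns (server accepted the user, client verified the reply)."""
    ident = 7
    request, request_auth = build_access_request(ident, client_secret, user, password, "10.1.1.4")
    # Server side: unpack the request, recover the password with its own key, decide.
    code, r_ident, length, r_auth = HEADER.unpack_from(request)
    attrs = dict(decode_attrs(request[HEADER.size:length]))
    accepted = unhide_password(attrs[USER_PASSWORD], server_secret, r_auth) == expected_password
    reply = build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, r_ident, server_secret, r_auth)
    # Client side: the reply is trusted only if its authenticator verifies under the client's key.
    return accepted, verify_response(reply, client_secret, request_auth, ident)
```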
6 RADIUS Configuration on ZXR10 Series Devices
Most devices of the ZXR10 series support the configuration of the RADIUS protocol. The ZXR10 T240G/T160G/T64G/T40G routing switch is taken as an example.
The ZXR10 T240G/T160G/T64G/T40G routing switch supports multiple RADIUS server groups. Each RADIUS server group can have up to three authentication servers.
6.1 Configuring RADIUS
To configure RADIUS, perform the following steps:
1. To configure a RADIUS accounting server group, use the radius accounting-group <group-number> command.
2. To configure a RADIUS authentication server group, use the radius authentication-group <group-number> command.
3. To configure the RADIUS parameters, use the following commands.
● To configure the timeout of a RADIUS server, use the timeout <time> command.
Note: If the switch sends a message to the RADIUS server and does not receive any response within <time>, the switch sends the message again. The range of <time> is 1~2000000000, in seconds. The default value is 3 seconds.
● To configure the algorithm for choosing a RADIUS authentication server, use the algorithm {first | round-robin} command.
Note: The parameter first means that the switch always chooses the first currently effective server as the server for a new calling user. The parameter round-robin means that the switch always chooses the next effective server in turn. The default mode is first.
● To configure the alias of a RADIUS server group, use the alias <name-str> command.
● To configure the format of the calling-station-id field, use the calling-station-format <format number> command.
● To configure the dead time of a server group, use the deadtime <time> command.
Note: If the switch sends a message to the RADIUS server and does not receive any response after retrying several times, the switch considers that the server is not effective for a period. The duration of that period is configured with this command. The range of <time> is 0~65534, in minutes. The default value is 5 minutes.
● To configure the local buffer of an accounting server, use the local-buffer {enable | disable} command.
● To configure the retry times, use the max-retries <times> command.
Note: If the switch sends a message to the RADIUS server and does not receive any response, the switch retries several times. The maximum number of retries is configured with this command. The range of <times> is 1~2000000000. The default value is 3.
● To configure the NAS IP address of a RADIUS server, use the nas-ip-address <NAS IP address> command.
● To configure other parameters of a RADIUS server, use the server <number> <ipaddress> key <keystr> port <portnum> command. The parameters are described in the following table.
Parameter | Description
<number> | The number of the server, ranging 1~4
<ipaddress> | The IP address of the server
<keystr> | The shared key, within 32 characters
<portnum> | The port number of the server, ranging 1025~65535. By default, it is 1813 for the authentication server group.
● To configure the field format of the user name that the switch sends to a RADIUS server, use the user-name-format {include-domain | strip-domain} command.
Note: The parameter include-domain means that the domain name is included in the user name. The parameter strip-domain means that the domain name is not included in the user name. By default, the format is strip-domain.
● To configure whether to include the vendor-defined attributes in RADIUS messages, use the vendor {enable | disable} command.
4. To configure the maintenance and diagnosis of RADIUS, use the following commands.
● To display the RADIUS debugging information, use the debug radius all command.
● To display the statistical information, use the show counter radius all command.
● To display the accounting information in the local buffer, use the show accounting local-buffer all command.
● To clear the accounting information in the local buffer, use the clear accounting local-buffer all command.
6.2 RADIUS Configuration Example
This example shows how to configure a RADIUS accounting server group.
ZXR10(config)#radius accounting-group 1
ZXR10(config-acct-group-1)#algorithm round-robin
ZXR10(config-acct-group-1)#calling-station-format 2
ZXR10(config-acct-group-1)#deadtime 5
ZXR10(config-acct-group-1)#local-buffer enable
ZXR10(config-acct-group-1)#max-retries 5
ZXR10(config-acct-group-1)#nas-ip-address 10.1.1.4
ZXR10(config-acct-group-1)#server 1 10.2.1.3 master key uas port 1813
ZXR10(config-acct-group-1)#server 2 12.1.2.3 key uas port 1813
ZXR10(config-acct-group-1)#timeout 10
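How the server-group parameters above interact, as an added Python model that is not part of the original article: it applies the first/round-robin selection, counts unanswered sends against max-retries, takes a server out of service for deadtime minutes, and exposes the wait a user sees before failover (timeout multiplied by max-retries). The server names s1/s2 and the sets of responding servers are constructed; the model assumes that retries go to the same server and that a server either answers at once or stays silent.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    dead_until: float = 0.0  # simulation time (seconds) until which the server is considered not effective
    failures: int = 0        # consecutive sends without a response


@dataclass
class RadiusGroup:
    """Models the ZXR10 server-group parameters: algorithm, timeout, max-retries and deadtime."""
    servers: list
    algorithm: str = "first"  # "first" or "round-robin"
    timeout: float = 3.0      # seconds to wait before a request is sent again (default 3)
    max_retries: int = 3      # sends without a response before the server is marked dead (default 3)
    deadtime: float = 5.0     # minutes a dead server is skipped (default 5)
    _rr_index: int = field(default=0, repr=False)

    def effective(self, now):
        """Servers whose dead time has expired at simulation time `now`."""
        return [s for s in self.servers if s.dead_until <= now]

    def choose(self, now):
        """Pick the server for a new calling user, or None when every server is in its dead time."""
        alive = self.effective(now)
        if not alive:
            return None
        if self.algorithm == "first":
            return alive[0]
        # round-robin: the next effective server in turn
        server = alive[self._rr_index % len(alive)]
        self._rr_index = (self._rr_index + 1) % len(alive)
        return server

    def no_response(self, server, now):
        """Record an unanswered send; returns True when the server has just been marked dead."""
        server.failures += 1
        if server.failures >= self.max_retries:
            server.failures = 0
            server.dead_until = now + self.deadtime * 60
            return True
        return False

    def worst_case_wait(self):
        """Seconds a user waits while one silent server exhausts its retries: timeout x max-retries."""
        return self.timeout * self.max_retries


def authenticate(group, responders, now):
    """Simulate one authentication at time `now`; `responders` is the set of server names that answer.
    Returns (name of the server that answered or None, seconds elapsed before the answer)."""
    elapsed, tried = 0.0, set()
    while True:
        server = group.choose(now + elapsed)
        if server is None or server.name in tried:
            return None, elapsed
        tried.add(server.name)
        for _ in range(group.max_retries):  # retries go to the same server
            if server.name in responders:
                server.failures = 0
                return server.name, elapsed
            elapsed += group.timeout
            if group.no_response(server, now + elapsed):
                break
```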
■
RADIUS and SSH Configuration
⊙ Huang Hongru/ZTE Corporation
Key words: SSH, RADIUS, security, putty client
1 Introduction to SSH
1.1 SSH Overview
The traditional network service programs, such as FTP, POP and Telnet, are essentially not secure because they transmit passwords and data in plain text. Therefore, the passwords and data are easy to capture, and the services are exposed to man-in-the-middle attacks. A man-in-the-middle can pretend to be the real server to receive data from users, and can also pretend to be the user to send data to the real server. The data between the user and the server may be altered, which causes serious problems.
Secure Shell (SSH) is a network service based on TCP, with default port number 22. With SSH, the transmitted data is encrypted to defend against man-in-the-middle attacks. In addition, the data is also compressed, so the transmission is faster. SSH can replace Telnet, and also provides secure channels for FTP, POP and PPP.
SSH consists of client software and server software. There are two incompatible versions: 1.x and 2.x.
1.2 SSH Protocol Components
The SSH protocol is a security protocol built on the application layer and the transport layer. It consists of three components that realize the security mechanism of SSH.
● Transport layer protocols: They provide the security measures, such as authentication and integrity checking, and can compress data. These protocols run over the TCP data stream.
● User authentication protocols: They are used to authenticate clients. They run over the transport layer protocols.
● Connection layer protocols: They map the encrypted channel onto several logical channels, and they run over the user authentication protocols.
After the secure transport layer connection is established, the client sends a request. After the user authentication layer connection is established, the client sends a second request. This allows newly defined protocols to coexist with the primary protocols. The connection protocols provide channels that can be used for different functions, and also provide the standard methods to set up shell sessions, forward any TCP/IP port and X11 connections.
1.3 SSH Authentications
SSH provides two levels of security authentication.
For the first level of security authentication (password-based authentication), a user only needs to know the account and password to log into the server. The transmitted data is encrypted. However, the server that the user connects to is not necessarily the server that the user wants. That is, a man-in-the-middle attack can occur.
For the second level of security authentication (key-based authentication), the user has to create a public key and a private key, and keeps the public key on the server that the user wants to access. When the user connects to the SSH server, the SSH client sends a request to the SSH server for security authentication with the public key. The SSH server searches for the public key under the home directory, and compares the public key it finds with the public key it receives. If the two keys are consistent, the SSH server encrypts a challenge with the public key and sends it to the SSH client. When the SSH client receives the challenge, it uses the private key to decrypt the challenge and sends the result to the server. In this mode, the user must know the passphrase for the key, and the passphrase is not transmitted through the network.
With SSH, a digital certificate connects the client to the server, and encrypts the password. SSH1 uses RSA to encrypt the key. SSH2 uses DSA to protect the connection and authentication. The encryption algorithms include Blowfish, DES and 3DES.
2 RADIUS Overview
RADIUS is a protocol to transmit AAA information between the Network Access Server (NAS) and a shared authentication server. RADIUS has the following features:
● Client/Server mode
As the client of the RADIUS server, the NAS transmits user information to the designated RADIUS server, and then takes action according to the returned information. The RADIUS server receives the access request from the user and performs authentication, and then returns the necessary configuration information to the client. The RADIUS server can also work as the agent (proxy) of other RADIUS servers and authentication servers.
● Network security
The communication between the client and the RADIUS server is authenticated by the shared key. The shared key is not transmitted through the network. In addition, any key is encrypted when it is transmitted between the client and the RADIUS server, which prevents the key from being sniffed.
● Flexible authentication mechanism
The RADIUS server supports multiple types of authentication. If the user name and password are provided, the RADIUS server can support authentication such as PPP PAP, CHAP and UNIX login.
● Extensibility
Each attribute-value pair consists of an attribute (type), a length and a value. A newly added attribute value does not affect the primary protocol.
3 Supported Devices
The ZXR10 GER router and the T64G/T160G switches support SSH. T64E/T128 (V1.2.2) does not support SSH.
All routers and Layer 3 switches support RADIUS.
The following example has been validated on a T64G (2.6.03) switch and a GER (2.6.2a13) router. Two pieces of software are required for the following example: winradius and putty0.54.
4 Configuring SSH and RADIUS
4.1 Configuring a Reachable Route
Configure an IP address for the putty client and an IP address for the RADIUS server. Make sure the link between the putty client and the RADIUS server is reachable.
4.2 Configuring a RADIUS Server
To configure a RADIUS server, perform the following steps.
1. Double-click WinRadius.exe. An interface appears. Click Add Account to create a new account. Set the user name and password and click OK.
2. Click System Configuration in the interface to set the NAS key, authentication port and accounting port, and then click OK.
4.3 Configuring a Router/Switch
To configure a router or a switch, perform the following steps:
1. To enable the SSH function, use the following command.
ZXR10(config)#ssh server enable
2. To configure the SSH authentication mode, use the following command.
ZXR10(config)#ssh server authentication mode radius
Note: There are two SSH authentication modes: local and radius. Here the radius mode is taken as an example. If the local mode is configured, it is not necessary to configure a RADIUS server.
3. To configure the SSH authentication type, use the following command.
ZXR10(config)#ssh server authentication type chap
Note: There are two SSH authentication types: pap and chap. Here chap is taken as an example.
4. To configure the version of SSH, use the following command.
ZXR10(config)#ssh server version 2
Note: There are two incompatible versions of SSH: version 1 and version 2. Here version 2 is taken as an example.
5. To configure the SSH key, use the following command.
ZXR10(config)#ssh server generate-key
Note: For SSH version 2, it is not necessary to configure the key. This command is only used for SSH version 1. Generating a key takes about 15 minutes.
6. To configure the ISP group number for SSH authentication, use the following command.
ZXR10(config)#ssh server authentication ispgroup 1
Note: If the SSH authentication mode is configured to local in step 2, it is not necessary to use this command.
7. To configure the parameters of the RADIUS server, use the following command:
ZXR10(config)#radius server 1 authen master 192.168.2.1 1812 ZTEGER
Note: If the SSH authentication mode is configured to local in step 2, it is not necessary to use this command.
Note: The configuration commands for RADIUS differ between the GER router and the T64G switch. For the GER router, each ISP group number supports three different authentication server groups. For the T64G switch, each ISP group number supports three different authentication server groups and three different accounting server groups.
4.4 Enabling a Putty Client
To enable a putty client, perform the following steps:
1. Input the IP address of the remote router, as shown in Figure 1.
2. Set the SSH version, as shown in Figure 2.
Note: If SSH version 2 is configured on the router or switch, it is not necessary to set the version to 2 on the putty client.
3. Click Open to log into the client. For the first login, a dialogue box appears, as shown in Figure 3. Click Yes or No according to requirement.
Figure 1. Inputting IP address
Figure 2. Setting SSH Version
Figure 3. Security Alert
4. Input the user name and password in the login interface. Login is successful, as shown in Figure 4. For further configuration, it is required to input the user name and password for telnet.
Note: The record indicating that the account has passed the authentication is displayed in the interface of winradius.
4.5 Local Authentication Configuration
For local authentication, it is only required to use the ssh server enable command on the router or switch, and to input the IP address of the router or switch on putty. The user name and password are the same as those for telnet.
5 Configuration Experience
Users can log into SSH2 with the client software putty0.58 and SecureCRT. The error information for login with putty0.58 and SecureCRT is shown in Figure 5 and Figure 6.
When version 2 of SSH is selected as shown in Figure and Open is clicked, it takes about 15 minutes before the login prompt "login as:" appears. If the Enter key is pressed several times, the login prompt "login as:" appears within 10 seconds. However, if the Enter key is pressed too many times, the connection may have to be established again.
There is little difference in inputting configuration commands with putty and SecureCRT. The only difference is that the backspace key is not effective in putty. If a wrong command is input, users have to input it again.
ZTE devices do not support logging into other devices through SSH.
6 Maintenance Summary
The main malfunctions involving RADIUS fall into the following situations:
● The keys of the RADIUS server and the RADIUS client are not consistent. Therefore, the user authentication fails.
● If the value of the timeout parameter on the RADIUS server is too big, the RADIUS server receives multiple identical authentication request messages during a single processing interval. In this situation, the RADIUS server refuses to perform authentication and discards the request messages. The authentication fails.
● The links between the RADIUS server and the RADIUS client are not reachable. This also leads to authentication failure.
● The re-dial interval of the user's dialing software after a timeout is too short. When the network delay from the user who initiates the authentication to the RADIUS server is long, the authentication fails.
● The virtual IP address used for redundancy may affect the authentication.
● Docking with devices of other vendors may cause RADIUS malfunctions. Devices that do not support RADIUS also cause malfunctions.
● Wrong RADIUS configuration on the devices leads to malfunctions.
Figure 4. Successful Login
Figure 5. Error Information 1
Figure 6. Error Information 2
To solve the RADIUS malfunctions, perform the following steps:
1. Check whether the links between the RADIUS server and the RADIUS client are reachable with the ping command.
2. Check whether the keys of the RADIUS server and the RADIUS client are consistent with the related show commands.
3. Check the configuration of the timers on the RADIUS server and on the routers or switches.
4. Check the configuration of the user's dialing software.
5. Check the RADIUS configuration carefully to avoid wrong configuration.
6. If the malfunctions are caused by the hardware or by the docking of devices, turn to technical specialists for help.■
Maintenance Case
DHCP+WEB Popping-Up Failure Processing
⊙ Huang Zhiyan/ZTE Corporation
Key words: DHCP, WEB, UAS10600, DNS, RADIUS, authentication
Network Topology
A user has to pass RADIUS authentication before accessing the network, as shown in Figure 1. The related commands are configured on the UAS 10600. The user passes the authentication in WEB mode.
Figure 1. Network Topology
Malfunction Situation
The configuration for DHCP+WEB was done on the UAS 10600. When the user input an IP address in the address bar of IE, a web authentication interface popped up. However, when the user input the name of a website, for example, www.sina.com, the web authentication interface failed to pop up.
Malfunction Analysis
When the user input the IP address of a website, the system did not need to perform domain name resolution; it redirected to the destination web page directly. When the user input the name of a website, the system had to perform domain name resolution first and then redirect to the destination web page.
An IP address obtained through DHCP could not ping any IP address successfully before it passed the web authentication. Therefore, a special ACL had to be used to let the IP address obtained through DHCP reach a destination IP address before it passed the authentication. In this situation, permit entries were configured. However, if the DNS address is left out of the permit entries, the domain name cannot be resolved and the redirection fails.
The correct configuration for the special ACL can be made with the special-acl permit <IP address> command.
Solution
The correct configuration on the UAS 10600 is shown below.
1. Configure the DHCP function.
i. Enable the DHCP function on the UAS 10600.
ZXUAS(config)#ip dhcp enable
ii. Configure the VBUI.
ZXUAS(config)#interface vbui2000
ZXUAS(config-if)#ip address 12.1.1.1 255.255.0.0
ZXUAS(config-if)#ip pool 6 dhcpw 12.1.1.9 12.1.1.201 dhcp-slot 6
Note: The parameter dhcp-slot should be configured for the IP address pool.
iii. Enable the DHCP Server function on the VBUI.
ZXUAS(config-if)#ip dhcp mode server
ZXUAS(config-if)#ip dhcp server gateway 12.1.1.1
iv. Configure fei_6/3.1 BRAS at the user side (with VLAN 50).
ZXUAS(config)#interface fei_6/3.1 bras
ZXUAS(config-subif)#encapsulation dot1q ip-over-ethernet
ZXUAS(config-subif)#bind vbui vbui2000
ZXUAS(config-subif)#dot1Q 50
The configuration for fei_6/3.1 BRAS at the user side (without any VLAN) is shown below.
ZXUAS(config)#interface fei_6/3.1 bras
ZXUAS(config-subif)#encapsulation ip-over-ethernet
ZXUAS(config-subif)#bind vbui vbui2000
ZXUAS(config-subif)#dot1Q none
Note: Set the network card on the user PC to obtain an IP address automatically with ipconfig/release commands and ipconfig/renew commands in CLI of the PC.
2. Configure the web authentication.
i. Configure the web authentication mode on the VBUI.
ZXUAS(config-if)#web authentication subscriber web force
Note: The command format is web authentication subscriber [none | web [force]]. In this
command, none means forbidding web authentication function, web means enabling web
authentication function, and web force means that enabling mandatory web authentication
function.
ii. Configure the WEB Server on the VBUI.
ZXUAS(config-if)#web server 172.168.1.56
/*IP address of the web authentication server*/
ZXUAS(config-if)#http-param uas uas uas
/*the third uas is the parameter for mandatory web authentication page*/
ZXUAS(config-if)#http-param user userip
ZXUAS(config-if-websvr)#url http://172.168.1.56
/*the mandatory web page for the DHCP+WEB users*/
iii. Configure the node IP in BRAS configuration mode.
ZXUAS(config-bras)#node-ip 172.168.1.6
iv. Configure the special ACL.
ZXUAS(config-bras)#special-acl 1
ZXUAS(config-special-acl-1)#permit 172.168.1.56
ZXUAS(config-special-acl-1)#permit <dns-ip>
v. Associate the VBUI with the special ACL.
ZXUAS(config-if)#special-acl 1
Note: Set the network card on the user PC to obtain an IP address automatically, then release and renew the lease with ipconfig /release and ipconfig /renew at the PC's command prompt. Before web authentication, the PC can ping the web authentication server and the other addresses permitted by the special ACL, but no other address, not even that of the VBUI.
3. Configure the domain and subscriber.
Experience Summary
For RADIUS authentication of DHCP+WEB users, the timeout on the DHCP server must be larger than timeout × max-retries on the BRAS. Otherwise, even when the user passes authentication, the DHCP server still reports "BAS response timeout".■
⊙ Zhang Dianjun/ZTE Corporation
RADIUS Non-Response Failure Processing
Key words: RADIUS non-response, BRAS, No.718 error, response timeout

Malfunction Situation
When a user dialed in and the BRAS sent the RADIUS authentication request, the client always reported error No.718, which indicates a server response timeout. On the RADIUS server, a large number of Duplicate_request alerts were logged.
When the engineers ran debug radius user <username> <domain-name> on the BRAS to trace the user, the output showed only request messages (code=1, Access-Request) sent by the BRAS and no response messages at all.

Malfunction Analysis
To find out the problem, the engineers took the following steps.
1. The engineers monitored the running information of the RADIUS server and found a large number of Duplicate_request alerts. This meant that the RADIUS server believed it had received several copies of the same request at once and therefore refused to reply.
2. The engineers ran ping <Radius-ip> to check the link. The RADIUS server answered, so the link was not the problem.
3. The engineers checked the BRAS configuration, in particular the timeout and max-retries parameters. The timeout was 10 seconds and max-retries was 3.
4. The engineers checked the configuration of the RADIUS server and found that its timeout parameter was 40 seconds, that is, the server acted on a request from the BRAS only within a 40-second window. This is what caused the malfunction. The BRAS sent the first request; after 10 seconds with no response it considered the request timed out, because its own timeout was 10 seconds, and retransmitted it. With max-retries set to 3, the BRAS sent the same request 4 times within 40 seconds. When the RADIUS server came to handle the request, it found 4 identical requests within its 40-second window, concluded that there was a network or user problem, and refused to respond to the BRAS. This produced the many Duplicate_request alerts.
A RADIUS retransmission deliberately reuses the Identifier and Request Authenticator of the original (RFC 2865), which is exactly what lets the server recognise the copies as duplicates. A server should answer a duplicate with its cached reply rather than refuse it, but in any case the timers have to be set so that the server answers before the first retransmission of the BRAS.

Solution
The engineers changed the timeout parameter on the RADIUS server to 10 seconds, the same as on the BRAS. Within any 10-second interval the BRAS then sent only one request to the RADIUS server, and the server handled it normally.■
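The interplay of the two timers, as an added example that is not part of the original case: the following Python model, written for this page, replays the schedule above (a BRAS with timeout 10 s and max-retries 3 against a server that acts on a request only after a delay and refuses one it has by then seen more than once), with the RFC-compliant handling for contrast. The Bras and simulate names are ours; the timer values are the ones from the case.

```python
"""Added example, not from the page: a model of the BRAS retransmission schedule
from the case above against a RADIUS server that acts on a request only after
a delay and, as the server in the case did, refuses a request of which it has
by then seen more than one copy. Timer values are the ones from the case; the
server behaviour is the simplified one the case describes."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Bras:
    timeout: float     # seconds to wait for a reply before retransmitting
    max_retries: int   # retransmissions after the first send

    def send_times(self) -> list[float]:
        # RFC 2865 sec. 2: a retransmission reuses the Identifier and Request
        # Authenticator, which is exactly what lets the server spot the copies.
        return [i * self.timeout for i in range(self.max_retries + 1)]

    def deadline(self) -> float:
        # When the last retransmission also times out, the BRAS reports the
        # failure (error No.718 on the subscriber's side).
        return (self.max_retries + 1) * self.timeout


def simulate(bras: Bras, server_delay: float, compliant: bool = False) -> dict:
    """server_delay: seconds between the first copy arriving and the server
    acting on it. compliant=False is the server in the case (drops a request
    seen more than once and raises Duplicate_request); compliant=True is the
    RFC 5080 sec. 2.2.2 behaviour, where copies are treated as retransmissions
    of one request and a single answer is sent."""
    sends = bras.send_times()
    act_at = sends[0] + server_delay
    copies = [t for t in sends if t == sends[0] or t < act_at]
    duplicate = len(copies) > 1
    answered_at = None if (duplicate and not compliant) else act_at
    return {
        "copies_seen": len(copies),
        "duplicate_alert": duplicate,
        "answered_at": answered_at,
        # The BRAS accepts the answer as long as it has not given up yet.
        "bras_gets_reply": answered_at is not None and answered_at <= bras.deadline(),
    }


def timers_consistent(bras: Bras, server_delay: float) -> bool:
    """The rule the case ends with: the server must answer before the BRAS
    retransmits, otherwise every request arrives as a set of duplicates."""
    return server_delay <= bras.timeout


if __name__ == "__main__":
    bras = Bras(timeout=10, max_retries=3)
    for delay in (40, 10):
        print("server delay %2ds: %s" % (delay, simulate(bras, delay)))
```

With the case's values, a 40-second server delay yields four copies and no answer; with 10 seconds the server sees one copy and answers in time. The compliant mode shows that a server which replays its cached reply would have answered even with the slow timer, which is why the Duplicate_request alerts were a symptom of the timer mismatch rather than an attack.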
⊙ Wang Tujian/ZTE Corporation
RADIUS Authentication Failure Processing
Key words: 2826S, RADIUS, authentication failure

Network Topology
In a college, the students in six dormitory blocks (B1 to B6) must pass authentication before they get online. The RADIUS servers and the BRAS hardware are provided by Amtium Corporation. ZXR10 2826S switches serve as the access-layer devices and are configured with DOT1X port authentication, which provides authentication and accounting together with the Amtium authentication and accounting servers.
Amtium Corporation finished debugging the RADIUS accounting server and the BRAS. The students installed the authentication and accounting client software on their computers, then registered and activated their accounts. After that, DOT1X port authentication was enabled on the ZXR10 2826S switches.
Malfunction Situation
After all configuration was finished, authentication timeouts occurred on the computers of some students in B1, B2 and B3. Having ruled out account and password problems and unsuitable settings on the computers, the engineers checked the configuration on the switches and found nothing wrong. The two switches in the same block had identical DOT1X port authentication configuration. However, students connected to one switch (ZXR10 2826S-1) passed authentication and got online, while students connected to the other switch (ZXR10 2826S-2) failed authentication with the prompt "authentication timeout".

Malfunction Analysis
To find out the problem, the engineers took the following steps.
1. The engineers replaced ZXR10 2826S-2 with a new switch, ZXR10 2826S-3, and configured it. The problem was not solved.
2. The engineers checked the related configuration on the switch, as shown below.
set port 1-24 security enable
conf nas
radius isp test default
isp enable
radius isp test sharedsecret amtium
/*the shared key agreed with Amtium*/
radius isp test add accounting 10.150.12.101
/*the IP address of the accounting server*/
radius isp test add authentication 10.150.12.101
/*the IP address of the authentication server*/
radius isp test client 172.16.0.181
/*the ISP name and the IP address of the access switch*/
aaa-control port 1-24 dot1x enable
aaa-control port 1-24 accounting enable
aaa-control port 1-24 port-mode auto
The DOT1X port authentication configuration was the same on the other switches, so the malfunction was not caused by the switch hardware. The engineers considered that the problem lay in the interconnection with the Amtium Corporation devices.
3. The engineers captured packets on the ports of ZXR10 2826S-3. The capture showed that the switch sent Access-Request messages to the Amtium server, but the server did not send any response, as shown in Figure 1.
Figure 1. Authentication Timeout
The working flow in the normal situation is as follows:
i. The access switch sends an Access-Request message.
ii. The server replies with an Access-Challenge message.
iii. The access switch sends another Access-Request message.
iv. The server replies with an Access-Accept message.
v. The access switch sends an Accounting-Request message.
vi. The server replies with an Accounting-Response message.
4. The packets captured on the ports of ZXR10 2826S-1 showed that the EAP negotiation between ZXR10 2826S-1 and the RADIUS server completed, as shown in Figure 2.
Figure 2. Authentication Success
5. The Amtium engineers checked the alert information on their server and found the message "AP not support user auth type", which suggested that the authentication types on the switch and the server were inconsistent. They then checked the detailed server configuration and found that the shared key configured on the server for some switches in B1, B2 and B3 was "antium", whereas the correct shared key was "amtium". Those switches therefore could not complete the authentication negotiation, and the users connected to them failed authentication.
With EAP over RADIUS, the Access-Request carries a Message-Authenticator computed with the shared secret (RFC 3579), and a server that cannot verify it silently discards the request. That is why a wrong key shows up on the client as a timeout rather than a rejection.

Solution
The Amtium engineers corrected the shared key. All students could then pass authentication and get online. The malfunction was solved.■
⊙ Shan Changliang/ZTE Corporation
Floating IP in RADIUS Authentication
Key words: RADIUS, Windows Cluster, debug, No.718 error, non-response, floating IP

Network Topology
In a network, a UAS 10800E connects to two RADIUS servers that form a dual-server cluster with Windows Cluster technology. The IP addresses of the two servers are 172.30.253.131 and 172.30.253.132, and the floating IP address of the cluster is 172.30.253.136. The RADIUS server address configured on the UAS 10800E is 172.30.253.136.

Malfunction Situation
A PPPoE user connecting to the UAS 10800E has to pass RADIUS authentication. When the user entered the correct user name and password, the system reported error No.718, indicating that the remote computer did not respond.

Malfunction Analysis
To find out the problem, the engineers took the following steps:
1. The engineers checked the communication between the UAS 10800E and the RADIUS servers. The link was up, and there was no problem.
2. The engineers checked the log on the RADIUS servers, as shown in Figure 1.
Figure 1. Log on the RADIUS Servers
The log contained "Access ACK", which meant that the user had passed authentication.
3. The engineers ran debug aaa authen on the UAS 10800E to enable debugging and, at the same time, asked the user to dial up. The debugging output is shown below.
Dec 16 14:33:34: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN:
aaa_idx 0: Received AUTHEN_REQUEST msg from PPPd for username kkl@edu with
external handle = 1320
Dec 16 14:33:34: [0000]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5:
aaa_create_session_with_cct_handle: creating session for cct 5/9:1023:63/6/2/9639 index
269329829
Dec 16 14:33:34: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 0: Assigned aaa_idx
269329829 to username kkl@edu
Dec 16 14:33:34: [0002]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5:
Binding subscriber (kkl@edu) to context edu via well-formed username or last resort.
Dec 16 14:33:34: [0002]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5:
Adding aaa_idx 269329829 to context edu
Dec 16 14:33:34: [0002]: [5/9:1023:63/6/2/9639]: %AAA-7-AUTHEN: aaa_idx 100da5a5:
Sending Authentication request to radius
Dec 16 14:33:34: %AAA-7-AUTHEN: aaa_idx 100da5a5: Sending DB_REQUEST to
radius.
Dec 16 14:33:34: %AAA-7-EXCEPT1: aaa_idx 0: rad_process_received_pkt: Server has been deleted, disregard packet
The last line shows that the UAS 10800E received a reply but discarded it: the packet was attributed to a server that, from the point of view of the UAS 10800E, did not exist, although the RADIUS server was of course still there.
4. The engineers captured the packet information on the RADIUS server. The result was
shown in Figure 2.
Figure 2. Packet Information
5. According to the configuration on the UAS 10800E, the authentication request was sent to the cluster address 172.30.253.136. The RADIUS server, however, sent its response with source address 172.30.253.131, the address of the local server. When the UAS 10800E received the response, the source address did not match the configured server, so the UAS 10800E treated the packet as not coming from its RADIUS server and discarded it. The UAS 10800E therefore saw no response at all and reported error No.718.

Solutions
There are two ways to solve the malfunction:
● Change the configuration on the RADIUS servers so that they use the floating IP address as the source address of their responses.
● Configure both RADIUS server addresses, 172.30.253.131 and 172.30.253.132, on the UAS 10800E and use the polling (round-robin) algorithm or the primary/secondary algorithm.
Both sides select the shared secret by the peer's IP address, so with the second method each node address needs its own server entry and secret on the UAS 10800E, and the cluster must answer from the address the request was sent to.■
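The two cases (the shared key typed as "antium" instead of "amtium" in the college network above, and the cluster here answering from its node address rather than the floating address) fail in the same place: the NAS checks a RADIUS reply before believing it and drops it silently if any check fails. The following Python code is an added example written for this page, not ZTE's or Amtium's software; it builds the request and reply packets and runs those checks. The NasRadiusClient class, the user name "student" and the secret "shared-secret" used for the cluster case are assumptions; the addresses, the user name kkl@edu and the two shared keys are taken from the cases.

```python
"""Added example, not from the page: the checks a NAS applies to a RADIUS reply
before it believes it, exercised with the two failure modes from the cases
above. A reply that fails a check is dropped silently, so the subscriber only
ever sees a timeout (error No.718), never a rejection. Addresses, user names
and the two keys are taken from the cases; the packets are built here and
the helper names are ours."""
import hashlib
import os
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response",
              11: "Access-Challenge"}


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLVs (RFC 2865 sec. 5)."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body


def build_reply(code, ident, req_auth, attrs, secret):
    """Server side. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 sec. 3."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


class NasRadiusClient:
    def __init__(self, server_ip, secret):
        self.server_ip = server_ip
        self.secret = secret
        self.pending = {}            # Identifier -> Request Authenticator

    def send(self, ident, attrs):
        req_auth = os.urandom(16)    # fresh, unpredictable per request
        self.pending[ident] = req_auth
        return build_request(ident, req_auth, attrs)

    def accept_reply(self, src_ip, pkt):
        """Return (accepted, detail). The source address is checked first,
        because that is how the shared secret for the peer is selected."""
        if src_ip != self.server_ip:
            return False, "dropped: source %s is not the configured server %s" % (src_ip, self.server_ip)
        if len(pkt) < 20:
            return False, "dropped: short packet"
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt):
            return False, "dropped: length field mismatch"
        req_auth = self.pending.get(ident)
        if req_auth is None:
            return False, "dropped: no outstanding request with Identifier %d" % ident
        expect = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + self.secret).digest()
        if expect != pkt[4:20]:
            return False, "dropped: Response Authenticator mismatch (shared secret?)"
        del self.pending[ident]
        return True, CODE_NAMES.get(code, "code %d" % code)


def demo():
    results = {}
    # Floating-IP case: the request goes to 172.30.253.136, the reply comes
    # back from the cluster node's own address 172.30.253.131.
    nas = NasRadiusClient("172.30.253.136", b"shared-secret")   # secret assumed
    req = nas.send(75, [(1, b"kkl@edu")])
    accept = build_reply(2, 75, req[4:20], [], b"shared-secret")
    results["reply_from_node_ip"] = nas.accept_reply("172.30.253.131", accept)
    results["reply_from_floating_ip"] = nas.accept_reply("172.30.253.136", accept)
    # Shared-key case: the server was configured with "antium" where the
    # switch has "amtium".
    nas = NasRadiusClient("10.150.12.101", b"amtium")
    req = nas.send(1, [(1, b"student")])                          # user name assumed
    wrong = build_reply(11, 1, req[4:20], [(18, b"Challenge")], b"antium")
    right = build_reply(11, 1, req[4:20], [(18, b"Challenge")], b"amtium")
    results["reply_signed_with_antium"] = nas.accept_reply("10.150.12.101", wrong)
    results["reply_signed_with_amtium"] = nas.accept_reply("10.150.12.101", right)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print("%-26s %s %s" % (name, "accepted" if ok else "rejected", detail))
```

In the college case the mismatch was caught on the server side, which discards an EAP request whose Message-Authenticator it cannot verify; the client-side check shown here gives the same silent timeout when the server's key is wrong. Neither check ever produces a visible rejection, which is why the capture and the server log, not the client's error number, identified the cause.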
⊙ Wang Yufeng/ZTE Corporation
Accounting Configuration for VPDN Service
Key words: L2TP, VPDN, code, RADIUS, accounting authentication

Network Topology
The VPDN users must pass RADIUS authentication before they get online. The RADIUS server connects to the UAS 10600, and the VPDN users connect to the UAS 10600 through the PSTN/ISDN network. The topology is shown in Figure 1.
Figure 1. Network Topology

Malfunction Situation
The VPDN users could pass RADIUS authentication the first time. When they went offline and tried to get online again, they failed RADIUS authentication and the system reported error No.691.

Malfunction Analysis
To find out the problem, the engineers took the following steps:
1. The engineers checked the domain configuration on the UAS 10600, as shown below.
domain 10
accounting-group 10
accounting-type radius
accounting-update ipcp-up
authentication-group 10
authentication-type radius
max-subscriber 32000
alias TC1.TC
alias hnfc.xs
alias tc1.tc
subscriber-template
ip address vrf
tunnel domain
From this configuration the engineers confirmed that the users were authenticated and accounted through RADIUS.
2. While the user dialed up, the engineers ran debug radius user TC73207115 tc1.tc on the UAS 10600 (TC73207115 is the subscriber name and tc1.tc the domain name), with the result shown below.
code = 1 id = 109 length = 197
authenticator = 53 37 25 73 45 65 38 F1 DC 91 B4 9B BF F4 91 AE
type = 1 , length = 19 , value = 54 43 37 33 32 30 37 31 31 35 40 74 63 31 2E 74 63 :
code = 3 id = 157 length = 38
authenticator = 64 4A 32 97 90 68 4A 30 2F F4 0B 6F EF C8 6E EE
type = 18 , length = 18 , value = 54 6F 6F 20 6D 61 6E 79 20 61 63 63 65 73 73 21 : Max user number exceed!
In this output, code=3 is an Access-Reject, and its Reply-Message attribute (type 18; the bytes decode to "Too many access!") indicated that the maximum user number had been exceeded: the VPDN user was still counted as online and the online-user limit had been reached. The ISP engineers checked the IP Integrated Service Management Platform and found the user recorded as online with an online-user limit of 1. Therefore, after the user went offline, he failed authentication when trying to get online again.
3. With the help of the ISP engineers, the engineers cleared the user's record on the RADIUS server and asked the user to dial up again. The user passed authentication and got online. The engineers checked the debugging information on the UAS 10600 again, as shown below.
code = 1 id = 59 length = 197
authenticator = D7 FD 42 D9 EC 27 51 97 B8 8A DA 03 66 8D C5 A0
type = 1, length = 19 , value = 54 43 37 33 32 30 37 31 31 35 40 54 43 31 2E 54 43 :
code = 2 id = 59 length = 68
authenticator = 72 73 27 D7 CF A2 88 2D D7 6A CC FF 05 10 11 99
type = 69 , length = 21 , value = 01 89 4B BE 10 57 41 46 2F DB 3A EB E6 01 0D 98 90 05
EC : ..K..WAF/.:........
This output contained only an Access-Request (code=1) and an Access-Accept (code=2), the latter carrying a Tunnel-Password attribute (type 69) for the L2TP tunnel. There were no accounting messages, that is, no Accounting-Request (code=4) and no Accounting-Response (code=5). If the user were both authenticated and accounted on the UAS 10600, messages with code=1, 2, 4 and 5 would all appear. The engineers therefore concluded that the UAS 10600 did not send the accounting-start message (an Accounting-Request, code=4) to the RADIUS server.
4. The engineers asked the user to go offline. Because accounting had never been started, the UAS 10600 sent no accounting-stop message either, so the RADIUS server was never told that the user had gone offline and its record of the user as online remained. When the user dialed in again, the RADIUS server considered the user still online; with an online-user limit of 1, the dial-up failed and the system reported error No.691.
5. The malfunction occurred because no accounting messages were sent to the RADIUS server. The engineers checked the configuration of domain 10 on the UAS 10600. It was correct for ordinary users, but for VPDN service users an additional command is needed to start accounting for VPDN service.

Solution
The engineers added a command to the domain configuration on the UAS 10600, as shown below:
domain 10
aaa accounting l2tp
accounting-group 10
accounting-type radius
accounting-update ipcp-up
authentication-group 10
authentication-type radius
max-subscriber 32000
alias TC1.TC
alias hnfc.xs
alias tc1.tc
subscriber-template
ip address vrf
tunnel domain
After the configuration change, the engineers cleared the VPDN user's record on the RADIUS server. When the user dialed in again, he passed authentication, and the debugging information on the UAS 10600 now showed messages with code=1, code=2 and code=4. When the user went offline, an accounting-stop request (code=4, Acct-Status-Type Stop) was sent to the RADIUS server and acknowledged with code=5. The user could get online again normally after going offline. The malfunction was solved.
Note: On UAS 10600 Version 2.0, the command that enables accounting for VPDN service is l2tp-accounting class2.■
⊙ Huang Zhiyan/ZTE Corporation
Frequent Dial-Up of Legal Users
Key words: authentication timeout, redial, PPP, RADIUS, UAS 10600

Network Topology
A dial-up user connecting to the UAS 10600 must pass RADIUS authentication before getting online. The network topology is shown in Figure 1.
Figure 1. Network Topology

Malfunction Situation
The user failed to pass authentication with a legal account. The engineers checked the user's authentication state: the RADIUS server had responded normally to the user's authentication request, and the user was in the online state. However, the dial-up client reported that the user could not access normally, with error No.691.
Malfunction Analysis
To find out the problem, the engineers took the following steps.
1. The engineers traced the user's access procedure with debug username <user-account> <domain-name> on the UAS 10600, as shown below:
send authentication packet: 218.75.255.12:6030->202.103.100.116:1645 code = 1 id = 75 length = 178
authenticator = 74 0B 21 3E 4A F9 E5 FB 5C 62 46 0A 7D 1E 7E 59
type = 1 , length = 12 , value = 78 74 64 38 32 38 39 35 30 33 : xtd8289503
type = 2 , length = 18 , value = 09 79 6B 7E F1 14 70 BE D0 E5 C4 9E 16 A0 99 93 :
.yk~..p.........
type = 32 , length = 5 , value = 7A 74 65 : UAS10600
type = 4 , length = 6 , value = DA 4B FF 0C : .K..
type = 31 , length = 28 , value = 30 31 30 32 30 30 30 30 30 30 30 32 36 31 30 30 31 36
64 33 34 37 30 64 30 61 : 010200000002610016d3470d0a
type = 61 , length = 6 , value = 00 00 00 0F : ....
type = 5 , length = 6 , value = 12 00 02 61 : ...a
type = 87 , length = 32 , value = 65 74 68 20 31 2F 30 2F 32 3A 34 30 39 36 2E 36 30 39
20 30 2F 30 2F 30 2F 30 2F 30 2F 30 : eth 1/0/2:4096.609 0/0/0/0/0/0
type = 6 , length = 6 , value = 00 00 00 02 : ....
type = 7 , length = 6 , value = 00 00 00 01 : ....
type = 44 , length = 33 , value = 37 30 30 31 30 31 30 39 34 35 35 31 70 70 70 30 30 31
36 64 33 34 37 30 64 30 61 33 36 34 31 : 700101094551ppp0016d3470d0a3641
receive authentication packet: 202.103.100.116:1645->218.75.255.12:6030 req_id:1611
code = 2 id = 75 length = 38
authenticator = 4B A7 BB B2 68 48 BE AF B2 7E 27 A0 B6 17 8C D9
:: radius event:Receive Packet from Server
The output showed that the RADIUS server had responded to the authentication request with an Access-Accept (code=2): the user had passed authentication and could access.
2. The engineers checked the online information of the user on UAS 10600, as shown below.
UAS10600#show sub ppp name xtd8289503
-------------------------------------------------------------------------------------------------------------------------
slot/port: 1/2 VlanID/ScdVlan: 609/65535 PVC: 65535/65535
LCP State: opened Auth State: success IPCP State: opened
SessionID: 125 IP Address: 220.172.198.47 ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d3:47:0d:0a Vpn_ID: 0
Down Band Width: 4294967295 Up Band Width 4294967295
Subscriber: xtd8289503
The user dialed up through a modem. Rapid, repeated dialing can make the UAS 10600 process authentication requests continuously, which raises its CPU usage.
3. After the authentication request reached the UAS 10600, the UAS 10600 sent an authentication request to the RADIUS server and received the reply. It then started IPCP to assign an IP address and DNS information to the user, after which the user could get online normally.
The user could negotiate the user name and password with the UAS 10600, which showed that PPPoE discovery and LCP negotiation were normal.
The timeout values on the NAS and the RADIUS server are generally in the order of seconds. The packets were received within a few seconds and did not time out, so the RADIUS server and the UAS 10600 passed the user's authentication request.
Under the protocol, the client triggers its redial mechanism when it times out waiting for the NAS. The request has to cross the Metropolitan Area Network (MAN) before it reaches the RADIUS server, which adds delay. The RADIUS server responded to the authentication request and sent its reply to the UAS 10600, and the UAS 10600 forwarded the result to the user. Before the user received the reply from the NAS, the dialing terminal had already timed out, so it treated the authentication as timed out and kept resending authentication requests.

Solution
The engineers increased the timeout on the dialing terminal slightly so that it receives the reply from the NAS before timing out.
Experience Summary
The parameters of the dialing software in Microsoft Windows are as follows:
Timeout: 3 seconds
Retry times: 10 times
If there is still no response after 10 retries, the dialing terminal restarts from PPPoE discovery.■
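To read dumps like the one in this case without decoding hex by hand, the following Python decoder, an added example written for this page and not a ZTE tool, parses debug radius user / debug username output into packet codes and named attributes. The sample is assembled from the dump in this case and the Access-Reject from the VPDN accounting case above; attribute names are the standard RFC 2865/2866/2868 ones. The parser goes by the bytes, not by the ASCII column the BRAS prints after the colon.

```python
"""Added example, not from the page: a decoder for the "debug radius user"
output shown in this case and in the VPDN accounting case above, so that the
hex values can be read as RADIUS codes and attributes instead of by eye.
Attribute numbers and names are the standard ones (RFC 2865/2866/2868); the
sample is copied from the dumps on this page."""
from __future__ import annotations
import re
import struct
from ipaddress import IPv4Address

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
TEXT = {1: "User-Name", 18: "Reply-Message", 31: "Calling-Station-Id",
        32: "NAS-Identifier", 44: "Acct-Session-Id", 87: "NAS-Port-Id"}
ENUM = {6: ("Service-Type", {1: "Login", 2: "Framed"}),
        7: ("Framed-Protocol", {1: "PPP"}),
        40: ("Acct-Status-Type", {1: "Start", 2: "Stop", 3: "Interim-Update"}),
        61: ("NAS-Port-Type", {0: "Async", 5: "Virtual", 15: "Ethernet"})}
HIDDEN = {2: "User-Password", 69: "Tunnel-Password"}   # obfuscated with the secret

HEADER = re.compile(r"code\s*=\s*(\d+)\s+id\s*=\s*(\d+)\s+length\s*=\s*(\d+)")
ATTR = re.compile(r"type\s*=\s*(\d+)\s*,\s*length\s*=\s*(\d+)\s*,\s*value\s*=\s*(.*)")
HEXRUN = re.compile(r"^[0-9A-Fa-f]{2}(\s+[0-9A-Fa-f]{2})*(\s*:|\s*$)")


def _hex_bytes(text):
    # Raw bytes come first, then " : " and the BRAS's best-effort ASCII view.
    return bytes.fromhex(text.split(":", 1)[0])


def decode(atype, raw):
    """Return (attribute name, decoded value) for one attribute."""
    if atype in TEXT:
        return TEXT[atype], raw.decode("ascii", "replace")
    if atype == 4 and len(raw) == 4:
        return "NAS-IP-Address", str(IPv4Address(raw))
    if atype == 5 and len(raw) == 4:
        return "NAS-Port", struct.unpack("!I", raw)[0]
    if atype in ENUM and len(raw) == 4:
        name, values = ENUM[atype]
        number = struct.unpack("!I", raw)[0]
        return name, values.get(number, number)
    if atype in HIDDEN:
        return HIDDEN[atype], "(hidden, %d bytes)" % len(raw)
    return "Attribute-%d" % atype, raw.hex()


def parse_debug(text):
    """Parse a dump into packets: {"code", "id", "length", "attrs": [(type, name, value)], "problems"}."""
    packets, current, last = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:
            code, ident, length = (int(g) for g in m.groups())
            current = {"code": CODES.get(code, code), "id": ident,
                       "length": length, "raw": [], "problems": []}
            packets.append(current)
            last = None
            continue
        if current is None:
            continue
        m = ATTR.search(line)
        if m:
            last = [int(m.group(1)), int(m.group(2)), _hex_bytes(m.group(3))]
            current["raw"].append(last)
        elif last is not None and HEXRUN.match(line):
            last[2] += _hex_bytes(line)          # value wrapped onto the next line
    for p in packets:
        p["attrs"] = []
        for atype, length, raw in p.pop("raw"):
            if length != len(raw) + 2:            # length covers type, length and value
                p["problems"].append("type %d: length %d but %d value bytes"
                                     % (atype, length, len(raw)))
            p["attrs"].append((atype,) + decode(atype, raw))
    return packets


# Sample: lines copied from the dumps on this page (the Access-Reject is from
# the VPDN accounting case).
SAMPLE = """\
send authentication packet: 218.75.255.12:6030->202.103.100.116:1645 code = 1 id = 75 length = 178
authenticator = 74 0B 21 3E 4A F9 E5 FB 5C 62 46 0A 7D 1E 7E 59
type = 1 , length = 12 , value = 78 74 64 38 32 38 39 35 30 33 : xtd8289503
type = 32 , length = 5 , value = 7A 74 65 : UAS10600
type = 4 , length = 6 , value = DA 4B FF 0C : .K..
type = 31 , length = 28 , value = 30 31 30 32 30 30 30 30 30 30 30 32 36 31 30 30 31 36
64 33 34 37 30 64 30 61 : 010200000002610016d3470d0a
type = 61 , length = 6 , value = 00 00 00 0F : ....
type = 6 , length = 6 , value = 00 00 00 02 : ....
type = 7 , length = 6 , value = 00 00 00 01 : ....
receive authentication packet: 202.103.100.116:1645->218.75.255.12:6030 req_id:1611
code = 2 id = 75 length = 38
authenticator = 4B A7 BB B2 68 48 BE AF B2 7E 27 A0 B6 17 8C D9
code = 3 id = 157 length = 38
authenticator = 64 4A 32 97 90 68 4A 30 2F F4 0B 6F EF C8 6E EE
type = 18 , length = 18 , value = 54 6F 6F 20 6D 61 6E 79 20 61 63 63 65 73 73 21 : Max user number exceed!
"""

if __name__ == "__main__":
    for p in parse_debug(SAMPLE):
        print(p["code"], "id", p["id"], p["problems"] or "")
        for atype, name, value in p["attrs"]:
            print("   %3d %-20s %s" % (atype, name, value))
```

Two things the decoder makes visible: the NAS-Identifier bytes 7A 74 65 are "zte", not the "UAS10600" printed in the dump's ASCII column, and the Reply-Message in the VPDN reject is "Too many access!", the server's wording for the exceeded user limit. NAS-IP-Address DA 4B FF 0C is 218.75.255.12, matching the source of the request, and Calling-Station-Id ends in the subscriber's MAC 00:16:d3:47:0d:0a. The ASCII column is best-effort and should not be relied on when two dumps disagree.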
⊙ Yu Lu/ZTE Corporation
RADIUS Authentication Failure Caused by Key
Key words: RADIUS, simple text, cryptograph, UAS 10800E, PPPoE

Network Topology
In a network there are two types of users: PPPoE users and RADIUS users. The topology is shown in Figure 1.
Figure 1. Network Topology

Malfunction Situation
The PPPoE users were required to pass RADIUS authentication, so the configuration for the PPPoE users on the UAS 10800E was changed to RADIUS authentication. After the change, the users could not pass authentication, and the system reported errors No.718 and No.619.

Malfunction Analysis
Before the configuration change, the services in the PPPoE domain and the primary RADIUS domain were normal. After the change, the service in the primary RADIUS domain was still normal while the service in the new RADIUS domain was not. This showed that communication between the UAS 10800E and the RADIUS server was normal.
Given the No.718 and No.619 errors, the engineers checked the RADIUS configuration of the new RADIUS domain, as shown below:
radius accounting server 222.34.129.117 encrypted-key jlipbill
radius server 222.34.129.117 encrypted-key jlipbill
The engineers then checked the RADIUS configuration of the primary RADIUS domain, as shown below:
radius accounting server 222.34.129.117 encrypted-key 08F7690E54FD2FB5
radius server 222.34.129.117 encrypted-key 08F7690E54FD2FB5
Solution
The key for the new RADIUS domain had been entered in encrypted form (encrypted-key jlipbill), while the key for the primary RADIUS domain had been entered as plain text and was stored in its encrypted form (08F7690E54FD2FB5). A RADIUS shared secret is never sent over the network, so the server does not see either form; what matters is that the text after encrypted-key is taken as the device's encrypted representation of the secret, not as the secret itself. Entering the plain text "jlipbill" after encrypted-key therefore gave the UAS 10800E a secret different from the one configured on the server, and the server dropped the requests. The engineers re-entered the key for the new RADIUS domain as plain text. The service in the new RADIUS domain returned to normal, and the malfunction was solved.

Experience Summary
The UAS 10800E accepts the RADIUS key in either form. The configuration commands are as follows:
[local]jl-10800(config)#con
[local]jl-10800(config)#context pppoe
[local]jl-10800(config-ctx)#radius server 222.34.129.117 ?
encrypted-key  encrypted server key /*cryptograph*/
key            Set the server key /*simple text*/
[local]jl-10800(config-ctx)#radius server 222.34.129.117 encrypted-key jlipbill
[local]jl-10800(config-ctx)#radius server 222.34.129.117 key jlipbill
Use key when typing the secret agreed with the server operator; use encrypted-key only to paste back the encrypted string shown in a saved configuration.■
⊙ Wang Yufeng/ZTE Corporation
One MAC Address Taking Up Multiple IP Addresses
Key words: UAS 10600, MAC, RADIUS, aging, fast redialing, fast authentication

Network Topology
As shown in Figure 1, the users dial up with fast-dialing software and must pass authentication before getting online.
Figure 1. Network Topology

Malfunction Situation
When a user dialed up successfully with the fast-dialing software, the engineers checked the user's state. The result showed that one MAC address was holding several IP addresses, as shown below.
xsdx-10600#show sub ppp name [email protected]
-------------------------------------------------------------------------------------------------------------------------
slot/port: 4/16 VlanID/ScdVlan: 65535/65535 PVC: 65535/65535
LCP State: opened Auth State: success IPCP State: opened
SessionID: 3885 IP Address: 220.170.221.37 ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a Vpn_ID: 0
Down Band Width: 10240 Up Band Width 10240
Subscriber: [email protected]
------------------------------------------------------------------------------------------------------------------------
slot/port: 4/16 VlanID/ScdVlan: 65535/65535 PVC: 65535/65535
LCP State: opened Auth State: success IPCP State: opened
SessionID: 3891 IP Address: 220.170.221.39 ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a Vpn_ID: 0
Down Band Width: 10240 Up Band Width 10240
Subscriber: [email protected]
------------------------------------------------------------------------------------------------------------------------
slot/port: 4/16 VlanID/ScdVlan: 65535/65535 PVC: 65535/65535
LCP State: opened Auth State: success IPCP State: opened
SessionID: 3897 IP Address: 220.170.221.42 ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a Vpn_ID: 0
Down Band Width: 10240 Up Band Width 10240
Subscriber: [email protected]
------------------------------------------------------------------------------------------------------------------------
total is: 3, up is :3, down is : 0
On the ISP's authentication and accounting interface, all three IP addresses were being accounted. Five minutes later, only the last authentication and accounting record remained.
Malfunction Analysis
The principle of fast dialing is as follows:
Suppose the max-session of a local account is set to 1. When the user redials, the system checks the max-session limit. If the user is still online, the redial fails, and the user has to wait about 5 minutes until the old session ages out.
Suppose the max-session of a local account is set to 2 or more. If the PC's network cable is unplugged and the user dials up again immediately, the redial succeeds, with a new session ID and a new IP address.
By this principle, the malfunction occurred because the account was allowed to be used on several PCs at the same time, which corresponds to the second point above.
Using fast-dialing software is equivalent to repeatedly unplugging and plugging the PC's network cable.
Fast-dialing software runs several processes, and with fast dialing several sessions of the same user are allowed to be online at once. The UAS 10600 therefore did not have time to age out the old sessions, and every fast dial passed RADIUS authentication and obtained a new session ID and IP address from the UAS 10600. If the ppp keepalive timer 60 count 10 command were used on the UAS 10600 to clear such users, the UAS 10600 would send abnormal-offline messages to the RADIUS server.
The engineers checked the configuration of UAS 10600, as shown below.
vfi bjtest103
vcid 2000
pwtype ethernet-vlan
interface loopback1
ip address 218.76.67.244 255.255.255.255
The configuration showed that the fast authentication function was not enabled on the UAS 10600, which caused the malfunction.

Solution
The engineers enabled the fast authentication function on the UAS 10600, as shown below.
10600(config-bras)#ppp fast-dial enable
The engineers then tested with the fast-dialing software and checked the user with show sub ppp name [email protected], as shown below.
xsdx-10600#sho sub ppp name [email protected]
-------------------------------------------------------------------------------------------------------------------------
slot/port: 4/16 VlanID/ScdVlan: 65535/65535 PVC: 65535/65535
LCP State: opened Auth State: success IPCP State: opened
SessionID: 3885 IP Address: 220.170.221.45 ACL: 65535
Location: /ANID:/rack:255/frame:0/slot:0/subslot:0/port:0/OP-flag:0/XPI:0/XCI:0
MAC: 00:16:d4:ed:b1:7a Vpn_ID: 0
Down Band Width: 10240 Up Band Width 10240
Subscriber: [email protected]
-------------------------------------------------------------------------------------------------------------------------
total is: 1, up is :1, down is : 0
On the ISP's authentication and accounting interface there was now only one authentication and accounting record. The user could get online normally. The malfunction was solved.
Experience Summary
On UAS 10600 Version 2.0, the command that enables the fast authentication function differs from the one used in this case and is configured under the domain, as shown below:
domain 1 /*in domain 1*/
accounting-group 1
accounting-type radius
authentication-group 1
authentication-type radius
ip vrf internet_vpn
max-subscriber 32000
ppp web-force timer 5 count 0
account-share enable
quick-redial enable /*enables the fast authentication function*/
alias sy-pppoe
subscriber-template
ip address vrf
Note: Check the software version before enabling the fast authentication function. On UAS 10600 Version 2.8, when fast authentication is enabled and the same account dials up from different PCs, the later user replaces the earlier one, and only one user can be online at a time.■
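The session bookkeeping behind this case and the VPDN accounting case above (an accounting-stop that never arrives, an online-user limit, aging, and the replace-on-redial behaviour of fast-dial) as one added Python model written for this page; it is not ZTE's implementation. The account name subscriber@sy-pppoe and the class names are assumed; the VPDN account, the MAC addresses and the 5-minute aging time come from the cases.

```python
"""Added example, not from the page: one small model of the subscriber-session
bookkeeping behind the VPDN accounting case and the fast-dialing case.
The RADIUS side marks an account online as soon as it accepts it and clears
the record only on an Accounting-Stop or when the record ages out; the BRAS
side allocates a session per dial and, with fast-dial enabled, tears down an
existing session from the same MAC before dialing again."""
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import count

ACCT_START, ACCT_STOP = 1, 2   # Acct-Status-Type values, RFC 2866
AGING_SECONDS = 300            # "about 5 minutes" in the case


@dataclass
class RadiusSide:
    max_session: int = 1
    online: dict = field(default_factory=dict)   # account -> {session_id: since}

    def access_request(self, account, session_id, now):
        live = self.online.setdefault(account, {})
        for sid, since in list(live.items()):    # aging of records never stopped
            if now - since >= AGING_SECONDS:
                del live[sid]
        if len(live) >= self.max_session:
            return 3, "Too many access!"         # Access-Reject + Reply-Message
        live[session_id] = now                   # online from the Accept onward
        return 2, None                           # Access-Accept

    def accounting(self, account, status, session_id, now):
        live = self.online.setdefault(account, {})
        if status == ACCT_START:
            live[session_id] = now
        elif status == ACCT_STOP:
            live.pop(session_id, None)
        return 5                                 # Accounting-Response


@dataclass
class BrasSide:
    radius: RadiusSide
    send_accounting: bool = True   # False: the VPDN domain without "aaa accounting l2tp"
    fast_dial: bool = False        # ppp fast-dial enable / quick-redial enable
    sessions: dict = field(default_factory=dict)   # session_id -> (account, mac)
    ids: count = field(default_factory=lambda: count(1))

    def dial(self, account, mac, now):
        """Return the new session id, or the server's Reply-Message on refusal."""
        if self.fast_dial:
            for sid, (acct, m) in list(self.sessions.items()):
                if acct == account and m == mac:
                    self.hang_up(sid, now)       # replace rather than add
        sid = next(self.ids)
        code, message = self.radius.access_request(account, sid, now)
        if code != 2:
            return message
        self.sessions[sid] = (account, mac)
        if self.send_accounting:
            self.radius.accounting(account, ACCT_START, sid, now)
        return sid

    def hang_up(self, sid, now):
        account, _ = self.sessions.pop(sid)
        if self.send_accounting:
            self.radius.accounting(account, ACCT_STOP, sid, now)

    def online_count(self, account):
        return sum(1 for acct, _ in self.sessions.values() if acct == account)


def scenarios():
    out = {}
    vpdn, mac = "TC73207115@tc1.tc", "00:16:d3:47:0d:0a"
    # VPDN domain with no accounting: the Stop never reaches the server, so the
    # account stays "online" until the record ages out.
    bras = BrasSide(RadiusSide(max_session=1), send_accounting=False)
    bras.hang_up(bras.dial(vpdn, mac, now=0), now=60)
    out["no_acct_redial"] = bras.dial(vpdn, mac, now=61)
    out["no_acct_after_aging"] = bras.dial(vpdn, mac, now=61 + AGING_SECONDS)
    # Same domain with accounting: the Stop clears the record at once.
    bras = BrasSide(RadiusSide(max_session=1), send_accounting=True)
    bras.hang_up(bras.dial(vpdn, mac, now=0), now=60)
    out["acct_redial"] = bras.dial(vpdn, mac, now=61)
    # Fast-dialing software on an account allowed several sessions, with and
    # without fast-dial on the BRAS.
    pppoe, mac2 = "subscriber@sy-pppoe", "00:16:d4:ed:b1:7a"   # account name assumed
    for fast in (False, True):
        bras = BrasSide(RadiusSide(max_session=3), fast_dial=fast)
        for t in range(3):
            bras.dial(pppoe, mac2, now=t)
        out["fast_dial_on" if fast else "fast_dial_off"] = (
            bras.online_count(pppoe), len(bras.radius.online[pppoe]))
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print("%-22s %s" % (name, value))
```

Without accounting the second dial is refused with the same Reply-Message the VPDN debug showed, and only the aging timer frees the account; with accounting the Stop frees it immediately. With fast-dial off, three rapid dials from one MAC leave three sessions and three IP addresses, as in the show sub ppp output above; with fast-dial on, each new dial replaces the previous session and both sides agree on a single record.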
Network TopologyVPDN service is used for a water
supply corporation. A ZXR10 1800 router
is used as an LNS device. The user at
Chengdong connects to the network
⊙ Du Yongbao/Anhui Filiale, China Telecom
VPDN Malfunction Processing
Key words: MTU, MSS, server, transmission timeout
through ADSL. HW 5200G is used as the LAC
device. The server connecting to the LNS uses
dual network cards. The network card connecting
to Chengdong is a new card, and it is in network
segment 192.168.100.0 . The network card
connecting to user hosts is in network segment
100.100.100.0. The network topology is shown in
Figure 1.
Fault Situation
The IP address of the network card connecting to Chengdong was 192.168.100.2, with mask 255.255.255.0 and gateway 192.168.100.1. The user at Chengdong obtained an IP address through DHCP and dialed up to get online. The user could dial up and ping the server successfully, but when the user opened the water accounting system and reached the server interface, no user information was returned after the user account was entered.

Figure 1. Network Topology
Fault Analysis
To find out the problem, the engineers took the following steps.
1. The engineers checked the configuration on ZXR10 1800 router, as shown below.
ZXR10(config)#vpdn enable
ZXR10(config)#ip local pool zlsc 192.168.200.1 192.168.200.254 255.255.255.0
ZXR10(config)#vpdn default vpdn-group 1
ZXR10(config)# vpdn-group 1
ZXR10(vpdn-group-config)#service-type lns
ZXR10(vpdn-group-config)#lcp renegotiation on-mismatch
ZXR10(vpdn-group-config)#virtual-template 1
ZXR10(vpdn-group-config)#l2tp tunnel password qjzlsc
ZXR10(vpdn-group-config)#source-ip 202.100.192.20
ZXR10(vpdn-group-config)#exit
ZXR10(config)#interface virtual-template1
ZXR10(config-if)#ip unnumbered fei_0/1
ZXR10(config-if)#peer default ip pool zlsc
ZXR10(config-if)#ppp authentication pap
ZXR10(config-if)#ppp pap sent-username zlsc password zlsc
ZXR10(config-if)#exit
ZXR10(config)#interface fei_0/1
ZXR10(config-if)#ip address 202.100.192.20 255.255.255.0
ZXR10(config-if)#no negotiation auto
ZXR10(config-if)#speed 100
ZXR10(config-if)#exit
ZXR10(config)#interface fei_0/2
ZXR10(config-if)#ip address 192.168.100.1 255.255.255.0
ZXR10(config-if)#negotiation auto
ZXR10(config-if)#exit
ZXR10(config)#username hyd password hyd
ZXR10(config)#user-group special zlsc zlsc zlsc
ZXR10(config)#user-vpdn-group user-group zlsc vpdn-group 1
ZXR10(config)#user-authentication-type local
ZXR10(config)#user-authorization-type local
ZXR10(config)#ip route 0.0.0.0 0.0.0.0 202.100.192.1
ZXR10(config)#write
The configuration showed no problem. Note that PAP, as configured on the virtual template, sends the user password in clear text, and a plain L2TP tunnel does not encrypt the traffic it carries, so this setup relies on the LAC-to-LNS path being trusted.
2. The engineers checked the server and they found that there was no problem.
3. The engineers installed an FTP program and a Pigeon program, and set an FTP user name and password on the PC at Chengdong. When the user downloaded a 1 MB file, it took a long time and the system prompted that there was no response, while chatting with the Pigeon program worked normally: small packets passed, but large TCP transfers stalled. The engineers therefore installed the DrTCP program on the PC and set the MTU to 1000, but the malfunction persisted.
4. The engineers removed the LNS device and configured a VPN server directly on the server. A PC could then dial up and download programs from the server. The engineers restored the LNS device and added the ip tcp adjust-mss 1000 command on the related interface, after which the malfunction disappeared.
Solution
The engineers added the ip tcp adjust-mss 1000 command on the related interface.
Experience Summary
Such a malfunction is usually caused by MTU and Maximum Segment Size (MSS). MSS is the largest amount of TCP payload that one segment may carry. Each end announces its MSS in a TCP option of its SYN when the connection is established, and each end then sends segments no larger than the value its peer announced, so the connection is effectively limited by the smaller of the two values. A host derives the MSS it announces from the MTU of its own interface (1460 for a 1500-byte Ethernet MTU) and knows nothing about the L2TP, UDP and PPP headers added inside the tunnel, so full-size segments from the server no longer fit the tunnel path: small packets such as pings and chat messages get through, while large transfers stall. The ip tcp adjust-mss command makes the LNS rewrite the MSS option in the SYN and SYN-ACK segments passing through it, which limits both directions regardless of the MTU configured on either host. A quick check for this class of fault is to ping the server from the client with the don't-fragment flag set and a large payload (for example ping -f -l 1400 on Windows): if a small ping succeeds but the large one fails, the path MTU is too small for the segments in use.■
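The MSS clamping described above, as an added worked example that is not part of the original case and not ZTE code: a Python routine that parses an IPv4/TCP SYN, lowers an MSS option larger than 1000 the way ip tcp adjust-mss 1000 does on the LNS, and recomputes the TCP checksum. The addresses, ports and the sample SYN are constructed for the illustration; IPv4 without IP options is assumed.

```python
"""Illustration of what `ip tcp adjust-mss` does to a SYN crossing the LNS.
Added example, not ZTE code. Assumes IPv4 without IP options (RFC 791) and
TCP as in RFC 793; all packets below are constructed for the illustration."""
import struct

IP_HDR = 20   # IPv4 header length without options
TCP_HDR = 20  # TCP header length without options
MSS_KIND = 2  # TCP option kind: Maximum Segment Size


def mss_for_mtu(mtu):
    """Largest TCP payload that fits an MTU once IPv4 and TCP headers are added."""
    return mtu - IP_HDR - TCP_HDR


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over the IPv4 pseudo-header and the TCP segment.
    Returns 0 when the segment already carries a correct checksum."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def _options(seg):
    """Yield (kind, offset) for every multi-byte TCP option; offset is the kind byte."""
    end = (seg[12] >> 4) * 4
    i = TCP_HDR
    while i < end:
        kind = seg[i]
        if kind == 0:                          # end of option list
            return
        if kind == 1:                          # NOP padding
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2:     # truncated or malformed option
            return
        yield kind, i
        i += seg[i + 1]


def read_mss(packet):
    """MSS option value of a TCP packet, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    for kind, off in _options(seg):
        if kind == MSS_KIND and seg[off + 1] == 4:
            return struct.unpack("!H", seg[off + 2:off + 4])[0]
    return None


def clamp_mss(packet, max_mss):
    """Return the packet with an MSS option above max_mss lowered to max_mss.
    Non-TCP packets and segments without the SYN flag pass through unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                         # IP protocol field: not TCP
        return packet
    seg = bytearray(packet[ihl:])
    if not seg[13] & 0x02:                     # SYN flag clear
        return packet
    changed = False
    for kind, off in _options(seg):
        if kind == MSS_KIND and seg[off + 1] == 4:
            mss = struct.unpack("!H", seg[off + 2:off + 4])[0]
            if mss > max_mss:
                seg[off + 2:off + 4] = struct.pack("!H", max_mss)
                changed = True
    if not changed:
        return packet
    seg[16:18] = b"\x00\x00"                   # zero the field, then recompute
    seg[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
    return packet[:ihl] + bytes(seg)


def checksum_ok(packet):
    """True if the TCP checksum of an IPv4/TCP packet verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_syn(src, dst, sport, dport, mss):
    """Constructed sample input: an IPv4/TCP SYN carrying only an MSS option."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss)
    data_off = (TCP_HDR + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_off << 4, 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~_ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    # Hypothetical client from pool zlsc opening a connection to the server card
    syn = build_syn(bytes([192, 168, 200, 10]), bytes([192, 168, 100, 2]), 40000, 8080, 1460)
    clamped = clamp_mss(syn, 1000)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", checksum_ok(clamped))
```

The rewrite is applied to the SYN and SYN-ACK that cross the LNS, so it bounds what both the server and the client will send without touching either host. The checksum must be recomputed after the option changes; a segment with a stale checksum is silently discarded by the receiving stack, which would reproduce the very symptom the case describes.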