L2TP LDAP AAA Authentication fails in new Firmware V4.70(AALA.0) - rollback to V4.65(AAKY.0) =OK!
Attention Zyxel lads, my Taiwanese friends: this problem is reproducible on USG40 & USG60 with the new firmware update V4.70(AAKY.0)
Scenario
After upgrading the lab USG40 and USG60 routers from V4.65(AAKY.0) to V4.70(AAKY.0) over the weekend and doing verification testing, we found that........
Problem Issue
All L2TP client connections that require AAA LDAP authentication (group ldap) consistently fail in L2TP with "authentication failed" on both USG40 and USG60 at firmware V4.70(AAKY.0):
<local2.debug> usg40 msf-usg40-01 src="222.XX6.1XX.XXX:1701" dst="14.0.XXX.XXX:45716" msg="Message: PPP failure: Reason: Authentication failed" note="L2TP_LOG" user="unknown" devID="1c740dfec31c" cat="L2TP"
Refine:
It is only the L2TP client accounts requiring LDAP PAP authentication that fail authentication. All Local accounts [that don't rely on AAA LDAP authentication] in these routers are authenticated against the router's password and work correctly.
Reproducible:
Yes, on USG40 and USG60 and only at firmware update V4.70(AAKY.0)
Workaround: (hmmm ...)
- add LDAP users as LOCAL users in the router - (works but won't be doing that!)
- rollback USG40, USG60 routers to firmware V4.65(AAKY.0) - then L2TP AAA LDAP works 100% again!
The V4.70(AAKY.0) firmware's L2TP PPP subcomponent is not processing the handoff to AAA LDAP correctly.
Controls:
- LDAP server access is available from USG40/USG60 for both firmware levels, V4.65(AAKY.0) and V4.70(AAKY.0) .. e.g. the test LDAP account 'casper' resolves correctly to the external LDAP server from the USG routers themselves:
Router> test aaa server ldap host ldapserver.lab.studio port 389 base-dn dc=ldapserver,dc=lab,dc=studio bind-dn uid=diradmin_msf,cn=users,dc=ldapserver,dc=lab,dc=studio password XXXXXXXXXXXXXXXXXXXX login-name-attribute uid account casper
resolves correctly to the external LDAP server as:
dn: uid=casper,cn=users,dc=ldapserver,dc=lab,dc=studio
cn: casper
uid: casper
uidNumber: 1027
sn: casper
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: extensibleObject
gidNumber: 220
.... snip snip
 48707 root@LDAPSERVER.LAB.STUDIO:10.0.99.201
authAuthority: ;Kerberosv5;;casper@LDAPSERVER.LAB.STUDIO;LDAPSERVER.LAB.STUDIO;
altSecurityIdentities: Kerberos:casper@LDAPSERVER.LAB.STUDIO
apple-generateduid: 47319A36-323C-4A6A-AFDE-FBF36F2B394A
description: mocked up LDAP user for LDAP L2TP testing
loginShell: /bin/bash
.... snip snip
homeDirectory: /Network/Servers/LDAPSERVER.LAB.STUDIO/Volumes/ssh_group_home/casper
Router>
see attachments...
Operational Overview - L2TP AAA LDAP and Local Authentication = FAILURE
1. Basic stuff, all L2TP-over-IPsec VPN connections pass through the Phase 1 VPN Gateway then the Phase 2 VPN Connection and the tunnel is successfully built:
msg="Dynamic Tunnel [Client01_L2TP_usg40_GATEWAY:Client01_L2TP_usg40_CONNECTIO:0x0e359c53] built successfully" note="IKE_LOG" user="unknown" devID="1cffffffffff"
msg="Looking up IPSec SA for the L2TP tunnel" note="L2TP_LOG" user="unknown" devID="1cffffffffff" cat="L2TP"
msg="Fetching IPSec SA rule #354" note="L2TP_LOG" user="unknown" devID="1cffffffffff" cat="L2TP"
msg="Creating outbound L2TP control traffic rule (depends on rule #354)" note="L2TP_LOG" user="unknown" devI
msg="L2TP control rule created: index: #362" note="L2TP_LOG" user="unknown" devID="1cffffffffff" cat="L2TP"
msg="Tunnel Request Complete" note="L2TP_LOG" user="unknown" devID="1cffffffffff" cat="L2TP"
msg="[Client01_L2TP_usg40_CONNECTIO(#3)]created incoming IPsec flow, idx: 24981" note="IPSec" user="unknown"
2. .. however, as L2TP PAP processing is subsequently invoked, which SHOULD be passed to the external LDAP server,
msg="peer requests authentication protocol PAP" note="L2TP_LOG" .....
3. the LDAP request result (was it even called??) is deemed to have failed authentication as:
msg="Remote L2TP peer 14.0.XXX.XXX:49299" note="L2TP_LOG" user="unknown" devID="1cfff
msg="Remote tunnel ID 26 session ID 3856" note="L2TP_LOG" user="unknown" devID="1
msg=" User-name: casper" note="IKE_LOG" user="unknown" devID="1cffffffffff" cat="IKE
unauthenticated result here ---->
msg="Message: PPP failure: Reason: Authentication failed" note="L2TP_LOG" user="un
then the tunnel is destroyed ... etc etc
msg="IPsec SA destroyed: ESP Inbound SPI: [9ee7dec7] Outbound SPI:
Attachments and Diags:
I have attached these logs and listings from the USG40 router .. the same basically for the USG60 router...
- show version_l2tp-over-ipsec_aaa group server ldap.log
- test aaa server ldap host.log
- USG_V4.70-AALA.0_L2TP_IPSEC_PH2_authentication_failure.log
.. Lastly
We will not be upgrading any other routers (including clients' routers) to Firmware V4.70-AALA.0 until this is resolved, due to the reliance of some routers we manage on L2TP AAA LDAP authentication.
- This circumstance is easy to reproduce.
- When available, will also try on a USG20WVPN and a USG110 at their respective updated firmware levels.. ..these will likely be the same and not work with the above.
Please let me know what other diagnostics you may require of us.
As always, and from previous responsive and excellent support back prior to 2018, I look forward to the prompt support from you engineering blokes at Zyxel TW, my Taiwanese friends.
Kind Regards
Warwick
Hong Kong
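As an added example (not part of the original post and not a Zyxel tool), a small Python script that parses the USG's key="value" syslog lines shown above and reports the sessions whose IPsec/L2TP tunnel came up but whose PPP authentication then failed, which is exactly the symptom reported. The log lines, user names and addresses in it are constructed; the message strings follow the post.

```python
"""Correlate Zyxel USG syslog lines per L2TP peer: tunnel built, user name
seen, PPP authentication failed.  SAMPLE_LOG is constructed for this example
(placeholder addresses and users); the msg strings mirror the post's logs."""
import re
from collections import defaultdict

# Zyxel syslog fields are key="value" pairs separated by spaces.
_KV = re.compile(r'(\w+)="([^"]*)"')

SAMPLE_LOG = """\
src="203.0.113.10:1701" dst="198.51.100.7:45716" msg="Tunnel Request Complete" note="L2TP_LOG" user="unknown" cat="L2TP"
src="203.0.113.10:1701" dst="198.51.100.7:45716" msg="peer requests authentication protocol PAP" note="L2TP_LOG" user="unknown" cat="L2TP"
src="203.0.113.10:1701" dst="198.51.100.7:45716" msg=" User-name: casper" note="IKE_LOG" user="unknown" cat="IKE"
src="203.0.113.10:1701" dst="198.51.100.7:45716" msg="Message: PPP failure: Reason: Authentication failed" note="L2TP_LOG" user="unknown" cat="L2TP"
src="203.0.113.10:1701" dst="198.51.100.7:45800" msg="Tunnel Request Complete" note="L2TP_LOG" user="unknown" cat="L2TP"
src="203.0.113.10:1701" dst="198.51.100.7:45800" msg=" User-name: localbob" note="IKE_LOG" user="unknown" cat="IKE"
"""


def parse_line(line):
    """Return the key/value fields of one Zyxel syslog line as a dict."""
    return dict(_KV.findall(line))


def correlate_l2tp(log_text):
    """Group lines by remote peer (the dst field, since the router's own
    1701 port is src) and record tunnel build, user name and auth failure."""
    sessions = defaultdict(lambda: {"user": None, "built": False, "auth_failed": False})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "dst" not in fields:
            continue
        sess = sessions[fields["dst"]]
        msg = fields.get("msg", "").strip()   # msg values may carry a leading space
        if msg == "Tunnel Request Complete":
            sess["built"] = True
        elif msg.startswith("User-name:"):
            sess["user"] = msg.split(":", 1)[1].strip()
        elif "PPP failure" in msg and "Authentication failed" in msg:
            sess["auth_failed"] = True
    return dict(sessions)


def failed_after_tunnel(log_text):
    """User names whose tunnel was built but PPP (PAP) auth then failed:
    the pattern that points at the AAA hand-off rather than at IPsec."""
    return sorted(s["user"] for s in correlate_l2tp(log_text).values()
                  if s["built"] and s["auth_failed"] and s["user"])


if __name__ == "__main__":
    print("tunnel up but PPP auth failed:", failed_after_tunnel(SAMPLE_LOG))
```

Feed it the real syslog export and compare the reported names against the router's local user list: if every name is an LDAP-group account and none a local one, the failure sits in the AAA hand-off rather than in IPsec or L2TP setup.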
Comments
-
@warwickt thanks. I am not able to help you in any way with the issue you're encountering, and I hope that more expert persons than me will soon see this post and provide you hints for resolving it. But I cannot avoid congratulating you on a "do like that" post for explaining your environment, your problem, the data you gathered, and the way you format the text to allow a better comprehension and lookup of the info and data. I hope that your post will be considered for an award for "When you're asking something, ask as warwick did".
-
Hi @warwickt,
Thanks for detailed information to speed up issue clarification.
The issue can also be reproduced in the lab.
We are working on it and will get back to you as soon as possible.
-
Hi Zyxel_Cooldia, thanks for the DM and the follow-up, as expected from your excellent support service.
Thanks also for the confirmation that this can be reproduced in your Zyxel labs..
We've also looked at packet traces from the USG appliance to the LAN LDAP servers on the same LAN, and also over a VTI, for
- a test aaa command vs
- an L2TP AAA LDAP request
Please refer to my DM and please advise accordingly at your earliest convenience.
Many Thanks
Warwick
Hong Kong
-
Hello, G'day, Hallo fellow Zyxel forum denizens!
Update and Fix:
I'm pleased to advise that the excellent bunch of blokes at Zyxel TW SW Engineering and Tech Support (Zyxel_Cooldia) have resolved this AAA LDAP authentication issue that I reported above for firmware V4.70-AAKY.0 in Zyxel USG40 and USG60 appliances.
One assumes Zyxel will roll this fix with the next release of firmware.
We tested this against these OpenLDAP servers, LOCAL and addressable over internal VTI links:
- openldap24 (FreeBSD 12.2 / 13; & Linux (Debian 10))
- openldap26 (latest as at 2021-12) - FreeBSD 12.2 & 13
- OpenLDAP: slapd 2.4.28 for MacOS Server (10.12.6 Server - ye old OpenDirectory)
I suggest if you have this annoying issue, either
- rollback to the V4.65 firmware
- or contact Zyxel_Cooldia for access to the Zyxel weekly firmware accumulated patches that ought to contain a fix for this issue.
Lastly a HUGE THANK-YOU to Zyxel_Cooldia for his enthusiastic and highly professional attention to this request and his most splendid organisation and DM communication. (Thanks Mate!)
(For those that care): we noticed an extra set of 'debug' for category 'L2TP' .... nice one!
Warwick
Hong Kong