Nortel Secure Router 8000 Series
Troubleshooting - VAS

1 AAA troubleshooting

1.5 FAQs

Q: Nortel devices and non-Nortel devices use the same TACACS server but the
authentication fails. Why?

A: The user class range set by the third party is different from that set by Nortel. The user
class range set by Nortel is from 0 to 3, and any value that exceeds 3 is incorrect, so the
authentication fails. To clear this fault, configure the users for the third-party products
and for the Nortel products accordingly.

Q: A Telnet user who passes RADIUS authentication cannot enter the system
view. Why?

A: The user is not authorized by the RADIUS server.

If shiva (RADIUS software) is used as the RADIUS server, configure exec-privilege for
it; if another type of server is used, configure the extended exec-privilege for it. That is,
add the extended attribute (29) contained in the standard attribute (26) to the related
attribute dictionary.

For FTP users, if shiva is used as the RADIUS server, configure ftp-directory for it; if
another type of server is used, configure the extended ftp-directory. That is, add the
extended attribute (29) contained in the standard attribute (26) to the related attribute
dictionary.
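
The check below is an added example, not taken from the Nortel manual: it parses the attribute block of a RADIUS Access-Accept (RFC 2865 layout) and reports whether extended attribute 29 is present inside a Vendor-Specific attribute (26), which is the authorization the answer above says is missing. The vendor ID, the 4-byte integer encoding of the value, and the sample attribute blocks are constructed assumptions.

```python
import struct

VENDOR_SPECIFIC = 26       # standard RADIUS attribute type (RFC 2865)
EXT_SUBTYPE = 29           # extended attribute number named in the FAQ
EXAMPLE_VENDOR_ID = 99999  # constructed placeholder, not the real vendor ID


def parse_attributes(buf):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((a_type, buf[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def find_extended(buf, vendor_id, subtype=EXT_SUBTYPE):
    """Return the value of the vendor sub-attribute, or None if absent."""
    for a_type, value in parse_attributes(buf):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vid,) = struct.unpack("!I", value[:4])
        if vid != vendor_id:
            continue
        sub, pos = value[4:], 0
        while pos + 2 <= len(sub):
            s_type, s_len = sub[pos], sub[pos + 1]
            if s_len < 2 or pos + s_len > len(sub):
                break  # malformed sub-attribute: stop parsing this VSA
            if s_type == subtype:
                return sub[pos + 2:pos + s_len]
            pos += s_len
    return None


def vsa(vendor_id, subtype, data):
    """Build one Vendor-Specific attribute (used for constructed samples)."""
    body = struct.pack("!I", vendor_id) + bytes([subtype, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed samples: Service-Type (6) = Login, with and without the VSA.
# The 4-byte integer value 3 is an assumed encoding of the privilege level.
SERVICE_TYPE = bytes([6, 6]) + struct.pack("!I", 1)
WITH_PRIV = SERVICE_TYPE + vsa(EXAMPLE_VENDOR_ID, EXT_SUBTYPE, struct.pack("!I", 3))
WITHOUT_PRIV = SERVICE_TYPE
```

A result of None from find_extended on a captured Access-Accept means the server accepted the password but returned no extended attribute 29 for that vendor, so the attribute dictionary on the server is the place to look.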

Q: How does AAA allocate addresses to PPP users?

A: The address allocation rules are as follows:

To the unauthenticated user: If the interface is configured with an IP address, the NAS
allocates the address to the peer directly; if the interface is configured with an IP address
pool, the NAS allocates the address in the address pool to the peer.

To the authenticated default domain user: If the RADIUS server delivered the IP address,
the NAS allocates this address to the peer directly; if the RADIUS server delivered the IP
address pool ID, the NAS allocates the address in the global or domain address pool to
the peer. If the RADIUS server has not delivered the address pool ID but the interface is
configured with an IP address pool, the NAS allocates the address in this global address
pool to the peer.

To the authenticated common domain user: If the RADIUS server delivered the IP
address, the NAS allocates the address to the peer directly. If the RADIUS server
delivered the IP address pool ID, the NAS allocates the address in the specified domain
address pool to the peer. If the RADIUS server has not delivered the address pool ID but
the interface is configured with an IP address, the NAS allocates this address to the peer.
If the interface is configured with an IP address pool, the NAS allocates the address in
the domain address pool to the peer.

In the preceding three cases:

If all the addresses in the specified global address pool have been used, the NAS
traverses the entire address pool, starting from the first address pool configured.

If all the addresses in the specified domain address pool have been used, the NAS
traverses from the first domain address pool configured. Users in a domain prefer
addresses in the address pool of the domain in which they reside.

Issue 01.01 (30 March 2009)

Nortel Networks Inc.
