Troubleshooting aaa, Troubleshooting radius configuration, Troubleshooting hwtacacs configuration – H3C Technologies H3C S3100 Series Switches User Manual

Troubleshooting AAA

Troubleshooting RADIUS Configuration

The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.

Symptom 1: User authentication/authorization always fails.

Possible reasons and solutions:

- The user name is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the switch — Use the correct user name format, or set a default ISP domain on the switch.
- The user is not configured in the database of the RADIUS server — Check the database of the RADIUS server and make sure that the configuration information about the user exists.
- The user entered an incorrect password — Be sure to enter the correct password.
- The switch and the RADIUS server have different shared keys — Compare the shared keys at the two ends and make sure they are identical.
- The switch cannot communicate with the RADIUS server (you can check this by pinging the RADIUS server from the switch) — Take measures to make the switch communicate with the RADIUS server normally.
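A shared-key mismatch can be confirmed from a packet capture: RFC 2865 defines a reply's Response Authenticator as MD5 over the reply header, the Request Authenticator, the attributes and the shared key, so a reply built with a different key fails the check. The Python below is an added example, not taken from the H3C manual; the function names, keys and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS Code value for Access-Accept (RFC 2865)


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """Assemble a reply the way a server holding `secret` would."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return header + auth + attributes


def check_reply(packet, request_auth, secret):
    """Classify a captured reply: 'ok', 'malformed' or 'authenticator-mismatch'."""
    if len(packet) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed"
    attributes = packet[20:length]  # ignore any padding past the Length field
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    # A mismatch means the key used here is not the key the server used
    # (or the reply does not belong to this request).
    same = hmac.compare_digest(packet[4:20], expected)
    return "ok" if same else "authenticator-mismatch"


# Constructed sample data: keys, identifier and attribute are made up.
REQUEST_AUTH = bytes(range(16))            # authenticator from the Access-Request
REPLY_MESSAGE = bytes([18, 7]) + b"hello"  # attribute type 18 (Reply-Message), length 7
SERVER_KEY = b"server-side-key"
SWITCH_KEY = b"switch-side-key"
REPLY = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, REPLY_MESSAGE, SERVER_KEY)

if __name__ == "__main__":
    print("checked with server key:", check_reply(REPLY, REQUEST_AUTH, SERVER_KEY))
    print("checked with switch key:", check_reply(REPLY, REQUEST_AUTH, SWITCH_KEY))
```

RFC 2865 has the client silently discard a reply whose authenticator is invalid, so from the switch a key mismatch can look the same as a server that never answers.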

Symptom 2: RADIUS packets cannot be sent to the RADIUS server.

Possible reasons and solutions:

- The communication link (physical/link layer) between the switch and the RADIUS server is disconnected/blocked — Take measures to make the link connected/unblocked.
- No RADIUS server IP address, or an incorrect one, is set on the switch — Be sure to set a correct RADIUS server IP address.
- One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers as those on the RADIUS server.

Symptom 3: The user passes the authentication and gets authorized, but the accounting information cannot be transmitted to the RADIUS server.

Possible reasons and solutions:

- The accounting port number is not properly set — Be sure to set a correct port number for RADIUS accounting.
- The switch is configured to use the same device (with the same IP address) as both the authentication/authorization server and the accounting server, but in fact they do not reside on the same device — Be sure to configure the RADIUS servers on the switch according to the actual situation.

Troubleshooting HWTACACS Configuration

See the previous section if you encounter an HWTACACS fault.
