Troubleshooting AAA, Troubleshooting RADIUS Configuration – H3C Technologies H3C WX3000 Series Unified Switches User Manual


Figure 27-3 Remote HWTACACS authentication and authorization of Telnet users

[Network diagram: Telnet user, Internet, authentication server 10.110.91.164]

Configuration procedure

# Add a Telnet user.

(Omitted here)

# Configure a HWTACACS scheme.

<device> system-view

[device] hwtacacs scheme hwtac

[device-hwtacacs-hwtac] primary authentication 10.110.91.164 49

[device-hwtacacs-hwtac] primary authorization 10.110.91.164 49

[device-hwtacacs-hwtac] key authentication expert

[device-hwtacacs-hwtac] key authorization expert

[device-hwtacacs-hwtac] user-name-format without-domain

[device-hwtacacs-hwtac] quit

# Configure the ISP domain hwtacacs to reference the HWTACACS scheme hwtac.

[device] domain hwtacacs

[device-isp-hwtacacs] scheme hwtacacs-scheme hwtac

Troubleshooting AAA

Troubleshooting RADIUS Configuration

The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol
prescribes how the device and the RADIUS server of the ISP exchange user information with each
other.

Symptom 1: User authentication/authorization always fails.

Possible reasons and solutions:

- The user name is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the device. Solution: use the correct user name format, or set a default ISP domain on the device.

- The user is not configured in the database of the RADIUS server. Solution: check the database of the RADIUS server and make sure that the configuration information about the user exists.

- The user entered an incorrect password. Solution: be sure to enter the correct password.

- The device and the RADIUS server have different shared keys. Solution: compare the shared keys at the two ends and make sure they are identical.
