Troubleshooting AAA & RADIUS & HWTACACS Configuration

[SW7750-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[SW7750-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[SW7750-hwtacacs-hwtac] key accounting expert
[SW7750-hwtacacs-hwtac] key authentication expert
[SW7750-hwtacacs-hwtac] key authorization expert
[SW7750-hwtacacs-hwtac] user-name-format without-domain
[SW7750-hwtacacs-hwtac] quit
# Configure the domain name of the HWTACACS scheme to hwtac.
[SW7750] domain hwtacacs
[SW7750-isp-hwtacacs] scheme hwtacacs-scheme hwtac

Troubleshooting the RADIUS Protocol

The RADIUS protocol is at the application layer in the TCP/IP protocol suite. This
protocol prescribes how the switch and the RADIUS server of the ISP exchange
user information with each other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
■ The user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch - Use the correct user name format, or set a default ISP domain on the switch.
■ The user is not configured in the database of the RADIUS server - Check the database of the RADIUS server and make sure that the configuration information about the user exists.
■ The user entered an incorrect password - Be sure to enter the correct password.
■ The switch and the RADIUS server have different shared keys - Compare the shared keys at the two ends and make sure they are identical.
■ The switch cannot communicate with the RADIUS server (you can check this by pinging the RADIUS server from the switch) - Take measures to make the switch communicate with the RADIUS server normally.
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
■ The communication links (physical/link layer) between the switch and the RADIUS server are disconnected/blocked - Take measures to make the links connected/unblocked.
■ No RADIUS server IP address, or an incorrect one, is set on the switch - Be sure to set a correct RADIUS server IP address.
■ One or all AAA UDP port settings are incorrect - Be sure to set the same UDP port numbers as those on the RADIUS server.
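The following Python is an added example, not part of the manual. It separates the causes listed under Symptom 1 and Symptom 2 by checking the Response Authenticator that RFC 2865 defines for a server reply, which a ping cannot do. The function names, the keys switch-key and server-key, and the sample packet are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): MD5-chained XOR in 16-byte blocks."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident, req_auth, user, password, secret) -> bytes:
    """Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def diagnose(reply, ident, req_auth, secret) -> str:
    """Classify a server reply (None means the request timed out)."""
    if reply is None:
        return "no reply: check links, server IP address and UDP port"
    if len(reply) < 20:
        return "malformed reply"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return "malformed reply"
    expected = response_authenticator(code, rid, reply[20:length], req_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return "shared key mismatch"
    verdicts = {ACCESS_ACCEPT: "accepted",
                ACCESS_REJECT: "rejected: check user name format, user database and password"}
    return verdicts.get(code, f"unexpected code {code}")

if __name__ == "__main__":
    # Constructed sample: a server holding a different key rejects the user.
    auth = os.urandom(16)
    req = build_access_request(7, auth, b"user@isp", b"pw", b"switch-key")
    hdr = struct.pack("!BBH", ACCESS_REJECT, 7, 20)
    reply = hdr + response_authenticator(ACCESS_REJECT, 7, b"", auth, b"server-key")
    print(len(req), diagnose(reply, 7, auth, b"switch-key"))
```

A reply that arrives but fails the authenticator check points at the shared key, a valid Access-Reject points at the user name, database entry or password, and a timeout points at the Symptom 2 causes.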