AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting - 3Com 5500-SI Configuration Manual

AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting
Once the RADIUS scheme and domain have been set up (see Domain and RADIUS scheme creation), switch login is enabled.
By default, when you use the username admin to log in, you are actually logging in as "admin@local". If no domain is given, "@local" is automatically added at the end of the username. This indicates that the user is a member of the local domain and, as a result, uses the local RADIUS server.
To log in using the external RADIUS server defined in the steps in section Domain and RADIUS scheme creation, you need to log in as user@domain, for example joe@demo. This will try to log you into the demo domain, which uses the external, rather than the internal, RADIUS server.
By default, the username sent to the RADIUS server for verification will be in the form user@domain. To send just the username without the domain extension to the RADIUS server, change the setting under the RADIUS scheme as follows:
[SW5500-radius-NewSchemeName]user-name-format without-domain
The RADIUS protocol of the TCP/IP protocol suite is located on the application layer. It mainly specifies how to exchange user information between the NAS and the RADIUS server of the ISP, so it is prone to faults.
Fault One: User authentication/authorization always fails.
Troubleshooting:
- The username may not be in the userid@isp-name format, or the NAS has not been configured with a default ISP domain. Use the username in the proper format and configure the default ISP domain on the NAS.
- The user may not have been configured in the RADIUS server database. Check the database and make sure that the configuration information of the user exists in it.
- The user may have entered a wrong password. Make sure that the user enters the correct password.
- The encryption keys of the RADIUS server and the NAS may be different. Check carefully and make sure that they are identical.
- There might be a communication fault between the NAS and the RADIUS server, which can be discovered by pinging the RADIUS server from the NAS. Ensure there is normal communication between the NAS and the RADIUS server.
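A captured request/reply pair can confirm the key mismatch named in the list above. The following is an added example, not code from the 3Com manual; it assumes the switch and server use the standard RFC 2865 Response Authenticator calculation, and the keys, packet contents and the `server_reply` helper are constructed for illustration.

```python
import hashlib
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, ident, authenticator, attrs=b""):
    """Serialize Code, Identifier, Length, 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_auth(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def check_reply(request, reply, nas_secret):
    """Diagnose a captured request/reply pair against the key set on the NAS."""
    if len(request) < 20 or len(reply) < 20:
        return "malformed: packet shorter than the 20-byte RADIUS header"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "malformed: Length field does not match the captured bytes"
    if ident != request[1]:
        return "unrelated: reply Identifier does not match the request"
    expected = response_auth(code, ident, reply[20:length], request[4:20], nas_secret)
    if expected != reply[4:20]:
        return "key mismatch: reply was not computed with the NAS key"
    return "ok: %s verified with the NAS key" % CODES.get(code, "code %d" % code)


# Constructed sample data (not from the manual): a request for joe@demo and
# replies built the way a server holding a given key would build them.
REQ_AUTH = bytes(range(16))
REQUEST = build_packet(1, 7, REQ_AUTH, attr(1, b"joe@demo"))


def server_reply(code, secret, attrs=b""):
    """Hypothetical helper: reply to REQUEST from a server using `secret`."""
    auth = response_auth(code, 7, attrs, REQ_AUTH, secret)
    return build_packet(code, 7, auth, attrs)
```

Calling `check_reply(REQUEST, server_reply(3, b"server-key"), b"nas-key")` returns the key-mismatch diagnosis, while the same reply built with `b"nas-key"` verifies as a genuine Access-Reject, which points to the user database or password rather than the key.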
Fault Two: RADIUS packet cannot be transmitted to RADIUS server.
Troubleshooting:
- The communication lines (on physical layer or link layer) connecting NAS and the RADIUS server may not work well. So ensure the lines work well.
- The IP address of the corresponding RADIUS server may not have been set on NAS. Set a proper IP address for RADIUS server.
- UDP ports of authentication/authorization and accounting services may not be set properly. So make sure they are consistent with the ports provided by RADIUS server.


This manual is also suitable for: 5500-EI, 5500G-EI
