CHAPTER 21: AAA CONFIGURATION
This method is similar to the remote authentication method described in "Remote
RADIUS Authentication of Telnet/SSH Users". However, you need to:
■ Change the server IP address and the UDP port number of the authentication
server to 127.0.0.1 and 1645, respectively, in the configuration step "Configure
a RADIUS scheme" in "Remote RADIUS Authentication of Telnet/SSH Users".
■ Enable the local RADIUS server function, and set the IP address and shared key for
the network access server to 127.0.0.1 and aabbcc, respectively.
■ Configure local users.
Troubleshooting AAA
The RADIUS protocol operates at the application layer in the TCP/IP protocol suite.
This protocol prescribes how the switch and the RADIUS server of the ISP
exchange user information with each other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
■ The user name is not in the userid@isp-name or userid.isp-name format, or the
default ISP domain is not correctly specified on the switch - Use the correct user
name format, or set a default ISP domain on the switch.
■ The user is not configured in the database of the RADIUS server - Check the
database of the RADIUS server and make sure that the configuration information
about the user exists.
■ The user input an incorrect password - Be sure to input the correct password.
■ The switch and the RADIUS server have different shared keys - Compare the
shared keys at the two ends and make sure they are identical.
■ The switch cannot communicate with the RADIUS server (you can determine this by
pinging the RADIUS server from the switch) - Take measures to make the
switch communicate with the RADIUS server normally.
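Why a shared-key mismatch produces Symptom 1, shown as an added example that is not part of the original manual: a RADIUS client accepts a reply only if its Response Authenticator (RFC 2865) matches an MD5 digest computed with the client's own shared key. The packet bytes are constructed sample data and the function names are hypothetical; aabbcc is the shared key used in the configuration steps.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: sign a reply with
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def response_matches_key(response, request_auth, secret):
    """Switch side: True only if the reply was signed with `secret`."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def diagnose():
    """Constructed sample: server key is aabbcc, one switch key has a typo."""
    request_auth = bytes(range(16))          # constructed Request Authenticator
    msg = b"welcome"
    attrs = bytes([18, 2 + len(msg)]) + msg  # Reply-Message attribute (type 18)
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, b"aabbcc")
    return {
        "same key": response_matches_key(reply, request_auth, b"aabbcc"),
        "mismatched key": response_matches_key(reply, request_auth, b"aabbc"),
        "truncated reply": response_matches_key(reply[:10], request_auth, b"aabbcc"),
    }

if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case}: {'accepted' if ok else 'dropped as invalid'}")
```

Because the reply signed with a different key is discarded rather than answered, the failure looks the same to the user as a wrong password, which is why the keys at both ends have to be compared directly.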
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
■ The communication links (physical/link layer) between the switch and the
RADIUS server are disconnected/blocked - Take measures to make the links
connected/unblocked.
■ No RADIUS server IP address, or an incorrect one, is set on the switch - Be sure to set
a correct RADIUS server IP address.
■ One or all AAA UDP port settings are incorrect - Be sure to set the same UDP
port numbers as those on the RADIUS server.
Symptom 3: The user passes the authentication and gets authorized, but the
accounting information cannot be transmitted to the RADIUS server.
Possible reasons and solutions:
■ The accounting port number is not properly set - Be sure to set a correct port
number for RADIUS accounting.