Troubleshooting Aaa & Radius & Hwtacacs Configuration; Troubleshooting The Radius Protocol - H3C S3610 Series Operation Manual

Operation Manual – AAA & RADIUS & HWTACACS
H3C S3610&S5510 Series Ethernet Switches
#Create local user telnet.
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple telnet
[Sysname-luser-telnet] quit
# Enable Telnet.
[Sysname] telnet server enable
# Configure AAA scheme for the ISP domain
[Sysname] domain test
[Sysname-isp-test] authentication login local
[Sysname-isp-test] authorization login hwtacacs-scheme hwtac
[Sysname-isp-test] accounting login radius-scheme cams
[Sysname-isp-test] quit
# Configure default AAA schemes, in which user type is not checked.
[Sysname] domain test
[Sysname-isp-test] authentication default local
[Sysname-isp-test] authorization default hwtacacs-scheme hwtac
[Sysname-isp-test] accounting default radius-scheme cams
1.8 Troubleshooting AAA & RADIUS & HWTACACS
Configuration

1.8.1 Troubleshooting the RADIUS Protocol

The RADIUS protocol is at the application layer in the TCP/IP protocol suite. This
protocol prescribes how the switch and the RADIUS server of the ISP exchange user
information with each other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
The user name is not in the userid@isp-name format, or no default ISP domain is
specified on the switch — Use the correct user name format, or set a default ISP
domain on the switch.
The user is not configured in the database of the RADIUS server — Check the
database of the RADIUS server, make sure that the configuration information
about the user exists.
The user input an incorrect password — Be sure to input the correct password.
The switch and the RADIUS server have different shared keys — Compare the
shared keys at the two ends, make sure they are identical.
Chapter 1 AAA & RADIUS & HWTACAC
1-49
S Configuration