1786 CHAPTER 93: AAA/RADIUS/HWTACACS CONFIGURATION

[Router] interface ethernet 1/0
[Router-Ethernet1/0] ip address 10.1.1.2 255.255.255.0

Troubleshooting AAA/RADIUS/HWTACACS

Troubleshooting RADIUS
Symptom 1: User authentication/authorization always fails.
Analysis:
1 A communication failure exists between the NAS and the RADIUS server.
2 The username is not in the format of userid@isp-name or no default ISP domain is specified for the NAS.
3 The user is not configured on the RADIUS server.
4 The password of the user is incorrect.
5 The RADIUS server and the NAS are configured with different shared keys.
Solution:
Check that:
1 The NAS and the RADIUS server can ping each other.
2 The username is in the userid@isp-name format and a default ISP domain is specified on the NAS.
3 The user is configured on the RADIUS server.
4 The password entered by the user is correct.
5 The same shared key is configured on both the RADIUS server and the NAS.
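
Causes 4 and 5 both end in a failed login, but a captured reply tells them apart: per RFC 2865 the server signs each reply with the shared key, so a reply that does not verify under the NAS's key indicates a key mismatch rather than a bad password. The sketch below is an added example, not part of the original manual; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply as a RADIUS server does (RFC 2865, section 3):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def diagnose_reply(reply, request_auth, nas_secret):
    """Classify a captured reply using the shared key configured on the NAS."""
    if len(reply) < 20:
        return "malformed: shorter than the 20-byte RADIUS header"
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "malformed: bad Length field"
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + nas_secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        # The NAS silently discards such a reply, so the login times out or fails.
        return "shared key mismatch: Response Authenticator does not verify"
    name = CODES.get(code, f"code {code}")
    return f"{name}: shared key matches"

# Constructed sample data (not taken from a real capture).
REQUEST_AUTH = bytes(range(16))        # Request Authenticator the NAS sent
REPLY_MSG = b"\x12\x0aRejected"        # Reply-Message attribute (type 18, length 10)
NAS_KEY = b"nas-side-key"              # hypothetical key configured on the NAS

if __name__ == "__main__":
    same = build_reply(3, 7, REQUEST_AUTH, REPLY_MSG, NAS_KEY)
    other = build_reply(3, 7, REQUEST_AUTH, REPLY_MSG, b"server-side-key")
    print(diagnose_reply(same, REQUEST_AUTH, NAS_KEY))   # check user/password next
    print(diagnose_reply(other, REQUEST_AUTH, NAS_KEY))  # fix the shared key first
```

An Access-Reject that verifies points to causes 3 or 4 (user or password); a reply that fails verification points to cause 5.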
Symptom 2: RADIUS packets cannot reach the RADIUS server.
Analysis:
1 The communication link between the NAS and the RADIUS server is down (at the physical layer and data link layer).
2 The NAS is not configured with the IP address of the RADIUS server.
3 The UDP ports for authentication/authorization and accounting are not correct.
Solution:
Check that:
1 The communication links between the NAS and the RADIUS server work well at both physical and link layers.
2 The IP address of the RADIUS server is correctly configured on the NAS.
3 UDP ports for authentication/authorization/accounting configured on the NAS are the same as those configured on the RADIUS server.