Troubleshooting Aaa; Troubleshooting Radius Configuration - H3C S3100 8C SI Operation Manual

Operation Manual – AAA
H3C S3100 Series Ethernet Switches
III. Configuration procedure
# Add a Telnet user.
(Omitted here)
# Configure a HWTACACS scheme.
<Sysname> system-view
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[Sysname-hwtacacs-hwtac] key authentication aabbcc
[Sysname-hwtacacs-hwtac] key authorization aabbcc
[Sysname-hwtacacs-hwtac] user-name-format without-domain
[Sysname-hwtacacs-hwtac] quit
# Configure the domain name of the HWTACACS scheme to hwtac.
[Sysname] domain hwtacacs
[Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac

2.6 Troubleshooting AAA

2.6.1 Troubleshooting RADIUS Configuration

The RADIUS protocol operates at the application layer in the TCP/IP protocol suite.
This protocol prescribes how the switch and the RADIUS server of the ISP exchange
user information with each other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
The user name is not in the userid@isp-name or userid.isp-name format, or the
default ISP domain is not correctly specified on the switch — Use the correct user
name format, or set a default ISP domain on the switch.
The user is not configured in the database of the RADIUS server — Check the
database of the RADIUS server, make sure that the configuration information
about the user exists.
The user input an incorrect password — Be sure to input the correct password.
The switch and the RADIUS server have different shared keys — Compare the
shared keys at the two ends, make sure they are identical.
The switch cannot communicate with the RADIUS server (you can determine by
pinging the RADIUS server from the switch) — Take measures to make the switch
communicate with the RADIUS server normally.
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
2-36
Chapter 2 AAA Configuration