3 Troubleshooting Functional Failures During Operation
3.3.3 Login authentication using RADIUS/TACACS+ is not possible
If a login cannot be authenticated by using RADIUS or TACACS+, check the following:
1. Communication with the RADIUS or TACACS+ server
Use the ping command to check if a connection from the Switch to the RADIUS or
TACACS+ server has been established. If a connection has not been established,
see 3.6.1 Communication is not possible or is disconnected. If a local address is
specified in the configuration, use the ping command from the local address to make
sure that a connection from the Switch to the RADIUS or TACACS+ server has been
established.

2. Settings for the timeout value and the number of retries
For RADIUS authentication, depending on the radius-server host,
radius-server timeout, and radius-server retransmit configuration command
settings, the maximum length of time required by the Switch to determine that the
Switch is unable to connect to the RADIUS server is calculated as follows:
<set-response-timeout-value-(in-seconds)> × <set-number-of-retries> × <set-number-of-RADIUS-servers>.

For TACACS+ authentication, depending on the tacacs-server host and
tacacs-server timeout configuration command settings, the maximum length of
time required by the Switch to determine that the Switch is unable to connect to the
TACACS+ server is calculated as follows:
<set-response-timeout-value-(in-seconds)> × <set-number-of-TACACS+-servers>.

If the time increases significantly, an application on a remote terminal, such as Telnet,
might have terminated due to a timeout. If this happens, change the RADIUS or
TACACS+ configuration settings or the timeout setting of an application running on a
remote terminal. In addition, Telnet or FTP might have failed even when a message
indicating successful RADIUS or TACACS+ authentication is output to the operation
log. In this case, an application running on a remote terminal might time out before
the application can connect to a running RADIUS or TACACS+ server of those
servers you specified in the configuration. Change the settings so that a running
RADIUS or TACACS+ server takes precedence, or decrease the value of
<response-timeout-value-(in-seconds)> × <number-of-retries>.

3. Action to take when a login to the Switch is not possible
If you cannot log in to the Switch due to, for example, incorrect settings, log in from
the console and modify the settings. If login authentication has also been
implemented on the console by the aaa authentication login console
configuration command, perform a default restart and then log in.

Default restart
Push and hold the RESET button for at least five seconds.

Take care when performing a default restart. A startup due to the default restart does
not perform authentication by password, authentication when changing to
administrator mode (enable command), or command authorization. The specified
password takes effect after the Switch restarts.