Management and Configuration Guide K/KA/KB.15.15

RADIUS server fails to respond to a request for service, even though the server's IP address is
correctly configured in the switch
Use show radius to verify that the encryption key (RADIUS secret key) the switch is using is
correct for the server being contacted. If the switch has only a global key configured, it either must
match the server key or you must configure a server-specific key. If the switch already has a
server-specific key assigned to the server's IP address, it overrides the global key and must match
the server key.
Figure 198 Displaying encryption keys
HP Switch(config)# show radius

 Status and Counters - General RADIUS Information

  Deadtime(min) : 0
  Timeout(secs) : 5
  Retransmit Attempts : 3
  Global Encryption Key : My-Global-Key
  Dynamic Authorization UDP Port : 3799

                  Auth Acct DM/ Time
  Server IP Addr  Port Port CoA Window Encryption Key
  --------------- ---- ---- --- ------ ---------------
  10.33.18.119    1812 1813            119-only-key
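The key-precedence rule above, as an added example that is not part of the HP guide: Python that reads saved show radius output by column offset, works out which key the switch will actually use for each server, and reports servers where that key differs from the secret set on the RADIUS server. The sample output, the 10.33.18.120 row, and the names effective_keys and mismatches are assumptions made for illustration.

```python
import hmac
import re

# Constructed sample in the layout of Figure 198; the 10.33.18.120 row is
# an added, constructed server with no server-specific key.
SAMPLE = """\
 Status and Counters - General RADIUS Information

  Global Encryption Key : My-Global-Key
  Dynamic Authorization UDP Port : 3799

                  Auth Acct DM/ Time
  Server IP Addr  Port Port CoA Window Encryption Key
  --------------- ---- ---- --- ------ ---------------
  10.33.18.119    1812 1813            119-only-key
  10.33.18.120    1812 1813
"""

def effective_keys(show_radius):
    """Map each server IP to (key the switch will use, 'server' or 'global')."""
    m = re.search(r"Global Encryption Key\s*:[ \t]*(.*)", show_radius)
    global_key = m.group(1).strip() if m else ""
    lines = show_radius.splitlines()
    # The dashed ruler fixes the column offsets, so blank CoA and Window
    # cells cannot shift the key into the wrong field.
    ruler = next(i for i, text in enumerate(lines)
                 if re.fullmatch(r"\s*-+( +-+)+\s*", text))
    cols = [c.span() for c in re.finditer(r"-+", lines[ruler])]
    result = {}
    for line in lines[ruler + 1:]:
        ip = line[cols[0][0]:cols[0][1]].strip()
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
            continue
        key = line[cols[-1][0]:].strip()  # last column runs to end of line
        # A server-specific key overrides the global key.
        result[ip] = (key, "server") if key else (global_key, "global")
    return result

def mismatches(show_radius, server_secrets):
    """Return (ip, key source) for servers whose effective key is wrong."""
    bad = []
    for ip, (key, source) in effective_keys(show_radius).items():
        expected = server_secrets.get(ip)  # secret as set on the RADIUS server
        if (not key or expected is None or
                not hmac.compare_digest(key.encode(), expected.encode())):
            bad.append((ip, source))
    return bad
```

A result such as ("10.33.18.119", "server") means the server-specific key is the one to correct; "global" means the server is relying on the global key.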
Also, ensure that the switch port used to access the RADIUS server is not blocked by an 802.1X
configuration on that port. For example, show port-access authenticator <port-list>
gives you the status for the specified ports. Also, ensure that other factors, such as port security or
any 802.1X configuration on the RADIUS server, are not blocking the link.
The authorized MAC address on a port that is configured for both 802.1X and port security either
changes or is re-acquired after execution of aaa port-access authenticator
<port-list> initialize
If the port is force-authorized with the aaa port-access authenticator <port-list>
control authorized command and port security is enabled on the port, then executing
initialize causes the port to clear the learned address and learn a new address from the first
packet it receives after you execute initialize.
A trunked port configured for 802.1X is blocked
If you are using RADIUS authentication and the RADIUS server specifies a VLAN for the port, the
switch allows authentication, but blocks the port. To eliminate this problem, either remove the port
from the trunk or reconfigure the RADIUS server to avoid specifying a VLAN.
QoS-related problems
Loss of communication when using VLAN-tagged traffic
If you cannot communicate with a device in a tagged VLAN environment, ensure that the device
either supports VLAN tagged traffic or is connected to a VLAN port that is configured as Untagged.
RADIUS-related problems
The switch does not receive a response to RADIUS authentication requests
In this case, the switch attempts authentication using the secondary method configured for the type
of access you are using (console, Telnet, or SSH).