H3C S7500 Series Ethernet Switches Operation Manual
Operation Manual – AAA & RADIUS & HWTACACS & EAD
H3C S7500 Series Ethernet Switches
Chapter 1 AAA & RADIUS & HWTACACS
Configuration
[H3C-isp-hwtacacs] scheme hwtacacs-scheme hwtac
1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration
1.8.1 Troubleshooting the RADIUS Protocol
The RADIUS protocol is at the application layer in the TCP/IP protocol suite. This
protocol prescribes how the switch and the RADIUS server of the ISP exchange user
information with each other, so faults in the RADIUS configuration are likely.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
• The entered user name is not in the userid@isp-name format, or no default ISP
  domain is specified on the switch — Use the correct user name format, or set a
  default ISP domain on the switch.
• The user is not configured in the database of the RADIUS server — Check the
  database of the RADIUS server; verify that the configuration information about the
  user exists.
• The user entered an incorrect password — Verify that the correct password is entered.
• The switch and the RADIUS server have different shared keys — Compare the
  shared keys at the two ends and verify that they are identical.
• The switch cannot communicate with the RADIUS server (you can check this by
  pinging the RADIUS server from the switch) — Restore normal communication
  between the switch and the RADIUS server.
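The shared-key mismatch listed above can be confirmed from a packet capture: per RFC 2865, the server signs each reply with MD5 over the reply, the Request Authenticator and the shared key, and a reply that fails this check is silently discarded by the client. The following is an added example, not part of the manual; the key values and packet bytes are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS reply the way a server does (RFC 2865, section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def check_shared_key(response, request_auth, secret):
    """Return True if `response` was signed with `secret`.

    Response Authenticator =
        MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    if len(response) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        raise ValueError("Length field does not match the packet")
    packet = response[:length]  # octets beyond Length are padding
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample data (not taken from any real device or capture).
REQUEST_AUTH = bytes(range(16))          # authenticator sent in the request
SERVER_KEY = b"server-side-key"          # key configured on the RADIUS server
SWITCH_KEY_TYPO = b"server-side-kev"     # key mistyped on the switch
REPLY_MESSAGE = bytes([18, 4]) + b"ok"   # attribute 18 (Reply-Message), length 4
ACCESS_ACCEPT = build_response(2, 7, REQUEST_AUTH, REPLY_MESSAGE, SERVER_KEY)

if __name__ == "__main__":
    print("same key :", check_shared_key(ACCESS_ACCEPT, REQUEST_AUTH, SERVER_KEY))
    print("typo key :", check_shared_key(ACCESS_ACCEPT, REQUEST_AUTH, SWITCH_KEY_TYPO))
```

A result of False for the key configured on the switch means the two ends hold different shared keys, even though the server accepted the user.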
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
• The communication links (physical/link layer) between the switch and the RADIUS
  server are disconnected/blocked — Take measures to make the links
  connected/unblocked.
• No RADIUS server IP address, or an incorrect one, is set on the switch — Be sure
  to set a correct RADIUS server IP address.
• One or all AAA UDP port settings are incorrect — Be sure to set the same UDP
  port numbers as those on the RADIUS server.
Symptom 3: The user passes the authentication and gets authorized, but the
accounting information cannot be transmitted to the RADIUS server.
Possible reasons and solutions:
• The accounting port number is not properly set — Be sure to set a correct port
  number for RADIUS accounting.
• The switch requests that both the authentication/authorization server and the
  accounting server use the same device (with the same IP address), but in fact they