Delivering HWTACACS User Authentication Address Fails

Publication Date: 2012-07-27
Issue Description

As shown in Figure 12-4, users must pass HWTACACS authentication to obtain IP addresses.

Figure 12-4  Networking of HWTACACS authentication


After the configurations are complete, a valid remote user, namely user001@userdomain, should obtain an IP address from the NAS through PPP address negotiation. However, no address for delivery is configured on the corresponding interface of the NAS. In this case, the NAS assigns an IP address to the user according to the authorization address configured on the HWTACACS server.

Alarm Information
None.
Handling Process
  1. Check whether the remote user can communicate with the NAS when the HWTACACS server is not used. This determines whether there are problems in the communications between the NAS and the HWTACACS server.
  2. Access the NAS through Telnet. The results show that there are no problems in the communications between the NAS and the HWTACACS server. This indicates that there may be a problem with the delivered address.
  3. Check whether the address to be delivered is correctly set in the configuration of the HWTACACS server.
Root Cause
  • Check whether the IP address can be delivered when the NAS delivers an IP address to the remote user directly on an interface without using the authorization addresses of the HWTACACS server. If the address is delivered successfully, it indicates that there may be problems in the communications between the NAS and the HWTACACS server.
  • Access the NAS as a Telnet user and use the HWTACACS server to perform authentication and authorization. If the address is delivered successfully, it indicates that there are no problems in the communications between the NAS and the HWTACACS server. The IP addresses delivered by the HWTACACS server after authorization may be incorrect.
  • The check results show that the IP address delivered by the HWTACACS server is not in the same network segment as the IP address of the NAS. Change the IP address segment to be delivered by the HWTACACS server and make sure that it is in the same network segment as the IP address of the NAS.
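The network-segment check from the last item can be run against exported authorization profiles before users report failures. The following is an added example, not part of the original case or of any Huawei tool. It assumes the server's authorization data is available as TACACS+-style attribute-value pairs with an addr attribute; the NAS address, the profiles and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the original case): the NAS interface
# address and per-user authorization attribute-value pairs.
NAS_INTERFACE = "10.1.1.1/24"
AUTHZ_PROFILES = {
    "user001@userdomain": ["service=ppp", "protocol=ip", "addr=10.2.1.10"],
    "user002@userdomain": ["service=ppp", "protocol=ip", "addr=10.1.1.20"],
    "user003@userdomain": ["service=ppp", "protocol=ip", "addr=10.1.1.255"],
    "user004@userdomain": ["service=ppp", "protocol=ip", "addr=10.1.1.1"],
    "user005@userdomain": ["service=ppp", "protocol=ip", "addr=10.1.1.300"],
    "user006@userdomain": ["service=ppp", "protocol=ip"],
}


def check_authorized_addr(nas_interface, av_pairs):
    """Return (ok, reason) for the addr attribute of one authorization profile."""
    nas = ipaddress.ip_interface(nas_interface)
    attrs = dict(p.split("=", 1) for p in av_pairs if "=" in p)
    raw = attrs.get("addr")
    if raw is None:
        return False, "no addr attribute in profile"
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return False, f"addr {raw!r} is not a valid IP address"
    if addr.version != nas.version:
        return False, "address family differs from NAS interface"
    if addr not in nas.network:
        return False, f"{addr} is outside NAS segment {nas.network}"
    if addr == nas.ip:
        return False, f"{addr} duplicates the NAS interface address"
    if addr in (nas.network.network_address, nas.network.broadcast_address):
        return False, f"{addr} is the network or broadcast address"
    return True, f"{addr} is a usable host in {nas.network}"


def audit(nas_interface, profiles):
    """Map each user to the (ok, reason) result of check_authorized_addr."""
    return {u: check_authorized_addr(nas_interface, av) for u, av in profiles.items()}


if __name__ == "__main__":
    for user, (ok, reason) in audit(NAS_INTERFACE, AUTHZ_PROFILES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {user}: {reason}")
```

In the constructed data, user001@userdomain reproduces the fault in this case: the authorized address lies outside the NAS segment.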
Suggestions

In this case, the replacement method is used to quickly locate the fault.

If no problem occurs when the HWTACACS server is not used, it indicates that there are problems with the HWTACACS server. If the user can access the NAS through Telnet, the fault can be located quickly without checking each phase.

Experienced engineers are advised to use the replacement method to quickly locate faults.
