RADIUS Authentication issue on S5720 and ACS

Publication Date: 2017-08-28
Issue Description

The customer ran the following test on the switch, and it succeeded:

<HUAWEI> test-aaa user1 userkey radius-template default chap

The customer also verified connectivity:

1. Between the switch and the RADIUS server;
2. Between the end device and the switch;
3. Between the end device and the RADIUS server.

However, SSH login with a RADIUS account fails unless the customer also configures the RADIUS user as an SSH user on the switch. For example:
ssh user guest1
ssh user guest1 authentication-type all
ssh user guest1 service-type all

The user guest1 is configured in ACS. Without the above configuration, guest1 cannot log in. Configuring every ACS user on the switch is not a practical option.

Alarm Information

May  3 2017 09:51:42+02:00 Huawei2121 %%01SSH/4/SSH_FAIL(s)[0]:Failed to login through SSH. (IP=10.0.0.43, VpnInstanceName= , UserName=guest1, Times=1, FailedReason=User password authentication failed)

Handling Process

The RADIUS server IP and AAA settings in the current configuration were checked, and everything was OK.

#
radius-server template default
 radius-server shared-key cipher %^%#!U,JNdTepXt"1|Q90QQ4n,#hN;7;i#QH1aHF#%g9%^%#
 radius-server authentication 10.0.0.10 1812 weight 80
 undo radius-server user-name domain-included
radius-server authorization 10.0.0.10 shared-key cipher %^%#9R.f@>|dV:xcz+6b1O7CoH,^Lw4t'9)iZ+(l6iR/%^%#
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
  authentication-mode radius local
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
  authorization-scheme default
  radius-server default
 domain default_admin
  authentication-scheme default
 undo local-user admin
 local-user system password irreversible-cipher %^%#_pjs)vz'NXD6(&#gC9V2W&81P{ZCdX-wLO%Wu+S%Vuc45)bY:J2Ka!SH<[QV%^%#
 local-user system privilege level 15
 local-user system service-type ssh
#

Root Cause

May  3 2017 09:51:42+02:00 Huawei2121 %%01SSH/4/SSH_FAIL(s)[0]:Failed to login through SSH. (IP=10.0.0.43, VpnInstanceName= , UserName=guest1, Times=1, FailedReason=User password authentication failed)

The ssh authentication-type default password command is missing from the configuration.

To configure password authentication for multiple SSH users, run the ssh authentication-type default password command to specify password authentication as the default authentication mode of SSH users. After this configuration is complete, you do not need to configure the authentication mode and service type for each SSH user, simplifying configuration and improving efficiency.

Solution

Configuring the ssh authentication-type default password command solved the issue.
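The check behind this case, written out as an added example (not Huawei tooling and not part of the original case): it parses the SSH_FAIL log line and tests a saved configuration for either the default SSH authentication type or a per-user ssh user entry. The function names and the trimmed sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample: the AAA part of the configuration shown above, secrets omitted.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme default
  authentication-mode radius local
 domain default
  authentication-scheme default
  radius-server default
"""

# Log line as shown in the Alarm Information section.
SAMPLE_LOG = (
    "May  3 2017 09:51:42+02:00 Huawei2121 %%01SSH/4/SSH_FAIL(s)[0]:"
    "Failed to login through SSH. (IP=10.0.0.43, VpnInstanceName= , "
    "UserName=guest1, Times=1, FailedReason=User password authentication failed)"
)

SSH_FAIL = re.compile(
    r"SSH_FAIL.*?IP=(?P<ip>[^,]+),.*?UserName=(?P<user>[^,]+),"
    r".*?FailedReason=(?P<reason>[^)]+)\)"
)

def parse_ssh_fail(line):
    """Return ip/user/reason from an SSH_FAIL log line, or None."""
    m = SSH_FAIL.search(line)
    return m.groupdict() if m else None

def audit(config):
    """Collect the settings this case turns on (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines()]
    return {
        "uses_radius": any(re.match(r"authentication-mode\b.*\bradius\b", l) for l in lines),
        "default_password": "ssh authentication-type default password" in lines,
        "per_user_ssh": sorted({m.group(1) for l in lines
                                if (m := re.match(r"ssh user (\S+)", l))}),
    }

def diagnose(config, log_line):
    """Relate one failed SSH login to the configuration gap described above."""
    ev, cfg = parse_ssh_fail(log_line), audit(config)
    if not ev or "password authentication failed" not in ev["reason"]:
        return "not an SSH password failure"
    if cfg["default_password"] or ev["user"] in cfg["per_user_ssh"]:
        return "SSH authentication type is set; check the RADIUS side"
    if cfg["uses_radius"]:
        return f"{ev['user']}: missing 'ssh authentication-type default password'"
    return "no RADIUS authentication-mode found"
```

Running diagnose(SAMPLE_CONFIG, SAMPLE_LOG) reports the missing command for guest1; appending the ssh authentication-type default password line to the configuration changes the result.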


  
  
  
  
  
  
  
  
  
  
  
 

 
 

