FAQ: How to Troubleshoot Denied RADIUS Authentication on the MA5200

Publication Date: 2012-07-27
Issue Description
Q: How do I troubleshoot RADIUS authentication being denied on the MA5200?
Alarm Information
Null
Handling Process
A:
A RADIUS authentication denial means that, after the MA5200 sends a RADIUS authentication request, it receives a response packet from the RADIUS server with code=3, which indicates that the authentication request was denied. Typical debugging output is as follows:
* [0.7287560-] RDS-8-02033000:                                                  
  Radius Sent a Packet                                                          
  Server Group: 2                                                               
  Server IP   : 10.164.45.213                                                   
  Protocol: Standard                                                            
  Code    : 1                                                                   
  Len     : 279                                                                 
  ID      : 0                                                                   
  [User-name(1)                       ] [12] [user@huawei]                       
  [Challenge-Password(3)] [19] [013936cee9bc74a5350eb8e121a09711c2]                                                                               
  [CHAP-Challenge(60)] [18] [aa4558e27d60d01785eb07c6203c7b0d] 
  [NAS-Port(5)                        ] [6 ] [4096]                             
  [Service-Type                       ] [6 ] [2]                                
  [Framed-Protocol(7)                 ] [6 ] [1]                                
  [Calling-Station-Id(31)             ] [19] [00:06:5b:6c:aa:f9]                
  [NAS-Identifier(32)                 ] [9 ] [MA5200F]                          
  [NAS-Port-Type(61)                  ] [6 ] [15]                               
  [NAS-Port-Id(87)] [34] [slot=0;subslot=0;port=1;vlanid=0] 
  [NAS-Startup-Timestamp(26-59)       ] [6 ] [1091697485]                       
  [Ip-Host-Addr(26-60)] [35] [255.255.255.255 00:06:5b:6c:aa:f9]
  [Connect_ID(26-26)                  ] [6 ] [0]                                
  [Version(26-254)] [58] [Huawei SmartAX MA5200 Software Version 2.10 RELEASE 7127]
  [Domain-name(26-138)                ] [7 ] [huawei]                            
  [NAS-IP-Address(4)                  ] [6 ] [10.164.45.42]                     
 
\\ The MA5200 receives an explicit denial packet (code=3) as soon as it sends the authentication request.
* [0.7287570-] RDS-8-02033000:                                                  
  Radius Recieved a Packet                                                      
  Server Group: 2                                                               
  Server IP   : 10.164.45.213                                                   
  Server Port : 1645                                                            
  Protocol: Standard                                                            
  Code    : 3                                                                   
  Len     : 36                                                                  
  ID      : 0                                                                   
  [Reply-Message(18)                  ] [14] [Access Limit]
The typical trace information on denial of authentication is as follows:
  --[2004/8/5 11:20:46-][   AAA][0006-5b6c-aaf9]:Send authentication request to RADIUS successfully(UserID = 0)                                                 
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]: Receive authen message from AAA  successfully                                                                 
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]:Send Auth req packet to radius server successfully(IP:10.164.45.213,Port:1645,ID:0 )                           
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]:Receive Auth reject packet from radius server successfully(IP:10.164.45.213,Port:1645,ID:0 )                   
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]:Send authen reject to AAA successfully                                                                         
 
Root Cause
Null
Suggestions
\\ The trace information clearly shows that a denial message was received from RADIUS, and that authentication failed because RADIUS denied it.
 --[2004/8/5 11:20:46-][   AAA][0006-5b6c-aaf9]:Receive authentication reject from RADIUS successfully(UserID = 0)                                             
  --[2004/8/5 11:20:46-][   AAA][0006-5b6c-aaf9]:Fail to authentication because reject by RADIUS server(UserID = 0, Code = 743)
The problem is easy to troubleshoot. When RADIUS denies a request, it returns an explicit reason in RADIUS attribute number 18, named Reply-Message. In the debugging output it is printed in the following format:
  [Reply-Message(18)                  ] [14] [Access Limit]
The text returned in this attribute is the reason for the denial. For instance, Access Limit above means that an access limit was reached, that is, the maximum number of users that can be online at the same time through the same VLAN and the same account. In general, the denial reason helps to troubleshoot the problem.
Note: The reply messages returned by different RADIUS servers differ to some extent. If you have questions about a denial message, contact the vendor of the RADIUS equipment.
When RADIUS denies a user's authentication, the RADIUS server may return the denial without a reason. For instance:
  [Reply-Message(35)] [14] [RADIUS reject without any reasons]
This message indicates that no reason was given for the RADIUS denial. If this occurs, contact the RADIUS equipment vendor for help in troubleshooting. Only the RADIUS vendor knows why RADIUS denied the request and can help solve the problem.
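The following Python script is an added example, not part of the original FAQ or of any Huawei tool. It parses debug output in the format shown above, pairs each code=3 reply with its request by server IP and packet ID, and returns the user name together with the Reply-Message reason. The function names are assumptions; attributes are matched by name, not by the number in parentheses.

```python
import re

# Packet-dump header; the device output spells "Recieved" this way.
HDR = re.compile(r"Radius (Sent|Recieved|Received) a Packet")
FIELD = re.compile(r"^\s*(Server IP|Code|ID)\s*:\s*(\S+)")
# Attribute line: [Name(number)] [length] [value]; the number is optional.
ATTR = re.compile(r"^\s*\[\s*([\w-]+)(?:\([\d-]+\))?\s*\]\s*\[\s*\d+\s*\]\s*\[(.*)\]\s*$")

def parse_packets(text):
    """Split debug output into one dict per RADIUS packet dump."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            cur = {"dir": "sent" if m.group(1) == "Sent" else "received", "attrs": {}}
            packets.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
        elif cur is not None and (m := ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2)
    return packets

def find_rejects(text):
    """Return (user, server, reason) for each code=3 reply, paired by (server IP, ID)."""
    pending, rejects = {}, []
    for p in parse_packets(text):
        key = (p.get("Server IP"), p.get("ID"))
        if p["dir"] == "sent" and p.get("Code") == "1":
            pending[key] = p["attrs"].get("User-name")
        elif p["dir"] == "received" and p.get("Code") == "3":
            rejects.append((pending.pop(key, None), key[0], p["attrs"].get("Reply-Message")))
    return rejects

# Abridged from the debug output on this page.
SAMPLE = """\
* [0.7287560-] RDS-8-02033000:
  Radius Sent a Packet
  Server IP   : 10.164.45.213
  Code    : 1
  ID      : 0
  [User-name(1)                       ] [12] [user@huawei]
* [0.7287570-] RDS-8-02033000:
  Radius Recieved a Packet
  Server IP   : 10.164.45.213
  Code    : 3
  ID      : 0
  [Reply-Message(18)                  ] [14] [Access Limit]
"""
if __name__ == "__main__":
    print(find_rejects(SAMPLE))
```

A reject whose request is not in the captured output is reported with the user as `None`, and a reject that carries no Reply-Message attribute is reported with the reason as `None`.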
