Wrong configuration of NE80E results in RADIUS authentication being unable to switch between the primary and secondary servers

Publication Date: 2012-09-13
Issue Description
The NE80E uses primary/secondary RADIUS servers to authenticate users who log in. The configuration is as follows:
radius-server template wgzx1
radius-server shared-key sxnoc
radius-server authentication 218.xx.xxx.9 1812 source LoopBack 0
radius-server authentication 218.xx.xxx.8 1812 secondary
aaa
authentication-scheme default
  authentication-mode  radius  local
domain default
  radius-server wgzx1
user-interface vty 0 4
acl 2010 inbound
authentication-mode aaa
The user reports that after the RADIUS server goes down, RADIUS authentication can no longer be used to log on to the equipment.
Alarm Information
none
Handling Process
Change the configuration on the NE80E so that LoopBack0 is used as the source for messages sent to the RADIUS servers; users can then log on with their RADIUS accounts. The configuration after the change is:
radius-server template wgzx1
radius-server shared-key sxnoc
radius-server authentication 218.26.127.9 1812 source LoopBack 0
radius-server authentication 218.26.127.8 1812 source LoopBack 0 secondary
Check the status of the RADIUS servers; the status is state-up. The output of disp radius-server confi is as follows:
  Server-template-name             :  wgzx1
  Protocol-version                 :  standard
  Traffic-unit                     :  B
  Shared-secret-key                :  sxnoc
  Timeout-interval(in second)      :  5
  Primary-authentication-server    :  218.xx.xxx.9:1812:LoopBack0
  Primary-accounting-server        :  0.0.0.0:0:LoopBack0
  Secondary-authentication-server  :  218.xx.xxx.8:1812:LoopBack0
  Secondary-accounting-server      :  0.0.0.0:0:LoopBack0
  Retransmission                   :  3
  Domain-included                  :  NO
Root Cause
Check the RADIUS configuration. The NE80E uses LoopBack-1 as the source when it sends authentication messages to the secondary RADIUS server.
[ne80e]disp radius-server confi
Server-template-name             :  2
Protocol-version                 :  standard
Traffic-unit                     :  B
Shared-secret-key                :  huawei
Timeout-interval(in second)      :  5
Primary-authentication-server    :  218.xx.xxx.9:1812:LoopBack0
Primary-accounting-server        :  0.0.0.0:0:LoopBack0
Secondary-authentication-server  :  218.xx.xxx.8:1812:LoopBack-1
Secondary-accounting-server      :  0.0.0.0:0:LoopBack0
Retransmission                   :  3
Domain-included                  :  YES
Check the status of the RADIUS servers in hidden command mode; both the primary and secondary servers are found to be down.
[ne80e-hidecmd]disp radius-server item tem wgzx1
  Type       = auth-server
  State      = state-down
  AlarmFlag  = false
  STUseNum   = 1
  IPAddress  = 218.xx.xxx.9
  Type       = auth-server
  State      = state-down
  AlarmFlag  = false
  STUseNum   = 1
  IPAddress  = 218.xx.xxx.8
We asked the user and learned that 218.xx.xxx.8, as the IP address of the primary equipment, can log on normally. The command manual states that if no source address is specified when the RADIUS server is configured, the message is sent to the RADIUS server from the address of the interface. The RADIUS server uses the LoopBack0 address to identify the equipment when the equipment information is added, and it treats messages from any other source address as illegal, so it does not respond. At this point, the backup status is down on the NE80E.
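A check for the root cause above, as an added example that is not part of the original case: it parses output in the layout of disp radius-server confi and reports every configured server whose source interface differs from the one the RADIUS server expects. The sample output, the template names "before" and "after" and the 192.0.2.x addresses are constructed; LoopBack0 as the expected source is taken from this case.

```python
# Constructed sample in the layout of the display output on this page;
# template names and 192.0.2.x addresses are made up for the example.
SAMPLE = """\
[ne80e]disp radius-server confi
  Server-template-name             :  before
  Primary-authentication-server    :  192.0.2.9:1812:LoopBack0
  Primary-accounting-server        :  0.0.0.0:0:LoopBack0
  Secondary-authentication-server  :  192.0.2.8:1812:LoopBack-1
  Secondary-accounting-server      :  0.0.0.0:0:LoopBack0
  Server-template-name             :  after
  Primary-authentication-server    :  192.0.2.9:1812:LoopBack0
  Secondary-authentication-server  :  192.0.2.8:1812:LoopBack0
"""

def parse_templates(text):
    """Return one dict of field -> value per Server-template-name block."""
    templates = []
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # prompt lines and blanks carry no "field : value"
        key, val = key.strip(), val.strip()
        if key == "Server-template-name":
            templates.append({})
        if templates:
            templates[-1][key] = val
    return templates

def split_server(value):
    """Split 'ip:port:source-interface' from the right."""
    ip, port, source = value.rsplit(":", 2)
    return ip, int(port), source

def source_mismatches(text, expected_source="LoopBack0"):
    """List (template, field, ip, source) for servers not using expected_source."""
    findings = []
    for tpl in parse_templates(text):
        for field, raw in tpl.items():
            if not field.endswith("-server"):
                continue
            ip, port, source = split_server(raw)
            if ip == "0.0.0.0":
                continue  # server slot not configured
            if source != expected_source:
                findings.append((tpl["Server-template-name"], field, ip, source))
    return findings

if __name__ == "__main__":
    for finding in source_mismatches(SAMPLE):
        print("source mismatch:", finding)
```

Running the check after every change to a radius-server template catches a secondary server left without an explicit source before the primary fails and the fallback is needed.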
Suggestions
none
