RADIUS Authentication of FTP Users Fails

Publication Date: 2012-07-27
Issue Description

As shown in Figure 12-3, FTP users must pass RADIUS authentication to access the NAS.

Figure 12-3  Networking of RADIUS authentication


After the configurations are complete, the legitimate remote user user001@userdomain is denied access to the NAS through FTP. RADIUS authentication is enabled on the NAS.

Alarm Information
None.
Handling Process
  1. Check whether user login information is available on the RADIUS server.
  2. If there is no user login information on the RADIUS server, run the debugging radius packet command on the NAS to enable RADIUS debugging and check whether the NAS sends authentication request packets.
  3. If the NAS does not send authentication request packets, check the AAA and RADIUS server template configurations on the NAS so that the RADIUS authentication request packets sent by the NAS upon user login can be observed.
  4. If there is still no user login information on the RADIUS server, check the address and port configurations on the RADIUS server. Ensure that the RADIUS server and the NAS can ping each other and that the port configuration is the same as that in the RADIUS server template on the NAS.
  5. After the NAS and the RADIUS server can communicate, check the RADIUS server to find out why the authentication fails. The possible causes are as follows:
    • The NAS address is not added.

    • The shared key set on the NAS is incorrect.

    • The user name is incorrect.

    • The passwords are not identical.

  6. If the authentication succeeds but the authorization fails, check whether the corresponding authorization information is configured on the RADIUS server for the user.
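
Added example (not part of the original case or the vendor's documentation): why an incorrect shared key in step 5 shows up on the RADIUS server as a password mismatch. It implements the User-Password hiding and Response Authenticator calculations from RFC 2865; the function names, keys, password and Request Authenticator are constructed for illustration.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """NAS side: User-Password hiding, RFC 2865 section 5.2 (MD5 is fixed by the protocol)."""
    size = max(16, -(-len(password) // 16) * 16)      # pad with NULs to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's own copy of the shared key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def simulate_login(nas_key: bytes, server_key: bytes, typed_pw: bytes, stored_pw: bytes):
    """Return (reply code, whether the NAS can validate the reply) for one login."""
    req_auth = bytes(range(16))                       # constructed; random on a real NAS
    seen = recover_password(hide_password(typed_pw, nas_key, req_auth), server_key, req_auth)
    code = 2 if hmac.compare_digest(seen, stored_pw) else 3   # 2 Access-Accept, 3 Access-Reject
    sent = response_authenticator(code, 1, req_auth, b"", server_key)
    expected = response_authenticator(code, 1, req_auth, b"", nas_key)
    return code, hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    key, pw = b"constructed-shared-key", b"Constructed-Pw-1"   # constructed sample values
    print("keys match, password right:", simulate_login(key, key, pw, pw))
    print("keys match, password wrong:", simulate_login(key, key, b"typo", pw))
    print("shared key mismatch       :", simulate_login(key, b"other-key", pw, pw))
```

With mismatched keys the server recovers a garbled password and rejects a correct login, and the NAS cannot validate the reply either, so compare the shared key on both sides before resetting the user's password.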
Root Cause
  • The check results show that there is no user login information on the RADIUS server. This indicates that there is no communication between the NAS and the RADIUS server and that there may be problems in the NAS configurations.
  • Run the debugging radius packet command in the NAS user view to enable the RADIUS debugging. Check whether output information is available.
  • Check the AAA configurations. Check whether the RADIUS server template is configured for the userdomain domain. Configure the RADIUS server template correctly and then display the debugging information on the NAS to check whether reply packets are received.
  • Check whether the authentication port configured on the RADIUS server is the same as that configured in the RADIUS server template on the NAS.
  • Check whether the password configured on the RADIUS server is the same as that on the NAS.
  • Check whether the RADIUS server delivers the FTP directory attribute. That is, display the configurations of user001 to check whether the delivered FTP directory attribute is added.
Suggestions

If RADIUS authentication fails, perform the following steps to solve the problem:

  1. Check whether the NAS and the RADIUS server can communicate with each other.

  2. Check whether the authentication succeeds.

  3. Check whether the authorization succeeds.

Check the debugging information on the NAS and the output on the RADIUS server to locate the fault.
