Mismatch between the NAS-IP and the address bound on the RADIUS server causes S9300 RADIUS authentication failure

Publication Date: 2012-10-23
Issue Description
S9300 version information:
V100R001C02B125+V100R001C02SPH007
Topology:
PC------middle network-----S9300-------IP bearer network ------Radius Server
Failure:
RADIUS authentication fails on the S9300.
Alarm Information
NULL
Handling Process
1. Testing shows that the S9300 can ping the RADIUS server with no packet loss, so the route is reachable.
2. Check the configuration, as follows:
<WZ-CX-S9312-1>display radius-server configuration  
  -------------------------------------------------------------------          
  Server-template-name             :  system                                   
  Protocol-version                 :  standard                                 
  Traffic-unit                     :  B                                        
  Shared-secret-key                :  wzwg                                     
  Timeout-interval(in second)      :  5                                        
  Primary-authentication-server    :  60.12.128.82:1645:LoopBack-1  
  Primary-accounting-server        :  0.0.0.0:0:LoopBack0                      
  Secondary-authentication-server  :  0.0.0.0:0:LoopBack0  
  Secondary-accounting-server      :  0.0.0.0:0:LoopBack0      
  Retransmission                   :  3                                        
  Domain-included                  :  NO                                       
  -------------------------------------------------------------------
<WZ-CX-S9312-1>display domain default                                          
  -------------------------------------------------------------------          
  Domain-name                     : default                                    
  Domain-state                    : Active                                     
  Authentication-scheme-name      : default                                    
  Accounting-scheme-name          : default                                    
  Authorization-scheme-name       : default                                    
  Web-IP-address                  : -                                          
  Primary-DNS-IP-address          : -                                          
  Second-DNS-IP-address           : -                                          
  Primary-NBNS-IP-address         : -                                          
  Second-NBNS-IP-address          : -                                          
  Idle-data-attribute (time,flow) : 0, 60                                      
  User-access-limit               : 384                                        
  Online-number                   : 2                                          
  RADIUS-server-template          : system                                     
  HWTACACS-server-template        : -                                          
  -------------------------------------------------------------------
3. Enable RADIUS packet debugging on the S9300. The device sends packets with code=1, but no code=2 or code=3 packet is returned.
<WZ-CX-S9312-1>debug radius packet 
*0.4031110899 WZ-CX-S9312-1 RDS/7/debug2:                                      
  Radius Sent a Packet                                                         
  Server Template: 0                                                           
  Server IP   : 60.12.128.82                                                   
  Protocol: Standard                                                           
  Code    : 1                                                                  
  Len     : 218                                                                
  ID      : 14                                                                 
…………                          
  [NAS-IP-Address(4)                  ] [6 ] [221.12.71.154]     
By default, the NAS-IP is the address of the interface on the optimal route. Here the NAS-IP is the upstream external interface address 221.12.71.154, so the suspected cause is that the NAS-IP differs between the two sides.
4. Confirm that the address bound on the RADIUS server is the loopback address of the S9300, then change the NAS-IP address of the S9300 to the loopback address. The modified configuration is as follows:
radius-server template system          
radius-server authentication 60.12.128.82 1645 source LoopBack 0
After the change, RADIUS authentication succeeds and the failure is resolved.
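The check made by hand in steps 3 and 4, as an added example that is not part of the original case: it parses a RADIUS packet (RFC 2865 layout), extracts NAS-IP-Address (attribute 4) and compares it with the addresses bound on the server. The sample packet is constructed, and 192.0.2.1 is a placeholder for the loopback address, which the case does not give.

```python
import ipaddress
import struct

# RADIUS codes and attribute type from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
NAS_IP_ADDRESS = 4

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute TLVs that follow."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}

def nas_ip(parsed: dict):
    """Return NAS-IP-Address (type 4, total length 6) as a string, or None."""
    vals = parsed["attrs"].get(NAS_IP_ADDRESS)
    if not vals or len(vals[0]) != 4:
        return None
    return str(ipaddress.IPv4Address(vals[0]))

def check_request(packet: bytes, registered_clients: set) -> str:
    """Explain whether the server's bound client addresses cover this request."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_REQUEST:
        return "not an Access-Request"
    addr = nas_ip(parsed)
    if addr in registered_clients:
        return f"NAS-IP {addr} matches a registered client"
    return f"NAS-IP {addr} is not registered; expect no code=2/3 reply"

def build_request(ident: int, nas: str) -> bytes:
    """Constructed sample: Access-Request with User-Name and NAS-IP-Address."""
    user = b"test"
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas).packed
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs
```

Calling `check_request(build_request(14, "221.12.71.154"), {"192.0.2.1"})` reproduces the state before the fix; the same call with the loopback placeholder as NAS-IP reproduces the state after it.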
Root Cause
1. Link or route problem
2. Configuration problem
3. The NAS-IP differs from the address bound on the RADIUS server
4. Device or version issue
Suggestions
RADIUS authentication configuration for the S9300:
radius-server template system                                                  
radius-server shared-key wzwg                                                 
radius-server authentication 60.12.128.82 1645 source LoopBack 0
undo radius-server user-name domain-included 

#                                                                              
aaa                                                                            
local-user wznetcom password cipher S""O/9EHNHWQ=^Q`MAF4<1!!                  
local-user wznetcom service-type ftp telnet ssh                               
local-user wznetcom level 1                                                   
local-user wznetcom ftp-directory cfcard:/                                    
authentication-scheme default                                                 
  authentication-mode  radius  local                                           
#                                                                             
authorization-scheme default                                                  
#                                                                             
accounting-scheme default                                                     
#                                                                             
domain default                                                                
  radius-server system  
 
user-interface vty 0 14
  authentication-mode aaa

END