RADIUS Authentication Fails Because an Incorrect NAS IP Address Is Bound to the RADIUS Server

Publication Date: 2012-07-27
Issue Description
S9300 version: V100R001C02B125+V100R001C02SPH007
Networking:
PC------Intermediate network-----S9300-------IP bearer network------Radius server
Problem symptom:
RADIUS authentication fails on the S9300.

Alarm Information
Null

Handling Process
1. The S9300 pings the RADIUS server successfully without packet loss, so the route to the server is reachable.
2. The configuration is as follows:
<WZ-CX-S9312-1>display radius-server configuration
-------------------------------------------------------------------
Server-template-name : system
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : wzwg
Timeout-interval(in second) : 5
Primary-authentication-server : 60.12.128.82:1645:LoopBack-1
Primary-accounting-server : 0.0.0.0:0:LoopBack0
Secondary-authentication-server : 0.0.0.0:0:LoopBack0
Secondary-accounting-server : 0.0.0.0:0:LoopBack0
Retransmission : 3
Domain-included : NO
-------------------------------------------------------------------
<WZ-CX-S9312-1>display domain default
-------------------------------------------------------------------
Domain-name : default
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name : default
Web-IP-address : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Idle-data-attribute (time,flow) : 0, 60
User-access-limit : 384
Online-number : 2
RADIUS-server-template : system
HWTACACS-server-template : -
-------------------------------------------------------------------
The authentication scheme, RADIUS server template, and domain are configured correctly.
3. Enable RADIUS packet debugging on the S9300. Only Access-Request packets (code 1) are sent to the server; no Access-Accept (code 2) or Access-Reject (code 3) response is ever received.
<WZ-CX-S9312-1>debug radius packet
*0.4031110899 WZ-CX-S9312-1 RDS/7/debug2:
Radius Sent a Packet
Server Template: 0
Server IP : 60.12.128.82
Protocol: Standard
Code : 1
Len : 218
ID : 14
…………
[NAS-IP-Address(4) ] [6 ] [221.12.71.154]
By default, the NAS IP address is taken from the outbound interface of the best route towards the server. The debug output shows that the NAS-IP-Address attribute, that is, the address of the uplink outbound interface, is 221.12.71.154. It is inferred that this address does not match the NAS address registered on the RADIUS server. A RADIUS server only processes requests from NAS clients it has registered (by IP address and shared secret) and silently discards all others, which explains why no code 2 or code 3 packet comes back.
4. It is confirmed that the RADIUS server has the S9300 registered under its loopback address. Therefore, the source address of RADIUS packets, and with it the NAS IP address, is changed to the loopback address. The changed configuration is as follows:
radius-server template system
radius-server authentication 60.12.128.82 1645 source LoopBack 0
After the change, RADIUS authentication succeeds and the problem is solved.

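As an added illustration that is not part of the original case, the Python below builds a minimal Access-Request carrying NAS-IP-Address(4) and applies the client lookup a RADIUS server performs on the packet's source address before doing anything else. The client table and the loopback address 10.0.0.1 are assumptions, since the page does not give the S9300's LoopBack0 address.

```python
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes seen in the debug trace
NAS_IP_ADDRESS = 4                                        # attribute type 4, "NAS-IP-Address(4)"

# Constructed client table: the page does not give the S9300's LoopBack0 address,
# so 10.0.0.1 stands in for the loopback address registered on the RADIUS server.
CLIENTS = {"10.0.0.1": b"wzwg"}


def build_access_request(ident, nas_ip):
    """Build a minimal Access-Request (code 1) carrying only NAS-IP-Address(4)."""
    attrs = struct.pack("!BB4s", NAS_IP_ADDRESS, 6, IPv4Address(nas_ip).packed)
    authenticator = os.urandom(16)                       # Request Authenticator, 16 random octets
    header = struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), authenticator)
    return header + attrs


def parse_packet(packet):
    """Return (code, id, {attr_type: raw_value}) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs


def server_disposition(packet, src_ip, clients=CLIENTS):
    """Server-side client check. RFC 2865 requires a request from a source with no
    configured shared secret to be silently discarded, so the NAS sees no code 2 or 3
    reply at all, which is exactly what 'debug radius packet' showed on the S9300."""
    if src_ip not in clients:
        return "silently discarded: unknown NAS %s" % src_ip
    code, ident, attrs = parse_packet(packet)
    nas_ip = str(IPv4Address(attrs[NAS_IP_ADDRESS]))
    return "processed: code=%d id=%d NAS-IP-Address=%s" % (code, ident, nas_ip)


if __name__ == "__main__":
    # Before the fix: sourced from the uplink interface 221.12.71.154 (from the page).
    print(server_disposition(build_access_request(14, "221.12.71.154"), "221.12.71.154"))
    # After "source LoopBack 0": sourced from the constructed loopback address.
    print(server_disposition(build_access_request(14, "10.0.0.1"), "10.0.0.1"))
```
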
Root Cause
The following possible causes were considered; cause 3 was confirmed in the handling process above:
1. The link is faulty or the route is unreachable.
2. The configuration is incorrect.
3. An incorrect NAS IP address of the S9300 is bound to the RADIUS server: the address the S9300 sources its requests from does not match the client address registered on the server.
4. The S9300 is faulty or the version is incorrect.

Suggestions
The recommended S9300 RADIUS authentication configuration is as follows; the "source LoopBack 0" keyword pins the source address and NAS IP address of RADIUS packets to the loopback address registered on the server:
radius-server template system
radius-server shared-key wzwg
radius-server authentication 60.12.128.82 1645 source LoopBack 0
undo radius-server user-name domain-included

#
aaa
local-user wznetcom password cipher S""O/9EHNHWQ=^Q`MAF4<1!!
local-user wznetcom service-type ftp telnet ssh
local-user wznetcom level 1
local-user wznetcom ftp-directory cfcard:/
authentication-scheme default
authentication-mode radius local
#
authorization-scheme default
#
accounting-scheme default
#
domain default
radius-server system

user-interface vty 0 14
authentication-mode aaa