Management users cannot log in to the S9300 switch after the upgrade from V100R001C02B125 to V100R002C00SPC200

Publication Date: 2012-12-13
Issue Description
The S9300 on the live network runs V100R001C02B125, and login to the device uses RADIUS authentication first and then local authentication. After the device is upgraded to V100R002C00SPC200, users cannot log in through either the console port or remote Telnet. After the user name and password are entered, the device reports an authentication failure, as follows:
Username:cmcc
Password:
Error: Failed to authenticate.
Alarm Information
None.
Handling Process
After the RADIUS server binding is added in the domain, users can log in to the device normally. The cause was confirmed: the default authentication domain for login users differs between the two versions, which is why login fails after the upgrade.
On some networks, device login may rely on RADIUS authentication. Before upgrading such devices, prepare for the differences between versions to avoid trouble.
Root Cause
1. Other devices that use the same authentication method can log in, so a failure of the RADIUS authentication system is ruled out.
2. The login name and password were confirmed to match those on the RADIUS server, and it was found that the RADIUS server did not receive the login account and password information from the device. This means the device is probably not entering the RADIUS authentication process.
3. The device displays the error message quickly after the password is entered, which also shows that the device is not waiting for a RADIUS response to time out (which takes a certain amount of time) before falling back to local authentication. This differs from what the device's existing network configuration is expected to do.
4. A careful comparison of the device configuration before and after the upgrade shows a small difference in the AAA section. Before the upgrade, login users were authenticated by default in the default domain. After the upgrade there is an additional default-admin domain, and the problem is suspected to be related to this change. (See the attachment for the configuration.)
5. It was verified that the default authentication domain for management users does change across the upgrade. The new authentication domain is default-admin. No RADIUS server is bound to this domain and no user information is configured, so login users fail local authentication.
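The before/after comparison in steps 4 and 5 can be scripted as an upgrade check. The following is an added example, not part of the original case or of Huawei's tooling; the sample configurations are constructed, and the template name rd1 and scheme name radius_local are hypothetical.

```python
import re

# Constructed pre-upgrade config (not the page's attachment). "rd1" and
# "radius_local" are hypothetical names; "default-admin" is spelled as on this page.
BEFORE = """\
aaa
 authentication-scheme radius_local
  authentication-mode radius local
 domain default
  authentication-scheme radius_local
  radius-server rd1
#
"""
# Constructed post-upgrade config: same, plus an empty default-admin domain.
AFTER = BEFORE.replace("#\n", " domain default-admin\n#\n")

def aaa_domains(config):
    """Return {domain: {"scheme": ..., "radius": ...}} parsed from the aaa view."""
    domains, current, in_aaa = {}, None, False
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 0:                  # a top-level line opens or closes the aaa view
            in_aaa, current = (text == "aaa"), None
        elif not in_aaa:
            continue
        elif indent == 1:                # aaa-level statement; only "domain X" matters
            m = re.fullmatch(r"domain (\S+)", text)
            current = m.group(1) if m else None
            if current:
                domains[current] = {"scheme": None, "radius": None}
        elif current:                    # statement nested inside a domain
            m = re.fullmatch(r"(authentication-scheme|radius-server) (\S+)", text)
            if m:
                key = "scheme" if m.group(1) == "authentication-scheme" else "radius"
                domains[current][key] = m.group(2)
    return domains

def upgrade_findings(before, after):
    """List (domain, 'new'|'existing', radius_missing) for domains needing review."""
    old, new = aaa_domains(before), aaa_domains(after)
    return [(name, "new" if name not in old else "existing", cfg["radius"] is None)
            for name, cfg in sorted(new.items())
            if name not in old or cfg["radius"] is None]

if __name__ == "__main__":
    for finding in upgrade_findings(BEFORE, AFTER):
        print(finding)
```

A domain reported as new with no RADIUS server bound is the condition found in step 5. The script does not determine which domain the device selects by default for management users, so that still has to be checked against the target version.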

Suggestions
None.
