Troubleshooting: Administrators' AAA Authentication Issues
- Checking Whether Pre-Configuration Tasks Are Complete
- Checking the AAA Authentication Method and Servers Used for Administrators
- FAQs About AAA Authentication
- The Administrator Cannot Enter the System View After Login or the User Level Is Incorrect
- The Administrator Logs Out Immediately After a Successful Login
- Failed to Modify a Local User
- The User Password Has Expired
- The Administrator Fails to Log In to a Switch
- Quickly Locating Causes of Login Failures
- Local Authentication Is Rejected
- Local User Name or Password Is Incorrect
- The Access Type of the Local User Does Not Match That of the Administrator Logging In to the Switch
- The Access Type of the AAA Local Authentication User Does Not Match
- Local Authentication Account Is Locked Out
- Remote Authentication Account Is Locked Out
- The RADIUS Server Does Not Respond
- The HWTACACS Server Does Not Respond
- Server Returns an Access-Reject Packet
- Value of the Login-Service Attribute Delivered by the RADIUS Server Is Incorrect
- FTP User Fails to Log In to the Switch
- SSH User Fails to Log In to the Switch (Versions Earlier than V200R011C10)
- Failed to Log In to the HSB Standby AC Through Telnet in RADIUS Authentication
- Typical Configuration
- Collecting Information
Checking Whether Pre-Configuration Tasks Are Complete
Setting the Authentication Mode for Accessing User Interfaces to AAA
- Run the display user-interface command to check whether the authentication mode for accessing user interfaces is AAA. In the command output, if the value of Auth is A, AAA authentication is used. If the authentication mode is not AAA, go to step 2.
<HUAWEI> display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           P     -
+ 34   VTY 0               -     3     3           A     -
+ 35   VTY 1               -     1     2           A     -
  ...
- Set the authentication mode for accessing user interfaces to AAA. The following uses VTY 1 as an example.
[HUAWEI] user-interface vty 1
[HUAWEI-ui-vty1] authentication-mode aaa
Configuring Protocols Supported by VTY User Interfaces
Skip this section if you log in to a switch through the console port, web system, or FTP.
By default, a VTY user interface supports user login only through SSH. To allow for both SSH and Telnet logins, you need to run the protocol inbound all command.
# Configure VTY 1 to support user logins through both SSH and Telnet.
[HUAWEI] user-interface vty 1
[HUAWEI-ui-vty1] protocol inbound all
Starting Related Services
- Check whether related services have been started. If a service is not started, go to step 2.

Table 6-4 Checking whether related services have been started

Service Type | Command
---|---
Telnet | display telnet server status
STelnet | display ssh server status
FTP/SFTP | display ftp-server
HTTP/HTTPS | display http server
- Start related services.
- The Telnet protocol poses security risks. STelnet V2 is recommended.
- The FTP protocol poses security risks. SFTP V2 is recommended for file management.
- The HTTP protocol poses security risks. You are advised to log in to the web system using HTTPS.
# Enable the Telnet server function.
[HUAWEI] telnet server enable
# Enable the STelnet server function.
[HUAWEI] stelnet server enable
# Enable the FTP server function.
[HUAWEI] ftp server enable
# Enable the SFTP server function.
[HUAWEI] sftp server enable
# Enable the HTTP server function.
[HUAWEI] http server enable
# Enable the HTTPS server function.
[HUAWEI] http secure-server enable
Checking the AAA Authentication Method and Servers Used for Administrators
Before troubleshooting AAA authentication issues for an administrator, you need to check the authentication method (remote server authentication or local authentication) and AAA servers used for the administrator as follows:
- Check the domain to which the administrator belongs.
- Check the AAA schemes bound to the domain.
- Check the authentication, authorization, and accounting modes and policies.
Checking the Domain to Which the Administrator Belongs
Determine the authentication domain to which the administrator belongs according to whether the user name contains a domain name, as described in Table 6-5.
User Name | Authentication Domain | Example
---|---|---
User name that does not contain a domain name | Global default administrative domain | If the user name is test, the administrator is authenticated in the global default administrative domain.
User name containing a domain name that has been configured on the switch | Domain in the user name | If the user name is test@huawei.com and the domain huawei.com has been configured on the switch, the administrator is authenticated in the domain huawei.com.
User name containing a domain name that is not configured on the switch | Global default administrative domain | If the user name is test@huawei.com but the domain huawei.com is not configured on the switch, the administrator is authenticated in the global default administrative domain.
By default, the global default administrative domain is default_admin. You can run either of the following commands to change it:
[HUAWEI] domain huawei admin //In this example, configure huawei as the global default administrative domain.
[HUAWEI] undo domain admin //Restore the global default administrative domain to default_admin.
You can run the display aaa configuration command to check the current global default administrative domain.
[HUAWEI] display aaa configuration
 Domain Name Delimiter            : @
 Domainname parse direction       : Left to right
 Domainname location              : After-delimiter
 Administrator user default domain: huawei //The global default administrative domain is huawei.
 Normal user default domain       : default
 ...
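The following Python function is an added example (it is not part of the switch software or of this guide) that applies the domain resolution rules in the table above, so that you can predict which domain a given login name lands in before reading the switch output. It models the Domain Name Delimiter, Domainname parse direction, and Domainname location fields shown by display aaa configuration. The interpretation of parse direction (which delimiter is used when a name contains several) and of location (which side of the delimiter holds the domain) is an assumption drawn from the field names; the domain names and user names used as input are constructed for illustration.

```python
"""Resolve the AAA authentication domain for an administrator login name.

Added example, not Huawei code. Models the three rules in the table above plus
the delimiter / parse-direction / location settings shown by
`display aaa configuration`. How parse direction and location are interpreted
is an assumption based on the field names.
"""
from dataclasses import dataclass, field


@dataclass
class AaaConfig:
    delimiter: str = "@"                         # Domain Name Delimiter
    parse_left_to_right: bool = True             # Domainname parse direction
    domain_after_delimiter: bool = True          # Domainname location
    admin_default_domain: str = "default_admin"  # Administrator user default domain
    configured_domains: set = field(default_factory=set)  # domains created with `domain`


def split_username(raw: str, cfg: AaaConfig):
    """Return (pure_user_name, domain_part); domain_part is None without a delimiter.

    Assumption: left-to-right parsing splits at the first delimiter, right-to-left
    at the last one; location decides which side of the delimiter is the domain.
    """
    if cfg.delimiter not in raw:
        return raw, None
    if cfg.parse_left_to_right:
        left, _, right = raw.partition(cfg.delimiter)
    else:
        left, _, right = raw.rpartition(cfg.delimiter)
    if cfg.domain_after_delimiter:
        return left, right
    return right, left


def resolve_admin_domain(raw: str, cfg: AaaConfig):
    """Return (authentication_domain, reason) following the rules in the table."""
    _, domain_part = split_username(raw, cfg)
    if domain_part is None:
        return cfg.admin_default_domain, "no domain in user name"
    if domain_part in cfg.configured_domains:
        return domain_part, "domain in user name is configured on the switch"
    return cfg.admin_default_domain, "domain in user name is not configured on the switch"


if __name__ == "__main__":
    # Constructed inputs: only huawei.com exists on the switch, default domain unchanged.
    cfg = AaaConfig(configured_domains={"huawei.com"})
    for name in ("test", "test@huawei.com", "test@example.com"):
        domain, why = resolve_admin_domain(name, cfg)
        print(f"{name:20} -> {domain:15} ({why})")
```

If the function returns the default administrative domain for a name that was meant to land in a configured domain, check the delimiter and location settings in display aaa configuration before suspecting the AAA server: a changed delimiter or a before-delimiter location silently sends every login to the default domain.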
Checking the AAA Schemes Bound to the Domain
After checking the domain in use, run the display domain name name command to check the AAA schemes bound to the domain.
For example, run the following command to check the AAA schemes bound to domain default_admin:
<HUAWEI> display domain name default_admin
  Domain-name                     : default_admin
  Domain-index                    : 1
  Domain-state                    : Active
  Authentication-scheme-name      : authen //Authentication scheme bound to the domain
  Accounting-scheme-name          : acc //Accounting scheme bound to the domain
  Authorization-scheme-name       : author //Authorization scheme bound to the domain
  Service-scheme-name             : sch1
  RADIUS-server-template          : radius_template //RADIUS server template bound to the domain
  Accounting-copy-RADIUS-template : -
  HWTACACS-server-template        : tacacs_template //HWTACACS server template bound to the domain
Checking the Authentication, Authorization, and Accounting Modes and Policies
After checking the AAA schemes bound to the domain, run the display authentication-scheme name, display authorization-scheme name, and display accounting-scheme name commands to check the authentication, authorization, and accounting modes and policies.
- The authentication mode none is not supported for administrators. That is, the authentication-mode none command cannot be configured in the authentication scheme view for administrators.
- By default, the authentication mode in an authentication scheme is local authentication, the authorization mode in an authorization scheme is local authorization, and the accounting mode in an accounting scheme is non-accounting.
- Accounting is not supported on the local device but supported on a remote server.
- When an accounting server and local authentication are configured, you need to run the accounting start-fail online command to configure the switch to keep users online if accounting start fails. This ensures that users can go online after local authentication is successful even if the accounting server does not respond to users' accounting requests.
- When RADIUS authentication is configured, no authorization scheme needs to be configured. If an authorization scheme is configured, it does not take effect. This is because RADIUS authentication and authorization are performed together.
- Run the following command to check the authentication mode configured in the authentication scheme authen.
<HUAWEI> display authentication-scheme authen
  Authentication-scheme-name : authen
  Authentication-method      : HWTACACS //The HWTACACS server performs authentication first.
  Authentication-method      : Local //If the HWTACACS server does not respond, local authentication is performed.
  ...
- Run the following command to check the authorization mode configured in the authorization scheme author.
<HUAWEI> display authorization-scheme author
---------------------------------------------------------------------------
  Authorization-scheme-name            : author
  Authorization-method                 : HWTACACS //The HWTACACS server performs authorization first.
  Authorization-method                 : Local //If the HWTACACS server does not respond, local authorization is performed.
  Authorization-cmd level 0            : Disabled
  Authorization-cmd level 1            : Disabled
  Authorization-cmd level 2            : Disabled
  Authorization-cmd level 3            : Disabled
  Authorization-cmd level 4            : Disabled
  Authorization-cmd level 5            : Disabled
  Authorization-cmd level 6            : Disabled
  Authorization-cmd level 7            : Disabled
  Authorization-cmd level 8            : Disabled
  Authorization-cmd level 9            : Disabled
  Authorization-cmd level 10           : Disabled
  Authorization-cmd level 11           : Disabled
  Authorization-cmd level 12           : Disabled
  Authorization-cmd level 13           : Disabled
  Authorization-cmd level 14           : Disabled
  Authorization-cmd level 15           : Enabled ( HWTACACS Local ) //Commands executed by a level-15 administrator must be authorized by the HWTACACS server. Local authorization is performed if the HWTACACS server does not respond to the authorization request.
  Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------
- Run the following command to check the accounting mode and policy configured in the accounting scheme acc.
<HUAWEI> display accounting-scheme acc
  Accounting-scheme-name              : acc
  Accounting-method                   : HWTACACS //The HWTACACS server performs accounting.
  Realtime-accounting-switch          : Disabled
  Realtime-accounting-interval(min)   : -
  Start-accounting-fail-policy        : Online //Keep users online if accounting start fails.
  Realtime-accounting-fail-policy     : Online
  Realtime-accounting-failure-retries : 3
FAQs About AAA Authentication
The Administrator Cannot Enter the System View After Login or the User Level Is Incorrect
Possible Causes
The administrator level is incorrect.
The level of the system-view command used to enter the system view is 2. The administrator can enter the system view only when the user level is greater than or equal to 2. You can run the display user-interface command to view the administrator level. The ActualPrivi field in the command output indicates the actual user level.
You can run the display access-user command, instead of the display user-interface command, to check the levels of FTP and SFTP users.
<HUAWEI> display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     15    -           P     -
+ 34   VTY 0               -     0     15          P     -
  35   VTY 1               -     15    -           P     -
  36   VTY 2               -     15    -           P     -
  37   VTY 3               -     15    -           P     -
  38   VTY 4               -     15    -           P     -
  50   VTY 16              -     0     -           -
  51   VTY 17              -     0     -           -
  52   VTY 18              -     0     -           -
  53   VTY 19              -     0     -           -
  54   VTY 20              -     0     -           -
Rules for Setting the Administrator Level
To check whether the administrator level is correct, you need to know the rules for setting the administrator level, and then check whether the administrator is authorized with the correct level according to authentication and authorization modes.
The following administrator levels are listed in descending order of priority: user level sent by the server, user level configured in the AAA domain, and user level configured in VTY mode.
The administrator level that takes effect varies according to the authentication and authorization modes:
- If non-AAA authentication (that is, non-authentication or password authentication) is used, the administrator level is the user level configured using the user privilege command in VTY mode.
- If local authentication and authorization are used, the administrator level is the local user level configured using the local-user privilege level command.
- If remote authentication and authorization are used, the following administrator levels are listed in descending order of priority:
- User level sent from the server to the switch after the authentication passes.
- User level configured using the admin-user privilege level command in the service scheme that is configured in the domain to which the user belongs.
- User level configured using the user privilege command in VTY mode.
- If both remote and local authentication and authorization are configured for a user (remote first, with local as the backup used when the server does not respond), the following administrator levels are listed in descending order of priority:
- User level sent from the server to the switch after the authentication passes.
- Local user level configured using the local-user privilege level command.
Troubleshooting Procedure for Remote Authentication and Authorization
In remote authentication and authorization scenarios, perform the following operations to check whether the administrator level is correct:
- Check whether the authentication and authorization server sends the user level to the switch.
For the RADIUS server:
The RADIUS server sends the administrator level through Huawei-Exec-Privilege (26-29) in an Access-Accept packet. The value of the administrator level is in the range from 0 to 15.
Check the Access-Accept packet captured on the server side for this attribute, or enable the debugging function on the switch and check the administrator level in the HW-Exec-Privilege field.
<HUAWEI> debugging radius all
Sep 4 2019 12:41:52.500.5+08:00 HUAWEI RDS/7/DEBUG:
  [RDS(Evt):] Receive a packet(IP:192.168.1.1,Port:1812,Code:authentication accept,ID:4 )
Sep 4 2019 12:41:52.500.6+08:00 HUAWEI RDS/7/DEBUG:
  RADIUS Received a Packet.
Sep 4 2019 12:41:52.500.7+08:00 HUAWEI RDS/7/DEBUG:
  Server Template: 0
  Server IP   : 192.168.1.1
  Server Port : 1812
  Protocol: Standard
  Code    : 2
  Len     : 32
  ID      : 4
  [HW-Exec-Privilege]  [6 ]  [15] //If this attribute exists, the administrator level is sent. Otherwise, the administrator level is not sent. The administrator level is the number in the last square brackets. In this example, the administrator level is 15.
For the HWTACACS server:
TACACS packets are encrypted. Generally, the administrator level sent by the server is determined through the debugging function. Note that the administrator level sent by the TACACS server is carried in the authorization response packet, which is different from that sent by the RADIUS server. You can check the administrator level according to the field arg1 :priv-lvl=15.
<HUAWEI> debugging hwtacacs all
Sep 4 2019 14:13:17.440.2+08:00 HUAWEI TAC/7/DEBUG:
  version:c0 type:AUTHOR_REPLY seq_no:2 flag:ENCRYPTED_FLAG session_id:0x7b6cc9a1 length:18
  status:AUTHOR_STATUS_PASS_ADD server_msg len:0 data len:0 arg_cnt:1
  arg1 len:11
  server_msg:
  data:
  arg1 :priv-lvl=15 //If this attribute exists, the administrator level is sent. Otherwise, the administrator level is not sent. In this example, the administrator level is 15.
- If the server does not send the administrator level, check whether the administrator level is configured in the domain to which the user belongs.
First, determine the domain to which the administrator belongs according to Checking the Domain to Which the Administrator Belongs. Then check whether a service scheme is bound to the domain. Finally, check whether the administrator level is configured in the service scheme.
The following uses the domain default_admin as an example. Check whether a service scheme is bound to the domain.
- If the Service-scheme-name field displays -, no service scheme is bound to the domain, so no administrator level is configured in the domain. Go to step 3.
- If the Service-scheme-name field has a value, a service scheme is bound to the domain. In this case, you need to check whether the administrator level is configured in the service scheme.
<HUAWEI> display domain name default_admin
  Domain-name                     : default_admin
  Domain-index                    : 1
  Domain-state                    : Active
  Authentication-scheme-name      : authen
  Accounting-scheme-name          : acc
  Authorization-scheme-name       : author
  Service-scheme-name             : sch1
  RADIUS-server-template          : radius_template
  Accounting-copy-RADIUS-template : -
  HWTACACS-server-template        : tacacs_template
Check whether the administrator level is configured in the service scheme.
- If the service-scheme-adminlevel field displays -, no administrator level is configured. Then go to step 3.
- If the service-scheme-adminlevel field has a value, the administrator level is configured.
<HUAWEI> display service-scheme name sch1
  service-scheme-name          : sch1
  service-scheme-primary-dns   : -
  service-scheme-secondary-dns : -
  service-scheme-adminlevel    : 15
  service-scheme-priority      : 0
  service-scheme-voicevlan     : enable
  access-limit-username-maxnum : 10
  service-scheme-qosprofile    : -
  service-scheme-idlecut       : -
- If no administrator level is configured on the server or in the domain, the user level configured using the user privilege command in VTY mode is used.
The default user level in VTY mode is 0.
For example, run the following command to check the user level configured in VTY 1 to VTY 4:
#
user-interface vty 1 4
 authentication-mode aaa
 user privilege level 15
 idle-timeout 0 0
 protocol inbound all
#
Troubleshooting Procedure for Local Authentication and Authorization
In local authentication and authorization scenarios, you can run the local-user name privilege level level command to configure the administrator level.
If privilege is not specified when a local user is created, the default user level is 0.
For example, run the following command to check the user level configured for the local user test:
<HUAWEI> display local-user username test
  The contents of local user(s):
  Password             : ****************
  State                : active
  Service-type-mask    : T
  Privilege level      : 15
  Ftp-directory        : -
  HTTP-directory       : -
  Access-limit         : Yes
  Access-limit-max     : 4294967295
  Accessed-num         : 0
  Idle-timeout         : -
  Original-password    : Yes
  Password-set-time    : 2019-09-29 14:33:48+08:00
  Password-expired     : No
  Password-expire-time : -
  Account-expire-time  : -
Troubleshooting Procedure for Remote Server and Local Authentication and Authorization
The troubleshooting procedure is similar to that in the remote authentication and authorization and local authentication and authorization scenarios. However, in this scenario local authentication and authorization are the backup of remote authentication and authorization, so the administrator cannot obtain the user level configured in the service scheme bound to the domain. Perform the following operations to determine the administrator level:
- For details, see step 1 in remote authentication and authorization scenarios.
- For details, see Troubleshooting Procedure for Local Authentication and Authorization.
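The following Python script is an added example, not code from the switch software or from this guide. It ties the two checks above together: it extracts Huawei-Exec-Privilege (vendor-specific attribute 26 carrying Huawei vendor ID 2011 and sub-attribute 29, the value the HW-Exec-Privilege debugging line reflects) from the attribute list of a RADIUS Access-Accept, and then applies the priority rules from "Rules for Setting the Administrator Level" for each authentication and authorization mode. The Access-Accept attribute bytes are constructed for the example rather than captured from a server, and the mode names passed to effective_admin_level are labels chosen for this script.

```python
"""Work out the administrator level that takes effect after login.

Added example, not Huawei code. Part 1 parses Huawei-Exec-Privilege out of a
RADIUS Access-Accept attribute list (RFC 2865 Vendor-Specific format, Huawei
vendor ID 2011, sub-attribute 29). Part 2 applies the level priority rules from
the page. The sample attribute bytes are constructed, not captured.
"""
import struct

ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011        # Huawei's IANA enterprise number
HW_EXEC_PRIVILEGE = 29         # Huawei-Exec-Privilege (26-29), integer 0..15


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute carrying a single sub-attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([ATTR_VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub


def parse_attributes(buf: bytes):
    """Yield (type, value) for each Type/Length/Value attribute in buf."""
    i = 0
    while i + 2 <= len(buf):
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield atype, buf[i + 2:i + alen]
        i += alen


def exec_privilege_from_access_accept(attrs: bytes):
    """Return the Huawei-Exec-Privilege value if the server sent one, else None."""
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue                      # some other vendor's VSA: ignore
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == HW_EXEC_PRIVILEGE:
                if len(vvalue) != 4:
                    raise ValueError("Huawei-Exec-Privilege must be a 4-byte integer")
                level = struct.unpack("!I", vvalue)[0]
                if level > 15:
                    raise ValueError("Huawei-Exec-Privilege out of range: %d" % level)
                return level
    return None


def effective_admin_level(auth_mode: str, *, server_level=None,
                          service_scheme_level=None, local_user_level=0, vty_level=0):
    """Apply the priority rules; return (level, where_it_came_from).

    auth_mode (labels chosen for this script): "non-aaa", "local", "remote",
    or "remote-then-local". Defaults mirror the page: VTY level 0, local-user level 0.
    """
    if auth_mode == "non-aaa":
        return vty_level, "user privilege level (VTY view)"
    if auth_mode == "local":
        return local_user_level, "local-user privilege level"
    if auth_mode == "remote":
        if server_level is not None:
            return server_level, "level delivered by the server"
        if service_scheme_level is not None:
            return service_scheme_level, "admin-user privilege level (service scheme)"
        return vty_level, "user privilege level (VTY view)"
    if auth_mode == "remote-then-local":
        # Local is the backup here; the service-scheme level is not consulted.
        if server_level is not None:
            return server_level, "level delivered by the server"
        return local_user_level, "local-user privilege level"
    raise ValueError("unknown auth_mode %r" % auth_mode)


# Constructed Access-Accept attribute list: Service-Type=Administrative-User (6)
# plus Huawei-Exec-Privilege=15, matching the "[HW-Exec-Privilege] [6 ] [15]" debug line.
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    bytes([ATTR_SERVICE_TYPE, 6]) + struct.pack("!I", 6)
    + build_vsa(HUAWEI_VENDOR_ID, HW_EXEC_PRIVILEGE, struct.pack("!I", 15))
)

if __name__ == "__main__":
    lvl = exec_privilege_from_access_accept(SAMPLE_ACCESS_ACCEPT_ATTRS)
    print("server sent level:", lvl)
    print(effective_admin_level("remote", server_level=lvl, service_scheme_level=3))
    print(effective_admin_level("remote", service_scheme_level=3))
    print(effective_admin_level("remote-then-local", local_user_level=15))
```

The parser deliberately ignores vendor-specific attributes from other vendors and Huawei sub-attributes other than 29, and rejects a value above 15: a server that sends a malformed or out-of-range level is a configuration fault on the server side, which is the case the procedure above tells you to look for first.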
The Administrator Logs Out Immediately After a Successful Login
Fault Symptom
Symptom 1: The following information is displayed:
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Username:test
Password:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 2.
      The current login time is 2019-09-04 19:46:48+08:00.
<HUAWEI>
Info: Receive a message from AAA of cutting user.
Symptom 2: In the display aaa online-fail-record all command output, the User online fail reason field displays Start accounting fail.
Possible Causes
There are two possible causes:
- Local authentication and accounting are configured for the administrator. However, the accounting function is not supported in local authentication. As a result, if the accounting start-fail online command is not configured in the accounting scheme, the administrator is logged out.
- In versions earlier than V200R019, both server-based authentication and local authentication are configured for the administrator; additionally, the accounting function is configured for the administrator. If the authentication server does not respond, local authentication is performed. However, the accounting function is not supported in local authentication. As a result, if the accounting start-fail online command is not configured in the accounting scheme, the administrator is logged out. V200R019 and later versions remove this limitation; that is, when local authentication is performed, the administrator can still go online even if the accounting function is configured.
Troubleshooting Procedure
- For possible cause 1, check the authentication domain of the administrator, check the accounting scheme bound to the domain, and then unbind the accounting scheme from the domain.
- For possible cause 2, check the authentication domain of the administrator, check the accounting scheme bound to the domain, and then change the policy for accounting-start failures in the accounting scheme to allowing users to go online in case of accounting-start failures.
For details about how to check the domain to which the administrator belongs and the accounting scheme bound to the domain, see Checking the AAA Authentication Method and Servers Used for Administrators.
Failed to Modify a Local User
Fault Symptom
When the local-user command is run in the AAA view to modify a local user, the message "Error: Low-level users are not allowed to create, delete, or modify high-level users." is displayed.
Possible Causes
After logging in to a device, the administrator can only view, create, modify, or delete local users of the same level or a lower level.
The administrator level can be viewed using the display user-interface command. The ActualPrivi field in the command output indicates the actual administrator level.
The level of the local user to be modified can be obtained from the configuration file using the display current-configuration | include local-user XX privilege level command.
Troubleshooting Procedure
Log in to the device as an administrator whose level is the same as or higher than that of the local user to be modified.
The User Password Has Expired
Fault Symptom
When the administrator logs in to the device, the following message is displayed:
Warning: The password is already expired.
The password needs to be changed. Change now? [Y/N]:
Possible Causes
After the password policy for local administrators is enabled using the local-aaa-user password policy administrator command, the password expiration function is enabled by default, and the default password validity period is 90 days. The password must be changed after it expires.
Troubleshooting Procedure
1. Select Y as prompted and change the password.
2. The device provides the password expiration notification function. When the password is about to expire, change the password in time.
3. The default password validity period is 90 days. You can run the password expire command to set a longer validity period, or run the password expire 0 command to configure the passwords of local administrators to never expire.
The Administrator Fails to Log In to a Switch
Quickly Locating Causes of Login Failures
Values of the User online fail reason Field | Meaning | Solution
---|---|---
Local authentication reject | Local authentication is rejected. | Local Authentication Is Rejected
Local username or password is wrong | The local user name or password is incorrect. | Local User Name or Password Is Incorrect
Unsupported access type | The access type of the local user does not match that of the administrator logging in to the switch. | The Access Type of the Local User Does Not Match That of the Administrator Logging In to the Switch
Local Authentication user block | The local authentication account is locked out. | Local Authentication Account Is Locked Out
Remote user is blocked | The remote authentication account is locked out. | Remote Authentication Account Is Locked Out
"The radius server is not reachable" or "The radius server is up but has no reply" | The RADIUS server does not respond. | The RADIUS Server Does Not Respond
"The tac authen server is not reachable" or "The tac author server is not reachable" | The HWTACACS server does not respond. | The HWTACACS Server Does Not Respond
"Radius authentication reject" or "TAC Authentication fail" | The server returns an Access-Reject packet. | Server Returns an Access-Reject Packet
Authorization data error | Authorization error. The possible cause is that the value of the Login-Service attribute delivered by the RADIUS server is incorrect. | Value of the Login-Service Attribute Delivered by the RADIUS Server Is Incorrect
Local Authentication user type not match | The access type of the AAA local authentication user does not match. | The Access Type of the AAA Local Authentication User Does Not Match
If an FTP or SSH user fails to log in, run the display aaa online-fail-record all command and check whether the output contains the User online fail reason field. If it does, locate the fault using the preceding table. If the field is not displayed, see FTP User Fails to Log In to the Switch or SSH User Fails to Log In to the Switch (Versions Earlier than V200R011C10) to troubleshoot the login failure for the FTP user or the SSH user, respectively.
Local Authentication Is Rejected
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is Local authentication reject.
Possible Causes
The local authentication password is incorrect.
Troubleshooting Procedure
Run the local-user command in the AAA view to change the password of the local user.
Local User Name or Password Is Incorrect
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is Local username or password is wrong.
Possible Causes
- The local user name does not exist.
- The local user name or password is incorrect.
Troubleshooting Procedure
- Run the display local-user username command to check whether the local user name exists.
- If the local user name does not exist, run the local-user command in the AAA view to configure a user name and password.
- If the local user name exists, go to step 2.
- Run the local-user command in the AAA view to change the user name or password.
The Access Type of the Local User Does Not Match That of the Administrator Logging In to the Switch
Fault Symptom
The User online fail reason field in the display aaa online-fail-record all command output displays Unsupported access type.
Possible Causes
The access type of the local user configured on the switch does not match the access type of the administrator logging in to the switch.
Troubleshooting Procedure
- Run the display local-user username command to check the access type of the local user configured on the switch. The Service-type-mask field in the command output indicates the access type of the local user, which can be one of the following:
- T: Telnet user.
- M: Terminal user, which usually refers to the console user.
- S: SSH user
- F: FTP user
- W: Web user
- B: IP session user
- X: 802.1X user
- A: All, indicating that all access types are available
- H: HTTP user
- D: X25-PAD user
- P: PPP user
- Combination type: For example, MH indicates either a terminal user or an HTTP user.
- Run the local-user username service-type type command in the AAA view to change the access type of the local user to that of the administrator.
The Access Type of the AAA Local Authentication User Does Not Match
Fault Symptom
The User online fail reason field in the display aaa online-fail-record all command output displays Local Authentication user type not match.
Possible Causes
The number of online users has reached the configured maximum number of VTY user interfaces, so the user logs in through one of the user interfaces reserved for the web system (VTY 16 to VTY 20), but the local user is not configured as a web user.
Troubleshooting Procedure
- Check whether the local user is a web user, that is, whether the local-user user-type netmanager command is configured in the AAA view.
- If not, run the local-user user-type netmanager command in the AAA view to configure the user as a web user.
- If so, contact technical support.
Local Authentication Account Is Locked Out
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is Local Authentication user block.
Possible Causes
The local authentication user account is locked out for a certain period because the number of consecutive password attempts within a certain period of time exceeds the configured limit.
Troubleshooting Procedure
- Run the display local-user state block command to check the locked local account.
<HUAWEI> display local-user state block
 ----------------------------------------------------------------------------
  User-name        State   AuthMask   AdminLevel   BlockTime
 ----------------------------------------------------------------------------
  test             B       T          0            2019-04-10 01:55:11-00:00
 ----------------------------------------------------------------------------
  Total 1 user(s)
- Check whether the locked local account needs to be immediately activated.
If so, run the local-user name state active command in the AAA view to activate the local account. After the local account is activated, the user needs to enter the correct user name and password for login. Otherwise, the local account will be locked out again if the number of password attempts reaches the limit.
- Run the display aaa configuration command to check whether the parameters related to the local account locking function are configured correctly.
<HUAWEI> display aaa configuration
 Domain Name Delimiter             : @
 Domainname parse direction        : Left to right
 Domainname location               : After-delimiter
 Administrator user default domain : default_admin
 Normal user default domain        : default
 Domain                            : total: 129  used: 4
 Authentication-scheme             : total: 128  used: 1
 Accounting-scheme                 : total: 128  used: 1
 Authorization-scheme              : total: 128  used: 1
 Service-scheme                    : total: 128  used: 2
 Recording-scheme                  : total: 64   used: 0
 Local-user                        : total: 1000 used: 8
 Local-user block retry-interval   : 5 Min(s) //Indicates the retry interval, which is 5 minutes by default.
 Local-user block retry-time       : 3 //Indicates the maximum number of consecutive incorrect password attempts, which is 3 by default.
 Local-user block time             : 5 Min(s) //Indicates the account lockout duration, which is 5 minutes by default.
 ...
If the parameters are configured incorrectly, run the local-aaa-user wrong-password command in the AAA view to modify the parameters.
Remote Authentication Account Is Locked Out
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is Remote user is blocked.
Possible Causes
The remote authentication user account is locked out for a certain period because the number of consecutive password attempts within a certain period of time exceeds the configured limit.
Solution
- Run the display remote-user authen-fail blocked command to check the locked remote authentication account.
<HUAWEI> display remote-user authen-fail blocked
  Interval: Retry Interval(Mins)
  TimeLeft: Retry Time Left
  BlockDuration: Block Duration(Mins)
 ---------------------------------------------------------------------------------------------------------
  Username         Interval   TimeLeft   BlockDuration   BlockTime                   UserType
 ---------------------------------------------------------------------------------------------------------
  www@test         0          0          65414           2018-04-23 17:22:09+08:00   administrator
 ---------------------------------------------------------------------------------------------------------
  Total 1, 1 printed
- Check whether the locked remote account needs to be immediately activated.
If so, run the remote-user authen-fail unblock command in the AAA view to activate the remote account. After the remote account is activated, the user needs to enter the correct user name and password for login. Otherwise, the remote account will be locked out again if the number of password attempts reaches the limit. If the remote account does not need to be activated, go to step 3.
- Run the display aaa configuration command to check whether the parameters related to the remote account locking function are configured correctly.
<HUAWEI> display aaa configuration
 Domain Name Delimiter                  : @
 Domainname parse direction             : Left to right
 Domainname location                    : After-delimiter
 Administrator user default domain      : default_admin
 Normal user default domain             : default
 Domain                                 : total: 129  used: 4
 Authentication-scheme                  : total: 128  used: 1
 Accounting-scheme                      : total: 128  used: 1
 Authorization-scheme                   : total: 128  used: 1
 Service-scheme                         : total: 128  used: 2
 Recording-scheme                       : total: 64   used: 0
 Local-user                             : total: 1000 used: 8
 Remote-admin-user block retry-interval : 5 Min(s)   //Indicates the retry interval, which is 5 minutes by default.
 Remote-admin-user block retry-time     : 30         //Indicates the maximum number of consecutive incorrect password attempts, which is 30 by default.
 Remote-admin-user block time           : 5 Min(s)   //Indicates the account lockout duration, which is 5 minutes by default.
 ...
If the parameters are configured incorrectly, run the remote-aaa-user authen-fail command (for versions earlier than V200R019C00) or the administrator remote authen-fail command (for V200R019C00 and later versions) in the AAA view to modify the parameters.
In versions earlier than V200R019C00, the remote-aaa-user authen-fail command enables the remote account locking function and controls the account locking function for both administrators and access users in remote authentication. In V200R019C00 and later versions, the administrator remote authen-fail command is only used to configure the account locking function for administrators in remote authentication.
The RADIUS Server Does Not Respond
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is The radius server is not reachable or The radius server is up but has no reply.
Possible Causes
If the RADIUS server does not respond, run the debugging radius all command to identify the possible causes.
- If the Receive a illegal packet(Authenticator error), please check share key config field is displayed in the debugging radius all command output, the possible cause is as follows: the shared key configured on the RADIUS server is inconsistent with that configured on the switch.
<HUAWEI> debugging radius all
Sep 4 2019 19:30:01.330.1+08:00 HUAWEI RDS/7/DEBUG: [RDS(Err):] Receive a illegal packet(Authenticator error), please check share key config.(ip:192.168.1.1 port:1812)
Sep 4 2019 19:30:06.320.1+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Packet resend timeout. (IP=192.168.1.1, Code=authentication request, ID=0)
Sep 4 2019 19:30:06.320.2+08:00 HUAWEI RDS/7/DEBUG: [RDS(Err):] Pkt Send err: Send count full (Src Msg=authentication request)
Sep 4 2019 19:30:06.320.3+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Send a msg(Send Fail).
Sep 4 2019 19:30:06.320.4+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Authen sever up, no reply
- If the Authen sever up, no reply and Packet resend timeout fields are displayed in the debugging radius all command output, the possible causes are as follows:
- The IP address of the switch is not added to the RADIUS server or the added IP address is incorrect.
- The link between the RADIUS server and the switch is faulty. For example, a firewall deployed on the intermediate network blocks the port numbers (default authentication port 1812 and accounting port 1813) of the RADIUS server.
<HUAWEI> debugging radius all
Sep 4 2019 16:35:33.0.1+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Packet resend timeout. (IP=192.168.1.1, Code=authentication request, ID=3)
Sep 4 2019 16:35:33.0.2+08:00 HUAWEI RDS/7/DEBUG: [RDS(Err):] Pkt Send err: Send count full (Src Msg=authentication request)
Sep 4 2019 16:35:33.0.3+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Send a msg(Send Fail).
Sep 4 2019 16:35:33.0.4+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Authen sever up, no reply
Troubleshooting Procedure
When the shared key configured on the RADIUS server is inconsistent with that configured on the switch:
Run the radius-server shared-key cipher key-string command in the RADIUS server template view to configure a shared key on the switch. Configure a shared key on the RADIUS server. Ensure that the shared key configured on the RADIUS server is the same as that configured on the switch.
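The check behind the Receive a illegal packet(Authenticator error) message, as an added Python example that is not part of the original page: a NAS verifies every RADIUS reply by recomputing its Response Authenticator with its own copy of the shared key, so a reply signed with a different key is discarded before its contents are trusted. The secrets, identifiers and packets below are constructed for the demonstration.

```python
"""Verify a RADIUS reply against the shared key (RFC 2865, section 3).

Added example, not the switch's code. The Response Authenticator of an
Access-Accept, Access-Reject or Access-Challenge must equal
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
so a reply from a server holding a different secret never verifies.
All secrets and packets in this file are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV (type, length incl. header, value)."""
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(identifier: int, attrs: bytes) -> bytes:
    """Client side: Access-Request with a fresh random Request Authenticator."""
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs),
                       os.urandom(16)) + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5 over the reply header fields, the request's authenticator and the secret."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: sign a reply to `request` with the server's copy of the secret."""
    _, identifier, _, request_auth = HEADER.unpack_from(request)
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return HEADER.pack(code, identifier, HEADER.size + len(attrs), auth) + attrs


def classify_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """Client side: the verdict a NAS reaches before it trusts a reply."""
    if len(reply) < HEADER.size:
        return "illegal packet (truncated header)"
    code, identifier, length, auth = HEADER.unpack_from(reply)
    if length < HEADER.size or length > len(reply):
        return "illegal packet (bad Length field)"
    _, request_id, _, request_auth = HEADER.unpack_from(request)
    if identifier != request_id:
        return "illegal packet (Identifier does not match the outstanding request)"
    attrs = reply[HEADER.size:length]  # bytes beyond Length are padding, ignored
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, auth):  # constant-time comparison
        return "illegal packet (Authenticator error), please check share key config"
    return CODE_NAMES.get(code, f"unknown code {code}")


def demo():
    """One request, answered once with a matching secret and once with a mismatch."""
    nas_secret = b"constructed-switch-secret"
    request = build_access_request(7, attribute(1, b"test"))  # User-Name = test
    good = build_reply(ACCESS_ACCEPT, request, b"", nas_secret)
    bad = build_reply(ACCESS_ACCEPT, request, b"", b"constructed-server-secret")
    return classify_reply(request, good, nas_secret), classify_reply(request, bad, nas_secret)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```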
Perform the following troubleshooting procedure if other faults occur.
- Check whether the IP address of the switch is added to the RADIUS server or whether the added IP address is correct.
The IP address of the switch added to the RADIUS server must be the source IP address of the authentication request packets sent by the switch. The source IP address can be configured using a command in the RADIUS server template view. If the source IP address is not configured, the default value is used. That is, the IP address of the outbound interface for authentication request packets is used as the source IP address. To check the source IP address, perform the following steps:
- Run the display radius-server configuration template name command to check whether the source IP address is configured using the corresponding command. The Source IP field in the command output indicates the source IP address.
- If the field is found in the output, the source IP address is configured using the corresponding command. Ensure that the source IP address configured on the RADIUS server is the same as that in the command output.
- If the field is not found in the output, the default value is used as the source IP address. Go to step 2 to check the specific value.
<HUAWEI> display radius-server configuration template test_template
 ------------------------------------------------------------------------------
 Server-template-name           : test_template
 Protocol-version               : standard
 Traffic-unit                   : B
 Shared-secret-key              : %^%#bc<!/;OBSWm[r"*.7LDG+S@fC8VLL"2ul$Gje-lM%^%#
 Group-filter                   : class
 Timeout-interval(in second)    : 5
 Retransmission                 : 3
 EndPacketSendTime              : 3
 Dead time(in minute)           : 5
 Domain-included                : Original
 NAS-IP-Address                 : -
 Calling-station-id MAC-format  : xxxx-xxxx-xxxx
 Called-station-id MAC-format   : XX-XX-XX-XX-XX-XX
 NAS-Port-ID format             : New
 Service-type                   : -
 NAS-IPv6-Address               : ::
 Server algorithm               : master-backup
 Detect-interval(in second)     : 60
 Authentication Server 1        : 192.168.1.1  Port:1812  Weight:80  [UP]
                                  Vrf:-  LoopBack:NULL  Vlanif:NULL
                                  Source IP: 192.168.1.101
 Accounting Server 1            : 192.168.1.1  Port:1813  Weight:80  [UP]
                                  Vrf:-  LoopBack:NULL  Vlanif:NULL
                                  Source IP: ::
 ------------------------------------------------------------------------------
- If the default value is used as the source IP address, that is, the IP address of the outbound interface for authentication request packets, you need to check the routing table for the source IP address. For example, assume that the IP address of the RADIUS server is 192.168.1.1, and the next-hop address in the routing table is 192.168.1.101, which can be used as the source IP address of the authentication request packets. Ensure that the IP address configured on the RADIUS server is the same as the next-hop address.
<HUAWEI> display ip routing-table 192.168.1.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    192.168.1.0/24  Direct  0    0           D   192.168.1.101   Vlanif4094
- If the IP address of the switch configured on the RADIUS server is correct, analyze packets on both the switch and RADIUS server to check whether the intermediate link is faulty. The possible link failure is that a firewall deployed on the intermediate network blocks the port numbers (default authentication port 1812 and accounting port 1813) of the RADIUS server.
The HWTACACS Server Does Not Respond
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is The tac authen server is not reachable or The tac author server is not reachable.
Possible Causes
If the HWTACACS server does not respond, run the debugging hwtacacs all and debugging aaa all commands to identify the possible causes.
- If the Failed to check the authentication reply packet. Maybe the shared key of the device and the server is dismatch field is displayed in the debugging hwtacacs all command output, the possible cause is as follows: the shared key configured on the HWTACACS server is inconsistent with that configured on the switch.
<HUAWEI> debugging hwtacacs all
Sep 4 2019 19:37:56.860.2+08:00 HUAWEI TACACS/7/Event:statistics: transmit flag: RECVPACKET, server flag: authentication, packet flag: 0x62
Sep 4 2019 19:37:56.860.3+08:00 HUAWEI TACACS/7/Event:Failed to check the authentication reply packet. Maybe the shared key of the device and the server is dismatch. Please check the server's log and configuration.
Sep 4 2019 19:37:56.860.4+08:00 HUAWEI TACACS/7/Event:Tac Receive incomplete message or wrong message.
Sep 4 2019 19:38:01.130.2+08:00 HUAWEI TACACS/7/Event:statistics: transmit flag: NORESPONSE, server flag: authentication, packet flag: 0xff
Sep 4 2019 19:38:01.130.3+08:00 HUAWEI TACACS/7/Event:Session is timeout when waiting for server's response.
Sep 4 2019 19:38:01.130.4+08:00 HUAWEI TACACS/7/Event:No useful authentication server. (GroupIndex=0)
Sep 4 2019 19:38:01.130.5+08:00 HUAWEI TACACS/7/Event:TAC find server [NoReply]: TemplateNum =0, ServerIpAddr =192.168.1.1
Sep 4 2019 19:38:01.130.6+08:00 HUAWEI TACACS/7/Event:Can not find a valid server when receive AuthenResponese packet Timeout.
- If the TACACSAuthenNoReply field is displayed in the debugging aaa all command output, the possible causes are as follows:
- The IP address of the switch is not added to the HWTACACS server or the added IP address is incorrect.
- The link between the HWTACACS server and the switch is faulty. For example, a firewall deployed on the network between them blocks the port number (49 by default) of the HWTACACS server.
<HUAWEI> debugging aaa all Sep 4 2019 16:46:05.450.2+08:00 HUAWEI AAA/7/DEBUG: AAA_MAIN initiate TACACSAuthenNoReply event to AAA_AUTHEN module. CID:8 Result:0 Info:2388178836
Troubleshooting Procedure
When the shared key configured on the HWTACACS server is inconsistent with that configured on the switch:
Run the hwtacacs-server shared-key cipher key-string command in the HWTACACS server template view to configure a shared key on the switch. Configure a shared key on the HWTACACS server. Ensure that the shared key configured on the HWTACACS server is the same as that configured on the switch.
Perform the following troubleshooting procedure if other faults occur.
- Check whether the IP address of the switch is added to the HWTACACS server or whether the added IP address is correct.
The IP address of the switch added to the HWTACACS server must be the source IP address of the authentication request packets sent by the switch. The source IP address can be configured using a command in the HWTACACS server template view. If the source IP address is not configured, the default value is used. That is, the IP address of the outbound interface for authentication request packets is used as the source IP address. To check the source IP address, perform the following steps:
- Run the display hwtacacs-server template name command to check whether the source IP address is configured using the corresponding command. The Source-LoopBack and Source-IP-address fields in the command output indicate the source IP address.
- If the fields are found in the output, the source IP address is configured using the corresponding command. Ensure that the source IP address configured on the HWTACACS server is the same as that in the command output.
- If the fields are not found in the output, the default value is used as the source IP address. Go to step 2 to check the specific value.
<HUAWEI> display hwtacacs-server template template0
 ---------------------------------------------------------------------------
 HWTACACS-server template name          : template0
 Primary-authentication-server          : 10.1.1.1:49  Vrf:-  Status:UP
 Primary-authentication-ipv6-server     : -:0  Vrf:-  Status:-
 Primary-authorization-server           : -:0  Vrf:-  Status:-
 Primary-authorization-ipv6-server      : -:0  Vrf:-  Status:-
 Primary-accounting-server              : -:0  Vrf:-  Status:-
 Primary-accounting-ipv6-server         : -:0  Vrf:-  Status:-
 Secondary-authentication-server        : -:0  Vrf:-  Status:-
 Secondary-authentication-ipv6-server   : -:0  Vrf:-  Status:-
 Secondary-authorization-server         : -:0  Vrf:-  Status:-
 Secondary-authorization-ipv6-server    : -:0  Vrf:-  Status:-
 Secondary-accounting-server            : -:0  Vrf:-  Status:-
 Secondary-accounting-ipv6-server       : -:0  Vrf:-  Status:-
 Third-authentication-server            : -:0  Vrf:-  Status:-
 Third-authentication-ipv6-server       : -:0  Vrf:-  Status:-
 Third-authorization-server             : -:0  Vrf:-  Status:-
 Third-authorization-ipv6-server        : -:0  Vrf:-  Status:-
 Third-accounting-server                : -:0  Vrf:-  Status:-
 Third-accounting-ipv6-server           : -:0  Vrf:-  Status:-
 Current-authentication-server          : 10.1.1.1:49  Vrf:-  Status:UP
 Current-authentication-ipv6-server     : -:0  Vrf:-  Status:-
 Current-authorization-server           : -:0  Vrf:-  Status:-
 Current-authorization-ipv6-server      : -:0  Vrf:-  Status:-
 Current-accounting-server              : -:0  Vrf:-  Status:-
 Current-accounting-ipv6-server         : -:0  Vrf:-  Status:-
 Source-IP-address                      : -
 Source-LoopBack                        : -
 Source-IPv6-address                    : -
 IPv6 Source-LoopBack                   : -
 Shared-key                             : -
 Quiet-interval(min)                    : 5
 Response-timeout-Interval(sec)         : 5
 Domain-included                        : Original
 Traffic-unit                           : B
 ---------------------------------------------------------------------------
- If the default value is used as the source IP address, that is, the IP address of the outbound interface for authentication request packets, you need to check the routing table for the source IP address. For example, assume that the IP address of the HWTACACS server is 192.168.1.1, and the next-hop address in the routing table is 192.168.1.101, which can be used as the source IP address of the authentication request packets. Ensure that the IP address configured on the HWTACACS server is the same as the next-hop address.
<HUAWEI> display ip routing-table 192.168.1.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    192.168.1.0/24  Direct  0    0           D   192.168.1.101   Vlanif4094
- If the IP address of the switch configured on the HWTACACS server is correct, analyze packets on both the switch and HWTACACS server to check whether the intermediate link is faulty. The possible link failure is that a firewall deployed on the intermediate network blocks the port number (49 by default) of the HWTACACS server.
HWTACACS packet characteristics:
- HWTACACS packets are encrypted and can be decrypted using Wireshark.
Method: Open Wireshark, click Edit, Preferences, Protocols, and TACACS+, and set TACACS+ Encryption Key.
Enter the shared key configured on the device to decrypt TACACS+ packets.
- HWTACACS packets are TCP packets. The server-side port number is 49, and the device-side port number is a random value.
- The following example configures traffic statistics collection on a switch so that the HWTACACS requests and replies on the link can be counted. (For details, see the product documentation.)
#
hwtacacs-server template srv
 hwtacacs-server authentication 192.89.17.8
 hwtacacs-server authorization 192.89.17.8
 hwtacacs-server shared-key cipher %$%$;0b:ETMF-'ObI+Qjhy9%Tof]%$%$
 undo hwtacacs-server user-name domain-included
#
acl number 3333
 rule 5 permit tcp source 192.89.9.171 0 destination 192.89.17.8 0 destination-port eq tacacs
 rule 10 permit tcp source 192.89.17.8 0 source-port eq tacacs destination 192.89.9.171 0
#
traffic classifier 1 operator or
 if-match acl 3333
#
traffic behavior 1
 statistic enable
#
traffic policy 1
 classifier 1 behavior 1
#
interface Vlanif201
 ip address 192.89.9.171 255.255.255.0
#
interface GigabitEthernet6/0/1
 port link-type trunk
 port trunk pvid vlan 201
 port trunk allow-pass vlan 100 201
 traffic-policy 1 inbound
 traffic-policy 1 outbound
#
ip route-static 192.89.17.8 255.255.255.255 192.89.9.172
#
- Check outbound traffic statistics.
<S12708_31_31> display traffic policy statistics interface GigabitEthernet 6/0/1 outbound verbose rule-base
 Interface: GigabitEthernet6/0/1
 Traffic policy outbound: 1
 Rule number: 2
 Current status: success
 Statistics interval: 300
 ---------------------------------------------------------------------
 Classifier: 1 operator or
 Behavior: 1
 Board : 6
  rule 5 permit tcp source 192.89.9.171 0 destination 192.89.17.8 0 destination-port eq tacacs (match-counter 0)
 ---------------------------------------------------------------------
  Passed   | Packets:     4     //The device sends an HWTACACS request.
           | Bytes:       256
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
  Dropped  | Packets:     0
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
  rule 10 permit tcp source 192.89.17.8 0 source-port eq tacacs destination 192.89.9.171 0 (match-counter 0)
 ---------------------------------------------------------------------
  Passed   | Packets:     0
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
  Dropped  | Packets:     0
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
- Check inbound traffic statistics.
<S12708_31_31> display traffic policy statistics interface GigabitEthernet 6/0/1 inbound verbose rule-base
 Interface: GigabitEthernet6/0/1
 Traffic policy inbound: 1
 Rule number: 2
 Current status: success
 Statistics interval: 300
 ---------------------------------------------------------------------
 Classifier: 1 operator or
 Behavior: 1
 Board : 6
  rule 5 permit tcp source 192.89.9.171 0 destination 192.89.17.8 0 destination-port eq tacacs (match-counter 0)
 ---------------------------------------------------------------------
  Passed   | Packets:     0
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
  Dropped  | Packets:     0
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
  rule 10 permit tcp source 192.89.17.8 0 source-port eq tacacs destination 192.89.9.171 0 (match-counter 0)
 ---------------------------------------------------------------------
  Passed   | Packets:     0     //No response is received from the HWTACACS server.
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
  Dropped  | Packets:     0
           | Bytes:       0
           | Rate(pps):   0
           | Rate(bps):   0
 ---------------------------------------------------------------------
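What Wireshark does with the TACACS+ Encryption Key, as an added Python example that is not part of the original page: the RFC 8907 pseudo-pad is XORed off the packet body and the AUTHOR_REPLY fields that appear in this page's debug output (status, arg_cnt, ftpdir and priv-lvl) are decoded. With a wrong key the status byte or the argument lengths come out inconsistent, which is the shared-key mismatch case. The key is a placeholder and the packet is constructed from the debug output's fields.

```python
"""De-obfuscate a TACACS+ body as Wireshark does with the configured key,
then decode an AUTHOR_REPLY. Added example, not the switch's code.

RFC 8907, section 4.5: body XOR pseudo_pad, where
    pad_1 = MD5(session_id, key, version, seq_no)
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1})
"""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TYPE_AUTHOR = 0x02
FLAG_UNENCRYPTED = 0x01             # set only when the body is sent in clear
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 keystream of `length` bytes for one packet."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR with the pad; obfuscation and de-obfuscation are the same step."""
    version, _, seq_no, flags, session_id, _ = HEADER.unpack(header)
    if flags & FLAG_UNENCRYPTED:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id: int, seq_no: int, status: int,
                       args: list, key: bytes, version: int = 0xC0) -> bytes:
    """Server side: AUTHOR_REPLY with empty server_msg/data and the given args."""
    raw_args = [a.encode() for a in args]
    body = (struct.pack("!BBHH", status, len(raw_args), 0, 0)
            + bytes(len(a) for a in raw_args) + b"".join(raw_args))
    header = HEADER.pack(version, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + transform_body(header, body, key)


def decode_author_reply(packet: bytes, key: bytes):
    """Device side: return (status name, {attribute: value}) or raise ValueError."""
    header, body = packet[:HEADER.size], packet[HEADER.size:]
    if len(header) < HEADER.size:
        raise ValueError("truncated header")
    _, ptype, _, _, _, length = HEADER.unpack(header)
    if ptype != TYPE_AUTHOR or length != len(body):
        raise ValueError("incomplete message or wrong message")
    clear = transform_body(header, body, key)
    if len(clear) < 6:
        raise ValueError("body too short for an AUTHOR_REPLY")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", clear[:6])
    if status not in AUTHOR_STATUS:
        # A wrong key leaves random bytes here: the "shared key ... dismatch" case.
        raise ValueError(f"unknown status 0x{status:02x}; check the shared key")
    lengths = clear[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len      # args follow server_msg and data
    if len(lengths) != arg_cnt or pos + sum(lengths) != len(clear):
        raise ValueError("argument lengths do not match the body; check the shared key")
    attrs = {}
    for n in lengths:
        text = clear[pos:pos + n].decode("ascii", "replace")
        pos += n
        # '=' separates a mandatory attribute, '*' an optional one
        sep = next((i for i, c in enumerate(text) if c in "=*"), len(text))
        attrs[text[:sep]] = text[sep + 1:]
    return AUTHOR_STATUS[status], attrs


# Constructed from the page's debug output: session 0xf16cc08d, seq_no 2, PASS_ADD,
# arg1 ftpdir=flash:/ (14 bytes), arg2 priv-lvl=15 (11 bytes), body length 33.
DEMO_KEY = b"placeholder-shared-key"
DEMO_PACKET = build_author_reply(0xF16CC08D, 2, 0x01,
                                 ["ftpdir=flash:/", "priv-lvl=15"], DEMO_KEY)

if __name__ == "__main__":
    print(decode_author_reply(DEMO_PACKET, DEMO_KEY))
```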
Server Returns an Access-Reject Packet
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is Radius authentication reject or TAC Authentication fail.
Possible Causes and Troubleshooting Procedure
If the server returns an Access-Reject packet, you need to check the server logs to identify the cause of the failure and determine the troubleshooting method. For example, the fault may be caused by incorrect user name or password, or mismatch between the authentication and authorization policies configured on the server.
Value of the Login-Service Attribute Delivered by the RADIUS Server Is Incorrect
Fault Symptom
The value of the User online fail reason field in the display aaa online-fail-record all command output is Authorization data error.
Possible Causes
The switch does not support the Login-Service attribute value delivered by the RADIUS server. The standard RADIUS attribute Login-Service (15) indicates the service type of an administrator. The switch supports the following Login-Service attribute values. Multiple attribute values can be delivered simultaneously.
- 0: Telnet
- 5: X25-PAD
- 50: SSH
- 51: FTP
- 52: Terminal
<HUAWEI> debugging radius all
Sep 5 2019 11:21:21.920.6+08:00 HUAWEI RDS/7/DEBUG: [RDS(Evt):] Receive a packet(IP:192.168.1.1,Port:1812,Code:authentication accept,ID:1 )
Sep 5 2019 11:21:21.920.7+08:00 HUAWEI RDS/7/DEBUG: RADIUS Received a Packet.
Sep 5 2019 11:21:21.920.8+08:00 HUAWEI RDS/7/DEBUG:
 Server Template: 0
 Server IP   : 192.168.1.1
 Server Port : 1812
 Protocol: Standard
 Code    : 2
 Len     : 38
 ID      : 1
 [HW-Exec-Privilege] [6 ] [15]
 [Login-Service    ] [6 ] [49]   //In this example, 6 indicates the length of the attribute and 49 indicates the attribute value.
Troubleshooting Procedure
Use either of the following methods to troubleshoot the problem:
- Configure the RADIUS server not to deliver the Login-Service attribute or modify the delivered attribute value to a value supported by the switch.
- Run the following commands in the RADIUS server template view to disable the Login-Service attribute in received packets.
#
radius-server template t1
 radius-server attribute translate
 radius-attribute disable Login-Service receive
#
FTP User Fails to Log In to the Switch
Fault Symptom
The value of the User offline reason field in the display aaa abnormal-offline-record all command output is FTP with user login fail.
Possible Causes
FTP user login failures may be caused by the following common configuration errors:
- The FTP user level is incorrect. It must be 3 or higher.
- The FTP root directory is not specified.
Troubleshooting Procedure
The FTP user level is incorrect.
For details, see The Administrator Cannot Enter the System View After Login or the User Level Is Incorrect.
The FTP root directory is not specified.
The FTP root directory must be specified for an FTP user to log in. The methods of specifying the FTP root directory vary, depending on authentication and authorization modes:
- Local authentication and authorization:
When you run the local-user command in the AAA view to create a local user, specify the FTP root directory using the ftp-directory parameter.
Run the display local-user username name command. If the value of the Ftp-directory field in the command output is -, the FTP root directory is not specified.
<HUAWEI> display local-user username test
 The contents of local user(s):
 Password             : ****************
 State                : active
 Service-type-mask    : -
 Privilege level      : 0
 Ftp-directory        : -
 HTTP-directory       : -
 Access-limit         : Yes
 Access-limit-max     : 4294967295
 Accessed-num         : 0
 Idle-timeout         : -
 Original-password    : Yes
 Password-set-time    : 2019-11-12 16:17:37 DST
 Password-expired     : No
 Password-expire-time : -
 Account-expire-time  : -
 Last login ip        : -
 Last login time      : -
 Login fail count     : 0
- RADIUS server authentication and authorization:
The attribute used by the RADIUS server to authorize the FTP root directory is the Huawei proprietary attribute HW-FTP-Directory (26-28), which is carried in the RADIUS Access-Accept packet.
You can analyze packets to check whether the authorization information of the FTP root directory is carried in the RADIUS Access-Accept packets.
You can also enable the debugging function on the switch to check whether the authorization information of the FTP root directory is carried in the packets. The value of the HW-FTP-Directory field is as follows:
<HUAWEI> debugging radius all
Sep 27 2019 13:12:52.420.5+08:00 S5720LI_129_51 RDS/7/DEBUG: [RDS(Evt):] Receive a packet(IP:189.44.129.149,Port:1812,Code:authentication accept,ID:252 )
Sep 27 2019 13:12:52.420.6+08:00 S5720LI_129_51 RDS/7/DEBUG: RADIUS Received a Packet.
Sep 27 2019 13:12:52.420.7+08:00 S5720LI_129_51 RDS/7/DEBUG:
 Server Template: 0
 Server IP   : 189.44.129.149
 Server Port : 1812
 Protocol: Standard
 Code    : 2
 Len     : 47
 ID      : 252
 [HW-FTP-Directory ] [9 ] [flash:/]   //If this attribute exists, the authorization of the FTP root directory has been delivered; otherwise, it has not. The FTP root directory delivered in this example is flash:/.
 [HW-Exec-Privilege] [6 ] [15]
- HWTACACS server authentication and authorization
The attribute of the FTP root directory authorized by the HWTACACS server is ftpdir, which is carried in the HWTACACS Authorization Response packets.
You can enable the debugging function on the switch to check whether the authorization information of the FTP root directory is carried in the packets. The value of the ftpdir field is as follows:
<HUAWEI> debugging hwtacacs all
Sep 27 2019 12:04:26.60.2+08:00 S5720LI_129_51 TAC/7/DEBUG:
 version:c0 type:AUTHOR_REPLY seq_no:2 flag:ENCRYPTED_FLAG session_id:0xf16cc08d length:33
 status:AUTHOR_STATUS_PASS_ADD server_msg len:0 data len:0 arg_cnt:2
 arg1 len:14
 arg2 len:11
 server_msg:
 data:
 arg1 :ftpdir=flash:/
 arg2 :priv-lvl=15   //If the ftpdir attribute exists, the authorization of the FTP root directory has been delivered; otherwise, it has not. The FTP root directory delivered in this example is flash:/.
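The two RADIUS authorization checks described on this page (the Login-Service value the switch must support, and the HW-FTP-Directory attribute an FTP user needs), as one added Python example that is not the switch's code: it decodes the attributes of an Access-Accept and reports the unsupported value 49 from the Login-Service section and a missing FTP root directory for an FTP login. The TLV layouts follow RFC 2865, 2011 is Huawei's IANA enterprise number, and the two sample attribute sets are constructed to mirror the page's debug outputs.

```python
"""Decode RADIUS Access-Accept attributes and flag the two authorization
problems this page describes. Added example, not the switch's code.

Checked: Login-Service (15) against the values the switch supports, and the
Huawei Vendor-Specific sub-attribute HW-FTP-Directory (26-28) for FTP logins.
"""
import struct

HUAWEI_VENDOR_ID = 2011
LOGIN_SERVICE, VENDOR_SPECIFIC = 15, 26
HW_FTP_DIRECTORY = 28            # vendor sub-type, from the page's "26-28"
SUPPORTED_LOGIN_SERVICE = {0: "Telnet", 5: "X25-PAD", 50: "SSH", 51: "FTP", 52: "Terminal"}


def parse_tlvs(data: bytes) -> list:
    """Split RADIUS type/length/value attributes; lengths include the 2-byte header."""
    out, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, data[offset + 2:offset + alen]))
        offset += alen
    return out


def parse_vsa(value: bytes):
    """Vendor-Specific value = 4-byte vendor id + vendor TLVs in the same layout."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than its vendor id")
    return struct.unpack("!I", value[:4])[0], parse_tlvs(value[4:])


def check_admin_authorization(attrs: bytes, ftp_login: bool = False) -> dict:
    """Return the decoded values plus the problems that would fail the login."""
    result = {"login_service": None, "ftp_directory": None, "problems": []}
    for atype, value in parse_tlvs(attrs):
        if atype == LOGIN_SERVICE:
            if len(value) != 4:
                result["problems"].append("Login-Service is not a 4-byte integer")
                continue
            service = struct.unpack("!I", value)[0]
            result["login_service"] = service
            if service not in SUPPORTED_LOGIN_SERVICE:
                result["problems"].append(
                    f"Login-Service {service} is not supported: Authorization data error")
        elif atype == VENDOR_SPECIFIC:
            vendor_id, sub = parse_vsa(value)
            if vendor_id != HUAWEI_VENDOR_ID:
                continue  # another vendor's attribute, not relevant here
            for vtype, vvalue in sub:
                if vtype == HW_FTP_DIRECTORY:
                    result["ftp_directory"] = vvalue.decode("ascii", "replace")
    if ftp_login and result["ftp_directory"] is None:
        result["problems"].append(
            "no HW-FTP-Directory delivered: FTP root directory not specified")
    return result


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV."""
    return bytes([atype, 2 + len(value)]) + value


def huawei_vsa(vtype: int, value: bytes) -> bytes:
    """Wrap a Huawei sub-attribute in a Vendor-Specific (26) attribute."""
    return attribute(VENDOR_SPECIFIC,
                     struct.pack("!I", HUAWEI_VENDOR_ID) + attribute(vtype, value))


# Constructed attribute sets mirroring the page's two debug outputs.
UNSUPPORTED_LOGIN = attribute(LOGIN_SERVICE, struct.pack("!I", 49))  # [Login-Service] [6 ] [49]
FTP_ACCEPT = huawei_vsa(HW_FTP_DIRECTORY, b"flash:/")                 # [HW-FTP-Directory] [9 ] [flash:/]

if __name__ == "__main__":
    print(check_admin_authorization(UNSUPPORTED_LOGIN))
    print(check_admin_authorization(FTP_ACCEPT, ftp_login=True))
```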
SSH User Fails to Log In to the Switch (Versions Earlier than V200R011C10)
Possible Causes
The possible cause is that password authentication is not configured as the authentication mode for SSH users.
In versions earlier than V200R011C10, no default SSH authentication mode is configured on the switch. In V200R011C10 and later versions, password authentication is configured as the default authentication mode for SSH users.
Troubleshooting Procedure
- Run the display ssh user-information name command and check whether an authentication mode is configured for the SSH login user. If the value of the Authentication-type field is -, password authentication is not configured for the SSH user.
<HUAWEI> display ssh user-information test
 User Name             : test
 Authentication-type   : -
 User-public-key-name  : -
 User-public-key-type  : -
 Sftp-directory        : -
 Service-type          : stelnet
 Authorization-cmd     : No
- If password authentication is not configured for the SSH user, run the display current-configuration | include ssh authentication-type default password command to check whether the ssh authentication-type default password command is configured in the system view. If there is no command output, the ssh authentication-type default password command is not configured.
Use either of the following methods to configure password authentication for SSH users.
Method 1: In the system view, configure password authentication as the default authentication mode for SSH users.
[HUAWEI] ssh authentication-type default password
Method 2: Configure password authentication for a single SSH user. The following uses SSH user test as an example.
[HUAWEI] ssh user test authentication-type password
[HUAWEI] ssh user test service-type stelnet
Failed to Log In to the HSB Standby AC Through Telnet in RADIUS Authentication
Fault symptom: A Telnet login to the active AC (AC1) succeeds, but a Telnet login to the standby AC (AC2) fails.
The configuration is as follows when the fault occurs:
Active AC1
#
radius-server source ip-address 12.12.12.88
#
radius-server template 12.6
 radius-server shared-key cipher %^%#EVP>/*Q)."5~U{"n9A[Sax{|H,nQQ#8rrUBm!ZFW%^%#
 radius-server authentication 12.12.12.6 1812 weight 80
 radius-server accounting 12.12.12.6 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default_admin
  authentication-scheme radius
  radius-server 12.6
#
interface Vlanif201
 ip address 12.12.12.81 255.255.255.0
 vrrp vrid 11 virtual-ip 12.12.12.88
 vrrp vrid 11 track admin-vrrp interface Vlanif2330 vrid 61 unflowdown
#
Standby AC2
#
radius-server source ip-address 12.12.12.88
#
radius-server template 12.6
 radius-server shared-key cipher %^%#EVP>/*Q)."5~U{"n9A[Sax{|H,nQQ#8rrUBm!ZFW%^%#
 radius-server authentication 12.12.12.6 1812 weight 80
 radius-server accounting 12.12.12.6 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default_admin
  authentication-scheme radius
  radius-server 12.6
#
interface Vlanif201
 ip address 12.12.12.82 255.255.255.0
 vrrp vrid 11 virtual-ip 12.12.12.88
 vrrp vrid 11 track admin-vrrp interface Vlanif2330 vrid 61 unflowdown
#
A Telnet login to the standby AC2 fails.
Username:skl123
Password:
Error: Authentication fail
The login fails because the RADIUS server is unreachable.
<AC2> display aaa online-fail-record all
 ------------------------------------------------------------------------------
 User name               : skl123
 Domain name             : default_admin
 User MAC                : -
 User access type        : Telnet
 User IP address         : 125.64.17.87
 User IPV6 address       : -
 User ID                 : 3
 User login time         : 2021/04/29 15:24:38
 User online fail reason : The radius server is not reachable
 Authen reply message    : Authentication fail
 User name to server     : skl123
 ------------------------------------------------------------------------------
Possible Causes
The standby AC2 uses the VRRP virtual IP address as the RADIUS source IP address. The RADIUS response packet is sent to the active AC1, and the standby AC2 cannot receive the response packet.
Solution:
Set the RADIUS source IP address of AC1 and AC2 to the actual interface IP address.
The configuration used to solve the problem is as follows:
Active AC1
#
radius-server source ip-address 12.12.12.81
#
radius-server template 12.6
 radius-server shared-key cipher %^%#EVP>/*Q)."5~U{"n9A[Sax{|H,nQQ#8rrUBm!ZFW%^%#
 radius-server authentication 12.12.12.6 1812 weight 80
 radius-server accounting 12.12.12.6 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default_admin
  authentication-scheme radius
  radius-server 12.6
#
interface Vlanif201
 ip address 12.12.12.81 255.255.255.0
 vrrp vrid 11 virtual-ip 12.12.12.88
 vrrp vrid 11 track admin-vrrp interface Vlanif2330 vrid 61 unflowdown
#
Standby AC2
#
radius-server source ip-address 12.12.12.82
#
radius-server template 12.6
 radius-server shared-key cipher %^%#EVP>/*Q)."5~U{"n9A[Sax{|H,nQQ#8rrUBm!ZFW%^%#
 radius-server authentication 12.12.12.6 1812 weight 80
 radius-server accounting 12.12.12.6 1813 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain default_admin
  authentication-scheme radius
  radius-server 12.6
#
interface Vlanif201
 ip address 12.12.12.82 255.255.255.0
 vrrp vrid 11 virtual-ip 12.12.12.88
 vrrp vrid 11 track admin-vrrp interface Vlanif2330 vrid 61 unflowdown
#
Typical Configuration
RADIUS Authentication and Authorization + Local Authentication
Key configuration:
- Set the authentication mode to RADIUS and local authentication.
- Accounting is not recommended for administrator authentication. If accounting is required for administrators, the policy for accounting-start failures must be set to online.
- Create a local user.
#
aaa
 authentication-scheme radius_local
  authentication-mode radius local   //Local authentication is performed if the RADIUS server does not respond to the authentication request.
 domain default_admin
  authentication-scheme radius_local
  radius-server default
 local-user test password irreversible-cipher xxx
 local-user test privilege level 15
 local-user test service-type ssh    //An account that is the same as that on the RADIUS server needs to be configured on the local device to ensure that local authentication can be performed if the switch does not receive any response from the RADIUS server.
#
HWTACACS Authentication and Authorization + Local Authentication
Key configuration:
- Set the authentication mode to HWTACACS and local authentication.
- Accounting is not recommended for administrator authentication. If accounting is required for administrators, configure the accounting scheme so that users stay online when the accounting-start request fails (accounting start-fail policy online); otherwise an administrator whose accounting-start request gets no response from the server is logged out right after a successful authentication.
- Create a local user.
- (Optional) Enable command-line-based authorization.
- (Optional) Enable command-line-based auditing.
#
aaa
 authentication-scheme tacacs_local
  authentication-mode hwtacacs local //Local authentication is performed only if the HWTACACS server does not respond to the authentication request.
 authorization-scheme tacacs_local
  authorization-mode hwtacacs local //Local authorization is performed only if the HWTACACS server does not respond to the authorization request.
  authorization-cmd 15 hwtacacs local //Command-line-based authorization is performed only for level-15 administrators; local authorization applies if the server does not respond.
 recording-scheme tacacs //Defines the recording scheme used for command-line auditing.
  recording-mode hwtacacs default //Command records are sent to the HWTACACS server template named default.
 cmd recording-scheme tacacs //Applies the recording scheme to command lines entered by administrators.
 domain default_admin
  authentication-scheme tacacs_local
  authorization-scheme tacacs_local
  hwtacacs-server default
 local-user test password irreversible-cipher xxx
 local-user test privilege level 15
 local-user test service-type ssh //An account with the same name as the one on the HWTACACS server must exist on the local device so that local authentication can succeed when the switch receives no response from the HWTACACS server.
#
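The two typical configurations above both rely on the same property: the administrator domain must fall back to local authentication, and a local account matching the server-side one must exist with the right service type, or a silent RADIUS/HWTACACS server locks every administrator out. The following Python script is an added example (not code from the original page or from Huawei) that audits configuration text in the form the device prints (children indented one extra space per level, optional // comments) for exactly that property. The sample configurations are constructed from the fragments above; the audit rules, function names and the default_admin/test/ssh/15 defaults are this example's own assumptions.

```python
"""Audit a Huawei VRP AAA configuration for an administrator local fallback.

Added example, not code from the original page or from Huawei. It parses the
'aaa' view of a configuration in the format the device prints (children
indented by one extra space per level, optional '//' comments) and checks
that the administrator domain's authentication scheme falls back to local
and that a matching local account exists, so that a silent RADIUS/HWTACACS
server cannot lock every administrator out. The audit rules and the names
below are assumptions for illustration; the sample configs are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's RADIUS + local scheme, with the local user
# deliberately missing its service-type line to produce a finding.
SAMPLE_CONFIG = """\
#
aaa
 authentication-scheme radius_local
  authentication-mode radius local //local is used only if RADIUS does not respond
 domain default_admin
  authentication-scheme radius_local
  radius-server default
 local-user test password irreversible-cipher xxx
 local-user test privilege level 15
#
"""
# Same config with the missing line added (the fully correct form).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " local-user test privilege level 15\n",
    " local-user test privilege level 15\n local-user test service-type ssh\n")
# Same config with the local fallback removed entirely.
NO_FALLBACK_CONFIG = SAMPLE_CONFIG.replace(
    "authentication-mode radius local", "authentication-mode radius")


def parse_aaa(config: str) -> Dict[str, dict]:
    """Return {'schemes': name -> mode list, 'domains': name -> {key: value},
    'users': name -> {'level', 'services', 'has_password'}} from the aaa view."""
    schemes: Dict[str, List[str]] = {}
    domains: Dict[str, Dict[str, str]] = {}
    users: Dict[str, dict] = {}
    in_aaa = False
    current: Optional[Tuple[str, str]] = None   # ("scheme"|"domain", name)
    for raw in config.splitlines():
        text = raw.split("//", 1)[0].rstrip()     # drop trailing // comments
        if not text.strip() or text.strip() == "#":
            in_aaa, current = False, None         # '#' closes the current view
            continue
        indent = len(text) - len(text.lstrip(" "))
        parts = text.split()
        if indent == 0:
            in_aaa, current = (parts[0] == "aaa"), None
            continue
        if not in_aaa:
            continue
        if indent == 1:
            current = None
            if parts[0] == "authentication-scheme":
                current = ("scheme", parts[1])
                schemes.setdefault(parts[1], [])
            elif parts[0] == "domain":
                current = ("domain", parts[1])
                domains.setdefault(parts[1], {})
            elif parts[0] == "local-user" and len(parts) >= 3:
                u = users.setdefault(parts[1], {})
                if parts[2] == "password":
                    u["has_password"] = True
                elif parts[2] == "privilege" and len(parts) >= 5:
                    u["level"] = parts[4]          # local-user X privilege level N
                elif parts[2] == "service-type":
                    u["services"] = parts[3:]
        elif indent == 2 and current is not None:
            kind, name = current
            if kind == "scheme" and parts[0] == "authentication-mode":
                schemes[name] = parts[1:]
            elif kind == "domain" and len(parts) >= 2:
                domains[name][parts[0]] = " ".join(parts[1:])
    return {"schemes": schemes, "domains": domains, "users": users}


def audit_admin_fallback(config: str, domain: str = "default_admin",
                         user: str = "test", service: str = "ssh",
                         level: str = "15") -> List[str]:
    """Return findings; an empty list means the fallback path is usable."""
    cfg = parse_aaa(config)
    findings: List[str] = []
    dom = cfg["domains"].get(domain)
    if dom is None:
        return [f"domain {domain} is not configured"]
    scheme = dom.get("authentication-scheme")
    modes = cfg["schemes"].get(scheme or "", [])
    if not modes:
        findings.append(f"domain {domain} references unknown scheme {scheme!r}")
    else:
        if "local" not in modes:
            findings.append(f"scheme {scheme} has no local fallback: {' '.join(modes)}")
        if not any(m in ("radius", "hwtacacs") for m in modes):
            findings.append(f"scheme {scheme} never consults a remote server")
    u = cfg["users"].get(user)
    if u is None:
        findings.append(f"no local-user {user}: the fallback has nothing to authenticate")
    else:
        if not u.get("has_password"):
            findings.append(f"local-user {user} has no password")
        if service not in u.get("services", []):
            findings.append(f"local-user {user} lacks service-type {service}")
        if u.get("level") != level:
            findings.append(f"local-user {user} privilege level is {u.get('level', 'unset')}, expected {level}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG),
                       ("no_fallback", NO_FALLBACK_CONFIG)):
        print(label, "->", audit_admin_fallback(cfg) or "OK")
```

Feed it the output of display current-configuration from each switch; the script only looks at the aaa view, so the RADIUS/HWTACACS template blocks and interface configuration pass through untouched. The privilege-level check exists because a fallback account with the wrong level lets the administrator log in but not enter the system view, which is one of the symptoms this page covers.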
Collecting Information
Collect the following information:
- Device log information. For authentication issues, check the user access logs (USER_ACCESSRESULT). The RESULT field indicates the authentication result and AUTHENPLACE shows where the user was authenticated; if the authentication fails, check the ERRCODE field. The following sample shows a successful RADIUS authentication (RESULT:success, ERRCODE:0, RDSIP:12.12.12.1).
Sep 15 2020 19:40:17+08:00 S5720EI_129_49 %%01CM/5/USER_ACCESSRESULT(s)[494]:[USER_INFO_AUTHENTICATION]DEVICEMAC:fc-e3-3c-a8-0b-70;DEVICENAME:S5720EI_129_49;USER:test;MAC:34-b3-54-62-51-77;IPADDRESS:88.1.1.2;TIME:1600170017;ZONE:UTC+0800;DAYLIGHT:false;ERRCODE:0;RESULT:success;AUTHENPLACE:RADIUS;CIB ID:18;INTERFACE:GigabitEthernet0/0/1;ACCESS TYPE:802.1x;VLAN:999;SelectRDSIP:-;SelectERRCODE:-;RDSIP:12.12.12.1;Portal TYPE:-;AUTHID=1385235970;
- Diagnostic information, which can be collected using the display diagnostic-information command.
- User logout records, abnormal logout records, and login failure records
- If a large number of users encounter exceptions, you are advised to run the display aaa offline-record all brief, display aaa abnormal-offline-record all brief, and display aaa online-fail-record all brief commands to collect information.
- If only a few users encounter exceptions, you are advised to run the display aaa offline-record mac-address mac-address, display aaa abnormal-offline-record mac-address mac-address, and display aaa online-fail-record mac-address mac-address commands to collect information.
- Debugging information, which can be collected using the debugging cm and debugging aaa all commands. Debugging output is displayed on the current terminal only after terminal monitor and terminal debugging have been enabled, and it loads the CPU, so enable it only while reproducing the failure. After the information is collected, run the undo debugging all command to disable debugging.
- If RADIUS authentication is configured, run the debugging radius all command.
- If HWTACACS authentication is configured, run the debugging hwtacacs all command.
- To collect debugging information about SSH users, run the debugging ssh server all all command.
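When many access or login records have been collected, reading the RESULT and ERRCODE fields line by line is error-prone. The following Python script is an added example (not code from the original page or from Huawei) that parses USER_ACCESSRESULT records of the form shown above and lists only the failed ones with their ERRCODE, AUTHENPLACE and RDSIP. The first sample line is the page's own record, re-joined; the remaining lines are constructed, and their RESULT, ERRCODE, ACCESS TYPE and mnemonic values are placeholders chosen for illustration, not documented values.

```python
"""Triage Huawei USER_ACCESSRESULT log lines.

Added example, not code from the original page or from Huawei. It parses the
log record shown under "Collecting Information" (header, then ';'-separated
KEY:VALUE fields) and lists the records whose RESULT is not 'success' with
their ERRCODE and AUTHENPLACE, so a batch of lines from a syslog collector
can be triaged without reading each one. The first sample line is the page's
own (re-joined); the other lines are constructed, and their RESULT, ERRCODE
and ACCESS TYPE values are illustrative placeholders, not documented values.
"""
import re
from typing import Dict, List

# <date> <host> %%01<MODULE>/<SEVERITY>/<MNEMONIC>(<flag>)[<seq>]:<payload>
HEADER_RE = re.compile(
    r"^(?P<time>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) %%01(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+)"
    r"\((?P<flag>\w)\)\[(?P<seq>\d+)\]:(?P<payload>.*)$"
)

SAMPLE_LOGS = [
    # From the page: a successful RADIUS authentication (RESULT:success, ERRCODE:0).
    "Sep 15 2020 19:40:17+08:00 S5720EI_129_49 %%01CM/5/USER_ACCESSRESULT(s)[494]:"
    "[USER_INFO_AUTHENTICATION]DEVICEMAC:fc-e3-3c-a8-0b-70;DEVICENAME:S5720EI_129_49;"
    "USER:test;MAC:34-b3-54-62-51-77;IPADDRESS:88.1.1.2;TIME:1600170017;ZONE:UTC+0800;"
    "DAYLIGHT:false;ERRCODE:0;RESULT:success;AUTHENPLACE:RADIUS;CIB ID:18;"
    "INTERFACE:GigabitEthernet0/0/1;ACCESS TYPE:802.1x;VLAN:999;SelectRDSIP:-;"
    "SelectERRCODE:-;RDSIP:12.12.12.1;Portal TYPE:-;AUTHID=1385235970;",
    # Constructed: a failed attempt (RESULT/ERRCODE/ACCESS TYPE values are placeholders).
    "Sep 15 2020 19:42:03+08:00 S5720EI_129_49 %%01CM/5/USER_ACCESSRESULT(s)[495]:"
    "[USER_INFO_AUTHENTICATION]DEVICEMAC:fc-e3-3c-a8-0b-70;DEVICENAME:S5720EI_129_49;"
    "USER:admin01;MAC:-;IPADDRESS:88.1.1.9;TIME:1600170123;ZONE:UTC+0800;DAYLIGHT:false;"
    "ERRCODE:3;RESULT:fail;AUTHENPLACE:RADIUS;CIB ID:19;INTERFACE:-;ACCESS TYPE:ssh;"
    "VLAN:-;SelectRDSIP:-;SelectERRCODE:-;RDSIP:12.12.12.6;Portal TYPE:-;AUTHID=1385235971;",
    # Constructed: a well-formed record of another (made-up) type that must be ignored.
    "Sep 15 2020 19:43:00+08:00 S5720EI_129_49 %%01CM/5/OTHER_EVENT(l)[496]:something else",
    # Constructed: a line that is not a log record at all.
    "--- collector separator ---",
]


def parse_access_log(line: str) -> Dict[str, str]:
    """Split one log line into header fields plus the KEY:VALUE payload fields."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a VRP log line: " + line[:40])
    rec = {k: v for k, v in m.groupdict().items() if k != "payload"}
    payload = m.group("payload")
    tag = re.match(r"\[(\w+)\]", payload)          # e.g. [USER_INFO_AUTHENTICATION]
    if tag:
        rec["info_type"] = tag.group(1)
        payload = payload[tag.end():]
    for field in payload.split(";"):
        sep = re.search(r"[:=]", field)             # 'KEY:VALUE' or 'AUTHID=VALUE'
        if sep is None or not field.strip():
            continue
        rec[field[:sep.start()].strip()] = field[sep.end():].strip()
    return rec


def failed_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return a summary for each USER_ACCESSRESULT record whose RESULT is not 'success'."""
    keep = ("time", "USER", "IPADDRESS", "ACCESS TYPE", "AUTHENPLACE",
            "RDSIP", "RESULT", "ERRCODE")
    out: List[Dict[str, str]] = []
    for line in lines:
        try:
            rec = parse_access_log(line)
        except ValueError:
            continue                                # skip non-log lines
        if rec["mnemonic"] != "USER_ACCESSRESULT" or rec.get("RESULT") == "success":
            continue
        out.append({k: rec.get(k, "-") for k in keep})
    return out


if __name__ == "__main__":
    for row in failed_logins(SAMPLE_LOGS):
        print(row)
```

Treating anything other than RESULT:success as a failure keeps the filter correct even if the device uses a result string other than the placeholder used in the constructed line. RDSIP tells you which server handled the request, which is the first thing to compare against the radius-server authentication entries in the template when the server is suspected of rejecting or ignoring requests.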