AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Routers, covering common information collection and fault diagnostic commands and troubleshooting guides for typical faults.
RADIUS Authentication Fails

Common Causes

This fault is commonly caused by one of the following:
  • The user name or password is incorrect. For example, the user name does not exist, or the user name format (with or without the domain name) is different from the format configured on the Remote Authentication Dial In User Service (RADIUS) server.
  • The RADIUS configuration on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is incorrect, including the authentication mode and the RADIUS server template.
  • The port number and shared key configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 are different from those on the RADIUS server.
  • The number of online users reaches the maximum value.

Troubleshooting Flowchart

A user fails to pass Remote Authentication Dial In User Service (RADIUS) authentication.

The troubleshooting roadmap is as follows:
  • Check whether the link between the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and the RADIUS server is working.
  • Check whether the number of authenticated users has reached the maximum.
  • Check the RADIUS configuration on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600, including the domain name, domain status, RADIUS server template, authentication mode, and accounting mode.
  • Check whether the user name, password, and user access type configured on the RADIUS server are correct, and whether the router IP address, port number, shared key, and the methods for carrying and resolving the domain name configured on the RADIUS server are the same as those configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

Figure 22-1 shows the troubleshooting flowchart.

Figure 22-1  Troubleshooting flowchart for RADIUS authentication failure

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide technical support personnel.

Procedure

  1. Run the ping command to check whether the link between the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and the RADIUS server is working.

    • If the ping operation fails, rectify the link fault according to The Ping Operation Fails.
    • If the ping operation succeeds, go to step 2.

  2. Check whether the number of online users reaches the maximum.

    Both the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and RADIUS server have a limit to the number of online users. Run the display access-user command on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to check the number of online users.
    • If the number of online users reaches the maximum, you do not need to take any action. The user can log in after the number of online users falls below the maximum.
    • If the number of online users does not reach the maximum, check the maximum number of online users set on the RADIUS server. If the maximum number of online users set on the RADIUS server is not reached, go to step 3.

  3. Check that the RADIUS configuration on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is correct.

    Check the RADIUS configuration to ensure that:

    • The authentication domain of the user is in Active state.

    • The authentication scheme bound to the user domain is RADIUS authentication.

    • The correct RADIUS server template is bound to the domain. The IP address and port of the authentication server and accounting server are set correctly in the template. The source address in the packet sent by the router must be the same as the allowed address configured on the RADIUS server.

    • The user name format and shared key specified in the template are the same as those on the RADIUS server.

    Before checking the last two items, connect the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to a RADIUS server.

    | Action | Command |
    | --- | --- |
    | Check the domain configuration. | display domain |
    | Check which RADIUS server template is bound to the domain. | display domain name domain-name |
    | Check the authentication scheme bound to the domain. | display authentication-scheme |
    | Check the accounting scheme bound to the domain. | display accounting-scheme |
    | Check the configuration of the RADIUS server template. | display radius-server configuration |

  4. Check information about the RADIUS packets sent and received by the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

    Run the debugging radius packet command in the user view to enable RADIUS packet debugging. Initiate RADIUS authentication or run the test-aaa command to send an authentication request. Check whether any RADIUS packets have been sent and received by the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

    <Huawei> debugging radius packet
    <Huawei> terminal debugging
    <Huawei> terminal monitor

    Debugging affects system performance. After debugging, run the undo debugging all command immediately to disable it.

    • If no debugging information is displayed, the router configuration is incorrect. Check that the RADIUS server template is bound to the domain.

      The following configuration file shows that the RADIUS server template radius is bound to the domain huawei.

      #
      radius-server template radius
       radius-server authentication 1.1.1.1 1645
      #
      aaa
       authentication-scheme default
       authentication-scheme aaa
        authentication-mode radius
       authorization-scheme default
       accounting-scheme default
       domain default
       domain default_admin
       domain huawei
        authentication-scheme aaa
        radius-server radius
      
    • If debugging information is displayed, proceed according to the following debugging information.

      Debugging information, each followed by its solution:

      Nov 10 2010 15:23:34.260.6 Huawei RDS/7/debug2:
        Radius Sent a Packet          
        Server Template: 0            
        Server IP   : 192.168.1.128   
        Protocol: Standard           
        ......
      

      The RADIUS module sent an authentication packet. This message indicates that the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 can send RADIUS authentication packets.

      Nov 10 2010 15:23:34.260.6 Huawei %%01RDS/4/RDAUTHDOWN(l):
      RADIUS authentication server ( IP: 192.168.1.128 )  is down! 
      

      The RADIUS authentication server did not send an authentication response packet. This may be because the link between the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and the RADIUS server failed or the RADIUS server has not restarted.

      Check that the router IP address and RADIUS service port numbers configured on the RADIUS server are the same as those configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600, and that the RADIUS service is enabled.

      Nov 10 2010 15:23:34.260.6 Huawei RDS/7/debug2:
      [RDS (Evt):] Send a msg (Auth reject)
      Nov 10 2010 15:23:34.260.7 Huawei RDS/7/debug2:
      [RDS (Msg):]Msg type   :Auth reject
      [RDS (Msg):]UserID     :16005
      [RDS (Msg):]Template no:88.99
      [RDS (Msg):]Authmethod :(pap)
      [RDS (Msg):]ulSrcMsg   :Auth req
      [RDS (Msg):]szBitmap   :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      

      The RADIUS authentication server returned an authentication failure packet. The possible causes of authentication failure are:

      • The router IP address and the shared key are not configured on the RADIUS server.

      • The shared key configured on the RADIUS server is different from the shared key configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

      • The user account is not configured on the RADIUS server, or the user name format configured in the RADIUS server template is different from that on the RADIUS server. For example, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 sends the user name without the domain name but the RADIUS server requires the user name with the domain name.

      • The password entered by the user is different from the password configured on the RADIUS server.

      If any of the preceding errors exist, modify the configuration on the RADIUS server. After configuration modification, check whether the user can pass the authentication. If the fault persists, go to step 5.

  5. Check the user type.

    • If the user is a Telnet user or an FTP user, rectify the fault according to "The User Fails to Log in to the Server Through Telnet" or "The User Fails to Log in to the Server Through FTP."
    • If the user is a network access user, rectify the fault according to "NAC Troubleshooting."

  6. If the fault persists, collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
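
Why a shared-key mismatch shows up as "Auth reject" in step 4, as an added example that is not part of the Huawei documentation: it models the RFC 2865 User-Password hiding used for PAP and the Response Authenticator check. The keys, passwords, packet identifier and function names are constructed for illustration, and the reply is modelled with no attributes.

```python
# Added example: RFC 2865 User-Password hiding and Response Authenticator,
# showing the effect of a shared-key mismatch. All values are constructed.
import hashlib
import hmac
import os


def _keystream_xor(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hiding else block  # chain on the ciphertext in both directions
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the router (NAS) puts in the User-Password attribute for PAP."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, request_auth, hiding=True)


def server_decision(hidden: bytes, request_auth: bytes, server_secret: bytes,
                    stored_password: bytes) -> str:
    """What the server concludes after un-hiding with ITS copy of the shared key."""
    recovered = _keystream_xor(hidden, server_secret, request_auth, hiding=False).rstrip(b"\x00")
    return "Access-Accept" if hmac.compare_digest(recovered, stored_password) else "Access-Reject"


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def simulate(router_key: bytes, server_key: bytes, typed: bytes, stored: bytes) -> tuple:
    """Return (server verdict, whether the router accepts the reply as authentic)."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    verdict = server_decision(hide_password(typed, router_key, request_auth),
                              request_auth, server_key, stored)
    code = 2 if verdict == "Access-Accept" else 3  # 2 = Access-Accept, 3 = Access-Reject
    sent = response_authenticator(code, 1, b"", request_auth, server_key)
    expected = response_authenticator(code, 1, b"", request_auth, router_key)
    return verdict, hmac.compare_digest(sent, expected)
```

With different keys the server un-hides garbage and rejects even a correct password, and the router cannot validate the reply either, so compare the shared key on both sides before resetting user passwords.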

Updated: 2019-05-10

Document ID: EDOC1000079719
