AR Router Troubleshooting Guide

This document provides guidance for maintaining AR enterprise routers, covering common information collection and fault diagnostic commands and troubleshooting procedures for typical faults.
HWTACACS Authentication Fails

Common Causes

This fault is commonly caused by one of the following:
  • The user name or password is incorrect. For example, the user name does not exist, or the user name format (with or without the domain name) is different from the format configured on the Huawei Terminal Access Controller Access Control System (HWTACACS) server.
  • The HWTACACS configuration on the AR is incorrect, including the authentication mode and HWTACACS server template.
  • The port number and shared key configured on the AR are different from those on the HWTACACS server.
  • The number of online users reaches the maximum value.

Troubleshooting Flowchart

A user fails to pass the HWTACACS authentication.

The troubleshooting roadmap is as follows:
  • Check whether the link between the AR and the HWTACACS server is working.
  • Check whether the number of authenticated users has reached the maximum.
  • Check the HWTACACS configuration on the AR, including the domain name, domain status, HWTACACS server template, authentication mode, authorization mode, and accounting mode.
  • Check whether the user name, password, and user access type configured on the HWTACACS server are correct and whether the router IP address, port number, shared key, and domain name mode and resolution method configured on the HWTACACS server are the same as those configured on the AR.

Figure 22-2 shows the troubleshooting flowchart.

Figure 22-2 Troubleshooting flowchart for HWTACACS authentication failure

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide technical support personnel.

Procedure

  1. Run the ping command to check whether the link between the AR and the HWTACACS server is working.

    • If the ping operation fails, rectify the link fault according to "The Ping Operation Fails".
    • If the ping operation succeeds, go to step 2.

  2. Check whether the number of online users has reached the maximum.

    Both the AR and HWTACACS server have a limit on the number of online users. Run the display access-user command on the AR to check the number of online users.
    • If the number of online users has reached the maximum, you do not need to take any action. The user can log in after the number of online users falls below the maximum.
    • If the number of online users has not reached the maximum, check the maximum number of online users set on the HWTACACS server. If the maximum number of online users set on the HWTACACS server has not been reached, go to step 3.

  3. Check the HWTACACS configuration on the AR to ensure that:

    • The authentication domain of the user is in Active state.

    • The authentication scheme bound to the user domain is HWTACACS authentication.

    • The correct HWTACACS server template is bound to the domain. The IP address and port of the authentication server, authorization server, and accounting server are set correctly in the template. The source address in the packet sent by the router must be the same as the allowed address configured on the HWTACACS server.

    • The user name format and shared key specified in the template are the same as those on the HWTACACS server.

    Before checking the last two items, connect the AR to an HWTACACS server. Ensure that the preceding configurations meet the requirements of the actual network.

    Action                                                          Command
    Check the domain configuration.                                 display domain
    Check which HWTACACS server template is bound to the domain.    display domain name domain-name
    Check the authentication scheme bound to the domain.            display authentication-scheme
    Check the authorization scheme bound to the domain.             display authorization-scheme
    Check the accounting scheme bound to the domain.                display accounting-scheme
    Check the configuration of the HWTACACS server template.        display hwtacacs-server template

  4. Check information about the HWTACACS packets sent and received by the AR.

    Run the debugging hwtacacs all command in the user view to enable HWTACACS packet debugging. Initiate HWTACACS authentication. Check whether any HWTACACS packets are being sent or received by the AR.

    <Huawei> debugging hwtacacs all
    <Huawei> terminal debugging
    <Huawei> terminal monitor

    Debugging affects system performance, so run the undo debugging all command to disable debugging as soon as the required information has been collected.

    • If no debugging information is displayed, the router configuration is incorrect. Verify that the HWTACACS server template is applied to the domain.

      The following configuration file shows that the HWTACACS server template hwtacacs is bound to the domain huawei.

      #
      hwtacacs-server template hwtacacs
       hwtacacs-server authentication 2.2.2.2
      #
      aaa
       authentication-scheme default
       authentication-scheme aaa
        authentication-mode hwtacacs
       authorization-scheme default
       accounting-scheme default
       domain default
       domain default_admin
       domain huawei
        authentication-scheme aaa
        hwtacacs-server hwtacacs
      #

    • If debugging information is displayed, proceed according to the debugging information.

      Debugging Information and Solution

      Debugging information:

      Nov 10 2010 15:43:35.500.6 Huawei TAC/7/Event:HandleReqMsg: Session status is not connect now.
      Nov 10 2010 15:43:35.500.7 Huawei TAC/7/Event:statistics: transmit flag:
      1-SENDPACKET, server flag: 0-authentication, packet flag: 0xff
      Nov 10 2010 15:43:35.550.1 Huawei TAC/7/Event:HandleResp: Session status is connect now.
      Nov 10 2010 15:43:35.550.2 Huawei TAC/7/Event: Tac packet sending success!
      version:c0 type:1-authentication sequence:1 flag:1-UNENCRYPTED_FLAG session id:908 length:24 serverIP:10.138.88.209 vrf:0

      Solution: The HWTACACS module sent an authentication packet. This message indicates that the AR can send HWTACACS authentication packets.

      Debugging information:

      Nov 10 2010 15:49:18.430.6 Huawei TAC/7/Event:HandleReqMsg: Session status is not connect now.
      Nov 10 2010 15:49:18.430.7 Huawei TAC/7/Event:statistics: transmit flag:
      1-SENDPACKET, server flag: 0-authentication, packet flag: 0xff
      Nov 10 2010 15:49:18.480.2 Huawei TAC/7/Event:HandleResp: Session status is connect now.
      Nov 10 2010 15:49:18.480.3 Huawei TAC/7/Event: Tac send packet error!

      Solution: The HWTACACS authentication server did not send any authentication response packets. This may be because the link between the AR and the HWTACACS server is Down, the HWTACACS server has not restarted, or the HWTACACS server fails.

      In this case, check that the router IP address and HWTACACS service port numbers configured on the HWTACACS server are the same as those configured on the AR, and that the HWTACACS service is enabled.

      Debugging information:

      Nov 10 2010 16:02:35.760.1 Huawei TAC/7/Event:
      version:c0  type:AUTHEN_REPLY
      seq_no:6  flag:UNENCRYPTED_FLAG
      session_id:0x4ff8  length:6  pstPacketAll->ulDataLen:6
      pstAuthenReply:ucStatus=2 ucflags=0 usServerMsgLen=0 usDataLen=0
      status:AUTHEN_STATUS_FAIL  flag:REPLY_FLAG_ECHO
      server_msg len:0  data len:0
      server_msg:  data:

      Solution: The HWTACACS server returned an authentication failure packet. The possible causes of authentication failure are:

      • The router IP address and the shared key are not configured on the HWTACACS server.
      • The shared key configured on the HWTACACS server is different from the shared key configured on the AR.
      • The user account is not configured on the HWTACACS server, or the user name format configured in the HWTACACS server template is different from that on the HWTACACS server. For example, the AR sends the user name without the domain name but the HWTACACS server requires the user name with the domain name.
      • The password entered by the user is different from the password configured on the HWTACACS server.

      If any of the preceding errors exist, modify the configuration on the HWTACACS server. After configuration modification, check whether the user can pass the authentication. If the fault persists, go to step 5.

  5. Check the user type.

    • If the user is a Telnet user or an FTP user, rectify the fault according to "The User Fails to Log in to the Server Through Telnet" or "An FTP Connection Fails to Be Set Up."
    • If the user is a network access user, rectify the fault according to "NAC troubleshooting".

  6. If the fault persists, collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR

Updated: 2019-08-09

Document ID: EDOC1000079719
