ME60 version: V100R005C02B01B
Radius--------Device of the provincial level backbone---------NE80E---------ME60
Fault symptom: Authentication of dial-up users connected to the ME60 at the new site fails.
1. Check the configuration of the ME60. You can find that configuration of the ME60 is correct. Run the Debug Radius Packet command. You can find that the ME60 sends the authentication request packet of CODE 1 but does not receive the response packet from the RADIUS server.
2. Contact the engineer expert at RADIUS. The engineer confirms that the RADIUS server receives the authentication request packet and replies with a packet of CODE 2. The packet may be discarded or the return route is faulty.
3. Ping the remote RADIUS server from the ME60. The ping packets carry the source address. The ping succeeds, which indicates that the return route is normal. Then, it can be confirmed that the packet of CODE 2 is discarded during transmission.
4. Change the sources address of the packet sent by the ME60 to the RADIUS server to an address of another network segment. The ME60 can receive the response packet, and users can go online. Therefore, the fault is located on the original network segment. The IP packet can reach the ME60 and the packet replied by the RADIUS server is a UDP packet. Therefore, the intermediate devices may limit the traffic of the network segment. Check the intermediate devices one by one. You can find that a device is configured with the ACL, and the ACL filters out the UDP packet. After the ACL is deleted, the fault is cleared.
1. The configuration of the ME60 may be faulty.
2. The source address of the packets sent by the ME60 to the RADIUS may not be configured as a trusted NAS-IP.
3. The configurations of the protocol type and share key may be inconsistent on the RADIUS server.
4. The route from the RADIUS server to the source address of the authentication packet may be unreachable.
5. Other faults may occur.