No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Nas-ip and radius server binding differ lead to S9300 radius authentication failure

Publication Date:  2019-07-20 Views:  1393 Downloads:  0

Issue Description

S9300 version information:
PC------middle network-----S9300-------IP bearer network ------Radius Server
S9300 radius authentication failure

Alarm Information


Handling Process

1. After test, 9300 can ping Radius Server, and no lost, it means route is enable.
2. Check all configuration as follows:
<WZ-CX-S9312-1>display radius-server configuration  
  Server-template-name             :  system                                   
  Protocol-version                 :  standard                                 
  Traffic-unit                     :  B                                        
  Shared-secret-key                :  wzwg                                     
  Timeout-interval(in second)      :  5                                        
  Primary-authentication-server    :  x.x.128.82:1645:LoopBack-1  
  Primary-accounting-server        :                      
  Secondary-authentication-server  :  
  Secondary-accounting-server      :      
  Retransmission                   :  3                                        
  Domain-included                  :  NO                                       
<WZ-CX-S9312-1>display domain default                                          
  Domain-name                     : default                                    
  Domain-state                    : Active                                     
  Authentication-scheme-name      : default                                    
  Accounting-scheme-name          : default                                    
  Authorization-scheme-name       : default                                    
  Web-IP-address                  : -                                          
  Primary-DNS-IP-address          : -                                          
  Second-DNS-IP-address           : -                                          
  Primary-NBNS-IP-address         : -                                          
  Second-NBNS-IP-address          : -                                          
  Idle-data-attribute (time,flow) : 0, 60                                      
  User-access-limit               : 384                                        
  Online-number                   : 2                                          
  RADIUS-server-template          : system                                     
  HWTACACS-server-template        : -                                          
3、Open debug information on S9300, radius that code=1 send packet, there is no code=2 or 3 return packet.
<WZ-CX-S9312-1>debug radius packet 
*0.4031110899 WZ-CX-S9312-1 RDS/7/debug2:                                      
  Radius Sent a Packet                                                         
  Server Template: 0                                                           
  Server IP   : x.x.128.82                                                   
  Protocol: Standard                                                           
  Code    : 1                                                                  
  Len     : 218                                                                
  ID      : 14                                                                 
  [NAS-IP-Address(4)                  ] [6 ] [x.x.71.154]     
nas-ip default the address of optimal route, there nas-ip is upstream outer interface address x.x.71.154, it doubt that both side nas-ip differ cause that.
4、confirm that Radius Server binding address is lookback address of 9300, modify nas-ip address of S9300 to loolback address, modify configuration is as follows:
radius-server template system          
radius-server authentication x.x.128.82 1645 source LoopBack 0
Test after modify, radius authentication is successful, failure is solved.

Root Cause

1. Link or route peoblem
2. Configuration prolem
3. nas-ip and radius server binding differ
4. Device or version reason


9300 configure radius authentication configuration:
radius-server template system                                                  
radius-server shared-key wzwg                                                 
radius-server authentication x.x.128.82 1645 source LoopBack 0
undo radius-server user-name domain-included 

local-user wznetcom password cipher S""O/9EHNHWQ=^Q`MAF4<1!!                  
local-user wznetcom service-type ftp telnet ssh                               
local-user wznetcom level 1                                                   
local-user wznetcom ftp-directory cfcard:/                                    
authentication-scheme default                                                 
  authentication-mode  radius  local                                           
authorization-scheme default                                                  
accounting-scheme default                                                     
domain default                                                                
  radius-server system  
  user-interface vty 0 14                                                        
authentication-mode aaa