Radius authentication through management interface fails

Publication Date: 2016-07-31

Issue Description

On a CloudEngine 6800, the customer was using RADIUS authentication for SSH via the management interface, and the authentication failed.

Software version



radius server group rtve
radius server shared-key-cipher xxxxxxxxxxxxxxxxxx
radius server authentication x.x.128.28 1812
radius server accounting x.x.128.28 1813
radius server retransmit 2
radius server source interface MEth0/0/0
radius server user-name domain-excluded

authentication-scheme default
  authentication-mode radius local
authentication-scheme auth
  authentication-mode local radius
authorization-scheme default
accounting-scheme default
accounting-scheme abc
  accounting-mode radius
domain default
domain default_admin
  authentication-scheme auth
  accounting-scheme abc
  adminuser-priority 15
  radius server group rtve

stelnet server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa
ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc blowfish_cbc
ssh server hmac sha2_256_96 sha2_256 sha1 sha1_96
interface MEth0/0/0
ip address

Alarm Information

None. The user cannot log in to the system by SSH.

Handling Process

1. First, check whether the RADIUS server is reachable from the CE switch. Ping from the RADIUS server to the MEth0/0/0 interface IP and in the reverse direction was successful.

2. The next step is to debug the AAA system while the user is trying to connect to the system by SSH.

Open debugging
<R7_U18_CE6850> debugging radius all
<R7_U18_CE6850>t d
Info: Current terminal debugging is on.
<R7_U18_CE6850>t m
Info: Current terminal monitor is on.

Try to connect by SSH/STelnet.
Collect the debugging output.

At this step, the system returned no debugging output unless the customer tried to access the system with a local user. Remote users defined on the RADIUS server did not produce any output.

Root Cause

Since AAA didn't trigger any kind of logging for remote RADIUS-defined users, I reviewed the SSH configuration again. It looks like the customer defined only one user locally in the system.

ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa

For this user, the authentication succeeded.


Of course, defining all users locally on the CE switch is not scalable, but with “ssh authentication-type default password” configured, the system will allow RADIUS authentication for all users that connect over SSH.


# Configure the password authentication mode for an SSH user.
<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password
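
A configuration check for the condition found in this case, as an added example (not part of the original case and not Huawei code): it reads a saved configuration and reports whether users that exist only on the RADIUS server would be stopped at the SSH server before AAA is consulted. The function name `audit_ssh_radius`, the result keys and the sample excerpt are assumptions made for this illustration.

```python
import re

# Constructed excerpt of the configuration shown in this case.
SAMPLE_CONFIG = """\
authentication-scheme auth
  authentication-mode local radius
domain default_admin
  authentication-scheme auth
  radius server group rtve
stelnet server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin service-type all
ssh authorization-type default aaa
"""

def audit_ssh_radius(config: str) -> dict:
    """Check whether RADIUS-only accounts can get past the SSH server to AAA.

    Assumption taken from this case: a user without an `ssh user` entry is
    only handed to AAA when `ssh authentication-type default password` is set.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    radius_schemes, current = set(), None
    for ln in lines:
        m = re.fullmatch(r"authentication-scheme (\S+)", ln)
        if m:
            current = m.group(1)  # scheme the next authentication-mode belongs to
        elif current and ln.startswith("authentication-mode "):
            if "radius" in ln.split()[1:]:
                radius_schemes.add(current)
    ssh_users = sorted({m.group(1) for ln in lines
                        if (m := re.match(r"ssh user (\S+)", ln))})
    default_password = "ssh authentication-type default password" in lines
    ssh_enabled = "stelnet server enable" in lines
    return {
        "radius_schemes": sorted(radius_schemes),
        "ssh_users": ssh_users,  # only these names can log in without the default
        "default_password_auth": default_password,
        "radius_only_users_blocked":
            ssh_enabled and bool(radius_schemes) and not default_password,
    }

if __name__ == "__main__":
    print(audit_ssh_radius(SAMPLE_CONFIG))
    print(audit_ssh_radius(SAMPLE_CONFIG + "ssh authentication-type default password\n"))
```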