No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

User Login Authentication Fails When the SSH Server and RADIUS Server Association Is Configured on an ME60 V600R008C10SPC300

Publication Date:  2019-07-28 Views:  96 Downloads:  0

Issue Description

User login authentication failures when the SSH server and RADIUS server association is configured on an ME60 V600R008C10SPC300.
Key configuration:
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
#
stelnet server enable
ssh authentication-type default password  
#
 domain default_admin
  authentication-scheme pku-radius
  authorization-scheme pku-radius
  accounting-scheme none
  radius-server group telnet
#
 authentication-scheme pku-radius
  authentication-mode radius local
 #
authorization-scheme pku-radius
  authorization-mode local if-authenticated
 #
 accounting-scheme none
  accounting-mode none                    
 #
#
radius-server group telnet
 radius-server authentication x.x.x.252 1812 weight 0
 radius-server shared-key xxxx
 radius-server source interface GigabitEthernet2/0/0.100
 radius-server attribute translate
 undo radius-server user-name domain-included
#

Handling Process

Check the causes of the login failure.

https://support.huawei.com/enterprisecase/product/images/cd855abd59e641a3b4e60096efa69c89

 

Root Cause

The server delivers the user login level through the Radius Login-Service attribute. The device does not identify this attribute, leading to a user login failure.

Solution

#
radius-server group telnet
 radius-server authentication x.x.x.252 1812 weight 0
 radius-server shared-key xxxx
 radius-server source interface GigabitEthernet2/0/0.100
 radius-server attribute translate
 undo radius-server user-name domain-included
 radius-attribute disable Login-Service receive       //
Disable the device from receiving packets carrying this RADIUS attribute.
#

END