RADIUS Authentication Fails Because an Incorrect NAS IP Address Is Bound to the RADIUS Server

Publication Date: 2012-07-27
Issue Description
 S9300 version:
PC------Intermediate network-----S9300-------IP bearer network------Radius server
Problem symptom:
RADIUS authentication fails on the S9300. 


Alarm Information

Handling Process

1. Testing shows that the S9300 can ping the RADIUS server without packet loss, so the route is reachable.
2. The configuration is as follows:
<WZ-CX-S9312-1>display radius-server configuration
Server-template-name : system
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : wzwg
Timeout-interval(in second) : 5
Primary-authentication-server :
Primary-accounting-server :
Secondary-authentication-server :
Secondary-accounting-server :
Retransmission : 3
Domain-included : NO
<WZ-CX-S9312-1>display domain default
Domain-name : default
Domain-state : Active
Authentication-scheme-name : default
Accounting-scheme-name : default
Authorization-scheme-name : default
Web-IP-address : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Idle-data-attribute (time,flow) : 0, 60
User-access-limit : 384
Online-number : 2
RADIUS-server-template : system
HWTACACS-server-template : -
The authentication scheme, RADIUS server template, and domain are configured correctly.
3. Enable debugging on the S9300. The output shows that only a RADIUS packet with code 1 (Access-Request) is sent to the server, and no response packet with code 2 (Access-Accept) or 3 (Access-Reject) is received.
<WZ-CX-S9312-1>debug radius packet
*0.4031110899 WZ-CX-S9312-1 RDS/7/debug2:
Radius Sent a Packet
Server Template: 0
Server IP :
Protocol: Standard
Code : 1
Len : 218
ID : 14
[NAS-IP-Address(4) ] [6 ] []
By default, the NAS IP address is the address of the outbound interface on the optimal route. According to the preceding information, the NAS IP address, that is, the IP address of the uplink outbound interface, is It is inferred that the NAS IP addresses at both ends are different.
4. It is confirmed that the RADIUS server is bound to the S9300 loopback address. Therefore, the NAS IP address of the S9300 is changed to the loopback address. The changed configuration is as follows:
radius-server template system
radius-server authentication 1645 source LoopBack 0
After the change, RADIUS authentication succeeds and the problem is solved. 
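The check behind steps 3 and 4, as an added example that is not part of the original case or of any Huawei tooling: it parses the NAS-IP-Address attribute (type 4, length 6) out of an Access-Request and compares it, together with the packet source address, against the client addresses bound on the server. The addresses, the user name and the assumption that the server keys its client entries on these addresses are constructed for illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1   # RADIUS code 1, the only packet seen in the debug output
NAS_IP_ADDRESS = 4   # attribute type 4, length 6, as shown in the debug output

def build_access_request(identifier, nas_ip, user=b"testuser"):
    """Build a constructed Access-Request carrying User-Name and NAS-IP-Address."""
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs   # zeroed authenticator: parsing demo only

def nas_ip_of(packet):
    """Return the NAS-IP-Address of an Access-Request, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == NAS_IP_ADDRESS and alen == 6:
            return str(ipaddress.IPv4Address(packet[pos + 2:pos + 6]))
        pos += alen
    return None

def diagnose(packet, source_ip, registered_clients):
    """List the addresses in a request that the server has no client entry for."""
    findings = []
    if source_ip not in registered_clients:
        findings.append(f"source {source_ip} is not a registered client")
    nas_ip = nas_ip_of(packet)
    if nas_ip is not None and nas_ip not in registered_clients:
        findings.append(f"NAS-IP-Address {nas_ip} is not a registered client")
    return findings

# Constructed addresses (documentation ranges), not values from the case.
LOOPBACK, UPLINK = "192.0.2.1", "198.51.100.2"
CLIENTS = {LOOPBACK}   # the server has the loopback address bound

if __name__ == "__main__":
    print(diagnose(build_access_request(14, UPLINK), UPLINK, CLIENTS))      # before the change
    print(diagnose(build_access_request(14, LOOPBACK), LOOPBACK, CLIENTS))  # after the change
```

A server that has no client entry for the sending address discards the request without replying, which matches the symptom of a code 1 packet with no code 2 or 3 response.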


Root Cause
 1. The link is faulty or the route is unreachable.
2. The configuration is incorrect.
3. An incorrect NAS IP address of the S9300 is bound to the RADIUS server.
4. The S9300 is faulty or the version is incorrect. 


The S9300 RADIUS authentication configuration is as follows:
radius-server template system
radius-server shared-key wzwg
radius-server authentication 1645 source LoopBack 0
undo radius-server user-name domain-included

local-user wznetcom password cipher S""O/9EHNHWQ=^Q`MAF4<1!!
local-user wznetcom service-type ftp telnet ssh
local-user wznetcom level 1
local-user wznetcom ftp-directory cfcard:/
authentication-scheme default
authentication-mode radius local
authorization-scheme default
accounting-scheme default
domain default
radius-server system

user-interface vty 0 14
authentication-mode aaa