
VRP Troubleshooting - VAS

Contents

1 AAA Troubleshooting 1-1
1.1 AAA Overview 1-2
1.1.1 AAA, RADIUS and HWTACACS 1-2
1.1.2 Domain and Address Pool 1-5
1.1.3 Schemes and Modes 1-5
1.1.4 Server Templates 1-6
1.2 Troubleshooting Local User Authentication 1-7
1.2.1 Typical Networking 1-7
1.2.2 Configuration Notes 1-7
1.2.3 Troubleshooting Flowchart 1-9
1.2.4 Troubleshooting Procedure 1-10
1.3 Troubleshooting RADIUS Authentication 1-10
1.3.1 Typical Networking 1-11
1.3.2 Configuration Notes 1-11
1.3.3 Troubleshooting Flowchart 1-14
1.3.4 Troubleshooting Procedure 1-15
1.4 Troubleshooting HWTACACS Authentication 1-17
1.4.1 Typical Networking 1-17
1.4.2 Configuration Notes 1-18
1.4.3 Troubleshooting Flowchart 1-21
1.4.4 Troubleshooting Procedure 1-22
1.5 Troubleshooting Cases 1-23
1.5.1 FTP User Fails to Pass Through RADIUS Authentication 1-23
1.5.2 HWTACACS User Fails to Get the Delivered Address 1-25
1.6 FAQs 1-26
1.7 Diagnostic Tools 1-30
1.7.1 display Commands 1-30
1.7.2 debugging Commands 1-32

Issue 01 (2008-08-20)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Figures

Figure 1-1 RADIUS message structure 1-2
Figure 1-2 Attribute format 1-4
Figure 1-3 Networking diagram of local authentication 1-7
Figure 1-4 Troubleshooting flowchart of the local user authentication 1-9
Figure 1-5 Networking diagram of RADIUS authentication 1-11
Figure 1-6 Troubleshooting flowchart of RADIUS authentication 1-14
Figure 1-7 Networking diagram of HWTACACS authentication 1-17
Figure 1-8 Troubleshooting flowchart of HWTACACS authentication 1-21
Figure 1-9 Networking diagram of the RADIUS authentication 1-23
Figure 1-10 Networking diagram of HWTACACS authentication 1-25


1 AAA Troubleshooting

About This Chapter

The following table shows the contents of this chapter.

Section: 1.1 AAA Overview
Description: This section describes the knowledge you need to know before troubleshooting AAA.

Section: 1.2 Troubleshooting Local User Authentication
Description: This section describes the notes about configuring the local user authentication, and provides the local user authentication troubleshooting flowchart and the troubleshooting procedure in a typical local user authentication network.

Section: 1.3 Troubleshooting RADIUS Authentication
Description: This section describes the notes about configuring the RADIUS authentication, and provides the RADIUS authentication troubleshooting flowchart and the troubleshooting procedure in a typical RADIUS authentication network.

Section: 1.4 Troubleshooting HWTACACS Authentication
Description: This section describes the notes about configuring the HWTACACS authentication, and provides the HWTACACS authentication troubleshooting flowchart and the troubleshooting procedure in a typical HWTACACS authentication network.

Section: 1.5 Troubleshooting Cases
Description: This section presents several troubleshooting cases.

Section: 1.6 FAQs
Description: This section lists frequently asked questions and their answers.

Section: 1.7 Diagnostic Tools
Description: This section describes common diagnostic tools: display commands and debugging commands.


1.1 AAA Overview


This section describes the basic concepts and information about AAA, RADIUS, and HWTACACS.

1.1.1 AAA, RADIUS and HWTACACS


AAA

AAA stands for Authentication, Authorization, and Accounting. It contains the following three types of security services:
Authentication: specifies what kind of user can access the network.
Authorization: specifies what kind of service the user can use.
Accounting: records the network resource utilization of the user.

AAA adopts the server/client model, in which the client runs on the resource side and the server stores information about the user. This model has good extensibility and is helpful in managing users. The two communication protocols used between the client and the server are as follows:
The Remote Authentication Dial-In User Service (RADIUS) protocol
The Huawei Terminal Access Controller Access Control System (HWTACACS) protocol (HWTACACS is an enhancement of TACACS)

RADIUS
RADIUS is used for communication between the Network Access Server (NAS) and the RADIUS server on the application layer. RADIUS adopts the server/client model, in which the client runs on the resource side and the server stores information about the user. RADIUS is carried over UDP and, to assure reliability, adopts a retransmission mechanism and a backup server mechanism. The authentication and accounting ports adopted by RADIUS are 1645/1646 or 1812/1813. Figure 1-1 shows the RADIUS packet format.

Figure 1-1 RADIUS message structure: Code (1 byte), Identifier (1 byte), Length (2 bytes), Authenticator (16 bytes), Attribute (variable length)

Code

Code contains one byte, indicating the RADIUS message type. The common code values are as follows.

Value: 1
Packet type: Access-request
Indication: Sending an authentication request
Description: An NAS sends an authentication request to a RADIUS server.

Value: 2
Packet type: Access-accept
Indication: Accepting the authentication request
Description: A RADIUS server sends a response packet to accept the authentication request.

Value: 3
Packet type: Access-reject
Indication: Rejecting the authentication request
Description: A RADIUS server sends a response packet to reject the authentication request.

Value: 4
Packet type: Accounting-request
Indication: Sending an accounting request
Description: A NAS sends an accounting request to a RADIUS server.

Value: 5
Packet type: Accounting-response
Indication: Responding to the accounting request
Description: A RADIUS server responds to a certain accounting request packet.

There are three types of accounting packets. They are distinguished by the value of the No. 40 attribute:
Value of the No. 40 attribute is 1: accounting start packets
Value of the No. 40 attribute is 3: accounting stop packets
Value of the No. 40 attribute is 2: hot billing packets

Identifier

Identifier contains one byte. It is used to match request packets with their response packets.

Length

Length contains two bytes, indicating the total length of all fields.

Authenticator

Authenticator contains 16 bytes. It is used to authenticate the response packets sent by a RADIUS server and as input to the password hiding algorithm. Authenticator is divided into the following:
Request Authenticator
Response Authenticator

Attribute

Attribute has a flexible length. It consists of various attributes. Figure 1-2 shows the attribute format.


Figure 1-2 Attribute format: Type (1 byte), Length (1 byte), Value (variable length)

Type: indicates the attribute type.
Length: indicates the length of every attribute. It contains one byte.
Value: indicates the attribute value. It is flexible.

The NAS works as the client of RADIUS. It supports:

Standard RADIUS protocol and extended attributes, including RFC2865 and RFC2866
Extended RADIUS+1.1 protocol of Huawei
Active detection on the RADIUS server state: After receiving an AAA authentication or accounting message, the NAS enables the server detection if the status of the server is Down. It then transforms the message into a packet and sends the packet to the current server. The NAS regards the server as normal only after receiving a response packet from the current server.
Local buffer retransmission of Accounting Stop packets: If the number of retransmission events exceeds the configured value, packets are saved to the buffer queue. The system timer periodically scans the queue, extracts the packets, sends them to the specific server, and enables the waiting timer. If the transmission fails or no response packet is received from the server within the timeout time, the packet is put back into the buffer queue.
Auto-switch of the RADIUS server: If the waiting timer expires and the current server is Down, or the number of retransmission events exceeds the maximum, another server in the server group assumes the role of the current server to transmit packets.
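The following Python script is an added example, not code from the Huawei document. It builds an Access-request in the Figure 1-1 and Figure 1-2 layout, hides the password with the shared key and the Request Authenticator as RFC 2865 specifies, and checks the Response Authenticator of the server's reply, which is what the Authenticator field is for. The user name, password and addresses are constructed sample values (the key huawei and the NAS address 192.168.1.1 are the ones used in this chapter's sample configuration). It goes slightly beyond the text by also showing the effect of the user name format setting from section 1.3.2: when the domain is not included, the server sees only the part before "@".

```python
# Added example, not from the Huawei document: the RADIUS message and attribute layout
# of section 1.1.1 (RFC 2865), password hiding with the Request Authenticator, and
# Response Authenticator checking. Standard library only; the user name, password and
# addresses below are constructed sample values.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # Code values from the document's table
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute Types used here
HEADER = struct.Struct("!BBH16s")  # Figure 1-1: Code, Identifier, Length, Authenticator (20 bytes)

def _xor_blocks(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the first
    'previous block' is the Request Authenticator, later ones are the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, request_auth):
    """NAS side: pad the password to a multiple of 16 bytes (at least one block), then hide it."""
    data = password.encode()
    data += b"\x00" * ((-len(data)) % 16 or (16 if not data else 0))
    return _xor_blocks(data, secret, request_auth, hiding=True)

def unhide_password(hidden, secret, request_auth):
    """Server side; a wrong shared key yields garbage (the case of section 1.3.4 step 3)."""
    return _xor_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00").decode(errors="replace")

def encode_attributes(attrs):
    """Figure 1-2: Type, Length (which includes its own 2-byte header), Value of at most 253 bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute %d too long" % attr_type)
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out

def decode_attributes(blob):
    """Walk the TLV list; a Length under 2 or one running past the packet is malformed."""
    attrs, pos = [], 0
    while pos < len(blob):
        length = blob[pos + 1] if pos + 1 < len(blob) else 0
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((blob[pos], blob[pos + 2:pos + length]))
        pos += length
    return attrs

def build_packet(code, ident, authenticator, attrs_blob):
    return HEADER.pack(code, ident, HEADER.size + len(attrs_blob), authenticator) + attrs_blob

def parse_packet(data):
    """Length covers every field (section 1.1.1), so it must equal the datagram size."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("Length %d does not match datagram size %d" % (length, len(data)))
    return {"code": code, "id": ident, "length": length, "authenticator": auth,
            "attrs": decode_attributes(data[HEADER.size:])}

def build_access_request(login, password, secret, nas_ip, ident, request_auth, domain_included=True):
    """NAS side. After 'undo radius-server user-name domain-included' (section 1.3.2) the text
    from '@' on is stripped, so the RADIUS server must hold the bare user name."""
    user = login if domain_included else login.rsplit("@", 1)[0]
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, encode_attributes(attrs))

def response_authenticator(code, ident, attrs_blob, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs_blob))
    return hashlib.md5(head + request_auth + attrs_blob + secret).digest()

def build_response(code, ident, request_auth, secret, attrs=()):
    """Server side: the Response Authenticator binds the reply to one request and to the key."""
    blob = encode_attributes(list(attrs))
    return build_packet(code, ident, response_authenticator(code, ident, blob, request_auth, secret), blob)

def verify_response(data, request_auth, secret):
    """NAS side: a reply that does not verify was not built with our key (or was altered)."""
    pkt = parse_packet(data)
    expected = response_authenticator(pkt["code"], pkt["id"], data[HEADER.size:], request_auth, secret)
    return hmac.compare_digest(pkt["authenticator"], expected)

def demo(request_auth=None):
    """Constructed walk-through; the key 'huawei' and NAS address 192.168.1.1 come from the
    document's sample configuration, everything else is made up."""
    secret = b"huawei"
    request_auth = request_auth or os.urandom(16)  # fresh and unpredictable for every request
    req = build_access_request("user001@huawei", "abc123", secret, "192.168.1.1", 7,
                               request_auth, domain_included=False)
    parsed = parse_packet(req)
    attrs = dict(parsed["attrs"])
    accept = build_response(ACCESS_ACCEPT, parsed["id"], request_auth, secret)
    return {
        "request_length": parsed["length"],  # 20-byte header + 9 + 18 + 6 bytes of attributes
        "user_name_seen_by_server": attrs[USER_NAME].decode(),
        "hidden_password_length": len(attrs[USER_PASSWORD]),  # 'abc123' padded to one block
        "password_recovered": unhide_password(attrs[USER_PASSWORD], secret, request_auth),
        "password_with_wrong_key": unhide_password(attrs[USER_PASSWORD], b"wrong", request_auth),
        "accept_verifies": verify_response(accept, request_auth, secret),
        "accept_verifies_with_wrong_key": verify_response(accept, request_auth, b"wrong"),
    }
```

Two details matter when reading the `debugging radius packet` output later in this chapter: a password of 1 to 16 characters always produces a Password attribute of Length 18 (2-byte header plus one hidden block), and a shared key mismatch does not produce a parse error on either side; the server simply recovers a wrong password and rejects, while the NAS discards a reply whose Response Authenticator does not verify. Both symptoms look like "packets flow but authentication fails".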

HWTACACS

HWTACACS provides the AAA service for communication between the NAS and the HWTACACS server. HWTACACS is an extended version of the TACACS protocol (RFC1492). Similar to RADIUS, it adopts a client/server mode to implement AAA between users and the HWTACACS server. HWTACACS differs from RADIUS in the following aspects:
RADIUS is based on UDP while HWTACACS is based on TCP.
RADIUS performs authentication together with authorization while HWTACACS separates them.
RADIUS encrypts only the password field in the authentication packet while HWTACACS encrypts the whole packet.


1.1.2 Domain and Address Pool


Domain

Most AAA configurations are related to the domain. The NAS divides users into different groups based on the character string that follows the "@" in the user name. For example, user0001@isp1 belongs to the domain isp1 and user0002@isp2 belongs to the domain isp2. If there is no "@" in the user name, the user belongs to the default domain.

The users in the same domain have similar attributes. The configurations in a domain view affect all users in this domain, and the domain resources can be used by all the users in this domain. You can configure authentication, authorization, and accounting schemes in a domain view. For the default domain, AAA adopts the default schemes. In addition, you can configure a RADIUS or a HWTACACS server template.

Address Pool

PPP users can use PPP address negotiation to obtain an IP address for the local interface from the NAS. The methods are as follows:
Use the remote address command in the interface view to allocate an IP address to the peer.
Configure an address pool in the AAA view and then use the remote address pool command to allocate an address from the address pool to the peer.

Allocating the address from the address pool is more flexible and convenient. In addition, the address pool can be used together with the domain: configure a global address pool in the AAA view and a domain address pool in the domain view. Users in the domain use the domain address pool preferentially.

1.1.3 Schemes and Modes


Authentication Schemes and Modes

AAA supports four authentication modes:
Local authentication
Non-authentication
RADIUS authentication
HWTACACS authentication

It also allows any combination of the four modes. The authentication-mode radius local command uses the RADIUS authentication mode first; if it fails, the local authentication is adopted. The non-authentication mode should be adopted as the last option. Configure the authentication mode in the authentication scheme view. By default, local authentication is used.


Authorization Schemes and Modes

AAA supports four authorization modes:
Local authorization
Direct authorization
If-authenticated authorization
HWTACACS authorization

It also allows any combination of the four modes. The authorization-mode hwtacacs local command uses the HWTACACS authorization mode first; if it fails, the local authorization is adopted. In a combination that contains the direct authorization, direct should be in the last place, as in authorization-mode hwtacacs local none. By default, the local authorization mode is used. RADIUS performs authentication together with authorization, so there is no separate RADIUS authorization mode.

Accounting Schemes and Modes

AAA supports six accounting modes:
Local accounting
Non-accounting
RADIUS accounting
HWTACACS accounting
Combination of RADIUS and local accounting
Combination of HWTACACS and local accounting

Configure the hot billing interval in the accounting scheme. By default, the interval is five minutes. By default, the non-accounting mode is used.

1.1.4 Server Templates


RADIUS Server Template

The RADIUS server template describes the details of the RADIUS server. In the RADIUS server template, you can configure the authentication and accounting servers and, as required, backup authentication and accounting servers. Configure the shared key in the RADIUS server template; it must be the same as that on the server side. RADIUS supports a specified source address: you can configure the IP address of a specified loopback interface as the source address of RADIUS packets sent to the RADIUS server. After configuring a RADIUS server template, associate the template name with a domain in the corresponding domain view.


HWTACACS Server Template

The HWTACACS server template differs from the RADIUS server template in the following aspects:
It contains an authorization server and a backup authorization server.
It supports packets with the source address configured directly instead of the address of a loopback interface.

After configuring a HWTACACS template, associate the template name with a domain in the corresponding domain view.

1.2 Troubleshooting Local User Authentication


This section covers the following topics:
Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure

1.2.1 Typical Networking


Figure 1-3 shows the typical networking diagram of local authentication.

Figure 1-3 Networking diagram of local authentication: Client (PPP, Serial4/0/0, 9.1.1.1) connected to Host (PPP, Serial1/1/0, 9.1.1.2)

1.2.2 Configuration Notes


Item: Configuring serial interfaces on the client side
Sub-item: Configuring IP address
Description: The IP address on the client side must be in the same network segment as that on the host side.
Sub-item: Configuring PAP user authentication
Description: The PAP user name and password configured on the client side should be consistent with those on the host side.

Item: Configuring serial interfaces on the host side
Sub-item: Configuring IP address
Description: The IP address on the host side should be in the same network segment as that on the client side.
Sub-item: Configuring the PPP authentication
Description: The PAP user name and password configured on the host side should be consistent with those on the client side.

Item: Configuring AAA on the host side
Sub-item: Domain
Description: Configure the domain to which the PAP user belongs.
Sub-item: Local user
Description: Configure the local user in the AAA view.

The following covers part of the commands for configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security.

Configuring the Serial Interface On the Client Side


Configure an IP address for the serial interface. In the PPP PAP mode, you also need to configure the user name and the password.

<Quidway> system-view
[Quidway] interface Serial 4/0/0
[Quidway-Serial4/0/0] ip address 9.1.1.1 255.255.255.0
[Quidway-Serial4/0/0] ppp pap local-user user001@huawei password simple abc123
[Quidway-Serial4/0/0] quit

Configuring the Serial Interface On the Host Side


Configure an IP address for the serial interface and set the PPP authentication mode to PAP.

[Quidway] interface Serial 1/1/0
[Quidway-Serial1/1/0] ip address 9.1.1.2 255.255.255.0
[Quidway-Serial1/1/0] ppp authentication-mode pap
[Quidway-Serial1/1/0] quit

Configuring AAA On the Host Side


Use the local authentication mode.

[Quidway] aaa
[Quidway-aaa] display this
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#

Configure the local user and the domain. Set the PAP user user001@huawei on the client side as the local user.

[Quidway-aaa] local-user user001@huawei password simple abc123
[Quidway-aaa] domain huawei


By default, the newly configured domain is in local authentication mode. So the PAP user user001@huawei should also adopt such a mode. After passing through the local authentication, PPP link authentication succeeds.

1.2.3 Troubleshooting Flowchart


Figure 1-4 Troubleshooting flowchart of the local user authentication (the figure is not reproduced; its decision path is as follows)

1. In PAP mode, the local user authentication fails.
2. Is the PPP link normal? If not, ensure that PPP is in the Up state when no authentication mode is configured. If the fault disappears, end.
3. Is the PAP configuration correct? If not, modify PAP. If the fault disappears, end.
4. Is the AAA configuration correct? Check whether the user domain is configured and whether the local authentication mode is configured, and ensure that the password of the local user is the same as that used in PAP. If the fault disappears, end.
5. If the fault persists, seek technical support.

1.2.4 Troubleshooting Procedure


Step 1 Check the PPP link.

If PAP mode is not used, check that the PPP link is Up.

# Configure the serial interface on the client side.
[Quidway] interface Serial 4/0/0
[Quidway-Serial4/0/0] ip address 9.1.1.1 255.255.255.0
[Quidway-Serial4/0/0] quit

# Configure the serial interface on the host side.
[Quidway] interface Serial 1/1/0
[Quidway-Serial1/1/0] ip address 9.1.1.2 255.255.255.0
[Quidway-Serial1/1/0] quit

In the normal situation, the host can ping 9.1.1.1. Using the display this interface command in the interface view, you can see that LCP and IPCP are "opened". If the PPP link is Up, continue with the following.

Step 2 Check PAP.

Debug PAP on each interface. The following display indicates that PAP is not configured on the peer and the LCP negotiation fails.
%Sep 16 14:01:54 2005 Quidway PPP/5/NEGOTIATEFAIL:Slot=3;Serial3/0/0:0: We want to negotiate pap , but the peer doesn't have pap configuration. So LCP negotiate fail, PPP session will be closed.

If PAP authentication succeeds, continue with the following.

Step 3 Check AAA.

Based on the preceding two steps, you can infer that there is something wrong with AAA. In such cases, check AAA as follows:
1. Use the display this command in the AAA view to check that the domain huawei exists.
2. Check whether the user type is consistent with that configured in AAA. You can use the display local-user command in the user interface view.
3. Check whether the authentication scheme of the domain huawei, the default authentication scheme, or the authentication scheme configured for the user is in local authentication mode.
4. Check that user001@huawei is configured in the AAA view and that the password of user001 agrees with that of the PAP user.

If the fault persists, contact Huawei technical personnel.

----End

1.3 Troubleshooting RADIUS Authentication


This section covers the following topics:
Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure

1.3.1 Typical Networking


Figure 1-5 shows the networking of RADIUS authentication.

Figure 1-5 Networking diagram of RADIUS authentication: Remote User connected over ISDN/PSDN to the NAS, which communicates with the RADIUS Server

1.3.2 Configuration Notes


Item: Configuring the RADIUS server template
Sub-item: Configuring the authentication server
Description: The IP address and port of the RADIUS authentication server are configured. Note that the port on the template must be the same as that configured on the RADIUS server.
Sub-item: Configuring the accounting server
Description: The IP address and port of the RADIUS accounting server are configured. Note that the port on the template must be the same as that configured on the RADIUS server.
Sub-item: Configuring the shared key
Description: The shared key of the RADIUS server template should be the same as that on the RADIUS server.
Sub-item: Configuring the user name format
Description: The user name can either contain a domain name or not. In this example, the user name contains no domain name.

Item: Configuring AAA
Sub-item: Configuring the authentication scheme
Description: The RADIUS authentication mode is adopted.
Sub-item: Configuring the accounting scheme
Description: The RADIUS accounting mode is adopted.
Sub-item: Configuring the domain huawei
Description: A domain named huawei is created and is associated with the authentication scheme, the accounting scheme, and the RADIUS server template in the domain view.

Item: Enabling FTP server
Sub-item: Enabling FTP server
Description: None.

Item: Configuring the RADIUS server
Sub-item: Configuring authentication and accounting ports
Description: For example, 1812 is the authentication port number and 1813 is the accounting port number.
Sub-item: Configuring IP address and shared key for the NAS
Description: Note that the shared key of the NAS should be the same as that on the RADIUS server template.
Sub-item: Configuring user001
Description: In this example, the domain name is not included in the user name. You need to configure the password for user001. In addition, you need to configure the FTP directory delivery on the RADIUS server.

The following covers part of the commands for configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security. RADIUS servers differ in their configuration, but they have something in common: they all support the preceding configurations.

Creating A RADIUS Server Template


Create a RADIUS server template and configure the IP addresses and ports of the authentication server and the accounting server for it. Note that:
The IP addresses of the RADIUS servers are routable.
The port configurations on the NAS should be the same as the port configurations on the server.
The shared key on the NAS should be the same as the shared key on the servers.
In this example, the user name does not contain the domain name.

<Quidway> system-view
[Quidway] radius-server template rt_huawei
[Quidway-radius-rt_huawei] radius-server authentication 192.168.1.202 1812
[Quidway-radius-rt_huawei] radius-server accounting 192.168.1.202 1813
[Quidway-radius-rt_huawei] radius-server shared-key huawei
[Quidway-radius-rt_huawei] undo radius-server user-name domain-included
[Quidway-radius-rt_huawei] quit

Configuring AAA

Create a RADIUS authentication scheme and a RADIUS accounting scheme. Create a domain named huawei. Configure the authentication scheme, the accounting scheme, and the RADIUS server template in the domain view.

[Quidway] aaa
[Quidway-aaa] authentication-scheme radius
[Quidway-aaa-authen-radius] authentication-mode radius
[Quidway-aaa-authen-radius] quit
[Quidway-aaa] accounting-scheme radius
[Quidway-aaa-accounting-radius] accounting-mode radius
[Quidway-aaa-accounting-radius] quit
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme radius
[Quidway-aaa-domain-huawei] accounting-scheme radius
[Quidway-aaa-domain-huawei] radius-server rt_huawei
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Enabling the FTP Server


Enable the FTP server in the system view of the NAS.

[Quidway] ftp server enable
Info:Start FTP server

Configuring the RADIUS server


Configure the RADIUS server based on its help files. Configure the following items:
The authentication and the accounting ports
An IP address and the shared key for the NAS
The user name, the password, and the authorization information

Check whether AAA takes effect on the RADIUS server using the tool provided by the operating system.


1.3.3 Troubleshooting Flowchart


Figure 1-6 Troubleshooting flowchart of RADIUS authentication (the figure is not reproduced; its decision path is as follows)

1. The FTP user fails to pass the RADIUS authentication.
2. Is there a login record on the RADIUS server? If not, check whether the NAS can transmit the authentication information to the RADIUS server. If the fault disappears, end.
3. Does the server display failing authentication information? If so, remove the fault based on the failing authentication information. If the fault disappears, end.
4. Can the NAS receive the authorized FTP directory? If not, configure the authentication mode on the RADIUS server correctly. If the fault disappears, end.
5. Can the user log on to the NAS FTP server? If so, end. Otherwise, seek technical support.

1.3.4 Troubleshooting Procedure


Step 1 Check that the RADIUS server displays login records.

In the normal situation, you can view the login records by checking the display on the server. When a user logs in through a RADIUS server, the server records the user name and the successful authentication. Otherwise, it records the fault and the possible causes. If there is no record on the server, the authentication relationship is not set up between the NAS and the RADIUS server. Check the link, the NAS, and the RADIUS server as follows:
1. Check the link. If the link is Down, remove the faults on the link first.
2. On the NAS, check that:
The domain huawei is configured.
The RADIUS authentication mode is configured in the domain view.
The RADIUS server template is configured in the domain view.
The IP addresses and ports of the server are configured.

Then, using the debugging radius packet command, you can view whether RADIUS packets are sent out.
<Quidway> debugging radius packet
<Quidway> terminal debugging
<Quidway> terminal monitor

If debugging is enabled but nothing is displayed, the fault lies in the NAS. You need to check whether the domain is associated with the RADIUS server template. If debugging information exists, you can see the sent RADIUS authentication packet.

*0.264194889 RT1 RDS/8/debug2:
Radius Sent a Packet
Server Template: 0
Server IP: 192.168.1.128
Protocol: Standard
Code: 1
Len: 210
ID: 0
[User-name(1) ] [5 ] [tao]
[Password(2) ] [18] [5220c68cbd7014d96a3c9c5a6750d67e]
[NAS-Port(5) ] [6 ] [0]
[Service-Type(6) ] [6 ] [6]
[Framed-Protocol(7) ] [6 ] [6]
[Framed-IP-Address(8) ] [6 ] [192.168.1.202]
[NAS-Identifier(32) ] [5 ] [RT1]
[NAS-Port-Type(61) ] [6 ] [5]
[NAS-Port-Id(87) ] [34] [slot=0;subslot=0;port=0;vlanid=0]
[Login-IP-Host(14) ] [6 ] [3232235978]
[NAS-Startup-Timestamp(26-59) ] [6 ] [952825733]
[Ip-Host-Addr(26-60) ] [33] [192.168.1.202 ff:ff:ff:ff:ff:ff]
[Connect_ID(26-26) ] [6 ] [6000]
*0.264196064 RT1 RDS/8/debug2:
[Version(26-254) ] [30] [Huawei VRP Software Version ]
[Product-ID(26-255) ] [5 ] [VRP]
[NAS-IP-Address(4) ] [6 ] [192.168.1.1]

The preceding display indicates that the RADIUS authentication packet has been sent out. You then need to check whether the response packet is received. If the following display prompts, it indicates that the authentication server is not started. You then need to check the RADIUS authentication server.
#Mar 12 01:49:08 2000 RT1 RDS/5/RDAUTHDOWN:RADIUS authentication server(IP 192.168.1.128) is down!
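Reading such a dump by hand is error-prone, so the following Python script is an added example (not part of the Huawei document) that parses the sent-packet dump, transcribed from this section into the DUMP constant, and applies the checks a practitioner would make: that Len equals the 20-byte header plus the listed attribute lengths, that the Password attribute's Length 18 is the 2-byte header plus one 16-byte hidden block, and what the integer-coded Login-IP-Host and NAS-Startup-Timestamp values decode to. The attribute line format and the names of the helper functions are this example's own.

```python
# Added example, not from the Huawei document: decode the 'debugging radius packet'
# output of section 1.3.4 into structured form and sanity-check it. DUMP is transcribed
# from the document's sent-packet display; only the standard library is used.
import re
from datetime import datetime, timezone

DUMP = """\
Radius Sent a Packet
Server Template: 0
Server IP: 192.168.1.128
Protocol: Standard
Code: 1
Len: 210
ID: 0
[User-name(1) ] [5 ] [tao]
[Password(2) ] [18] [5220c68cbd7014d96a3c9c5a6750d67e]
[NAS-Port(5) ] [6 ] [0]
[Service-Type(6) ] [6 ] [6]
[Framed-Protocol(7) ] [6 ] [6]
[Framed-IP-Address(8) ] [6 ] [192.168.1.202]
[NAS-Identifier(32) ] [5 ] [RT1]
[NAS-Port-Type(61) ] [6 ] [5]
[NAS-Port-Id(87) ] [34] [slot=0;subslot=0;port=0;vlanid=0]
[Login-IP-Host(14) ] [6 ] [3232235978]
[NAS-Startup-Timestamp(26-59) ] [6 ] [952825733]
[Ip-Host-Addr(26-60) ] [33] [192.168.1.202 ff:ff:ff:ff:ff:ff]
[Connect_ID(26-26) ] [6 ] [6000]
[Version(26-254) ] [30] [Huawei VRP Software Version ]
[Product-ID(26-255) ] [5 ] [VRP]
[NAS-IP-Address(4) ] [6 ] [192.168.1.1]
"""

# One attribute line: [Name(Type)] or [Name(26-Sub)] for vendor-specific, then [Length], then [Value].
ATTR_RE = re.compile(r"^\[([^\[\]()]+)\((\d+)(?:-(\d+))?\)\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*)\]\s*$")
HEADER_LEN = 20  # Code + Identifier + Length + Authenticator (Figure 1-1)

def parse_dump(text):
    """Return the header fields as strings plus one dict per attribute line."""
    pkt = {"attrs": []}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, attr_type, sub, length, value = m.groups()
            pkt["attrs"].append({"name": name.strip(), "type": int(attr_type),
                                 "vendor_sub": int(sub) if sub else None,
                                 "length": int(length), "value": value})
        elif ":" in line:
            key, value = line.split(":", 1)
            pkt[key.strip()] = value.strip()
        elif line.strip():
            pkt["direction"] = line.strip()  # 'Radius Sent a Packet' / 'Radius Received a Packet'
    return pkt

def int_to_ipv4(n):
    """Address-typed attributes such as Login-IP-Host are shown as a 32-bit integer."""
    return ".".join(str((int(n) >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def check_length(pkt):
    """Len must equal the header plus every attribute Length; a shortfall means the
    attribute lines shown do not account for the whole packet (truncated capture)."""
    declared = int(pkt["Len"])
    computed = HEADER_LEN + sum(a["length"] for a in pkt["attrs"])
    return declared, computed, declared - computed

def analyze(text=DUMP):
    pkt = parse_dump(text)
    by_name = {a["name"]: a for a in pkt["attrs"]}
    declared, computed, unaccounted = check_length(pkt)
    hidden = bytes.fromhex(by_name["Password"]["value"])  # the hidden password blocks
    startup = int(by_name["NAS-Startup-Timestamp"]["value"])  # seconds since the epoch
    return {
        "direction": pkt["direction"],
        "code": int(pkt["Code"]),
        "attr_count": len(pkt["attrs"]),
        "declared_len": declared, "computed_len": computed, "unaccounted_bytes": unaccounted,
        "hidden_password_bytes": len(hidden),
        "password_length_ok": by_name["Password"]["length"] == 2 + len(hidden),
        "login_ip_host": int_to_ipv4(by_name["Login-IP-Host"]["value"]),
        "nas_startup_utc": datetime.fromtimestamp(startup, timezone.utc).isoformat(),
        "vendor_specific": [a["name"] for a in pkt["attrs"] if a["vendor_sub"] is not None],
    }
```

On the dump as printed in this section, the attribute lines sum to 204 bytes against a Len of 210, so the check reports 6 unaccounted bytes; on a live capture that would mean part of the output was lost. The decoded values are consistent with the rest of the section: Login-IP-Host 3232235978 is 192.168.1.202, the RADIUS server address, and NAS-Startup-Timestamp 952825733 is 12 March 2000, the date on the RDAUTHDOWN log line above.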

Step 2 Check the RADIUS authentication server. Check whether the IP address and the port of the authentication server are configured correctly. If so, check whether the RADIUS server runs normally. To check whether the related services are enabled on ports, you can use the diagnostic tool provided by the operating system. If the RADIUS server and the NAS can receive packets from each other, continue to check the following. Step 3 Checking whether the RADIUS server displays failing authentication information. Although the NAS and RADIUS server can communicate, the authentication fails. The reason mainly lies in the RADIUS server. Check that: The NAS address and the shared key are configured on the RADIUS server. The shared key configured on the RADIUS server is consistent with that on NAS. The user is configured on the RADIUS server. Note that the server template configured on the NAS can strip the domain name from the login user name. The password of the user configured on RADIUS server is consistent with that of the login user. If the authentication fails, the output or the login record is displayed. By viewing the records, you can get the causes for the authentication failure. The possible causes are: The user name is non-existent. The password including the shared key on the server is not consistent with that on NAS. The NAS address is not configured. After the preceding check and modification, most authentication faults disappear. If you cannot perform FTP after the authentication succeeds, continue to check the following. Step 4 Checking that NAS can receive the authorized FTP directory. If the FTP login view displays 503 Logged fail, authentication directory is incorrect or Connection closed by remote host, it indicates that the FTP directory authorization is wrong. After RADIUS packets debugging is enabled, you can view that the NAS can receive the debugging information about authentication response packets sent by the RADIUS server.
Radius Received a Packet
  Server Template: 0
  Server IP  : 192.168.1.202
  Server Port: 1812
  Protocol: Standard
  Code : 2
  Len  : 33
  ID   : 15
  [Ftp-Directory ] [7 ] [hda1:]

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Issue 01 (2008-08-20)

The preceding display indicates that the RADIUS server delivers the FTP directory attribute, whose value is hda1. If no such display appears, you need to configure the list of attributes delivered to the user on the RADIUS server. If the fault persists, contact Huawei technical personnel.
----End

1.4 Troubleshooting HWTACACS Authentication


This section covers the following topics:
Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure

1.4.1 Typical Networking


Figure 1-7 shows the typical networking diagram of HWTACACS authentication.

Figure 1-7 Networking diagram of HWTACACS authentication (Remote User -- ISDN/PSDN -- NAS -- HWTACACS Server)


1.4.2 Configuration Notes


Item: Configuring the HWTACACS server template
  Sub-item: Configuring the authentication server
  Description: The IP address and port for the HWTACACS authentication server are configured. Note that the port on the template must be the same as that configured on the HWTACACS server.
  Sub-item: Configuring the authorization server
  Description: The IP address and port for the HWTACACS authorization server are configured. Note that the port on the template must be the same as that configured on the HWTACACS server.
  Sub-item: Configuring the accounting server
  Description: The IP address and port for the HWTACACS accounting server are configured. Note that the port on the template must be the same as that configured on the HWTACACS server.
  Sub-item: Configuring the shared key
  Description: Note that the shared key on the HWTACACS server should be the same as that on the HWTACACS server template.
  Sub-item: Configuring the user name format
  Description: The user name can either contain a domain name or not. In this example, the user name contains no domain name.

Item: Configuring AAA
  Sub-item: Configuring the authentication scheme
  Description: The HWTACACS authentication mode is adopted.
  Sub-item: Configuring the authorization scheme
  Description: The HWTACACS authorization mode is adopted.
  Sub-item: Configuring the accounting scheme
  Description: The HWTACACS accounting mode is adopted.
  Sub-item: Configuring the domain huawei
  Description: A domain named huawei is created, and the configured authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template are applied in the domain.

Item: Configuring the HWTACACS server
  Sub-item: Configuring the authentication, authorization and accounting ports
  Description: In this example, 49 is adopted as the authentication, authorization, and accounting port.
  Sub-item: Configuring an IP address and shared key for the NAS
  Description: The shared key for the NAS should be the same as that configured in the HWTACACS server template.
  Sub-item: Configuring a user named user001
  Description: In this example, the user name contains no domain name. You need to configure the password for user001. In addition, you need to configure the FTP directory delivery attribute.

The following covers some of the commands used in configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security. All servers support the preceding configurations; the details of configuring the HWTACACS server vary with the specific server.

Configuring a HWTACACS Server Template


Create a HWTACACS server template and configure IP addresses and ports for the HWTACACS authentication, authorization, and accounting servers. Note that:
The IP addresses of the HWTACACS servers are reachable.
The port configurations on the NAS should be the same as those on the HWTACACS servers.
The shared key on the NAS should also be the same as that on the server.
In this example, the user name does not contain the domain name.
<Quidway> system-view
[Quidway] hwtacacs-server template ht_huawei
[Quidway-hwtacacs-ht_huawei] hwtacacs-server authentication 192.168.1.202 49
[Quidway-hwtacacs-ht_huawei] hwtacacs-server authorization 192.168.1.202 49
[Quidway-hwtacacs-ht_huawei] hwtacacs-server accounting 192.168.1.202 49
[Quidway-hwtacacs-ht_huawei] hwtacacs-server shared-key huawei
[Quidway-hwtacacs-ht_huawei] undo hwtacacs-server user-name domain-included
[Quidway-hwtacacs-ht_huawei] quit

Configuring AAA
Create a HWTACACS authentication scheme, a HWTACACS authorization scheme, and a HWTACACS accounting scheme. Create a domain named huawei and apply the authentication scheme, the authorization scheme, the accounting scheme, and the HWTACACS server template in this domain.
[Quidway] aaa
[Quidway-aaa] authentication-scheme hwtacacs
[Quidway-aaa-authen-hwtacacs] authentication-mode hwtacacs
[Quidway-aaa-authen-hwtacacs] quit
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] quit
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme hwtacacs
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht_huawei
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Configuring the HWTACACS Server


Configure the HWTACACS server based on its help files. Configure the following items:
The authentication port, the authorization port, and the accounting port
The IP address and the shared key for the NAS
The user name, the password, and the authorization information
Check whether AAA takes effect on the HWTACACS server using the tools provided by the operating system.


1.4.3 Troubleshooting Flowchart


Figure 1-8 Troubleshooting flowchart of HWTACACS authentication (decision sequence recovered from the flowchart)

Start: The Telnet user fails to pass through the HWTACACS authentication.
Is there a login record on the HWTACACS server? If not, check whether the NAS can transmit the authentication information to the HWTACACS server. If the fault disappears, end; otherwise continue.
Does the server show failing authentication information? If yes, remove the fault based on the failing authentication information. If the fault disappears, end; otherwise continue.
Can the NAS receive the authorization for Telnet users? If not, configure the authentication mode on the HWTACACS server correctly. If the fault disappears, end; otherwise continue.
Can the user telnet to the NAS? If yes, end. If not, seek technical support.


1.4.4 Troubleshooting Procedure


Step 1 Check whether the HWTACACS server displays a login record. The procedure is similar to that for the RADIUS server; refer to the check of whether the RADIUS server displays login records.

Step 2 Check whether the HWTACACS server displays failing authentication information. If the NAS and the HWTACACS server can communicate but the authentication fails, the fault lies in the HWTACACS server. Check that:
The NAS address and the shared key are configured on the HWTACACS server.
The shared key configured on the HWTACACS server is consistent with that on the NAS.
The user is configured on the server. Note that the server template configured on the NAS can remove the domain name from the login user name.
The password of the user configured on the server is consistent with that of the login user.
If the authentication fails, you can locate the fault by viewing the login records. The possible causes are:
The user name does not exist.
The password (including the shared key) on the server is not consistent with that on the NAS.
The NAS address is not configured.

Step 3 Check whether the NAS can receive the authorized FTP user class. The display "503 Logged fail, authentication directory is incorrect" or "Connection closed by remote host" in the FTP login interface indicates that the authorized FTP directory is incorrect. Enable HWTACACS packet debugging and you can view that the NAS has received the related authentication response packet from the HWTACACS server:
HWTACACS Received a Packet
  Server Template: 0
  Server IP  : 192.168.1.202
  Server Port: 49
  Protocol: Standard
  Code : 2
  Len  : 33
  ID   : 15
  [Ftp-Directory ] [7 ] [hda1:]

The preceding display indicates that the HWTACACS server delivers the FTP directory attribute, whose value is hda1. If no such display appears, configure the list of attributes to be delivered to the user on the HWTACACS server. If the fault persists, contact Huawei technical personnel.
----End


1.5 Troubleshooting Cases


This section provides the following troubleshooting cases:
FTP User Fails to Pass Through RADIUS Authentication
HWTACACS User Fails to Get the Delivered Address

1.5.1 FTP User Fails to Pass Through RADIUS Authentication


Fault Symptom
Figure 1-9 Networking diagram of the RADIUS authentication (Remote User -- ISDN/PSDN -- NAS 192.168.1.6 -- RADIUS Server 192.168.1.202)

The legitimate remote user user001@huawei, who needs to log on to the NAS through FTP, fails to pass through RADIUS authentication.

Fault Analysis
Check whether the RADIUS server has records about the login user. If not, the NAS and the RADIUS server cannot communicate, so focus on checking the NAS. Use the debugging radius packet command in the user view of the NAS to view the output prompts. Checking AAA, you can find that domain huawei contains no RADIUS server template. After configuring such a template, view the debugging information on the NAS to check whether any response packet is received. Check that the authentication port number configured on the RADIUS server is the same as that configured in the RADIUS server template on the NAS. Check that the password (shared key) configured for the NAS on the RADIUS server is consistent with the shared key configured on the NAS. Check that the FTP directory attribute is delivered, that is, that the delivered attributes are added for user001. After the FTP directory attribute is delivered, the user can log on to the FTP server and the fault disappears.


Troubleshooting Procedure
Step 1 Check whether the RADIUS server has records on the login user.
Step 2 If there are no login records, use the debugging radius packet command on the NAS to check whether the NAS has sent out authentication request packets.
Step 3 If the NAS fails to send out authentication request packets, check the AAA configuration and the RADIUS server template on the NAS. Note that you can view the sent RADIUS authentication request packets when the user logs in.
Step 4 If the RADIUS server still has no login user records, check the IP address and the port configuration. Note that:
The server and the NAS can ping each other.
The port configuration on the RADIUS server should be the same as that in the RADIUS server template.
Step 5 If the authentication still fails when the NAS and the RADIUS server can communicate, the possible causes are:
The NAS address is not added.
The shared key on the NAS is wrong.
The user name and password are wrong.
Step 6 If the authentication succeeds but the authorization fails after the NAS and the RADIUS server can communicate, check whether the user is authorized by the RADIUS server.
----End

Summary
If the RADIUS authentication fails, ensure the following:
Successful mutual communication between the NAS and the RADIUS server
Successful authentication
Successful authorization
You can locate the fault through the debugging information on the NAS and the RADIUS server.


1.5.2 HWTACACS User Fails to Get the Delivered Address


Fault Symptom
Figure 1-10 Networking diagram of HWTACACS authentication (Remote User user001@isp1 -- ISDN/PSDN -- NAS 79.1.1.2 -- HWTACACS Server 192.168.1.202; 79.1.1.10 is the authorized address for user001@isp1)

A legitimate remote user user001@huawei gets the address from the NAS using PPP address negotiation. The NAS, however, delivers no IP address to the related interface. The HWTACACS server then authorizes the address for the user.

Fault Analysis
Check whether the NAS can deliver the address to the remote user directly, without using the address authorized by the HWTACACS server. If so, the fault lies in the link between the NAS and the HWTACACS server. Assume a Telnet user, adopting the HWTACACS authentication and authorization mode, logs in to the NAS. If the login succeeds, the HWTACACS server and the NAS can communicate, so the fault lies in the address authorized by the HWTACACS server. After checking, you find that the IP address delivered by the HWTACACS server and the NAS interface connected to the user are in different network segments. Modify the delivered IP address.

Troubleshooting Procedure
Step 1 Check whether the remote user can communicate with the NAS without using the HWTACACS server. You can then check the link between the NAS and the server.
Step 2 If a Telnet user can log in to the NAS, the NAS and the HWTACACS server work normally, and the fault lies in the delivered address.
Step 3 Check the HWTACACS server and find that the delivered address is wrong.
----End


Summary
This example adopts the substitution method to locate the fault. If the fault disappears when the HWTACACS server is not used, you can attribute the fault to the HWTACACS server configuration. If a Telnet user can log in to the NAS, some checking steps can be omitted and the fault can be located rapidly. When you are familiar with the configurations, this method is helpful.

1.6 FAQs
Q: Huawei Devices and Non-Huawei Devices Use the Same TACACS Server but the Authentication Fails. Why?
A: The user class range set by the major partner is different from that set by Huawei. The user class range set by Huawei is from 0 to 3, and any value that exceeds 3 is invalid, so the authentication fails. To remove this fault, configure separate users for the products of the major partner and for Huawei products.

Q: Why Cannot the Telnet User Who Has Passed the RADIUS Authentication Enter the System View?
A: It is because the user is not authorized by the RADIUS server. If shiva is used as the RADIUS server, configure exec-privilege for it; if another type of server is used, configure the extended exec-privilege on it, that is, add the extended attribute (29) contained in the standard attribute (26) to the related attribute dictionary. For FTP users, if shiva is used as the RADIUS server, configure ftp-directory for it; if another type of server is used, configure the extended ftp-directory, that is, add the extended attribute (29) contained in the standard attribute (26) to the related attribute dictionary.

Q: In AAA, How to Allocate Address to the PPP User?


A: The address allocation rules are as follows:
For a user who is not authenticated: If the interface has an IP address, the NAS allocates this address to the peer directly; if the interface has an IP address pool, the NAS allocates an address from that pool to the peer.
For an authenticated default domain user: If the RADIUS server has delivered an IP address, the NAS allocates this address to the peer directly; if the RADIUS server has delivered an IP address pool ID, the NAS allocates an address from the global or domain address pool with that ID to the peer. If the RADIUS server has not delivered an address pool ID but the interface has an IP address pool, the NAS allocates an address from this global address pool to the peer.
For an authenticated common domain user: If the RADIUS server has delivered an IP address, the NAS allocates this address to the peer directly. If the RADIUS server has delivered an IP address pool ID, the NAS allocates an address from the specified domain address pool to the peer. If the RADIUS server has not delivered an address pool ID but the interface has an IP address, the NAS allocates this address to the peer. If the interface has an IP address pool, the NAS allocates an address from the domain address pool to the peer.

In the preceding three cases: If all the addresses in the specified global address pool have been used, the NAS traverses the global address pools, starting from the address pool configured first. If all the addresses in the specified domain address pool have been used, the NAS traverses the domain address pools, starting from the one configured first. The user uses an IP address from its local domain address pools preferentially. If none of the domain address pools has an address to allocate, the NAS traverses the global address pools.
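The allocation rules above as an executable model (an added example, not VRP code): Nas.allocate() follows the three user cases and the exhaustion fallback; the pool names, addresses and the "NAS allocates" marker value are constructed for the demonstration.

```python
"""Model of the PPP address allocation rules given in the FAQ answer above.

Added example, not VRP code. Address pools are Python lists kept in
configuration order, and Nas.allocate() follows the three cases of the answer,
including the traversal fallback when the specified pool is exhausted.
"""
from typing import Dict, List, Optional

# Framed-IP-Address value meaning "the NAS should allocate the address itself"
NAS_ALLOCATES = "0xFFFFFFFE"

Pools = Dict[str, List[str]]


class Nas:
    def __init__(self, global_pools: Pools, domain_pools: Dict[str, Pools]) -> None:
        # dict order is configuration order; "configured first" drives the fallback
        self.global_pools = global_pools
        self.domain_pools = domain_pools

    @staticmethod
    def _take(pool: List[str]) -> Optional[str]:
        return pool.pop(0) if pool else None

    def _traverse(self, pools: Pools) -> Optional[str]:
        """Walk the pools from the first configured one until an address is free."""
        for pool in pools.values():
            addr = self._take(pool)
            if addr is not None:
                return addr
        return None

    def from_global(self, pool_id: Optional[str]) -> Optional[str]:
        if pool_id in self.global_pools:
            addr = self._take(self.global_pools[pool_id])
            if addr is not None:
                return addr
        # specified global pool exhausted (or none named): traverse all global pools
        return self._traverse(self.global_pools)

    def from_domain(self, domain: str, pool_id: Optional[str]) -> Optional[str]:
        pools = self.domain_pools.get(domain, {})
        if pool_id in pools:
            addr = self._take(pools[pool_id])
            if addr is not None:
                return addr
        # local domain pools are preferred; the global pools are the last resort
        addr = self._traverse(pools)
        return addr if addr is not None else self._traverse(self.global_pools)

    def allocate(self, user_kind: str, domain: str = "default",
                 delivered_ip: Optional[str] = None,
                 delivered_pool: Optional[str] = None,
                 iface_ip: Optional[str] = None,
                 iface_pool: Optional[str] = None) -> Optional[str]:
        """user_kind is 'unauthenticated', 'default-domain' or 'common-domain'."""
        if user_kind == "unauthenticated":
            if iface_ip:
                return iface_ip
            return self.from_global(iface_pool) if iface_pool else None

        # a delivered address is used as is unless it is the "NAS allocates" marker
        if delivered_ip and delivered_ip != NAS_ALLOCATES:
            return delivered_ip

        if user_kind == "default-domain":
            if delivered_pool:
                # the delivered pool ID may name a domain pool or a global pool
                if delivered_pool in self.domain_pools.get(domain, {}):
                    return self.from_domain(domain, delivered_pool)
                return self.from_global(delivered_pool)
            return self.from_global(iface_pool) if iface_pool else None

        if user_kind == "common-domain":
            if delivered_pool:
                return self.from_domain(domain, delivered_pool)
            if iface_ip:
                return iface_ip
            return self.from_domain(domain, None) if iface_pool else None

        raise ValueError(f"unknown user kind: {user_kind}")


def demo_nas() -> Nas:
    """Constructed configuration: two global pools and two pools in domain isp1."""
    return Nas(global_pools={"g1": ["10.0.0.1"], "g2": ["10.0.0.2"]},
               domain_pools={"isp1": {"d1": ["192.168.5.1"], "d2": ["192.168.5.2"]}})
```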

Q: What Are the Common RADIUS Attributes?


A: They are as follows.

Value | Attribute | Field format | Usage
1 | User-Name | String(1 to 32) | The user name entered on the command line. It can either contain a domain name or not, such as user0001@isp or user0001.
2 | Password | String(16 to 128) | The encrypted password; valid in PAP authentication.
3 | Challenge-Password | String(17) | The password (MD5 encrypted authenticator); valid in CHAP authentication.
4 | NAS-IP-Address | IP Address | If the RADIUS server is bound to a certain interface address, that address is used as the IP address of the NAS. Otherwise, the address of the interface from which the packets are sent is used.
5 | NAS-Port | Integer | The user access port, in the format of 4 slot number + 2 card number + 5 port number + 21 VLAN number.
6 | Service-Type | Integer | The type of user: 2 indicates the access user; 6 indicates the administrative user.
7 | Framed-Protocol | Integer | The value is fixed to 1, indicating PPP.
8 | Framed-IP-Address | Address | The IP address allocated to the user by the RADIUS server. If the value is 0xFFFFFFFE, the IP address of the user should be allocated by the NAS.
9 | Framed-Netmask | Address | The IP address mask allocated to the user by the RADIUS server.
11 | Filter-ID | String(1) | The User Control List (UCL) group and interworking group, in the format UCL-Group@Inter-Group.
14 | Login-IP-Host | Address | The IP address of the login user.
15 | Login-Service | Integer | The login user's type, such as Telnet, Rlogin, TCP Clear, PortMaster (proprietary), and LAT.
18 | Reply-Message | String(1 to 128) | In the authentication acceptance packet, indicates successful authentication; in the authentication rejection packet, indicates failing authentication.
25 | Class | String | The RADIUS server sends the authentication acceptance packet together with the class attribute to the NAS. The NAS then sends the class attribute back in accounting request packets. On the standard RADIUS server, the class attribute also contains the Committed Access Rate (CAR).
27 | Session-TimeOut | Integer | The timeout time of the user, in seconds. In Extensible Authentication Protocol (EAP) challenge packets, the re-authentication time for the user.
28 | Idle-TimeOut | Integer | The idle timeout time, in seconds.
31 | Calling-Station-Id | String | The MAC address.
32 | NAS-Identifier | String | If the NAS ID is configured, the NAS identifier is the NAS ID. If not, the NAS identifier can be the host name.
40 | Acct-Status-Type | Integer | The type of accounting request packet: 1 indicates the accounting start packet; 2 indicates the accounting stop packet; 3 indicates the hot billing packet; 4 indicates the accounting reset packet.
41 | Acct-Delay-Time | Integer | The time taken to send accounting packets, in seconds. The network transmission time is excluded.
42 | Acct-Input-Octets | Integer | The number of received bytes, in bytes, Kbytes, Mbytes or Gbytes.
43 | Acct-Output-Octets | Integer | The number of sent bytes, in bytes, Kbytes, Mbytes or Gbytes.
44 | Acct-Session-Id | String | The accounting access ID.
45 | Acct-Authentic | Integer | The user authentication mode: 1 indicates RADIUS authentication; 2 indicates local authentication.
46 | Acct-Session-Time | Integer | The online time of the user, in seconds.
47 | Acct-Input-Packets | Integer | The number of received packets.
48 | Acct-Output-Packets | Integer | The number of packets sent by the user.
49 | Terminate-Cause | Integer | The cause of the session interruption.
52 | Acct-Input-Gigawords | Integer | The number of times the count of received bytes has wrapped past 4 G (2^32).
53 | Acct-Output-Gigawords | Integer | The number of times the count of sent bytes has wrapped past 4 G (2^32).
55 | Event-Timestamp | Integer | The generating time of the accounting request packet, in seconds. It is the absolute number of seconds since 00:00:00, January 1st, 1970.
60 | CHAP-Challenge | String(16) | The CHAP challenge field.
61 | NAS-Port-Type | Integer | The type of the NAS port.
87 | NAS-Port-Id | String | The port ID of the access user, in the format slot=XX; subslot=XX; port=XXX; VLANID=XXXX or slot=XX; subslot=XX; port=XXX; VPI=XXX; VCI=XXXX.
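A decoder for the attributes in the table above, offered as an added example rather than VRP code, so that debugging output such as the Ftp-Directory response earlier in this chapter can be related to the raw attribute bytes. The sample packet is constructed here; the vendor ID 2011 (Huawei's IANA enterprise number) and the all-zero authenticator are assumptions, not values from this page.

```python
"""Decoder for the RADIUS attributes listed in the table above.

Added example, not VRP code. parse_packet() walks a packet's attribute TLVs,
names the attribute numbers from the table, decodes the Integer and Address
formats (including the 0xFFFFFFFE Framed-IP-Address marker) and splits
Vendor-Specific (26) into vendor ID plus sub-attributes, as the FAQ on
exec-privilege/ftp-directory describes. SAMPLE_PACKET is constructed here;
vendor ID 2011 (Huawei's IANA number) and the zero authenticator are assumptions.
"""
import struct

ATTR_NAMES = {
    1: "User-Name", 2: "Password", 3: "Challenge-Password", 4: "NAS-IP-Address",
    5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
    9: "Framed-Netmask", 11: "Filter-ID", 14: "Login-IP-Host", 15: "Login-Service",
    18: "Reply-Message", 25: "Class", 26: "Vendor-Specific", 27: "Session-TimeOut",
    28: "Idle-TimeOut", 31: "Calling-Station-Id", 32: "NAS-Identifier",
    40: "Acct-Status-Type", 41: "Acct-Delay-Time", 42: "Acct-Input-Octets",
    43: "Acct-Output-Octets", 44: "Acct-Session-Id", 45: "Acct-Authentic",
    46: "Acct-Session-Time", 47: "Acct-Input-Packets", 48: "Acct-Output-Packets",
    49: "Terminate-Cause", 52: "Acct-Input-Gigawords", 53: "Acct-Output-Gigawords",
    55: "Event-Timestamp", 60: "CHAP-Challenge", 61: "NAS-Port-Type", 87: "NAS-Port-Id",
}
INTEGER_ATTRS = {5, 6, 7, 15, 27, 28, 40, 41, 42, 43, 45, 46, 47, 48, 49, 52, 53, 55, 61}
ADDRESS_ATTRS = {4, 8, 9, 14}
OPAQUE_ATTRS = {2, 3, 60}  # encrypted password and CHAP fields: shown as hex
SERVICE_TYPE = {2: "access user", 6: "administrative user"}
ACCT_STATUS = {1: "accounting start", 2: "accounting stop", 3: "hot billing", 4: "accounting reset"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
NAS_ALLOCATES = 0xFFFFFFFE  # Framed-IP-Address value: the NAS allocates the address


def parse_vsa(raw: bytes) -> dict:
    """Vendor-Specific: 4-byte vendor ID, then vendor TLVs (type, length, value)."""
    if len(raw) < 4:
        raise ValueError("Vendor-Specific attribute shorter than the vendor ID")
    vendor = struct.unpack("!I", raw[:4])[0]
    subs, body = [], raw[4:]
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed vendor sub-attribute")
        subs.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return {"vendor": vendor, "sub_attributes": subs}


def decode_value(attr_type: int, raw: bytes):
    if attr_type in INTEGER_ATTRS and len(raw) == 4:
        value = struct.unpack("!I", raw)[0]
        if attr_type == 6:
            return SERVICE_TYPE.get(value, value)
        if attr_type == 40:
            return ACCT_STATUS.get(value, value)
        return value
    if attr_type in ADDRESS_ATTRS and len(raw) == 4:
        if attr_type == 8 and struct.unpack("!I", raw)[0] == NAS_ALLOCATES:
            return "allocated by NAS"
        return ".".join(str(b) for b in raw)
    if attr_type == 26:
        return parse_vsa(raw)
    if attr_type in OPAQUE_ATTRS:
        return raw.hex()
    return raw.decode("ascii", errors="replace")


def parse_packet(packet: bytes) -> dict:
    """Header is Code(1) ID(1) Length(2) Authenticator(16); attribute TLVs follow."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"length field {length} does not fit {len(packet)} received bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs.append((ATTR_NAMES.get(attr_type, f"Attr-{attr_type}"),
                      decode_value(attr_type, packet[pos + 2:pos + attr_len])))
        pos += attr_len
    return {"code": CODES.get(code, code), "id": ident, "length": length, "attributes": attrs}


def build_packet(code: int, ident: int, attrs) -> bytes:
    # assembles a packet with a zero authenticator (constructed sample, no MD5 check)
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed Access-Accept (Code 2, ID 15) shaped like the Ftp-Directory debugging output
SAMPLE_PACKET = build_packet(2, 15, [
    (1, b"user001"), (8, struct.pack("!I", NAS_ALLOCATES)), (6, struct.pack("!I", 2)),
    (27, struct.pack("!I", 3600)),
    (26, struct.pack("!I", 2011) + bytes([29, 7]) + b"hda1:"),  # sub-attribute 29, length 7
])
```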


1.7 Diagnostic Tools


1.7.1 display Commands
Command | Description
display radius-server configuration template | Displays the RADIUS server template.
display authentication-scheme | Displays the authentication scheme.
display authorization-scheme | Displays the authorization scheme.
display accounting-scheme | Displays the accounting scheme.
display domain | Displays the domain.
display hwtacacs-server template | Displays the HWTACACS server template.

display radius-server configuration template


<Quidway> display radius-server configuration template rt_1
------------------------------------------------------------------
Server-template-name            : rt_1
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 192.168.1.202:1812:LoopBack-1
Primary-accounting-server       : 192.168.1.202:1813:LoopBack-1
Secondary-authentication-server : 0.0.0.0:0:LoopBack0
Secondary-accounting-server     : 0.0.0.0:0:LoopBack0
Retransmission                  : 3
Domain-included                 : NO
-------------------------------------------------------------------

display authentication-scheme hwtacacs


[Quidway-aaa] display authentication-scheme hwtacacs
-------------------------------------------------------------------------
Authentication-scheme-name : hwtacacs
Authentication-method      : HWTACACS authentication
-------------------------------------------------------------------------

display authorization-scheme
[Quidway-aaa] display authorization-scheme hwtacacs
-------------------------------------------------------------------------
Authorization-scheme-name : hwtacacs
Authorization-method      : HWTACACS authorization
--------------------------------------------------------------------------


display accounting-scheme
[Quidway-aaa] display accounting-scheme hwtacacs
-------------------------------------------------------------------------
Accounting-scheme-name              : hwtacacs
Accounting-method                   : HWTACACS accounting
Realtime-accounting-switch          : Open
Realtime-accounting-interval(min)   : 5
Start-accounting-fail-policy        : Cut user
Realtime-accounting-fail-policy     : Cut user
Realtime-accounting-failure-retries : 3
--------------------------------------------------------------------------

display domain
<Quidway> display domain huawei
------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : hwtacacs
Accounting-scheme-name          : hwtacacs
Authorization-scheme-name       : hwtacacs
User-CAR                        :
Web-IP-address                  :
Next-hop                        :
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
Acl-number                      :
User-priority                   :
User-access-limit               : 256
Online-number                   : 0
RADIUS-server-template          : rt_1
HWTACACS-server-template        :
Idle-data-attribute (time,flow) : 0, 60
-------------------------------------------------------------------



display hwtacacs-server template


<Quidway> display hwtacacs-server template ht_1
-------------------------------------------------------------------------
HWTACACS-server template name   : ht_1
Primary-authentication-server   : 192.168.1.60:49
Primary-authorization-server    : 192.168.1.60:49
Primary-accounting-server       : 192.168.1.60:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server  : 0.0.0.0:0
Secondary-accounting-server     : 0.0.0.0:0
Current-authentication-server   : 192.168.1.60:49
Current-authorization-server    : 192.168.1.60:49
Current-accounting-server       : 192.168.1.60:49
Source-IP-address               : 0.0.0.0
Shared-key                      : huawei
Quiet-interval(min)             : 5
Domain-included                 : No
Traffic-unit                    : B
Response-timeout-Interval(sec)  : 5
--------------------------------------------------------------------------

1.7.2 debugging Commands


Command | Description
debugging radius packet | Debugs the RADIUS packet.
debugging hwtacacs all | Debugs the HWTACACS packet.
