Contents

1 AAA Troubleshooting 1-1
  1.1 AAA Overview 1-2
    1.1.1 AAA, RADIUS and HWTACACS 1-2
    1.1.2 Domain and Address Pool 1-5
    1.1.3 Schemes and Modes 1-5
    1.1.4 Server Templates 1-6
  1.2 Troubleshooting Local User Authentication 1-7
    1.2.1 Typical Networking 1-7
    1.2.2 Configuration Notes 1-7
    1.2.3 Troubleshooting Flowchart 1-9
    1.2.4 Troubleshooting Procedure 1-10
  1.3 Troubleshooting RADIUS Authentication 1-10
    1.3.1 Typical Networking 1-11
    1.3.2 Configuration Notes 1-11
    1.3.3 Troubleshooting Flowchart 1-14
    1.3.4 Troubleshooting Procedure 1-15
  1.4 Troubleshooting HWTACACS Authentication 1-17
    1.4.1 Typical Networking 1-17
    1.4.2 Configuration Notes 1-18
    1.4.3 Troubleshooting Flowchart 1-21
    1.4.4 Troubleshooting Procedure 1-22
  1.5 Troubleshooting Cases 1-23
    1.5.1 FTP User Fails to Pass Through RADIUS Authentication 1-23
    1.5.2 HWTACACS User Fails to Get the Delivered Address 1-25
  1.6 FAQs 1-26
  1.7 Diagnostic Tools 1-30
    1.7.1 display Commands 1-30
    1.7.2 debugging Commands 1-32
Issue 01 (2008-08-20)
Figures

Figure 1-1 RADIUS message structure 1-2
Figure 1-2 Attribute format 1-4
Figure 1-3 Networking diagram of local authentication 1-7
Figure 1-4 Troubleshooting flowchart of the local user authentication 1-9
Figure 1-5 Networking diagram of RADIUS authentication 1-11
Figure 1-6 Troubleshooting flowchart of RADIUS authentication 1-14
Figure 1-7 Networking diagram of HWTACACS authentication 1-17
Figure 1-8 Troubleshooting flowchart of HWTACACS authentication 1-21
Figure 1-9 Networking diagram of the RADIUS authentication 1-23
Figure 1-10 Networking diagram of HWTACACS authentication 1-25
1 AAA Troubleshooting

About This Chapter

The following table shows the contents of this chapter.

| Section | Description |
|---|---|
| 1.1 AAA Overview | This section describes the knowledge you need before troubleshooting AAA. |
| 1.2 Troubleshooting Local User Authentication | This section describes the notes about configuring local user authentication, and provides the troubleshooting flowchart and the troubleshooting procedure for a typical local user authentication network. |
| 1.3 Troubleshooting RADIUS Authentication | This section describes the notes about configuring RADIUS authentication, and provides the troubleshooting flowchart and the troubleshooting procedure for a typical RADIUS authentication network. |
| 1.4 Troubleshooting HWTACACS Authentication | This section describes the notes about configuring HWTACACS authentication, and provides the troubleshooting flowchart and the troubleshooting procedure for a typical HWTACACS authentication network. |
| 1.5 Troubleshooting Cases | This section presents several troubleshooting cases. |
| 1.6 FAQs | This section lists frequently asked questions and their answers. |
| 1.7 Diagnostic Tools | This section describes common diagnostic tools: display commands and debugging commands. |
RADIUS
RADIUS is used for communication between the Network Access Server (NAS) and the RADIUS server at the application layer. RADIUS adopts the server/client model, in which the client runs on the resource side and the server stores information about users. RADIUS runs over UDP and, to ensure reliability, adopts a retransmission mechanism and a backup server mechanism. The authentication and accounting ports adopted by RADIUS are 1645/1646 or 1812/1813. Figure 1-1 shows the RADIUS packet format.

Figure 1-1 RADIUS message structure
[Figure: the packet is laid out in 32-bit words and consists of the fields Code, Identifier, Length, Authenticator and Attribute...]
Code
Code contains one byte, indicating the RADIUS message type. The common code values are as follows.

| Value | Packet type | Indication | Description |
|---|---|---|---|
| 1 | Access-request | Sending an authentication request | A NAS sends an authentication request to a RADIUS server. |
| 2 | Access-accept | Accepting the authentication request | A RADIUS server sends a response packet to accept the authentication request. |
| 3 | Access-reject | Rejecting the authentication request | A RADIUS server sends a response packet to reject the authentication request. |
| 4 | Accounting-request | Sending an accounting request | A NAS sends an accounting request to a RADIUS server. |
| 5 | Accounting-response | Responding to the accounting request | A RADIUS server responds to a certain accounting request packet. |
There are three types of accounting packets. They are distinguished by the value of the No. 40 attribute:
- Value 1: accounting start packets
- Value 3: accounting stop packets
- Value 2: hot billing packets
Identifier
Identifier contains one byte and is used to match request packets with response packets.

Length
Length contains two bytes, indicating the total length of all fields.

Authenticator
Authenticator contains 16 bytes. It authenticates the response packets sent by a RADIUS server and is used by the password hiding algorithm. Authenticator is divided into the following:
Attribute Attribute has a flexible length. It consists of various attributes. Figure 1-2 shows the attribute format.
- Type: indicates the attribute type.
- Length: indicates the length of the attribute. It contains one byte.
- Value: indicates the attribute value. Its length is variable.
- Standard RADIUS protocol and extended attributes, including RFC 2865 and RFC 2866
- Extended RADIUS+1.1 protocol of Huawei
- Active detection of the RADIUS server state: after receiving an AAA authentication or accounting message, the NAS enables server detection if the status of the server is Down. It then converts the message into a packet and sends the packet to the current server. The NAS regards the server as normal only after receiving a response packet from the current server.
- Local buffer retransmission of Accounting Stop packets: if the number of retransmissions exceeds the configured value, packets are saved to the buffer queue. The system timer periodically scans the queue, extracts the packets, sends them to the specified server and starts the waiting timer. If the transmission fails or no response packet is received from the server within the timeout period, the packet is put back into the buffer queue.
- Auto-switch of the RADIUS server: if the waiting timer expires and the current server is Down, or the number of retransmissions exceeds the maximum, another server in the server group assumes the role of the current server to transmit packets.
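The message structure above, worked through as an added Python example (not code from the original document or from VRP): it builds an Access-Request with the Code/Identifier/Length/Authenticator header and TLV attributes, hides the User-Password with the shared key and Request Authenticator (which is why the Password(2) attribute in the debugging output of section 1.3.4 is 16 bytes of data, length 18), parses the packet, and checks the server's Response Authenticator. The user, password, addresses and the shared key "huawei" are constructed values.

```python
import hashlib
import os
import struct

# Packet codes from the table above and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 4, 18, 32
SHARED_KEY = b"huawei"  # constructed shared key; configured on both NAS and server


def hide_password(password, key, request_auth):
    """RFC 2865 User-Password hiding: pad to a multiple of 16 bytes, then XOR each
    block with MD5(key + previous block), the first block using the Request
    Authenticator. The password is the only field RADIUS protects this way."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(key + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, key, request_auth):
    """Inverse of hide_password: the chaining value is the hidden block itself."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(key + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, includes the 2 header bytes), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...]),
    rejecting Length fields and attribute lengths that do not fit the data."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field %d does not match %d bytes" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("bad attribute at offset %d" % pos)
        attrs.append((raw[pos], raw[pos + 2:pos + raw[pos + 1]]))
        pos += raw[pos + 1]
    return code, ident, raw[4:20], attrs


def response_authenticator(code, ident, attrs, request_auth, key):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), the value a
    server puts in the Authenticator field of its reply."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + key).digest()


def nas_access_request(user, password, key, ident=0, request_auth=None):
    """NAS side: build an Access-Request. Returns (packet, request_auth)."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), key, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 168, 1, 1])),  # constructed NAS address
             (NAS_IDENTIFIER, b"RT1")]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_reply(raw, key, users):
    """Server side: check the credentials and answer with a signed Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(raw)
    got = dict(attrs)
    password = unhide_password(got.get(USER_PASSWORD, b""), key, request_auth)
    ok = code == ACCESS_REQUEST and users.get(got.get(USER_NAME, b"").decode()) == password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"OK" if ok else b"Authentication failed")]
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, key)
    return build_packet(reply_code, ident, auth, reply_attrs)


def nas_check_reply(raw, request_auth, key):
    """NAS side: return the reply code, or None when the Response Authenticator
    fails. A reply from a server with a different shared key is silently dropped,
    which is why a key mismatch looks like 'no response' in the NAS debugging."""
    code, ident, auth, attrs = parse_packet(raw)
    if auth != response_authenticator(code, ident, attrs, request_auth, key):
        return None
    return code


if __name__ == "__main__":
    req, ra = nas_access_request("user001", "abc123", SHARED_KEY, ident=7)
    print("Access-Request length:", len(req))
    print("accept ->", nas_check_reply(server_reply(req, SHARED_KEY, {"user001": b"abc123"}), ra, SHARED_KEY))
    print("key mismatch ->", nas_check_reply(server_reply(req, b"other", {"user001": b"abc123"}), ra, SHARED_KEY))
```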
HWTACACS
HWTACACS provides AAA service for communication between the NAS and the HWTACACS server. HWTACACS is an extended version of the TACACS protocol (RFC 1492). Similar to RADIUS, it adopts a client/server mode to implement AAA between users and the HWTACACS server. HWTACACS differs from RADIUS in the following aspects:
- RADIUS is based on UDP while HWTACACS is based on TCP.
- RADIUS performs authentication together with authorization while HWTACACS separates them.
- RADIUS encrypts only the password field in the authentication packet while HWTACACS encrypts the whole packet.
Address Pool
PPP users can use PPP address negotiation to obtain an IP address for their local interface from the NAS. The methods are as follows:
- Use the remote address command in the interface view to allocate an IP address to the peer.
- Configure an address pool in the AAA view and then use the remote address pool command to allocate an address from the address pool to the peer.
Allocating the address from an address pool is more flexible and convenient. In addition, the address pool can be used together with the domain: configure a global address pool in the AAA view and a domain address pool in the domain view. Users in the domain use the domain address pool preferentially.
Configuration notes:
- Configure the domain to which the PAP user belongs.
- Configure the local user in the AAA view.

The following covers some of the commands for configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security.

Configure the local user and the domain. Set the PAP user user001@huawei on the client side as a local user:

[Quidway-aaa] local-user user001@huawei password simple abc123
[Quidway-aaa] domain huawei
By default, a newly configured domain is in local authentication mode, so the PAP user user001@huawei also adopts this mode. After the user passes local authentication, PPP link authentication succeeds.
[Figure 1-4 Troubleshooting flowchart of the local user authentication: Yes/No decision nodes leading to "Modify PAP", "Ensure the password of the local user is the same as that used in PAP", and End.]
In normal situations, the host can ping 9.1.1.1. Using the display this interface command in the interface view, you can see that LCP and IPCP are "opened". If the PPP link is Up, continue with the following step.
Step 2 Check PAP.
Debug PAP on each interface. The following display indicates that PAP is not configured on the peer and LCP negotiation fails:
%Sep 16 14:01:54 2005 Quidway PPP/5/NEGOTIATEFAIL:Slot=3;Serial3/0/0:0: We want to negotiate pap , but the peer doesn't have pap configuration. So LCP negotiate fail, PPP session will be closed.
If PAP succeeds, continue with the following step.
Step 3 Check AAA.
Based on the preceding two steps, you can estimate that something is wrong with AAA. In such cases, check AAA as follows:
1. Use the display this command in the AAA view to check that the domain huawei exists.
2. Check that the user type is consistent with that configured in AAA. You can use the display local-user command in the user interface view.
3. Check that the authentication scheme of the domain huawei, the default authentication scheme, or the user-configured authentication scheme is in local authentication mode.
4. Check that user001@huawei is configured in the AAA view and that the password of user001 agrees with that of the PAP user.
Troubleshooting Procedure
[Figure 1-5 Networking diagram of RADIUS authentication: Remote User, RADIUS Server]
| Sub-item | Description |
|---|---|
| Configuring the authentication scheme, the accounting scheme, and the domain huawei | A domain named huawei is created and is associated with the authentication scheme, the accounting scheme, and the RADIUS server template in the domain. |
| Enabling the FTP server | None. |
| Configuring the authentication and accounting ports | For example, 1812 is the authentication port number and 1813 is the accounting port number. |
| Configuring the IP address and shared key for the NAS | The shared key of the NAS must be the same as that in the RADIUS server template. |
| Configuring user001 | In this example, the domain name is not included in the user name. You need to configure the password for user001. In addition, you need to configure the FTP directory delivery on the RADIUS server. |

The following covers some of the commands for configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security. RADIUS servers differ in their configuration details, but they all support the preceding configurations.
Configuring AAA
Create a RADIUS authentication scheme and a RADIUS accounting scheme. Create a domain named huawei. Configure the authentication scheme, the accounting scheme, and the RADIUS server template in the domain view.

[Quidway] aaa
[Quidway-aaa] authentication-scheme radius
[Quidway-aaa-authen-radius] authentication-mode radius
[Quidway-aaa-authen-radius] quit
[Quidway-aaa] accounting-scheme radius
[Quidway-aaa-accounting-radius] accounting-mode radius
[Quidway-aaa-accounting-radius] quit
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme radius
[Quidway-aaa-domain-huawei] accounting-scheme radius
[Quidway-aaa-domain-huawei] radius-server rt_huawei
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit
[Figure 1-6 Troubleshooting flowchart of RADIUS authentication: Yes/No decision nodes, starting from whether the RADIUS server has a login record, and ending at End.]
If the link is Down, remove the faults on the link first.
2. On the NAS, check that:
- The domain huawei is configured.
- The RADIUS authentication mode is configured in the domain view.
- The RADIUS server template is configured in the domain view.
- The IP addresses and ports of the server are configured.
Then use the debugging radius packet command to check whether RADIUS packets are sent out:

<Quidway> debugging radius packet
<Quidway> terminal debugging
<Quidway> terminal monitor

If debugging is enabled but nothing is displayed, the fault lies in the NAS: check whether the domain is associated with the RADIUS server template. If debugging information is displayed, you can see the RADIUS authentication packet that was sent:
*0.264194889 RT1 RDS/8/debug2: Radius Sent a Packet
  Server Template: 0
  Server IP : 192.168.1.128
  Protocol: Standard
  Code : 1
  Len : 210
  ID : 0
  [User-name(1)               ] [5 ] [tao]
  [Password(2)                ] [18] [5220c68cbd7014d96a3c9c5a6750d67e]
  [NAS-Port(5)                ] [6 ] [0]
  [Service-Type(6)            ] [6 ] [6]
  [Framed-Protocol(7)         ] [6 ] [6]
  [Framed-IP-Address(8)       ] [6 ] [192.168.1.202]
  [NAS-Identifier(32)         ] [5 ] [RT1]
  [NAS-Port-Type(61)          ] [6 ] [5]
  [NAS-Port-Id(87)            ] [34] [slot=0;subslot=0;port=0;vlanid=0]
  [Login-IP-Host(14)          ] [6 ] [3232235978]
  [NAS-Startup-Timestamp(26-59)] [6 ] [952825733]
  [Ip-Host-Addr(26-60)        ] [33] [192.168.1.202 ff:ff:ff:ff:ff:ff]
  [Connect_ID(26-26)          ] [6 ] [6000]
*0.264196064 RT1 RDS/8/debug2:
  [Version(26-254)            ] [30] [Huawei VRP Software Version ]
  [Product-ID(26-255)         ] [5 ] [VRP]
  [NAS-IP-Address(4)          ] [6 ] [192.168.1.1]
The preceding display indicates that the RADIUS authentication packet has been sent out. Next, check whether the response packet is received. If the following message appears, the authentication server is not started, and you need to check the RADIUS authentication server.
Step 2 Check the RADIUS authentication server.
Check whether the IP address and the port of the authentication server are configured correctly. If so, check whether the RADIUS server runs normally. To check whether the related services are listening on the ports, use the diagnostic tool provided by the operating system. If the RADIUS server and the NAS can receive packets from each other, continue with the following step.
Step 3 Check whether the RADIUS server displays authentication failure information.
Although the NAS and the RADIUS server can communicate, the authentication fails. The reason usually lies on the RADIUS server. Check that:
- The NAS address and the shared key are configured on the RADIUS server.
- The shared key configured on the RADIUS server is consistent with that on the NAS.
- The user is configured on the RADIUS server. Note that the server template configured on the NAS can strip the domain name from the login user name.
- The password of the user configured on the RADIUS server is consistent with that of the login user.
If the authentication fails, the output or the login record is displayed. By viewing the records, you can find the causes of the authentication failure. The possible causes are:
- The user name does not exist.
- The password, including the shared key, on the server is not consistent with that on the NAS.
- The NAS address is not configured.
After the preceding checks and modifications, most authentication faults disappear. If you cannot use FTP after the authentication succeeds, continue with the following step.
Step 4 Check that the NAS can receive the authorized FTP directory.
If the FTP login view displays "503 Logged fail, authentication directory is incorrect" or "Connection closed by remote host", the FTP directory authorization is wrong. After RADIUS packet debugging is enabled, you can view the debugging information about the authentication response packet that the NAS receives from the RADIUS server:

Radius Received a Packet
  Server Template: 0
  Server IP : 192.168.1.202
  Server Port : 1812
  Protocol: Standard
[Ftp-Directory

The preceding display indicates that the RADIUS server delivers the FTP directory attribute, whose value is hda1. If no such display appears, configure the list of delivered attributes for the user on the RADIUS server. If the fault persists, contact Huawei technical personnel.
----End
[Figure 1-7 Networking diagram of HWTACACS authentication: Remote User, HWTACACS Server]

Configuration notes on the HWTACACS server (partial):
- Configuring the authentication, the authorization and the accounting ports
- Configuring an IP address and shared key for the NAS
- Configuring user001: in this example, the user name contains no domain name. You need to configure the password for user001. In addition, you need to configure the FTP directory delivery attribute.

The following covers some of the commands for configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security. All servers support the preceding configurations, but the details of configuring an HWTACACS server vary with the specific server.
Configuring AAA
Create an HWTACACS authentication scheme, an HWTACACS authorization scheme and an HWTACACS accounting scheme. Create a domain named huawei and configure the authentication scheme, the accounting scheme and the HWTACACS server template in this domain.
[Quidway] aaa
[Quidway-aaa] authentication-scheme hwtacacs
[Quidway-aaa-authen-hwtacacs] authentication-mode hwtacacs
[Quidway-aaa-authen-hwtacacs] quit
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] quit
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme hwtacacs
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht_huawei
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit
[Figure 1-8 Troubleshooting flowchart of HWTACACS authentication: Yes/No decision nodes, starting from whether the server has a login record, and ending at End.]
[Ftp-Directory
The preceding display indicates that the HWTACACS server delivers the FTP directory attribute, whose value is hda1. Configure the list of attributes to be delivered to users on the HWTACACS server. If the fault persists, contact Huawei technical personnel.
----End
[Figure 1-9 Networking diagram of the RADIUS authentication: Remote User]
The legal remote user001@huawei who needs to log on to the NAS through FTP fails to pass through RADIUS authentication.
Fault Analysis
Check whether the RADIUS server has records of the login user. If not, the NAS and the RADIUS server cannot communicate, so focus on checking the NAS. Use the debugging radius packet command in the user view of the NAS to view the output. Checking AAA, you find that the domain huawei contains no RADIUS server template. After configuring such a template, view the debugging information on the NAS to check whether any response packet is received. Check that the authentication port number on the RADIUS server is the same as that configured in the RADIUS server template on the NAS. Check that the password configured on the RADIUS server is consistent with the shared key configured on the NAS. Check that the FTP directory attribute is delivered, and that user001 has the delivered attribute added. After the FTP directory attribute is delivered, the user can log in to the FTP server and the fault disappears.
Troubleshooting Procedure
Step 1 Check whether the RADIUS server has records of the login user.
Step 2 If there are no login records, use the debugging radius packet command on the NAS to check whether the NAS has sent out authentication request packets.
Step 3 If the NAS fails to send out authentication request packets, check the AAA configuration and the RADIUS server template on the NAS. Note that you can view the sent RADIUS authentication request packets when the user logs in.
Step 4 If the RADIUS server still has no login user records, check the IP address and the port configuration. Note that:
- The server and the NAS can ping each other.
- The port configuration on the RADIUS server should be the same as that in the RADIUS server template.
Step 5 If authentication still fails when the NAS and the RADIUS server can communicate, the possible causes are:
- The NAS address is not added.
- The shared key on the NAS is wrong.
- The user name and password are wrong.
Step 6 If authentication succeeds but authorization fails after the NAS and the RADIUS server can communicate, check whether the user is authorized by the RADIUS server.
----End
Summary
If RADIUS authentication fails, ensure the following:
- Successful mutual communication between the NAS and the RADIUS server
- Successful authentication
- Successful authorization
You can locate the fault through the debugging information on the NAS and the RADIUS server.
A legal remote user user001@huawei obtains its address from the NAS in PPP address negotiation mode, with the HWTACACS server authorizing the address for the user. The NAS, however, delivers no IP address to the related interface.
Fault Analysis
Check whether NAS can deliver the address to the remote user directly without using the address authorized by the HWTACACS server. If so, the fault lies in the link between the NAS and HWTACACS server. Assume a Telnet user, adopting HWTACACS authentication and authorization mode, logs in to NAS. If login succeeds, it means that the HWTACACS server and NAS can communicate. The fault then lies in the wrong address authorized by the HWTACACS server. After checking, you can find that the IP address delivered by the HWTACACS server and the NAS interface connected with the user are in a different network segment. Then modify the delivered IP address.
Troubleshooting Procedure
Step 1 Check whether the remote user can communicate with the NAS without using an HWTACACS server. You can then check the link between the NAS and the server.
Step 2 If a Telnet user can log in to the NAS, the NAS and the HWTACACS server work normally. The fault lies in the delivered address.
Step 3 Check the HWTACACS server and find that the delivered address is wrong.
----End
Summary
This example adopts the substitution method to locate the fault. If the fault disappears when a HWTACACS server is not used, you can assign the fault to HWTACACS server configuration. If the Telnet user logs in to NAS, some checking steps can be omitted. The fault can be located rapidly. When you are familiar with the configurations, this method is helpful.
1.6 FAQs
Q: Huawei Devices and Non-Huawei Devices Use the Same TACACS Server but the Authentication Fails. Why?
A: The user class range set by the major partner is different from that set by Huawei. The user class range set by Huawei is from 0 to 3 and any value that exceeds 3 is wrong. In this way, the authentication fails. To remove this fault, configure users for the products of the major partners and Huawei respectively.
Q: Why Cannot the Telnet User Who Has Passed the RADIUS Authentication Enter the System View?
A: It is because the user is not authorized by the RADIUS server. If shiva is used as the RADIUS server, configure exec-privilege for it; if another type of server is used, configure the extended exec-privilege on it. That is, add the extended attribute (29) contained in the standard attribute (26) to the related attribute dictionary. For FTP users, if shiva is used as the RADIUS server, configure ftp-directory for it; if another type of server is used, configure the extended ftp-directory. That is, add the extended attribute (29) contained in the standard attribute (26) to the related attribute dictionary.
In the preceding three cases:
- If all the addresses in the specified global address pool have been used, the NAS traverses all the address pools, starting from the address pool configured first.
- If all the addresses in the specified domain address pool have been used, the NAS traverses the domain address pools, starting from the one configured first.
- The user uses the IP addresses in its local domain address pool preferentially. If no domain address pool has an address left to allocate, the NAS traverses the global address pools.
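The allocation order above, carried through as an added Python example (not VRP's own implementation): domain pools are preferred, an exhausted specified pool falls back to the pools of the same kind from the first configured one, and the global pools are the last resort. The pool names, address ranges and the rule that a user may name a specific pool are assumptions drawn from the text; the layout in build_sample_nas is constructed.

```python
import ipaddress


class AddressPool:
    """One address pool: addresses are handed out in ascending order, 'used' holds the leases."""

    def __init__(self, name, first, last):
        self.name = name
        self.start = int(ipaddress.IPv4Address(first))
        self.end = int(ipaddress.IPv4Address(last))
        self.used = set()

    def allocate(self):
        for n in range(self.start, self.end + 1):
            if n not in self.used:
                self.used.add(n)
                return str(ipaddress.IPv4Address(n))
        return None  # pool exhausted

    def release(self, addr):
        self.used.discard(int(ipaddress.IPv4Address(addr)))


def first_free(pools):
    """Traverse the pools in configuration order; allocate from the first one with a free address."""
    for pool in pools:
        addr = pool.allocate()
        if addr is not None:
            return addr, pool.name
    return None, None


class Nas:
    def __init__(self):
        self.global_pools = []   # pools configured in the AAA view, in configuration order
        self.domain_pools = {}   # domain name -> pools configured in the domain view, in order

    def add_global_pool(self, pool):
        self.global_pools.append(pool)

    def add_domain_pool(self, domain, pool):
        self.domain_pools.setdefault(domain, []).append(pool)

    def allocate(self, user, specified=None):
        """user is 'name@domain'; specified is the name of the pool the user's
        configuration points at, or None. Returns (address, pool name)."""
        domain = user.split("@", 1)[1] if "@" in user else None
        dpools = self.domain_pools.get(domain, [])
        if specified is None:
            # No pool specified: the user's domain pools are preferred, then the global pools.
            addr, name = first_free(dpools)
            return (addr, name) if addr is not None else first_free(self.global_pools)
        pool = next((p for p in dpools + self.global_pools if p.name == specified), None)
        if pool is None:
            raise KeyError("no address pool named %r for user %s" % (specified, user))
        addr = pool.allocate()
        if addr is not None:
            return addr, pool.name
        # The specified pool is exhausted: traverse the pools of the same kind from the
        # first configured one; when every domain pool is empty, fall back to the global pools.
        if pool in dpools:
            addr, name = first_free(dpools)
            if addr is not None:
                return addr, name
        return first_free(self.global_pools)


def build_sample_nas():
    """Constructed layout: two tiny global pools and two one-address domain pools."""
    nas = Nas()
    nas.add_global_pool(AddressPool("g1", "10.0.0.1", "10.0.0.2"))
    nas.add_global_pool(AddressPool("g2", "10.0.1.1", "10.0.1.1"))
    nas.add_domain_pool("huawei", AddressPool("d1", "192.168.10.1", "192.168.10.1"))
    nas.add_domain_pool("huawei", AddressPool("d2", "192.168.20.1", "192.168.20.1"))
    return nas


if __name__ == "__main__":
    nas = build_sample_nas()
    for user, pool in [("user001@huawei", None), ("user002@huawei", None),
                       ("user003@huawei", None), ("user004@huawei", "g2"),
                       ("user005@huawei", "g2"), ("user006", None)]:
        print(user, pool, "->", nas.allocate(user, pool))
```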
| Value | Attribute | Type |
|---|---|---|
| 2 | Password | |
| 3 | Challenge-Password | |
| 4 | NAS-IP-Address | IP Address |
| 5 | NAS-Port | Integer |
| 6 | Service-Type | Integer |
| 9 | Framed-Netmask | Address |
| Value | Attribute | Type | Usage |
|---|---|---|---|
| 11 | Filter-ID | String | Indicates the User Control List (UCL) group and interworking group, in the format UCL-Group@Inter-Group. |
| 14 | Login-IP-Host | Address | Indicates the IP address of the login user. |
| 15 | Login-Service | Integer | Indicates the login user's type, such as Telnet, Rlogin, TCP Clear, PortMaster (proprietary), and LAT. |
| 18 | Reply-Message | String(1 to 128) | In the authentication acceptance packet, indicates successful authentication; in the authentication rejection packet, indicates failed authentication. |
| 25 | Class | String | A RADIUS server sends the authentication acceptance packet together with the Class attribute to a NAS. The NAS then sends the Class attribute back in accounting request packets. On the standard RADIUS server, the Class attribute also contains the Committed Access Rate (CAR). |
| 27 | Session-TimeOut | Integer | Indicates the timeout time of the user, in seconds. In Extensible Authentication Protocol (EAP) challenge packets, it indicates the re-authentication time for the user. |
| 28 | Idle-Timeout | Integer | Indicates the idle timeout time, in seconds. |
| 31 | Calling-Station-Id | String | Indicates the MAC address. |
| 32 | NAS-Identifier | String | If the NAS ID is configured, the NAS identifier is the NAS ID. If not, the NAS identifier can be the host name. |
| 40 | Acct-Status-Type | Integer | Indicates the type of accounting request packet. 1 indicates the accounting start packet, 2 the accounting stop packet, 3 the hot billing packet, and 4 the accounting reset packet. |
| Value | Attribute | Type | Usage |
|---|---|---|---|
| 41 | Acct-Delay-Time | Integer | Indicates the time taken in sending accounting packets, in seconds, excluding the network transmission time. |
| 42 | Acct-Input-Octets | Integer | Indicates the number of received bytes, in bytes, Kbytes, Mbytes or Gbytes. |
| 43 | Acct-Output-Octets | Integer | Indicates the number of sent bytes, in bytes, Kbytes, Mbytes or Gbytes. |
| 44 | Acct-Session-Id | String | Indicates the accounting access ID. |
| 45 | Acct-Authentic | Integer | Indicates the user authentication mode. 1 indicates RADIUS authentication; 2 indicates local authentication. |
| 46 | Acct-Session-Time | Integer | Indicates the online time of the user, in seconds. |
| 47 | Acct-Input-Packets | Integer | Indicates the number of received packets. |
| 48 | Acct-Output-Packets | Integer | Indicates the number of packets sent by the user. |
| 49 | Acct-Terminate-Cause | Integer | Indicates the cause of session interruption. |
| 52 | Acct-Input-Gigawords | Integer | Indicates the number of received bytes in multiples of 4 G (2^32). |
| 53 | Acct-Output-Gigawords | Integer | Indicates the number of sent bytes in multiples of 4 G (2^32). |
| 55 | Event-Timestamp | Integer | Indicates the generation time of the accounting request packet, in seconds. It is the absolute number of seconds since 00:00:00, January 1st, 1970. |
| 60 | CHAP-Challenge | String | Indicates the CHAP challenge field. |
| 61 | NAS-Port-Type | Integer | Indicates the type of the NAS port. |
| 87 | NAS-Port-Id | String | Indicates the port ID of the access user, in the format slot=XX;subslot=XX;port=XXX;VLANID=XXXX or slot=XX;subslot=XX;port=XXX;VPI=XXX;VCI=XXXX. |
Secondary-authentication-server : 0.0.0.0:0:LoopBack0
-------------------------------------------------------------------
-------------------------------------------------------------------------
display authorization-scheme
[Quidway-aaa] display authorization-scheme hwtacacs
-------------------------------------------------------------------------
Authorization-scheme-name : hwtacacs
Authorization-method : HWTACACS authorization
--------------------------------------------------------------------------
display accounting-scheme
[Quidway-aaa] display accounting-scheme hwtacacs
-------------------------------------------------------------------------
Accounting-scheme-name : hwtacacs
Accounting-method : HWTACACS accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy : Cut user
Realtime-accounting-fail-policy : Cut user
Realtime-accounting-failure-retries : 3
--------------------------------------------------------------------------
display domain
<Quidway> display domain huawei
-------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : hwtacacs
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
User-CAR :
Web-IP-address :
Next-hop :
Primary-DNS-IP-address :
Second-DNS-IP-address :
Primary-NBNS-IP-address :
Second-NBNS-IP-address :
Acl-number :
User-priority :
User-access-limit : 256
Online-number : 0
RADIUS-server-template : rt_1
HWTACACS-server-template :
Idle-data-attribute (time,flow) : 0, 60
-------------------------------------------------------------------
Secondary-authentication-server : 0.0.0.0:0:LoopBack0
-------------------------------------------------------------------
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 192.168.1.60:49
Current-authorization-server : 192.168.1.60:49
Current-accounting-server : 192.168.1.60:49
Source-IP-address : 0.0.0.0
Shared-key : huawei
Quiet-interval(min) : 5
Domain-included : No
Traffic-unit : B
Response-timeout-Interval(sec) : 5
--------------------------------------------------------------------------