
01-01 AAA Troubleshooting


VRP Troubleshooting - VAS

Issue 01 (2008-08-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Contents

1 AAA Troubleshooting ... 1-1
1.1 AAA Overview ... 1-2
1.1.1 AAA, RADIUS and HWTACACS ... 1-2
1.1.2 Domain and Address Pool ... 1-5
1.1.3 Schemes and Modes ... 1-5
1.1.4 Server Templates ... 1-6
1.2 Troubleshooting Local User Authentication ... 1-7
1.2.1 Typical Networking ... 1-7
1.2.2 Configuration Notes ... 1-7
1.2.3 Troubleshooting Flowchart ... 1-9
1.2.4 Troubleshooting Procedure ... 1-10
1.3 Troubleshooting RADIUS Authentication ... 1-10
1.3.1 Typical Networking ... 1-11
1.3.2 Configuration Notes ... 1-11
1.3.3 Troubleshooting Flowchart ... 1-14
1.3.4 Troubleshooting Procedure ... 1-15
1.4 Troubleshooting HWTACACS Authentication ... 1-17
1.4.1 Typical Networking ... 1-17
1.4.2 Configuration Notes ... 1-18
1.4.3 Troubleshooting Flowchart ... 1-21
1.4.4 Troubleshooting Procedure ... 1-22
1.5 Troubleshooting Cases ... 1-23
1.5.1 FTP User Fails to Pass Through RADIUS Authentication ... 1-23
1.5.2 HWTACACS User Fails to Get the Delivered Address ... 1-25
1.6 FAQs ... 1-26
1.7 Diagnostic Tools ... 1-30
1.7.1 display Commands ... 1-30
1.7.2 debugging Commands ... 1-32


Figures

Figure 1-1 RADIUS message structure ... 1-2
Figure 1-2 Attribute format ... 1-4
Figure 1-3 Networking diagram of local authentication ... 1-7
Figure 1-4 Troubleshooting flowchart of the local user authentication ... 1-9
Figure 1-5 Networking diagram of RADIUS authentication ... 1-11
Figure 1-6 Troubleshooting flowchart of RADIUS authentication ... 1-14
Figure 1-7 Networking diagram of HWTACACS authentication ... 1-17
Figure 1-8 Troubleshooting flowchart of HWTACACS authentication ... 1-21
Figure 1-9 Networking diagram of the RADIUS authentication ... 1-23
Figure 1-10 Networking diagram of HWTACACS authentication ... 1-25


1 AAA Troubleshooting

About This Chapter

The following table shows the contents of this chapter.

1.1 AAA Overview: This section describes the knowledge you need before troubleshooting AAA.

1.2 Troubleshooting Local User Authentication: This section describes the notes about configuring local user authentication, and provides the troubleshooting flowchart and the troubleshooting procedure for a typical local user authentication network.

1.3 Troubleshooting RADIUS Authentication: This section describes the notes about configuring RADIUS authentication, and provides the troubleshooting flowchart and the troubleshooting procedure for a typical RADIUS authentication network.

1.4 Troubleshooting HWTACACS Authentication: This section describes the notes about configuring HWTACACS authentication, and provides the troubleshooting flowchart and the troubleshooting procedure for a typical HWTACACS authentication network.

1.5 Troubleshooting Cases: This section presents several troubleshooting cases.

1.6 FAQs: This section lists frequently asked questions and their answers.

1.7 Diagnostic Tools: This section describes the common diagnostic tools: display commands and debugging commands.


1.1 AAA Overview

This section describes the basic concepts of AAA, RADIUS, and HWTACACS.

1.1.1 AAA, RADIUS and HWTACACS

AAA

AAA stands for Authentication, Authorization, and Accounting. It comprises the following three types of security services:

− Authentication: specifies which users can access the network.
− Authorization: specifies which services a user can use.
− Accounting: records the network resource utilization of the user.

AAA adopts the server/client model, in which the client runs on the resource side and the server stores information about the user. This model has good extensibility and makes user management easier.

The two communication protocols used between the client and the server are as follows:

− The Remote Authentication Dial-In User Service (RADIUS) protocol
− The Huawei Terminal Access Controller Access Control System (HWTACACS) protocol, an enhancement of TACACS

RADIUS

RADIUS is used for communication between the Network Access Server (NAS) and the RADIUS server at the application layer.

RADIUS adopts the server/client model, in which the client runs on the resource side and the server stores information about the user.

RADIUS is carried over UDP; to assure reliability, it adopts a retransmission mechanism and a backup server mechanism. The authentication and accounting ports used by RADIUS are 1645/1646 or 1812/1813.

Figure 1-1 shows the RADIUS packet format.

Figure 1-1 RADIUS message structure

[Figure: the packet is laid out in byte order as Code, Identifier, Length, Authenticator, followed by the Attribute field; each row of the figure shows bit positions 0 to 7 of four consecutive bytes.]

Code


The Code field contains one byte, indicating the RADIUS message type. The common code values are as follows.

Value 1, Access-Request: sending an authentication request. A NAS sends an authentication request to a RADIUS server.

Value 2, Access-Accept: accepting the authentication request. A RADIUS server sends a response packet to accept the authentication request.

Value 3, Access-Reject: rejecting the authentication request. A RADIUS server sends a response packet to reject the authentication request.

Value 4, Accounting-Request: sending an accounting request. A NAS sends an accounting request to a RADIUS server.

Value 5, Accounting-Response: responding to the accounting request. A RADIUS server responds to a certain accounting request packet.

There are three types of accounting packets. They are distinguished by the value of attribute No. 40:

− Value of attribute No. 40 is 1: accounting start packets
− Value of attribute No. 40 is 3: accounting stop packets
− Value of attribute No. 40 is 2: hot billing packets

Identifier

Identifier contains one byte, used to match request packets or response packets.

Length

Length contains two bytes, indicating the total length of all fields.

Authenticator

The Authenticator field contains 16 bytes. It is used to authenticate the response packets sent by a RADIUS server and as input to the password-hiding algorithm.

Authenticator is divided into the following:

− Request Authenticator
− Response Authenticator

Attribute

The Attribute field has a variable length and carries one or more attributes.

Figure 1-2 shows the attribute format.


Figure 1-2 Attribute format

[Figure: each attribute is laid out as Type, Length, Value; the row shows bit positions 0 to 7 of four consecutive bytes.]

− Type: indicates the attribute type.
− Length: indicates the length of each attribute. It contains one byte.
− Value: indicates the attribute value. Its length is variable.
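As an added example that is not part of this manual, the following Python builds and parses RADIUS packets in the layout of Figure 1-1 and Figure 1-2: the 20-byte header, the Type/Length/Value attributes, the password-hiding algorithm seeded by the Request Authenticator, and the Response Authenticator check a NAS performs before trusting an Access-Accept. The shared key, user name and password are constructed sample values; the attribute 40 values follow RFC 2866 (1 Start, 2 Stop, 3 Interim-Update), which numbers stop and interim packets differently from the table above.

```python
import hashlib
import hmac
import os
import struct

# Code values from the table above. Attribute 40 (Acct-Status-Type) values are
# given as RFC 2866 section 5.1 defines them: 1 Start, 2 Stop, 3 Interim-Update.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (Figure 1-1)

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth          # the Request Authenticator seeds the chain
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse; NUL padding is stripped (passwords must not end in NUL)."""
    padded, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return padded.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Serialize (type, value) pairs in the Type/Length/Value layout of Figure 1-2."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:  # Length is one byte and counts the Type and Length bytes too
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def decode_attrs(data: bytes):
    """Walk the TLV list, rejecting a Length below 2 or one that runs past the data."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute Length %d at offset %d" % (length, i))
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs

def parse_packet(pkt: bytes) -> dict:
    """Parse the header; the Length field, not the datagram size, bounds the attributes."""
    if len(pkt) < HEADER.size:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt) or length > 4096:
        raise ValueError("bad Length field %d" % length)
    return {"code": code, "type": CODES.get(code, "unknown"), "id": ident, "length": length,
            "authenticator": auth, "attrs": decode_attrs(pkt[HEADER.size:length])}

def build_access_request(ident, secret, user, password, req_auth=None) -> bytes:
    """Code 1 carrying User-Name(1) and the hidden User-Password(2)."""
    req_auth = req_auth or os.urandom(16)   # must be unpredictable per request
    body = encode_attrs([(1, user), (2, hide_password(password, secret, req_auth))])
    return HEADER.pack(1, ident, HEADER.size + len(body), req_auth) + body

def response_authenticator(code, ident, body, req_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def build_response(code, ident, attrs, req_auth, secret) -> bytes:
    """Server side: Access-Accept/Reject or Accounting-Response for one request."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, req_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body

def verify_response(resp, req_auth, secret, expected_id) -> bool:
    """NAS side: the Identifier must match the outstanding request and the Response
    Authenticator must verify under the shared key, else the reply is dropped."""
    p = parse_packet(resp)
    if p["id"] != expected_id:
        return False
    body = resp[HEADER.size:p["length"]]
    expected = response_authenticator(p["code"], p["id"], body, req_auth, secret)
    return hmac.compare_digest(expected, p["authenticator"])

def acct_status(attrs) -> str:
    """Classify an Accounting-Request by its attribute 40 (a 4-byte integer)."""
    for typ, val in attrs:
        if typ == 40 and len(val) == 4:
            return ACCT_STATUS.get(struct.unpack("!I", val)[0], "unknown")
    return "missing"
```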

The NAS works as the RADIUS client. It supports:

− The standard RADIUS protocol and extended attributes, including RFC2865 and RFC2866
− The extended RADIUS+1.1 protocol of Huawei
− Active detection of the RADIUS server state
  − After receiving an AAA authentication or accounting message, the NAS enables server detection if the status of the server is Down. It then transforms the message into a packet and sends the packet to the current server. The NAS regards the server as normal only after receiving a response packet from the current server.
− Local buffer retransmission of Accounting Stop packets
  − If the number of retransmission events exceeds the configured value, packets are saved to the buffer queue. The system timer periodically scans the queue, extracts a packet, sends it to the specified server, and enables the waiting timer. If the transmission fails or no response packet is received from the server within the timeout period, the packet is put back into the buffer queue.
− Auto-switch of the RADIUS server
  − If the waiting timer expires and the current server is Down, or the number of retransmission events exceeds the maximum, another server in the server group assumes the role of the current server to transmit packets.

HWTACACS

HWTACACS provides the AAA service for communication between the NAS and the HWTACACS server. HWTACACS is an extended version of the TACACS protocol (RFC1492). Similar to RADIUS, it adopts a client/server model to implement AAA between users and the HWTACACS server.

HWTACACS differs from RADIUS in the following aspects:

− RADIUS is based on UDP while HWTACACS is based on TCP.
− RADIUS performs authentication together with authorization while HWTACACS separates them.
− RADIUS encrypts only the password field in the authentication packet while HWTACACS encrypts the whole packet.


1.1.2 Domain and Address Pool

Domain

Most AAA configurations are related to the domain.

The NAS divides users into different groups (domains) based on the character string that follows the "@" in the user name. For example, user0001@isp1 belongs to the domain isp1 and user0002@isp2 belongs to the domain isp2.

If there is no "@" in the user name, the user belongs to the default domain.

The users in the same domain have similar attributes. The configurations in a domain view affect all users in this domain, and the domain resources can be used by all users in this domain.

You can configure authentication, authorization, and accounting schemes in a domain view. For the default domain, AAA adopts the default schemes. In addition, you can configure a RADIUS or a HWTACACS server template.

Address Pool

PPP users can obtain an IP address from the NAS through PPP address negotiation. The methods are as follows:

− Use the remote address command in the interface view to allocate an IP address to the peer.
− Configure an address pool in the AAA view and then use the remote address pool command to allocate an address from the address pool to the peer.

Allocating the address from an address pool is more flexible and convenient.

In addition, the address pool can be used together with the domain. Configure a global address pool in the AAA view and a domain address pool in the domain view. Users in the domain use the domain address pool preferentially.

1.1.3 Schemes and Modes

Authentication Schemes and Modes

AAA supports four authentication modes:

− Local authentication
− Non-authentication
− RADIUS authentication
− HWTACACS authentication

It also allows any combination of the four modes.

For example, the authentication-mode radius local command uses RADIUS authentication first; if RADIUS authentication fails, local authentication is adopted.

The non-authentication mode should be placed as the last option.

Configure the authentication mode in the authentication scheme view. By default, local authentication is used.


Authorization Schemes and Modes

AAA supports four authorization modes:

− Local authorization
− Direct authorization
− If-authenticated authorization
− HWTACACS authorization

It also allows any combination of the four modes.

For example, the authorization-mode hwtacacs local command uses HWTACACS authorization first; if it fails, local authorization is adopted.

In a combination mode containing direct authorization, direct authorization (none) should be placed last, as in authorization-mode hwtacacs local none.

By default, the local authorization mode is used. RADIUS performs authentication together with authorization, so there is no separate RADIUS authorization mode.

Accounting Schemes and Modes

AAA supports six accounting modes:

− Local accounting
− Non-accounting
− RADIUS accounting
− HWTACACS accounting
− Combination of RADIUS and local accounting
− Combination of HWTACACS and local accounting

Configure the hot billing interval in the accounting scheme view. By default, the interval is five minutes.

By default, the non-accounting mode is used.

1.1.4 Server Templates

RADIUS Server Template

The RADIUS server template describes the details of the RADIUS server.

In the RADIUS server template, you can configure the authentication and accounting servers, and backup authentication and accounting servers as required.

Configure the shared key in the RADIUS server template. It must be the same as that on the server side.

RADIUS supports a specified source address: you can configure the IP address of a specified loopback interface as the source address of the RADIUS packets sent to the RADIUS server.

After configuring a RADIUS server template, associate the template name with a domain in the corresponding domain view.


HWTACACS Server Template

The HWTACACS server template differs from the RADIUS server template in the following aspects:

− It contains an authorization server and a backup authorization server.
− It supports a packet source address that is configured directly, instead of as the address of a loopback interface.

After configuring a HWTACACS template, associate the template name with a domain in the corresponding domain view.

1.2 Troubleshooting Local User Authentication

This section covers the following topics:

− Typical Networking
− Configuration Notes
− Troubleshooting Flowchart
− Troubleshooting Procedure

1.2.1 Typical Networking

Figure 1-3 shows the typical networking diagram of local authentication.

Figure 1-3 Networking diagram of local authentication

[Figure: Client (Serial 4/0/0, 9.1.1.1) --- PPP --- Host (Serial 1/1/0, 9.1.1.2)]

1.2.2 Configuration Notes

Item: Configuring serial interfaces on the client side
− Configuring IP address: The IP address on the client side must be in the same network segment as that on the host side.
− Configuring PAP user authentication: The PAP user name and password configured on the client side must be consistent with those on the host side.

Item: Configuring serial interfaces on the host side
− Configuring IP address: The IP address on the host side must be in the same network segment as that on the client side.
− Configuring the PPP authentication: The PAP user name and password configured on the host side must be consistent with those on the client side.

Item: Configuring AAA on the host side
− Domain: Configure the domain to which the PAP user belongs.
− Local user: Configure the local user in the AAA view.

The following covers some of the commands used in configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security.

Configuring the Serial Interface on the Client Side

Configure an IP address for the serial interface. In PPP PAP mode, you also need to configure the user name and the password.

<Quidway> system-view

[Quidway] interface Serial 4/0/0

[Quidway-Serial4/0/0] ip address 9.1.1.1 255.255.255.0

[Quidway-Serial4/0/0] ppp pap local-user user001@huawei password simple abc123

[Quidway-Serial4/0/0] quit

Configuring the Serial Interface on the Host Side

Configure an IP address for the serial interface and set the PPP authentication mode to PAP.

[Quidway] interface Serial 1/1/0

[Quidway-Serial1/1/0] ip address 9.1.1.2 255.255.255.0

[Quidway-Serial1/1/0] ppp authentication-mode pap

[Quidway-Serial1/1/0] quit

Configuring AAA on the Host Side

Use the local authentication mode.

[Quidway] aaa

[Quidway-aaa] display this

#

aaa

authentication-scheme default

#

authorization-scheme default

#

accounting-scheme default

#

domain default

#

#

Configure the local user and the domain. Set the PAP user user001@huawei of the client side as the local user.

[Quidway-aaa] local-user user001@huawei password simple abc123

[Quidway-aaa] domain huawei


By default, a newly configured domain is in local authentication mode, so the PAP user user001@huawei is authenticated locally. After the user passes local authentication, the PPP link authentication succeeds.

1.2.3 Troubleshooting Flowchart

Figure 1-4 Troubleshooting flowchart of the local user authentication

[Flowchart, starting from "In PAP mode, the local user authentication fails". Decision nodes: "Normal PPP link?", "Correct PAP configuration?", "Correct AAA configuration?", "Is the user domain configured?", "Is the local authentication mode configured?" and, after each corrective action, "The fault disappears?". Corrective actions: "Ensure the PPP is in Up state when no authentication mode is configured", "Modify PAP", and "Ensure the password of the local user is the same as that used in PAP". A Yes at "The fault disappears?" leads to End; when the fault persists, seek technical support.]


1.2.4 Troubleshooting Procedure

Step 1 Check the PPP link.

With PAP mode not configured, check that the PPP link is Up.

# Configure the serial interface on the client side.

[Quidway] interface Serial 4/0/0

[Quidway-Serial4/0/0] ip address 9.1.1.1 255.255.255.0

[Quidway-Serial4/0/0] quit

# Configure the serial interface on the host side.

[Quidway] interface Serial 1/1/0

[Quidway-Serial1/1/0] ip address 9.1.1.2 255.255.255.0

[Quidway-Serial1/1/0] quit

In the normal situation, the host can ping 9.1.1.1. Using the display this interface command in the interface view, you can see that LCP and IPCP are "opened". If the PPP link is Up, continue with the following step.

Step 2 Check PAP.

Enable PAP debugging on each interface. The following display indicates that PAP is not configured on the peer and LCP negotiation fails.

%Sep 16 14:01:54 2005 Quidway PPP/5/NEGOTIATEFAIL:Slot=3;Serial3/0/0:0: We want to negotiate pap , but the peer doesn't have pap configuration. So LCP negotiate fail, PPP session will be closed.

If the PAP configuration is correct and the link is Up, continue with the following step.

Step 3 Check AAA.

Based on the preceding two steps, you can infer that there is something wrong with AAA. In such cases, check AAA as follows:

1. Use the display this command in the AAA view to check that the domain huawei exists.
2. Check that the user type is consistent with that configured in AAA. You can use the display local-user command in the user interface view.
3. Check that the authentication scheme of the domain huawei, the default authentication scheme, or the user-configured authentication scheme is in local authentication mode.
4. Check that user001@huawei is configured in the AAA view and that the password of user001 agrees with that of the PAP user.

If the fault persists, contact Huawei technical personnel.

----End

1.3 Troubleshooting RADIUS Authentication

This section covers the following topics:

− Typical Networking
− Configuration Notes
− Troubleshooting Flowchart
− Troubleshooting Procedure

1.3.1 Typical Networking

Figure 1-5 shows the networking of RADIUS authentication.

Figure 1-5 Networking diagram of RADIUS authentication

[Figure: Remote User --- ISDN/PSDN --- NAS --- RADIUS Server]

1.3.2 Configuration Notes

Item: Configuring the RADIUS server template
− Configuring the authentication server: Configure the IP address and port of the RADIUS authentication server. Note that the port in the template must be the same as that configured on the RADIUS server.
− Configuring the accounting server: Configure the IP address and port of the RADIUS accounting server. Note that the port in the template must be the same as that configured on the RADIUS server.
− Configuring the shared key: The shared key in the RADIUS server template must be the same as that on the RADIUS server.
− Configuring the user name format: The user name can either contain a domain name or not. In this example, the user name contains no domain name.

Item: Configuring AAA
− Configuring the authentication scheme: The RADIUS authentication mode is adopted.
− Configuring the accounting scheme: The RADIUS accounting mode is adopted.
− Configuring the domain huawei: A domain named huawei is created and associated with the authentication scheme, the accounting scheme, and the RADIUS server template in the domain view.

Item: Enabling the FTP server
− Enabling the FTP server: None.

Item: Configuring the RADIUS server
− Configuring authentication and accounting ports: For example, 1812 is the authentication port number and 1813 is the accounting port number.
− Configuring the IP address and shared key for the NAS: Note that the shared key configured for the NAS must be the same as that in the RADIUS server template.
− Configuring user001: In this example, the domain name is not included in the user name. You need to configure the password for user001. In addition, you need to configure the FTP directory delivery on the RADIUS server.

The following covers some of the commands used in configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security. RADIUS servers differ in their configuration, but they all support the preceding configurations.

Creating a RADIUS Server Template

Create a RADIUS server template and configure the IP addresses and ports of the authentication server and the accounting server in it. Note that:

− The IP addresses of the RADIUS servers must be routable.
− The port configuration on the NAS must be the same as that on the server.
− The shared key on the NAS must be the same as that on the servers.
− In this example, the user name does not contain the domain name.

<Quidway> system-view

[Quidway] radius-server template rt_huawei

[Quidway-radius-rt_huawei] radius-server authentication 192.168.1.202 1812

[Quidway-radius-rt_huawei] radius-server accounting 192.168.1.202 1813

[Quidway-radius-rt_huawei] radius-server shared-key huawei

[Quidway-radius-rt_huawei] undo radius-server user-name domain-included


[Quidway-radius-rt_huawei] quit

Configuring AAA

Create a RADIUS authentication scheme and a RADIUS accounting scheme. Create a domain named huawei. Configure the authentication scheme, the accounting scheme, and the RADIUS server template in the domain view.

[Quidway] aaa

[Quidway-aaa] authentication-scheme radius

[Quidway-aaa-authen-radius] authentication-mode radius

[Quidway-aaa-authen-radius] quit

[Quidway-aaa] accounting-scheme radius

[Quidway-aaa-accounting-radius] accounting-mode radius

[Quidway-aaa-accounting-radius] quit

[Quidway-aaa] domain huawei

[Quidway-aaa-domain-huawei] authentication-scheme radius

[Quidway-aaa-domain-huawei] accounting-scheme radius

[Quidway-aaa-domain-huawei] radius-server rt_huawei

[Quidway-aaa-domain-huawei] quit

[Quidway-aaa] quit

Enabling the FTP Server

Enable the FTP server in the system view of the NAS.

[Quidway] ftp server enable

Info:Start FTP server

Configuring the RADIUS Server

Configure the RADIUS server based on its help files. Configure the following items:

− The authentication and accounting ports
− An IP address and the shared key for the NAS
− The user name, the password, and the authorization information

Check whether AAA takes effect on the RADIUS server using the tool provided by the operating system.


1.3.3 Troubleshooting Flowchart

Figure 1-6 Troubleshooting flowchart of RADIUS authentication

[Flowchart, starting from "The FTP user fails to pass the RADIUS authentication". Decision nodes: "Login record?", "Can the NAS transmit the authentication information to the RADIUS server?", "Failing authentication information?", "Can the NAS receive the authorized FTP directory?", "Can the user log on to the NAS FTP server?" and, after each corrective action, "The fault disappears?". Corrective actions: "Remove the fault based on the failing authentication information" and "Configure the authentication mode on the RADIUS server correctly". A Yes at "The fault disappears?" leads to End; when the fault persists, seek technical support.]


1.3.4 Troubleshooting Procedure

Step 1 Check that the RADIUS server displays login records.

In the normal situation, you can view the login records in the display on the server. When the user logs in through a RADIUS server, the server records the user name and the successful authentication. Otherwise, it records the failure and the possible causes.

If there is no record on the server, the authentication relationship is not set up between the NAS and the RADIUS server. Check the link, the NAS, and the RADIUS server as follows.

1. Check the link.

If the link is Down, remove the faults on the link first.

2. On the NAS, check that:
− The domain huawei is configured.
− The RADIUS authentication mode is configured in the domain view.
− The RADIUS server template is configured in the domain view.
− The IP addresses and ports of the server are configured.

Then, using the debugging radius packet command, you can check whether RADIUS packets are sent out.

<Quidway> debugging radius packet

<Quidway> terminal debugging

<Quidway> terminal monitor

If debugging is enabled but nothing is displayed, the fault lies in the NAS. Check whether the domain is associated with the RADIUS server template.

If the debugging information exists, you can see the sent RADIUS authentication packet.

*0.264194889 RT1 RDS/8/debug2:
Radius Sent a Packet
Server Template: 0
Server IP : 192.168.1.128
Protocol: Standard
Code : 1
Len : 210
ID : 0
[User-name(1) ] [5 ] [tao]
[Password(2) ] [18] [5220c68cbd7014d96a3c9c5a6750d67e]
[NAS-Port(5) ] [6 ] [0]
[Service-Type(6) ] [6 ] [6]
[Framed-Protocol(7) ] [6 ] [6]
[Framed-IP-Address(8) ] [6 ] [192.168.1.202]
[NAS-Identifier(32) ] [5 ] [RT1]
[NAS-Port-Type(61) ] [6 ] [5]
[NAS-Port-Id(87) ] [34] [slot=0;subslot=0;port=0;vlanid=0]
[Login-IP-Host(14) ] [6 ] [3232235978]
[NAS-Startup-Timestamp(26-59) ] [6 ] [952825733]
[Ip-Host-Addr(26-60) ] [33] [192.168.1.202 ff:ff:ff:ff:ff:ff]
[Connect_ID(26-26) ] [6 ] [6000]
*0.264196064 RT1 RDS/8/debug2:
[Version(26-254) ] [30] [Huawei VRP Software Version ]
[Product-ID(26-255) ] [5 ] [VRP]
[NAS-IP-Address(4) ] [6 ] [192.168.1.1]

The preceding display indicates that the RADIUS authentication packet has been sent out. You then need to check whether the response packet is received. If the following message appears, the authentication server is not started; check the RADIUS authentication server.

#Mar 12 01:49:08 2000 RT1 RDS/5/RDAUTHDOWN:RADIUS authentication server(IP 192.168.1.128) is down!

Step 2 Check the RADIUS authentication server.

Check whether the IP address and the port of the authentication server are configured correctly. If so, check whether the RADIUS server runs normally.

To check whether the related services are enabled on ports, you can use the diagnostic tool provided by the operating system.

If the RADIUS server and the NAS can receive packets from each other, continue to check the following.

Step 3 Check whether the RADIUS server displays failing authentication information.

Although the NAS and the RADIUS server can communicate, the authentication fails. The cause mainly lies in the RADIUS server. Check that:
− The NAS address and the shared key are configured on the RADIUS server.
− The shared key configured on the RADIUS server is consistent with that on the NAS.
− The user is configured on the RADIUS server. Note that the server template configured on the NAS can strip the domain name from the login user name.
− The password of the user configured on the RADIUS server is consistent with that of the login user.

If the authentication fails, the server output or the login record shows the failure. By viewing the records, you can find the cause of the authentication failure.

The possible causes are:
− The user name does not exist.
− The password, including the shared key on the server, is not consistent with that on the NAS.
− The NAS address is not configured.

After the preceding check and modification, most authentication faults disappear.
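To show why an inconsistent shared key surfaces as an authentication failure (and why a response signed with the wrong key never reaches the user), the following Python models both halves of the RFC 2865 Access-Request exchange. This is an added example, not code from the Huawei document or from VRP: the User-Password attribute (type 2, shown in the dump above with length 18) is hidden with MD5(secret + Request Authenticator), so a server holding a different key recovers garbage, rejects the user, and signs its answer with a Response Authenticator the NAS cannot verify. User name tao, NAS address 192.168.1.1 and shared key huawei are taken from the page; the password and the mismatched key are constructed.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute numbers; the attribute numbers match the table in this document.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE = 6  # "6 indicates the administrative user"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block); for the first block the 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password. With a different secret the MD5 key stream
    differs, so the result is garbage and the password comparison fails."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, ident=0, request_auth=None):
    """NAS side: Code 1 packet carrying User-Name, hidden User-Password, NAS-IP-Address
    and Service-Type, preceded by the 16-byte random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request, secret, users):
    """Server side: unhide the password with the server's copy of the shared key, compare it
    with the configured user, and answer Access-Accept (2) or Access-Reject (3). The Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD)
    password = reveal_password(hidden, secret, request_auth) if hidden else None
    ok = code == ACCESS_REQUEST and username in users and users[username] == password
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()  # no response attributes


def nas_verify_response(request, response, secret):
    """NAS side: recompute the Response Authenticator with the NAS's shared key. Returns the
    response code, or None when the check fails (for example on a key mismatch); a real NAS
    then silently discards the packet and the login eventually times out."""
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return response[0] if resp_auth == expected else None


if __name__ == "__main__":
    users = {"tao": b"constructed-pw"}  # constructed credential for the user "tao" seen in the dump
    req = build_access_request("tao", "constructed-pw", b"huawei", "192.168.1.1", ident=0)
    good = server_handle(req, b"huawei", users)     # server holds the same key as the NAS
    bad = server_handle(req, b"wrong-key", users)   # server configured with a different key
    print("same key     ->", nas_verify_response(req, good, b"huawei"))  # 2 (Access-Accept)
    print("key mismatch ->", nas_verify_response(req, bad, b"huawei"))   # None (discarded)
```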

If you cannot perform FTP after the authentication succeeds, continue to check the following.

Step 4 Check that the NAS can receive the authorized FTP directory.

If the FTP login view displays "503 Logged fail, authentication directory is incorrect" or "Connection closed by remote host", the FTP directory authorization is wrong.

After RADIUS packet debugging is enabled, you can see in the debugging information that the NAS receives the authentication response packet sent by the RADIUS server.

Radius Received a Packet
Server Template: 0
Server IP : 192.168.1.202
Server Port : 1812
Protocol: Standard
Code : 2
Len : 33
ID : 15
[Ftp-Directory ] [7 ] [hda1:]

The preceding display indicates that the RADIUS server delivers the attribute of the FTP directory. The value of the attribute is hda1. If no such display appears, you need to configure the list of the delivered attributes for the user.

If the fault persists, contact Huawei technical personnel.

----End

1.4 Troubleshooting HWTACACS Authentication

This section covers the following topics:
− Typical Networking
− Configuration Notes
− Troubleshooting Flowchart
− Troubleshooting Procedure

1.4.1 Typical Networking

Figure 1-7 shows the typical networking diagram of HWTACACS authentication.

Figure 1-7 Networking diagram of HWTACACS authentication (Remote User - ISDN/PSDN - NAS - HWTACACS Server)


1.4.2 Configuration Notes

The table is grouped by item; each sub-item is followed by its description.

Configuring the HWTACACS server template:
− Configuring the authentication server: The IP address and port for the HWTACACS authentication server are configured. Note that the port on the template must be the same as that configured on the HWTACACS server.
− Configuring the authorization server: The IP address and port for the HWTACACS authorization server are configured. Note that the port on the template should be the same as that configured on the HWTACACS server.
− Configuring the accounting server: The IP address and port for the HWTACACS accounting server are configured. Note that the port on the template should be the same as that configured on the HWTACACS server.
− Configuring the shared key: Note that the shared key of the HWTACACS server should be the same as that on the HWTACACS server template.
− Configuring the user name format: The user name can either contain a domain name or not. In this example, the user name contains no domain name.

Configuring AAA:
− Configuring the authentication scheme: The HWTACACS authentication mode is adopted.
− Configuring the authorization scheme: The HWTACACS authorization mode is adopted.
− Configuring the accounting scheme: The HWTACACS accounting mode is adopted.
− Configuring the domain huawei: A domain named huawei is created, and the configured authentication scheme, authorization scheme, accounting scheme, and HWTACACS server template are applied in the domain.

Configuring the HWTACACS server:
− Configuring the authentication, authorization and accounting ports: In this example, port 49 is adopted for authentication, authorization, and accounting.
− Configuring an IP address and shared key for the NAS: The shared key of the NAS should be the same as that configured for the HWTACACS server template.
− Configuring a user named user001: In this example, the user name contains no domain name. You need to configure the password for user001. In addition, you need to configure the FTP directory delivery attribute.

The following covers part of the commands used in configuring AAA, RADIUS, and HWTACACS. For details, refer to the VRP Configuration Guide - Security. All servers support the preceding configurations; the details of configuring the HWTACACS server vary with the specific server.

Configuring a HWTACACS Server Template

Create a HWTACACS server template and configure IP addresses and ports for the HWTACACS authentication, authorization, and accounting servers.

Note that:
− IP addresses of the HWTACACS servers are reachable.
− The port configurations on the NAS should be the same as those on the HWTACACS servers.
− The shared key on the NAS should also be the same as that on the server.
− In this example, the user name does not contain the domain name.

<Quidway> system-view
[Quidway] hwtacacs-server template ht_huawei
[Quidway-hwtacacs-ht_huawei] hwtacacs-server authentication 192.168.1.202 49
[Quidway-hwtacacs-ht_huawei] hwtacacs-server authorization 192.168.1.202 49
[Quidway-hwtacacs-ht_huawei] hwtacacs-server accounting 192.168.1.202 49
[Quidway-hwtacacs-ht_huawei] hwtacacs-server shared-key huawei
[Quidway-hwtacacs-ht_huawei] undo hwtacacs-server user-name domain-included
[Quidway-hwtacacs-ht_huawei] quit

Configuring AAA

Create a HWTACACS authentication scheme, a HWTACACS authorization scheme, and a HWTACACS accounting scheme. Create a domain named huawei and configure the authentication scheme, the authorization scheme, the accounting scheme, and the HWTACACS server template in this domain.

[Quidway] aaa
[Quidway-aaa] authentication-scheme hwtacacs
[Quidway-aaa-authen-hwtacacs] authentication-mode hwtacacs
[Quidway-aaa-authen-hwtacacs] quit
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Quidway-aaa-accounting-hwtacacs] quit
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme hwtacacs
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht_huawei
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Configuring the HWTACACS Server

Configure the HWTACACS server based on its help files.

Configure the following items:
− The authentication port, the authorization port, and the accounting port
− The IP address and the shared key for the NAS
− The user name, the password, and the authorization information

Check whether AAA takes effect on the HWTACACS server using the tools provided by the operating system.


1.4.3 Troubleshooting Flowchart

Figure 1-8 Troubleshooting flowchart of HWTACACS authentication (start: the Telnet user fails to pass through the HWTACACS authentication; decision nodes: Login record? / Can NAS transmit the authentication information to the HWTACACS server? / Failing authentication information? / Can NAS receive the authorized Telnet users? / Can the user telnet to the NAS server? / The fault disappears?; actions: Remove the fault based on the failing authentication information / Configure the authentication mode on the HWTACACS server correctly / Seek the technical support; terminal node: End)


1.4.4 Troubleshooting Procedure

Step 1 Check whether the HWTACACS server displays login records.

The procedure is similar to that for the RADIUS server. Refer to Step 1 of 1.3.4, checking whether the RADIUS server displays login records.

Step 2 Check whether the HWTACACS server displays failing authentication information.

The NAS and the HWTACACS server can communicate but the authentication fails. The fault lies in the HWTACACS server.

Check that:
− The NAS address and the shared key are configured on the HWTACACS server.
− The shared key configured on the HWTACACS server is consistent with that on the NAS.
− The user is configured on the server. Note that the server template configured on the NAS can remove the domain name from the login user name.
− The password of the user configured on the server is consistent with that of the login user.

If the authentication fails, you can locate the fault by viewing the login records.

The possible causes are:
− The user name does not exist.
− The password, including the shared key on the server, is not consistent with that on the NAS.
− The NAS address is not configured.

Step 3 Check whether the NAS can receive the authorized FTP user class.

The display "503 Logged fail, authentication directory is incorrect" or "Connection closed by remote host" in the FTP login interface indicates that the authorized FTP directory is incorrect.

Enable HWTACACS packet debugging (debugging hwtacacs all); you can then see that the NAS has received the related authentication response packets from the HWTACACS server.

HWTACACS Received a Packet
Server Template: 0
Server IP : 192.168.1.202
Server Port : 49
Protocol: Standard
Code : 2
Len : 33
ID : 15
[Ftp-Directory ] [7 ] [hda1:]

The preceding display indicates that the HWTACACS server delivers the FTP directory attribute, whose value is hda1. If the attribute is not delivered, configure the list of attributes to be delivered to the user on the HWTACACS server.

If the fault persists, contact Huawei technical personnel.

----End


1.5 Troubleshooting Cases

This section provides the following troubleshooting cases:
− FTP User Fails to Pass Through RADIUS Authentication
− HWTACACS User Fails to Get the Delivered Address

1.5.1 FTP User Fails to Pass Through RADIUS Authentication

Fault Symptom

Figure 1-9 Networking diagram of the RADIUS authentication (Remote User - ISDN/PSDN - NAS 192.168.1.6 - RADIUS Server 192.168.1.202)

The legal remote user001@huawei who needs to log on to the NAS through FTP fails to pass through RADIUS authentication.

Fault Analysis

− Check whether the RADIUS server has records about the login user. If not, the NAS and the RADIUS server cannot communicate; focus on checking the NAS.
− Use the debugging radius packet command in the user view of the NAS to view the output. Checking AAA, you find that the domain huawei contains no RADIUS server template.
− After configuring such a template, view the debugging information on the NAS to check whether any response packet is received.
− Check that the authentication port number configured on the RADIUS server is the same as that in the RADIUS server template on the NAS.
− Check that the password configured on the RADIUS server is consistent with the shared key configured on the NAS.
− Check that the FTP directory attribute is delivered, and then check that the delivered attribute is added for user001.
− After the FTP directory attribute is delivered, the user can log on to the FTP server. The fault disappears.


Troubleshooting Procedure

Step 1 Check whether the RADIUS server has records of the login user.

Step 2 If there are no login records, use the debugging radius packet command on the NAS to check whether the NAS has sent out authentication request packets.

Step 3 If the NAS fails to send out authentication request packets, check the AAA configuration and the RADIUS server template on the NAS. Note that the sent RADIUS authentication request packets are displayed when the user logs in.

Step 4 If the RADIUS server still has no login user records, check the IP address and the port configuration. Note that:
− The server and the NAS can ping each other.
− The port configuration on the RADIUS server should be the same as that in the RADIUS server template.

Step 5 If authentication still fails when the NAS and the RADIUS server can communicate, the possible causes are:
− The NAS address is not added.
− The shared key on the NAS is wrong.
− The user name or password is wrong.

Step 6 If the authentication succeeds but the authorization fails after the NAS and the RADIUS server can communicate, check whether the user is authorized by the RADIUS server.

----End

Summary

If the RADIUS authentication fails, ensure the following:
− Successful mutual communication between the NAS and the RADIUS server
− Successful authentication
− Successful authorization

You can locate the fault through the debugging information on the NAS and RADIUS server.


1.5.2 HWTACACS User Fails to Get the Delivered Address

Fault Symptom

Figure 1-10 Networking diagram of HWTACACS authentication (Remote User user001@isp1 - ISDN/PSDN, link labelled 79.1.1.2 - NAS - HWTACACS Server 192.168.1.202; 79.1.1.10 is the authorized address for user001@isp1)

A legal remote user, user001@huawei, obtains an address from the NAS through PPP address negotiation. The NAS, however, delivers no IP address on the related interface; instead, the HWTACACS server authorizes the address for the user.

Fault Analysis

− Check whether the NAS can deliver an address to the remote user directly, without using the address authorized by the HWTACACS server. If so, the fault lies in the link between the NAS and the HWTACACS server.
− Let a Telnet user that adopts the HWTACACS authentication and authorization mode log in to the NAS. If the login succeeds, the HWTACACS server and the NAS can communicate, and the fault lies in the wrong address authorized by the HWTACACS server.
− On checking, you find that the IP address delivered by the HWTACACS server and the NAS interface connected to the user are in different network segments. Modify the delivered IP address.

Troubleshooting Procedure

Step 1 Check whether the remote user can communicate with the NAS without using a HWTACACS server. You can then check the link between the NAS and the server.

Step 2 If a Telnet user can log in to the NAS, the NAS and the HWTACACS server work normally. The fault lies in the delivered address.

Step 3 Check the HWTACACS server and find that the delivered address is wrong.

----End


Summary

This example adopts the substitution method to locate the fault.

If the fault disappears when the HWTACACS server is not used, you can attribute the fault to the HWTACACS server configuration. If a Telnet user can log in to the NAS, some checking steps can be omitted and the fault can be located rapidly. When you are familiar with the configurations, this method is helpful.

1.6 FAQs

Q: Huawei Devices and Non-Huawei Devices Share the Same TACACS Server but the Authentication Fails. Why?

A: The user class range set by the major partner is different from that set by Huawei. The user class range set by Huawei is from 0 to 3, and any value that exceeds 3 is invalid, so the authentication fails. To remove this fault, configure users for the products of the major partner and for the Huawei products separately.

Q: Why Cannot a Telnet User Who Has Passed RADIUS Authentication Enter the System View?

A: Because the user is not authorized by the RADIUS server.

If shiva is used as the RADIUS server, configure exec-privilege for it; if another type of server is used, configure the extended exec-privilege on it. That is, add the extended attribute (29) contained in the standard attribute (26) to the related attribute dictionary.

For FTP users, if shiva is used as the RADIUS server, configure ftp-directory for it; if another type of server is used, configure the extended ftp-directory. That is, add the extended attribute (29) contained in the standard attribute (26) to the related attribute dictionary.

Q: In AAA, How Is an Address Allocated to a PPP User?

A: The address allocation rules are as follows:
− For a user that is not authenticated: If the interface has an IP address, the NAS allocates that address to the peer directly; if the interface has an IP address pool, the NAS allocates an address from that address pool to the peer.
− For an authenticated user of the default domain: If the RADIUS server has delivered an IP address, the NAS allocates that address to the peer directly; if the RADIUS server has delivered an IP address pool ID, the NAS allocates an address from the global or domain address pool to the peer. If the RADIUS server has not delivered an address pool ID but the interface has an IP address pool, the NAS allocates an address from that global address pool to the peer.
− For an authenticated user of a common domain: If the RADIUS server has delivered an IP address, the NAS allocates that address to the peer directly. If the RADIUS server has delivered an IP address pool ID, the NAS allocates an address from the specified domain address pool to the peer. If the RADIUS server has not delivered an address pool ID but the interface has an IP address, the NAS allocates that address to the peer. If the interface has an IP address pool, the NAS allocates an address from the domain address pool to the peer.


In the preceding three cases:
− If all the addresses in the specified global address pool have been used, the NAS traverses the whole set of global address pools, starting from the address pool configured first.
− If all the addresses in the specified domain address pool have been used, the NAS traverses the domain address pools, starting from the one configured first. The user preferentially uses an IP address from the address pools of its own domain.
− If none of the domain address pools has an address to allocate, the NAS traverses the global address pools.
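The three cases and the exhaustion rules above, modelled as an added example (not code from the document or from VRP): pools are kept in configuration order, and the allocator returns the address together with the rule and pool that produced it, so the fallback path is visible. The pool names and addresses are constructed, and the choice to treat a delivered pool ID as a domain pool when the default domain defines it (and as a global pool otherwise) is an assumption about the "global or domain address pool" wording.

```python
from collections import OrderedDict

# Pools are modelled as name -> list of free addresses, kept in configuration order
# (first configured first), because the fallback rules traverse pools from the first one.
# This is a constructed model for the example, not a VRP data structure.


def _take(pools, name):
    """Allocate the first free address of the named pool; (None, None) if empty or unknown."""
    free = pools.get(name)
    if free:
        return free.pop(0), name
    return None, None


def _traverse(pools):
    """Exhaustion fallback: walk every pool in configuration order until one yields an address."""
    for name in pools:
        addr, src = _take(pools, name)
        if addr is not None:
            return addr, src
    return None, None


def alloc_global(global_pools, name):
    """Global pool rule: the named pool first, then all global pools from the first configured."""
    addr, src = _take(global_pools, name)
    if addr is None:
        addr, src = _traverse(global_pools)
    return (addr, f"global pool {src}") if addr is not None else (None, "exhausted")


def alloc_domain(domain_pools, global_pools, domain, name):
    """Domain pool rule: the named pool, then the user's own domain pools from the first
    configured (own-domain addresses are preferred), then the global pools."""
    pools = domain_pools.get(domain, OrderedDict())
    addr, src = _take(pools, name)
    if addr is None:
        addr, src = _traverse(pools)
    if addr is not None:
        return addr, f"domain pool {src}"
    return alloc_global(global_pools, None)


def allocate_ppp_address(user_kind, global_pools, domain_pools, domain=None,
                         radius_ip=None, radius_pool_id=None, iface_ip=None, iface_pool=None):
    """Apply the FAQ's three cases. user_kind is "unauthenticated", "default-domain" or
    "common-domain"; radius_* are what the server delivered, iface_* what the interface has.
    Returns (address, source) where source is "interface", "radius", "global pool <name>",
    "domain pool <name>", "exhausted", or "none" when no rule applies."""
    if user_kind == "unauthenticated":
        if iface_ip:
            return iface_ip, "interface"
        if iface_pool:
            return alloc_global(global_pools, iface_pool)
    elif user_kind == "default-domain":
        if radius_ip:
            return radius_ip, "radius"
        if radius_pool_id:
            # Assumption: a pool ID defined under the default domain is a domain pool,
            # any other delivered pool ID names a global pool.
            if radius_pool_id in domain_pools.get(domain, {}):
                return alloc_domain(domain_pools, global_pools, domain, radius_pool_id)
            return alloc_global(global_pools, radius_pool_id)
        if iface_pool:
            return alloc_global(global_pools, iface_pool)
    elif user_kind == "common-domain":
        if radius_ip:
            return radius_ip, "radius"
        if radius_pool_id:
            return alloc_domain(domain_pools, global_pools, domain, radius_pool_id)
        if iface_ip:
            return iface_ip, "interface"
        if iface_pool:
            return alloc_domain(domain_pools, global_pools, domain, iface_pool)
    return None, "none"


if __name__ == "__main__":
    # Constructed pools: the first domain pool is already exhausted to exercise the fallbacks.
    gp = OrderedDict([("gpool1", ["10.1.1.2"]), ("gpool2", ["10.1.2.2"])])
    dp = {"huawei": OrderedDict([("dpool1", []), ("dpool2", ["10.2.2.2"])])}
    for _ in range(3):  # dpool2, then the global pools, then exhaustion
        print(allocate_ppp_address("common-domain", gp, dp, domain="huawei", radius_pool_id="dpool1"))
```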

Q: What Are the Common RADIUS Attributes?

A: They are listed below in the form "Value Attribute (Field format): Usage".
− 1 User-name (String(1 to 32)): Configure the user name based on the command line. It can either contain a domain name or not, such as user0001@isp or user0001.
− 2 Password (String(16 to 128)): The encrypted password, valid in PAP.
− 3 Challenge-Password (String(17)): The password (MD5-encrypted authenticator), valid in CHAP authentication.
− 4 NAS-IP-Address (IP Address): If the RADIUS server is bound to a certain interface address, that address is adopted as the IP address of the NAS; otherwise, the address of the interface from which the packets are sent is adopted.
− 5 NAS-Port (Integer): The user access port, in the format 4 bits of slot number + 2 bits of card number + 5 bits of port number + 21 bits of VLAN number.
− 6 Service-Type (Integer): The type of user: 2 indicates an access user; 6 indicates an administrative user.
− 7 Framed-Protocol (Integer): The value is fixed to 1, indicating PPP.
− 8 Framed-IP-Address (Address): The IP address allocated to the user by the RADIUS server. The value 0xFFFFFFFE indicates that the IP address of the user should be allocated by the NAS.
− 9 Framed-Netmask (Address): The IP address mask allocated to the user by the RADIUS server.
− 11 Filter-ID (String(1)): The User Control List (UCL) group and interworking group, in the format UCL-Group@Inter-Group.
− 14 Login-IP-Host (Address): The IP address of the login user.
− 15 Login-Service (Integer): The login user's type, such as Telnet, Rlogin, TCP Clear, PortMaster (proprietary), and LAT.
− 18 Reply-Message (String(1 to 128)): In an authentication acceptance packet, it indicates the successful authentication; in an authentication rejection packet, it indicates the failed authentication.
− 25 Class (String): The RADIUS server sends the authentication acceptance packet together with the Class attribute to the NAS; the NAS then sends the Class attribute back in accounting request packets. On the standard RADIUS server, the Class attribute also contains the Committed Access Rate (CAR).
− 27 Session-TimeOut (Integer): The timeout time of the user, in seconds. In Extensible Authentication Protocol (EAP) challenge packets, it indicates the re-authentication time for the user.
− 28 Idle-TimeOut (Integer): The idle timeout time, in seconds.
− 31 Calling-Station-Id (String): The MAC address.
− 32 NAS-Identifier (String): If the NAS ID is configured, the NAS identifier is the NAS ID; otherwise, it can be the host name.
− 40 Acct-Status-Type (Integer): The type of accounting request packet: 1 indicates the accounting start packet; 2 indicates the accounting stop packet; 3 indicates the hot billing packet; 4 indicates the accounting packet resetting.
− 41 Acct-Delay-Time (Integer): The time taken in sending accounting packets, in seconds, excluding the network transmission time.
− 42 Acct-Input-Octets (Integer): The number of received bytes, in bytes, Kbytes, Mbytes or Gbytes.
− 43 Acct-Output-Octets (Integer): The number of sent bytes, in bytes, Kbytes, Mbytes or Gbytes.
− 44 Acct-Session-Id (String): The accounting session ID.
− 45 Acct-Authentic (Integer): The user authentication mode: 1 indicates RADIUS authentication; 2 indicates local authentication.
− 46 Acct-Session-Time (Integer): The online time of the user, in seconds.
− 47 Acct-Input-Packets (Integer): The number of received packets.
− 48 Acct-Output-Packets (Integer): The number of packets sent by the user.
− 49 Terminate-Cause (Integer): The cause of the session interruption.
− 52 Acct-Input-Gigawords (Integer): The number of times the received byte count has wrapped past 4 G (2^32).
− 53 Acct-Output-Gigawords (Integer): The number of times the sent byte count has wrapped past 4 G (2^32).
− 55 Event-Timestamp (Integer): The time at which the accounting request packet is generated, in seconds. It is the absolute number of seconds since 00:00:00, January 1st, 1970.
− 60 CHAP-Challenge (String(16)): The CHAP challenge field.
− 61 NAS-Port-Type (Integer): The type of the NAS port.
− 87 NAS-Port-Id (String): The port ID of the access user, in the format slot=XX; subslot=XX; port=XXX; VLANID=XXXX or slot=XX; subslot=XX; port=XXX; VPI=XXX; VCI=XXXX.


1.7 Diagnostic Tools

1.7.1 display Commands

Command: Description
− display radius-server configuration template: Displays the RADIUS server template.
− display authentication-scheme: Displays the authentication scheme.
− display authorization-scheme: Displays the authorization scheme.
− display accounting-scheme: Displays the accounting scheme.
− display domain: Displays the domain.
− display hwtacacs-server template: Displays the HWTACACS server template.

display radius-server configuration template

<Quidway> display radius-server configuration template rt_1
-------------------------------------------------------------------
Server-template-name : rt_1
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.168.1.202:1812:LoopBack-1
Primary-accounting-server : 192.168.1.202:1813:LoopBack-1
Secondary-authentication-server : 0.0.0.0:0:LoopBack0
Secondary-accounting-server : 0.0.0.0:0:LoopBack0
Retransmission : 3
Domain-included : NO
-------------------------------------------------------------------

display authentication-scheme

[Quidway-aaa] display authentication-scheme hwtacacs
--------------------------------------------------------------------------
Authentication-scheme-name : hwtacacs
Authentication-method : HWTACACS authentication
-------------------------------------------------------------------------

display authorization-scheme

[Quidway-aaa] display authorization-scheme hwtacacs
--------------------------------------------------------------------------
Authorization-scheme-name : hwtacacs
Authorization-method : HWTACACS authorization
--------------------------------------------------------------------------


display accounting-scheme

[Quidway-aaa] display accounting-scheme hwtacacs
--------------------------------------------------------------------------
Accounting-scheme-name : hwtacacs
Accounting-method : HWTACACS accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy : Cut user
Realtime-accounting-fail-policy : Cut user
Realtime-accounting-failure-retries : 3
--------------------------------------------------------------------------

display domain

<Quidway> display domain huawei
-------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : hwtacacs
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
User-CAR : -
Web-IP-address : -
Next-hop : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Acl-number : -
Idle-data-attribute (time,flow) : 0, 60
User-priority : -
User-access-limit : 256
Online-number : 0
RADIUS-server-template : rt_1
HWTACACS-server-template : -
-------------------------------------------------------------------


display hwtacacs-server template

<Quidway> display hwtacacs-server template ht_1
--------------------------------------------------------------------------
HWTACACS-server template name : ht_1
Primary-authentication-server : 192.168.1.60:49
Primary-authorization-server : 192.168.1.60:49
Primary-accounting-server : 192.168.1.60:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 192.168.1.60:49
Current-authorization-server : 192.168.1.60:49
Current-accounting-server : 192.168.1.60:49
Source-IP-address : 0.0.0.0
Shared-key : huawei
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : No
Traffic-unit : B
--------------------------------------------------------------------------

1.7.2 debugging Commands

Command: Description
− debugging radius packet: Debugs the RADIUS packet.
− debugging hwtacacs all: Debugs the HWTACACS packet.