
Testing Whether a User Can Pass RADIUS Authentication or Accounting

Prerequisites

RADIUS authentication or accounting is configured.

Context

This test checks whether a user can pass RADIUS authentication or accounting, which helps the administrator locate faults.

Procedure

  • Run the test-aaa user-name user-password radius-template template-name [ chap | pap | accounting [ start | realtime | stop ] ] command in any view to test whether a user can pass RADIUS authentication or accounting.

Follow-up Procedure

  • The test-aaa command returns an account test timeout message.

    RADIUS authentication test for a single user times out.
    <HUAWEI> test-aaa user1 huawei123 radius-template huawei
    Info: Account test time out.
    RADIUS accounting test for a single user times out.
    <HUAWEI> test-aaa user1 huawei123 radius-template huawei accounting
    Info: Account test time out.
    • The possible causes are as follows:
      • The route between the device and the server is unreachable.
      • The NAS-IP in the RADIUS server template is different from the NAS-IP configured on the RADIUS server.
      • The authentication or accounting port in the RADIUS server template is incorrect.
      • The authentication or accounting port on the RADIUS server is occupied by another application.
      • The RADIUS server address in the RADIUS server template is incorrect.
      • The IP address of the access control device is incorrect or the RADIUS server is not started.
    • Handling procedure:
      • Run the ping command to check whether a reachable route exists between the device and the server. If there is no reachable route, establish a static route or use a routing protocol to establish a dynamic route between the device and the server.
      • Run the display radius-server configuration [ template template-name ] command in any view to check whether the port number and NAS-IP in the RADIUS server template are the same as those on the RADIUS server. If they are not the same, configure the same port number and NAS-IP.
      • Check whether the authentication and accounting port numbers on the RADIUS server are 1812 and 1813, respectively. If not, configure the correct authentication and accounting port numbers.
      • When a controller is used as the RADIUS server, run the netstat -nao | findstr 1812 and netstat -nao | findstr 1813 commands on the server to check whether the ports are occupied. If yes, disable the applications that occupy the ports.
      • Check whether the IP address of the access control device is correct. If not, correct the configuration.
  • The test-aaa command returns an account test failure.

    RADIUS authentication test for a single user fails.
    <HUAWEI> test-aaa user1 huawei123 radius-template huawei
    Info: Account test failed.
    RADIUS accounting test for a single user fails.
    <HUAWEI> test-aaa user1 huawei123 radius-template huawei accounting
    Info: Account test failed.
    • The possible causes are as follows:
      • The shared key of the RADIUS server is not configured.
      • The IP address of the RADIUS server is not configured.
    • Handling procedure:
      • Run the display radius-server configuration [ template template-name ] command in any view to check whether the shared key and IP address are configured in the RADIUS server template. If they are not configured or are not the same as those on the RADIUS server, reconfigure the shared key and IP address in the RADIUS server template.
  • After the test-aaa command is run, the test is passed, but authentication or accounting cannot be performed for the user.

    • The possible causes are as follows:
      • The route between the device and the server is unreachable.
      • The user authentication or accounting domain is different from the RADIUS authentication or accounting domain configured on the device.
    • Handling procedure:
      • Run the ping command to check whether a reachable route exists between the user and device. If there is no reachable route, establish a static route or use a routing protocol to establish a dynamic route between the device and the server.
      • Run the display this command in the AAA view to check whether the user authentication or accounting domain is the same as the RADIUS authentication or accounting domain configured on the device.

        • When the user name entered by the user contains a domain name, check whether RADIUS authentication or accounting has been configured in the domain. If not, configure RADIUS authentication or accounting in the domain.
        • When the user name entered by the user does not contain a domain name, check whether RADIUS authentication or accounting has been configured in the global default domain (administrator uses default_admin and common users use default). If not, configure RADIUS authentication or accounting in the domain.
      • Run the display this command in the AAA view to check whether the AAA authentication or accounting scheme and RADIUS server template have been applied to the domain. If not, apply the AAA authentication or accounting scheme and RADIUS server template to the domain.
      • If NAC has been configured, check whether the NAC configuration is correct. If not, correct the NAC configuration.
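
The checks above depend on the shared key, NAS-IP and port matching on the device and the server. The following Python code is an added example, not Huawei code and not part of the original page: it sends one PAP test request from a management host and classifies the result, with the packet layout taken from RFC 2865. The function names and result strings are assumptions of this example.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): XOR each 16-byte block with
    MD5(secret + previous ciphertext block); the first block uses req_auth."""
    blocks = max(1, -(-len(password) // 16))          # always at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value      # type, length, value

def build_access_request(user, password, secret, nas_ip, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)             # fresh Request Authenticator
    attrs = (attr(1, user.encode())                   # User-Name
             + attr(2, hide_password(password.encode(), secret, req_auth))
             + attr(4, socket.inet_aton(nas_ip)))     # NAS-IP-Address
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + req_auth + attrs, req_auth

def check_reply(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> str:
    if len(reply) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply):
        return "malformed"
    if rid != ident:
        return "id-mismatch"
    # Response Authenticator = MD5(code+id+length + RequestAuth + attributes + secret)
    want = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        return "bad-authenticator"                    # keys differ or reply was altered
    return {2: "accept", 3: "reject"}.get(code, "code-%d" % code)

def probe(server, user, password, secret, nas_ip, port=1812, timeout=5.0):
    """Send one PAP test request and classify the outcome (secret is bytes)."""
    pkt, req_auth = build_access_request(user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(pkt, (server, port))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"                          # no answer on this address/port
        except OSError:
            return "unreachable"
    return check_reply(reply, 1, req_auth, secret)
```

A "bad-authenticator" result means a reply arrived but was not signed with the key this host used, which separates a shared-key mismatch from the routing and port causes that produce "timeout".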
Copyright © Huawei Technologies Co., Ltd.