2-31Troubleshooting AAATroubleshooting RADIUS ConfigurationThe RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocolprescribes how the switch and the RADIUS server of the ISP exchange user information with eachother.Symptom 1: User authentication/authorization always fails.Possible reasons and solutions:z The username is not in the userid@isp-name or userid.isp-name format, or the default ISP domainis not correctly specified on the switch — Use the correct username format, or set a default ISPdomain on the switch.z The user is not configured in the database of the RADIUS server — Check the database of theRADIUS server, make sure that the configuration information about the user exists.z The user input an incorrect password — Be sure to input the correct password.z The switch and the RADIUS server have different shared keys — Compare the shared keys at thetwo ends, make sure they are identical.z The switch cannot communicate with the RADIUS server (you can determine by pinging theRADIUS server from the switch) — Take measures to make the switch communicate with theRADIUS server normally.Symptom 2: RADIUS packets cannot be sent to the RADIUS server.Possible reasons and solutions:z The communication links (physical/link layer) between the switch and the RADIUS server isdisconnected/blocked — Take measures to make the links connected/unblocked.z None or incorrect RADIUS server IP address is set on the switch — Be sure to set a correctRADIUS server IP address.z One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers asthose on the RADIUS server.Symptom 3: The user passes the authentication and gets authorized, but the accounting informationcannot be transmitted to the RADIUS server.Possible reasons and solutions:z The accounting port number is not properly set — Be sure to set a correct port number for RADIUSaccounting.z The switch requests that both the authentication/authorization server and the accounting serveruse the same device (with the same IP address), but in fact they are not resident on the samedevice — Be sure to configure the RADIUS servers on the switch according to the actual situation.Troubleshooting HWTACACS ConfigurationSee the previous section if you encounter an HWTACACS fault.
