Operation Manual – AAA & RADIUS & HWTACACS & EAD
H3C S7500 Series Ethernet Switches
Chapter 1 AAA & RADIUS & HWTACACS Configuration

[H3C-isp-hwtacacs] scheme hwtacacs-scheme hwtac

1.8 Troubleshooting AAA & RADIUS & HWTACACS Configuration

1.8.1 Troubleshooting the RADIUS Protocol

The RADIUS protocol is at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other; therefore, it is likely that RADIUS configuration will become faulty.

Symptom 1: User authentication/authorization always fails.

Possible reasons and solutions:
• The entered user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch — Use the correct user name format, or set a default ISP domain on the switch.
• The user is not configured in the database of the RADIUS server — Check the database of the RADIUS server; verify that the configuration information about the user exists.
• The user input an incorrect password — Verify that the correct password is input.
• The switch and the RADIUS server have different shared keys — Compare the shared keys at the two ends and verify that they are identical.
• The switch cannot communicate with the RADIUS server (you can determine this by pinging the RADIUS server from the switch) — Take measures to make the switch communicate with the RADIUS server normally.

Symptom 2: RADIUS packets cannot be sent to the RADIUS server.

Possible reasons and solutions:
• The communication links (physical/link layer) between the switch and the RADIUS server are disconnected/blocked — Take measures to make the links connected/unblocked.
• No RADIUS server IP address, or an incorrect one, is set on the switch — Be sure to set a correct RADIUS server IP address.
• One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers as those on the RADIUS server.

Symptom 3: The user passes the authentication and gets authorized, but the accounting information cannot be transmitted to the RADIUS server.

Possible reasons and solutions:
• The accounting port number is not properly set — Be sure to set a correct port number for RADIUS accounting.
• The switch requests that both the authentication/authorization server and the accounting server use the same device (with the same IP address), but in fact they
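
Added example, not part of the H3C manual: for the shared-key cause listed under Symptom 1, this Python code checks a captured RADIUS reply against the key configured on the switch by recomputing the Response Authenticator defined in RFC 2865. The packet bytes, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """Construct a reply as a server holding `secret` would (demo input only)."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def check_shared_key(reply, request_auth, switch_secret):
    """Return 'match', 'mismatch' or 'malformed' for a captured reply.

    reply         -- raw bytes of the server's Access-Accept/Reject
    request_auth  -- 16-byte Authenticator field of the matching Access-Request
    switch_secret -- shared key as configured on the switch side
    """
    if len(reply) < 20 or len(request_auth) != 16:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "malformed"
    attributes = reply[20:length]
    expected = response_authenticator(code, ident, request_auth,
                                      attributes, switch_secret)
    return "match" if hmac.compare_digest(reply[4:20], expected) else "mismatch"


# Constructed sample data: not taken from a real capture.
REQUEST_AUTH = bytes(range(16))
ATTRIBUTES = bytes([18, 4]) + b"ok"  # Reply-Message (type 18), total length 4
# Code 2 = Access-Accept, identifier 7, signed with the server's key.
REPLY = build_reply(2, 7, REQUEST_AUTH, ATTRIBUTES, b"server-side-key")

if __name__ == "__main__":
    for key in (b"server-side-key", b"switch-side-key"):
        print(key.decode(), "->", check_shared_key(REPLY, REQUEST_AUTH, key))
```

Under RFC 2865 a client silently discards a reply whose Response Authenticator does not verify, so a "mismatch" result on a genuine capture points to different shared keys at the two ends.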