
3Com 4500 - Troubleshooting AAA; Troubleshooting RADIUS Configuration

3Com 4500
742 pages
[Sysname-ui-vty0-4] quit
# Create and configure a local user named telnet.
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple aabbcc
[Sysname-luser-telnet] quit
# Configure an authentication scheme for the default “system” domain.
[Sysname] domain system
[Sysname-isp-system] scheme local
A Telnet user logging into the switch with the name telnet@system belongs to the "system" domain and
will be authenticated according to the configuration of the "system" domain.
Method 2: using local RADIUS server
This method is similar to the remote authentication method described in Remote RADIUS
Authentication of Telnet/SSH Users. However, you need to:
• Change the server IP address and the UDP port number of the authentication server to 127.0.0.1
and 1645, respectively, in the configuration step "Configure a RADIUS scheme" in Remote RADIUS
Authentication of Telnet/SSH Users.
• Enable the local RADIUS server function, and set the IP address and shared key for the network
access server to 127.0.0.1 and aabbcc, respectively.
• Configure local users.
Troubleshooting AAA
Troubleshooting RADIUS Configuration
The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol
prescribes how the switch and the RADIUS server of the ISP exchange user information with each
other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
• The username is not in the userid@isp-name or userid.isp-name format, or the default ISP domain
is not correctly specified on the switch — Use the correct username format, or set a default ISP
domain on the switch.
• The user is not configured in the database of the RADIUS server — Check the database of the
RADIUS server and make sure that the configuration information about the user exists.
• The user entered an incorrect password — Be sure to enter the correct password.
• The switch and the RADIUS server have different shared keys — Compare the shared keys at the
two ends and make sure they are identical.
• The switch cannot communicate with the RADIUS server (you can determine this by pinging the
RADIUS server from the switch) — Take measures to make the switch communicate with the
RADIUS server normally.
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
• The communication links (physical/link layer) between the switch and the RADIUS server are
disconnected/blocked — Take measures to make the links connected/unblocked.
