Operation Manual – AAAH3C S3100 Series Ethernet Switches Chapter 2 AAA Configuration2-36III. Configuration procedure# Add a Telnet user.(Omitted here)# Configure a HWTACACS scheme. system-view[Sysname] hwtacacs scheme hwtac[Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49[Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49[Sysname-hwtacacs-hwtac] key authentication aabbcc[Sysname-hwtacacs-hwtac] key authorization aabbcc[Sysname-hwtacacs-hwtac] user-name-format without-domain[Sysname-hwtacacs-hwtac] quit# Configure the domain name of the HWTACACS scheme to hwtac.[Sysname] domain hwtacacs[Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac2.6 Troubleshooting AAA2.6.1 Troubleshooting RADIUS ConfigurationThe RADIUS protocol operates at the application layer in the TCP/IP protocol suite.This protocol prescribes how the switch and the RADIUS server of the ISP exchangeuser information with each other.Symptom 1: User authentication/authorization always fails.Possible reasons and solutions:z The user name is not in the userid@isp-name or userid.isp-name format, or thedefault ISP domain is not correctly specified on the switch — Use the correct username format, or set a default ISP domain on the switch.z The user is not configured in the database of the RADIUS server — Check thedatabase of the RADIUS server, make sure that the configuration informationabout the user exists.z The user input an incorrect password — Be sure to input the correct password.z The switch and the RADIUS server have different shared keys — Compare theshared keys at the two ends, make sure they are identical.z The switch cannot communicate with the RADIUS server (you can determine bypinging the RADIUS server from the switch) — Take measures to make the switchcommunicate with the RADIUS server normally.Symptom 2: RADIUS packets cannot be sent to the RADIUS server.Possible reasons and solutions:
