Issue Description
Setting attribute 61 (NAS-Port-Type) to value 5 fails on the S12700 (V200R007C00SPC500)
Alarm Information
<LANCore-1> Dec 8 2015 14:01:55.636.5+01:00 LANCore-1 RDS/7/DEBUG: Server Template: 0 Server IP : 10.1.11.22 Protocol: Standard Code : 1 Len : 123 ID : 44 [User-Name ] [13] [Basschilder] [User-Password ] [18] [7c aa 23 8a 96 a4 19 f2 27 e1 f6 ab a3 f7 e2 bb ] [Service-Type ] [6 ] [2] [Framed-Protocol ] [6 ] [1] [NAS-Identifier ] [11] [LANCore-1] [NAS-Port-Type ] [6 ] [15]
Handling Process
1. Check the configuration.
#
radius-server template ArenA
 radius-server shared-key cipher %#%#gJL|W.}kJN`JT}Iyd*q-5yMZ8I+HU)no7S)v|1M6A1e`:zF/^OI0#kJ%^{9)%#%#
 radius-server authentication 10.1.11.22 1812 vpn-instance vrf1 source ip-address 10.1.12.254 weight 80
 radius-server authentication 10.1.11.23 1812 vpn-instance vrf1 source ip-address 10.1.12.254 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2
 radius-attribute set Service-Type 44
 radius-attribute set NAS-Port-Id tty1
 radius-attribute set NAS-Port-Type 5
#
#
#
aaa
 authentication-scheme default
 authentication-scheme ArenA
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 domain arenanet.nl
  authentication-scheme ArenA
 undo local-user admin
 local-user huawei password irreversible-cipher %#%#Q(JF3gg|@$[%H9+C}cSEDL’k=,}Q9<ibW2CA|Tn=n:T]Ue,j*==Vc-=$(e,K%#%#
 local-user huawei privilege level 15
 local-user huawei service-type telnet terminal ssh
 local-user tenadmin password irreversible-cipher %#%#M*ZI>]-bmNciMU#Zi17-]:.j#C|-N(g6;uG&M`/KtuK7A0(*]U3SjD”B0m4;%#%#
 local-user tenadmin privilege level 15
 local-user tenadmin ftp-directory flash:
 local-user tenadmin service-type terminal ssh ftp
#
2. Confirm with the customer for domain arenanet.nl, then add the configuration below. It sets the user privilege level and applies the RADIUS server template in domain arenanet.nl.
#
aaa
 service-scheme ArenA
  admin-user privilege level 15
#
#
 domain arenanet.nl
  radius-server ArenA
  service-scheme ArenA
#
3. The ISE records showed an authorization deny. Check the settings for the RADIUS server and make sure the switch has the RADIUS server added with the proper parameters.
4. After setting the proper parameters for the RADIUS server, run test-aaa. The NAS-Port-Type attribute is still 15; it has not changed to 5.
<LANCore-1> Dec 8 2015 14:01:55.636.5+01:00 LANCore-1 RDS/7/DEBUG: Server Template: 0 Server IP : 10.1.11.22 Protocol: Standard Code : 1 Len : 123 ID : 44 [User-Name ] [13] [Basschilder] [User-Password ] [18] [7c aa 23 8a 96 a4 19 f2 27 e1 f6 ab a3 f7 e2 bb ] [Service-Type ] [6 ] [2] [Framed-Protocol ] [6 ] [1] [NAS-Identifier ] [11] [LANCore-1] [NAS-Port-Type ] [6 ] [15]
5. When “test-aaa” is used, the NAS-Port-Type attribute in the test result does not change.
When a real end user logs on and “debugging radius all” is used for the test, the attribute is changed. The test result is shown below:
Root Cause
1. For “test-aaa”, the attribute NAS-Port-Type won’t change.
2. The configuration is not appropriate.
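As an added example (not part of the original case and not Huawei tooling), the following Python script parses the RDS debug line captured above and compares it with the template's radius-attribute set lines, listing every configured override that the sent Access-Request does not carry. The function names are hypothetical; the sample data is copied from this page with the timestamp prefix dropped.

```python
import re

# Debug output and override lines copied from this page (timestamp prefix dropped).
DEBUG_LINE = (
    "RDS/7/DEBUG: Server Template: 0 Server IP : 10.1.11.22 Protocol: Standard "
    "Code : 1 Len : 123 ID : 44 [User-Name ] [13] [Basschilder] "
    "[User-Password ] [18] [7c aa 23 8a 96 a4 19 f2 27 e1 f6 ab a3 f7 e2 bb ] "
    "[Service-Type ] [6 ] [2] [Framed-Protocol ] [6 ] [1] "
    "[NAS-Identifier ] [11] [LANCore-1] [NAS-Port-Type ] [6 ] [15]"
)
CONFIG = """\
radius-attribute set Service-Type 44
radius-attribute set NAS-Port-Id tty1
radius-attribute set NAS-Port-Type 5
"""

# One attribute in the debug line looks like: [Name ] [length] [value]
ATTR_RE = re.compile(r"\[([A-Za-z-]+)\s*\]\s*\[(\d+)\s*\]\s*\[([^\]]*)\]")
SET_RE = re.compile(r"^\s*radius-attribute set (\S+) (\S+)\s*$", re.M)


def parse_debug_attributes(line):
    """Return {attribute name: value} from one RDS debug line."""
    return {name: value.strip() for name, _len, value in ATTR_RE.findall(line)}


def configured_overrides(config):
    """Return {attribute name: value} from 'radius-attribute set' lines."""
    return dict(SET_RE.findall(config))


def override_mismatches(config, line):
    """List (name, configured, sent) for overrides the packet does not carry.

    'sent' is None when the attribute is missing from the packet.
    """
    sent = parse_debug_attributes(line)
    return [
        (name, want, sent.get(name))
        for name, want in configured_overrides(config).items()
        if sent.get(name) != want
    ]


if __name__ == "__main__":
    for name, want, got in override_mismatches(CONFIG, DEBUG_LINE):
        print(f"{name}: configured {want}, sent {got}")
```

On the test-aaa capture all three overrides are reported, not only NAS-Port-Type, which matches the finding that test-aaa does not apply the configured values; run it against a capture from a real user logon to verify the overrides.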
Suggestions
During troubleshooting, use different methods to narrow the scope of possible root causes. That will be helpful for the work. If you have any questions, please email csd@telecomate.com