During remote authentication of login to an S series switch, authentication fails because of the incorrect user name and password based on the debugging information. Actually, the user name and password are configured on the authentication server. What are the causes

17

For S series switches, this problem occurs because the user name contains the domain name. Check whether the user name contains the domain server on the authentication server.
�?If the user name contains the domain name, run the radius-server user-name domain-included command in the RADIUS server template view or the hwtacacs-server user-name domain-included command in the HWTACACS server template view.
�?If the user name does not contain the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view or the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view.

Other related questions:
Configure S series switches to send user names without a domain name to the RADIUS server for authentication
For S series switches (except S1700 switches), the format of a user name is user name@domain name. In the user name, @ is the domain name delimiter, which can also be any of the following symbols: \ / : < > | ' %. By default, a switch does not modify the user name entered by the user in the packets sent to the RADIUS server. If the RADIUS server does not accept user names with domain names, users who enter user names with domain names fail the RADIUS authentication. To solve the problem, perform the following configuration on the switch to make the switch send user names without domain names to the RADIUS server. [HUAWEI] radius-server template template1 [HUAWEI-radius-template1] undo radius-server user-name domain-included Note: You can modify this configuration only when the RADIUS server template is not in use.

How to configure remote authentication for 802.1x authentication users on S series switches
802.1x authentication user information (including the user name, password, and other attributes) for remote authentication and authorization is configured on a remote AAA server. Remote authentication and authorization for 802.1x authentication users feature high network security. For S series and E series switches (except the S1700) running V200R003C10 and earlier versions, NAC can be configured only in common mode. For switches running V200R005C00 and later versions, NAC can be configured in common or unified mode. Accordingly, remote authentication for 802.1x authentication users can be configured in common or unified mode. For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version. The following links are for reference only. - For the configuration example in common mode, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Common Mode) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples. - For the configuration example in unified mode on switches running versions from V200R005C00 to V200R008C00, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R005C00 to, V200R008C00) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples. - For the configuration example in unified mode on switches running V200R009C00 and later versions, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R009C00 and Later Versions) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Configuration Guide - User Access and Authentication.

Can I use the user name and password provided by the peer carrier to interwork with the U1981?
1. The U1981 can interwork a carrier's device through the SIP trunk in IMS registration group mode and use the user name and password provided by the peer carrier for registration. 2. The user name and password are not required in other signaling interworking modes, such as PRA, SS7, QSIG, and AT0.

How to configure local authentication for a MAC address authentication user when the user's MAC address is used as the user name for authentication
You can configure local authentication for MAC address authentication users on S series switches (except the S1700). Perform the following operations to configure local authentication for a MAC address authentication user when the user's MAC address is specified as the user name for authentication (the configuration in NAC common mode is used as an example and is applicable to switches running all versions).
1. Configure an AAA scheme and a local account.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme a1
[HUAWEI-aaa-authen-a1] authentication-mode local   //Set the user's authentication mode to local authentication.
[HUAWEI-aaa-authen-a1] quit
[HUAWEI-aaa] local-user 000b-09d4-8828 password cipher Huawei@123  //Configure a local account and specify the user's MAC address as the user name.
[HUAWEI-aaa] local-user 000b-09d4-8828 service-type bind   //Configure the access type. You can set the access type of the local authentication user to 802.1x, Bind, PPP, or web.
2. Configure an authentication domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme a1
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei   //Configure the authentication domain huawei as the global default authentication domain.
3. Specify the user's MAC address as the user name for local authentication.
[HUAWEI] mac-authen username macaddress format with-hyphen password cipher Huawei@123
4. Enable MAC address authentication.
[HUAWEI] mac-authen  //Enable MAC address authentication globally.
[HUAWEI] interface gigabitethernet 1/0/1  //Enter the view of the interface connected to the user.
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10   //Add the interface to the VLAN to which the user belongs.
[HUAWEI-GigabitEthernet1/0/1] mac-authen  //Enable MAC address authentication on the interface.
[HUAWEI-GigabitEthernet1/0/1] quit
For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version. Take the configuration on a switch running V200R009 as an example. For details, see "NAC Configuration (Unified Mode) - Example for Configuring MAC Address Authentication (AAA Local Authentication Is Used)" in S1720&S2700&S5700&S6720 V200R009C00 Configuration Guide - User Access and Authentication.

Administrator user name and password change for the USG2000&5000 series
For firewalls, once an administrator account is created, the user name cannot be changed. You can change the administrator password on the web UI: 1. Choose System > Administrators > Administrators. 2. Click the Edit icon on the line of the administrator and change the password in the displayed dialog box. In addition, you can run the current-user password-modify command to change the password of the current administrator.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top