[NE Router-Troubleshooting] Router Fails to Communicate with a RADIUS Server Because an ACL Rule Is Configured on the router's Interface Connected to

Latest reply: Jun 24, 2021 18:55:09

Users who access the router fail to pass authentication.

Fault Symptom

Router B is newly deployed and configured with RADIUS authentication and accounting. All users at the site access the Internet through Router B. Router A is a non-Huawei device.

After the configuration, all dial-up users at this site fail to pass authentication.

Fault Analysis

1. Run the debugging RADIUS packet command to enable debugging. The command output shows that the router has sent an authentication request with the Code field set to 1, but does not receive a response from the RADIUS server.

2. Check debugging information on the RADIUS server. It has received the request and replied with a packet with the Code field set to 2.

As the reply packet is not received, the reply packet may be discarded during forwarding or the route for the reply packet is incorrect.

3. Ping the RADIUS server from the router. The ping is successful, indicating that the route for the returned packet is correct. The reply packet must have been discarded during forwarding.

4. For packets sent from the router to the RADIUS server, change the source IP address to an address in a different network segment. The reply packet can then be received, and users can go online.

Considering that IP packets are sent successfully and UDP packets are returned by the RADIUS server, an intermediate device may apply an ACL rule to UDP packets with source IP addresses in a specified network segment.

5. A check shows that Router A is configured with an ACL rule, which discards the UDP packets returned by the RADIUS server.

Procedure

1. Delete the ACL rule on Router A. Router B can then communicate with the RADIUS server, and the fault is rectified.

Summary

When users cannot go online, first check whether the router sends authentication requests and receives replies. In this troubleshooting case, the RADIUS server has received an authentication request and sent a reply. The router cannot receive the reply because of an incorrect ACL rule set on a device between the router and the RADIUS server.
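The comparison made in steps 1 and 2 of the fault analysis can be automated when packet captures are available at both ends. The following is an added example, not part of the original post or of any Huawei tooling: it parses the RADIUS header, matches requests (Code 1) to replies by Identifier, and reports where each unanswered request was lost. The function names and sample datagrams are constructed for illustration, and it assumes a single client and source port.

```python
import struct

REQUEST, ACCEPT, REJECT, CHALLENGE = 1, 2, 3, 11  # RADIUS Code values (RFC 2865)

def make(code, ident):
    """Build a constructed, attribute-less 20-byte RADIUS datagram for the demo."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

def parse_header(datagram):
    """Return (code, identifier) after validating the fixed RADIUS header."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("Length field inconsistent with datagram size")
    return code, ident

def summarize(datagrams):
    """Return (requests seen, requests still unanswered) as Identifier sets."""
    seen, pending = set(), set()
    for d in datagrams:
        code, ident = parse_header(d)
        if code == REQUEST:
            seen.add(ident)
            pending.add(ident)
        elif code in (ACCEPT, REJECT, CHALLENGE):
            pending.discard(ident)
    return seen, pending

def localize(router_side, server_side):
    """Classify each request the router never saw answered.
    Assumption: one client and one source port, so Identifier alone is the key."""
    _, router_pending = summarize(router_side)
    server_seen, server_pending = summarize(server_side)
    verdicts = {}
    for ident in sorted(router_pending):
        if ident not in server_seen:
            verdicts[ident] = "request lost before reaching the server"
        elif ident in server_pending:
            verdicts[ident] = "server received the request but did not reply"
        else:
            verdicts[ident] = "reply sent but dropped on the return path"
    return verdicts

# Constructed captures: Identifier 7 reproduces the fault in this case.
ROUTER_SIDE = [make(REQUEST, 7), make(REQUEST, 8), make(ACCEPT, 8)]
SERVER_SIDE = [make(REQUEST, 7), make(ACCEPT, 7), make(REQUEST, 8), make(ACCEPT, 8)]

if __name__ == "__main__":
    print(localize(ROUTER_SIDE, SERVER_SIDE))
```

A "reply sent but dropped on the return path" verdict points at filtering on an intermediate device, which is the condition found on Router A in this case.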

andersoncf1
MVE Author Created Jun 24, 2021 18:55:09

Thanks for sharing knowledge with us.