
The Dynamic ACL Delivered by the RADIUS Server Does Not Take Effect


It may be caused by one of the following:

  • The HW-Data-Filter attribute is not configured on the RADIUS server.
  • The RADIUS server is not configured to dynamically deliver ACLs on the device.
  • The resource for dynamic traffic classifier-behavior pairs is insufficient.
  • The resource for rules is insufficient on the device.
  • Rules are incorrectly delivered.

 

The common troubleshooting procedure is:

1. Check that the RADIUS server configuration on the NE40E is correct.

 

Run the test-aaa user-name password radius-group group-name command to check whether the RADIUS server works properly.

  • If the RADIUS server does not work properly, reconfigure the RADIUS server based on the guide. For configuration details.
  • If the RADIUS server works properly, go to step 2.

 

2. Check that the HW-Data-Filter attribute is configured on the RADIUS server.

 

The RADIUS server can dynamically deliver ACLs only after the HW-Data-Filter attribute is configured on the RADIUS server.

  • If the HW-Data-Filter attribute is not configured on the RADIUS server, configure the HW-Data-Filter attribute on the RADIUS server.
  • If the HW-Data-Filter attribute is configured on the RADIUS server, go to step 3.

 

3. Check that the RADIUS server is configured to dynamically deliver ACLs on the NE40E.

 

Run the display this command in the system view to check whether the remote-download acl enable command is configured.

NOTE: If the traffic classifier carried in the HW-Data-Filter attribute contains the name of a user group that does not exist on the NE40E, enable the RADIUS server to dynamically create user groups.

  • If the RADIUS server is not configured to dynamically deliver ACLs on the NE40E, run the remote-download acl enable command in the AAA view to enable the RADIUS server to dynamically deliver ACLs. To enable the RADIUS server to dynamically create user groups, run the remote-download user-group enable command in the AAA view.
  • If the RADIUS server is configured to dynamically deliver ACLs on the NE40E, go to step 4.

 

4. Check that the number of traffic classifier-behavior pairs dynamically delivered by the RADIUS server does not exceed the specification supported by the NE40E.

 

Run the display aaa remote-download acl item command to check whether the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds the specification supported by the NE40E, or run the display alarm active command to check whether a hwRemoteDownloadAclThresholdAlarm alarm is generated.

NOTE: The NE40E supports a maximum of 1024 traffic classifier-behavior pairs. If the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds 1024, subsequent pairs fail to be delivered.

  • If the number of traffic classifier-behavior pairs delivered by the RADIUS server exceeds 1024, run the recycle remote-download acl classifier command to reclaim the idle classifier-behavior pairs.
  • If the number of traffic classifier-behavior pairs delivered by the RADIUS server does not exceed 1024, go to step 5.

 

5. Check that the number of rules does not exceed the specification supported by the NE40E.

 

Check whether a hwXQoSRuleFaileAlarm alarm is generated on the NMS.

NOTE: A traffic classifier-behavior pair can contain multiple rules. If the number of rules, including those carried in the dynamically delivered traffic classifier-behavior pairs and those configured using commands, exceeds the specification supported by the NE40E, subsequent rules cannot take effect.

  • If a hwXQoSRuleFaileAlarm alarm is generated, reclaim some rules.
  • If a hwXQoSRuleFaileAlarm alarm is not generated, go to step 6.

 

6. Check that rules are correctly delivered in the traffic classifier-behavior pairs.

 

Run the display aaa remote-download acl item verbose command to check detailed information about traffic classifier-behavior pairs and determine whether rules are correctly delivered.

  • If no rules are delivered or rules are incorrectly delivered, configure the RADIUS server to deliver correct rules in the HW-Data-Filter attribute of the RADIUS Access-Accept packets or CoA packets.
  • If rules are correct, go to step 7.

 

7. Collect the following information and contact Huawei technical support personnel.

  • Results of the troubleshooting procedure
  • Configuration files, log files, and alarm files from the devices
  • Debugging information about the devices

 

For more information, see the NE40E Maintenance Guide V1.0 (VRPv8).
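
The device-side checks in steps 3 to 5 can be run offline over saved CLI output. The script below is an added example, not part of the original post or of any Huawei tool: it takes the text of display this and display alarm active plus the pair count the operator reads from display aaa remote-download acl item, and returns the remediation for each failed check. The function names and the sample captures are assumptions made for the example; steps 1, 2 and 6 depend on the RADIUS server and are not covered.

```python
MAX_PAIRS = 1024  # limit stated in the step 4 NOTE


def has_command(config_text, command):
    """True only when `command` is a whole configuration line.

    Comparing token lists ignores indentation and keeps a line such as
    'undo remote-download acl enable' from counting as a match.
    """
    want = command.split()
    return any(line.split() == want for line in config_text.splitlines())


def alarm_present(alarm_text, alarm_name):
    """Case-insensitive search; makes no assumption about the column layout."""
    return alarm_name.lower() in alarm_text.lower()


def triage(aaa_config, active_alarms, pair_count, needs_dynamic_group=False):
    """Return the remediation for every failed check in steps 3 to 5."""
    actions = []
    if not has_command(aaa_config, "remote-download acl enable"):
        actions.append("step 3: run 'remote-download acl enable' in the AAA view")
    if needs_dynamic_group and not has_command(
            aaa_config, "remote-download user-group enable"):
        actions.append("step 3: run 'remote-download user-group enable' in the AAA view")
    if pair_count > MAX_PAIRS or alarm_present(
            active_alarms, "hwRemoteDownloadAclThresholdAlarm"):
        actions.append("step 4: run 'recycle remote-download acl classifier'")
    if alarm_present(active_alarms, "hwXQoSRuleFaileAlarm"):
        actions.append("step 5: reclaim some rules")
    return actions or ["steps 3-5 pass: go to step 6"]


# Constructed sample captures (not real device output).
SAMPLE_AAA_CONFIG = """\
#
aaa
 undo remote-download acl enable
 remote-download user-group enable
#
"""
SAMPLE_ALARMS = "1  Major  hwXQoSRuleFaileAlarm  (constructed line)\n"

if __name__ == "__main__":
    for action in triage(SAMPLE_AAA_CONFIG, SAMPLE_ALARMS, pair_count=1030):
        print(action)
```

Set needs_dynamic_group to True when the traffic classifier in HW-Data-Filter names a user group that does not exist on the NE40E, as described in the step 3 NOTE.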
