
Nortel Secure Router 8000 Series
Troubleshooting - VAS
Release: 5.3
Document Revision: 01.01
NN46240-709 324767-A
www.nortel.com
Nortel Secure Router 8000 Series Release: 5.3 Publication: NN46240-709 Document status: Standard Document release date: 30 March 2009
Copyright © 2009 Nortel Networks All Rights Reserved.
Printed in Canada, India, and the United States of America
LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
All other trademarks are the property of their respective owners.
ATTENTION
For information about the safety precautions, read "Safety messages" in this guide.
For information about the software license, read "Software license" in this guide.
Nortel Secure Router 8000 Series Troubleshooting - VAS Contents

Contents

About this document.......................................................................................................................1
1 AAA troubleshooting................................................................................................................1-1
1.1 AAA overview .............................................................................................................................................1-2
1.1.1 AAA, RADIUS, and HWTACACS...................................................................................................1-2
1.1.2 Domains and address pool.................................................................................................................1-4
1.1.3 Schemes and modes ..........................................................................................................................1-5
1.1.4 Server templates................................................................................................................................1-6
1.2 Troubleshooting local user authentication...................................................................................................1-6
1.2.1 Typical networking............................................................................................................................1-6
1.2.2 Configuration notes...........................................................................................................................1-7
1.2.3 Troubleshooting flowchart ................................................................................................................1-9
1.2.4 Troubleshooting procedure................................................................................................................1-9
1.3 Troubleshooting RADIUS authentication..................................................................................................1-10
1.3.1 Typical networking.......................................................................................................................... 1-11
1.3.2 Configuration notes.........................................................................................................................1-11
1.3.3 Troubleshooting flowchart ..............................................................................................................1-14
1.3.4 Troubleshooting procedure..............................................................................................................1-15
1.4 Troubleshooting HWTACACS authentication ............................................................. 1-17
1.4.1 Typical networking..........................................................................................................................1-17
1.4.2 Configuration notes.........................................................................................................................1-17
1.4.3 Troubleshooting flowchart ..............................................................................................................1-21
1.4.4 Troubleshooting procedure..............................................................................................................1-22
1.5 Troubleshooting cases ...............................................................................................................................1-23
1.5.1 FTP user fails to pass through RADIUS authentication ..................................................................1-23
1.5.2 HWTACACS user fails to get the delivered address.......................................................................1-25
1.6 FAQs..........................................................................................................................................................1-26
1.7 Diagnostic tools.........................................................................................................................................1-30
1.7.1 Display commands..........................................................................................................................1-30
1.7.2 Debugging commands.....................................................................................................................1-32
2 IPSec and IKE troubleshooting ...............................................................................................2-1
2.1 IPSec and IKE overview .............................................................................................................................2-3
Issue 01.01 (30 March 2009)
Nortel Networks Inc.
i
2.2 Troubleshooting manual IPSec SA setup.....................................................................................................2-6
2.2.1 Typical networking............................................................................................................................2-6
2.2.2 Configuration notes...........................................................................................................................2-6
2.2.3 Troubleshooting flowchart ..............................................................................................................2-11
2.2.4 Troubleshooting procedure..............................................................................................................2-12
2.3 Troubleshooting ISAKMP SA ...................................................................................................................2-14
2.3.1 Typical networking..........................................................................................................................2-14
2.3.2 Configuration notes.........................................................................................................................2-15
2.3.3 Troubleshooting flowchart ..............................................................................................................2-19
2.3.4 Troubleshooting procedure..............................................................................................................2-21
2.4 Troubleshooting SA setup using an IPSec policy template .......................................................................2-24
2.4.1 Typical networking..........................................................................................................................2-24
2.4.2 Configuration notes.........................................................................................................................2-25
2.4.3 Troubleshooting flowchart ..............................................................................................................2-30
2.4.4 Troubleshooting procedure..............................................................................................................2-31
2.5 Troubleshooting NAT traversal in the IPSec tunnel ..................................................................................2-32
2.5.1 Typical networking..........................................................................................................................2-33
2.5.2 Configuration notes.........................................................................................................................2-33
2.5.3 Troubleshooting flowchart ..............................................................................................................2-40
2.5.4 Troubleshooting procedure..............................................................................................................2-41
2.6 Troubleshooting GRE over IPSec or L2TP over IPSec............................................................................. 2-42
2.6.1 Typical networking..........................................................................................................................2-42
2.6.2 Configuration notes.........................................................................................................................2-43
2.6.3 Troubleshooting flowchart ..............................................................................................................2-46
2.6.4 Troubleshooting procedure..............................................................................................................2-47
2.7 Troubleshooting cases ...............................................................................................................................2-48
2.8 FAQs..........................................................................................................................................................2-49
2.9 Diagnostic tools.........................................................................................................................................2-50
2.9.1 Display commands..........................................................................................................................2-50
2.9.2 Debugging commands.....................................................................................................................2-59
3 Firewall troubleshooting ..........................................................................................................3-1
3.1 Firewall........................................................................................................................................................3-2
3.2 Troubleshooting the firewall........................................................................................................................3-2
3.2.1 Networking environment...................................................................................................................3-3
3.2.2 Configuration notes...........................................................................................................................3-3
3.2.3 Diagnostic flowchart .........................................................................................................................3-3
3.2.4 Troubleshooting procedures..............................................................................................................3-5
3.3 FAQs............................................................................................................................................................3-6
3.4 Diagnostic tools...........................................................................................................................................3-6
4 NAT troubleshooting ................................................................................................................4-1
4.1 NAT .............................................................................................................................................................4-2
4.1.1 NAT attributes ...................................................................................................................................4-2
4.1.2 NAT modes........................................................................................................................................4-3
4.1.3 Special protocols supported by the address translation.....................................................................4-3
4.2 Troubleshooting NAT......................................................................................................4-4
4.2.1 Typical Networking...........................................................................................................................4-4
4.2.2 Configuration notes...........................................................................................................................4-5
4.2.3 Troubleshooting flowchart ................................................................................................................4-6
4.2.4 Troubleshooting procedures..............................................................................................................4-8
4.3 Troubleshooting cases .................................................................................................................................4-9
4.3.1 Internal Network Cannot Successfully Ping the External Network After NAT Is Configured on the Router ......... 4-9
4.4 FAQs..........................................................................................................................................................4-10
4.5 Diagnostic tools.........................................................................................................................................4-11
4.5.1 Display commands.......................................................................................................................... 4-11
4.5.2 Debugging commands.....................................................................................................................4-19
Index ................................................................................................................................................ i-1
Figures
Figure 1-1 RADIUS message structure ............................................................................................................1-2
Figure 1-2 Attribute format...............................................................................................................................1-3
Figure 1-3 Networking diagram of local authentication...................................................................................1-7
Figure 1-4 Troubleshooting flowchart of local user authentication ..................................................................1-9
Figure 1-5 Networking diagram of RADIUS authentication.......................................................................... 1-11
Figure 1-6 Troubleshooting flowchart of RADIUS authentication.................................................................1-14
Figure 1-7 Networking diagram of HWTACACS authentication .....................................................1-17
Figure 1-8 Troubleshooting flowchart of HWTACACS authentication .........................................................1-21
Figure 1-9 Networking diagram of RADIUS authentication..........................................................................1-23
Figure 1-10 Networking diagram of HWTACACS authentication ...................................................1-25
Figure 2-1 Format of the transport mode packets.............................................................................................2-4
Figure 2-2 Format of the tunnel mode packets.................................................................................................2-4
Figure 2-3 Networking diagram of the manual IPSec SA setup .......................................................................2-6
Figure 2-4 Troubleshooting flowchart of IPSec SA manual setup..................................................................2-11
Figure 2-5 Networking diagram of setting up ISAKMP IPSec ......................................................................2-15
Figure 2-6 Troubleshooting flowchart of SA setup in Phase 1 .......................................................................2-20
Figure 2-7 Troubleshooting flowchart of SA setup in Phase 2 .......................................................................2-21
Figure 2-8 Networking diagram of setting up SA using an IPSec policy template.........................................2-25
Figure 2-9 Troubleshooting flowchart of setting up IPSec SA using an IPSec policy template .....................2-30
Figure 2-10 Networking diagram of IPSec NAT ............................................................................................2-33
Figure 2-11 Troubleshooting flowchart of NAT traversal in IPSec ................................................................2-40
Figure 2-12 Networking diagram of configuring IPSec .................................................................................2-43
Figure 2-13 Troubleshooting flowchart of GRE over IPSec...........................................................................2-46
Figure 2-14 Networking diagram of IPSec setup ...........................................................................................2-48
Figure 3-1 Networking of the firewall..............................................................................................................3-3
Figure 3-2 Diagnostic flowchart for faults on the firewall ...............................................................................3-4
Figure 4-1 NAT principles................................................................................................................................4-2
Figure 4-2 NAPT working mode......................................................................................................................4-3
Figure 4-3 NAT networking..............................................................................................................................4-4
Figure 4-4 Networking of the load balancing, flow control and BT speed control on the NAT server ............4-5
Figure 4-5 troubleshooting flowchart...............................................................................................................4-7
Figure 4-6 Internal network fails to ping the external network ........................................................................4-9
About this document
Overview
This section describes the organization of this document, the product version, the intended audience, the conventions used, and the update history.
Related versions
The following table lists the product versions related to this document.
Product name: Nortel Secure Router 8000 Series
Version: V200R005
Intended audience
This document is intended for the following audience:
- network operators
- network administrators
- network maintenance engineers
Organization
This document consists of four chapters related to Value Added Service (VAS) troubleshooting and is organized as follows.
Chapter 1, AAA troubleshooting: describes the troubleshooting procedure for the Authentication, Authorization, and Accounting (AAA) protocol; frequently asked questions (FAQs); and diagnostic tools.
Chapter 2, IPSec and IKE troubleshooting: describes the troubleshooting procedures for IP Security (IPSec) and Internet Key Exchange (IKE), FAQs, and diagnostic tools.
Chapter 3, Firewall troubleshooting: describes the troubleshooting procedure for the firewall, FAQs, and diagnostic tools.
Chapter 4, NAT troubleshooting: describes the troubleshooting procedure for Network Address Translation (NAT), FAQs, and diagnostic tools.
Conventions
This section describes the symbol and text conventions used in this document.
Symbol conventions
The following symbols are used in this document (the symbol icons themselves are not reproduced in this text; the descriptions are listed in the order they appear):
- Indicates a hazard with a high level of risk that, if not avoided, can result in death or serious injury.
- Indicates a hazard with a medium or low level of risk that, if not avoided, can result in minor or moderate injury.
- Indicates a potentially hazardous situation that, if not avoided, can cause equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.
General conventions
Times New Roman: Normal paragraphs are in Times New Roman font.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log on as the user root.
Italic: Book titles are in italics.
Courier New: Terminal display is in Courier New font.
Command conventions
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. You can select one item.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. You can select one item or no item.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. You can select a minimum of one item or a maximum of all items.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. You can select no item or multiple items.
&<1-n>: The parameter before the ampersand sign (&) can be repeated 1 to n times.
#: A line starting with the number sign (#) contains comments.
GUI conventions
Boldface: Buttons, menus, parameters, tabs, windows, and dialog box titles are in boldface. For example, click OK.
>: Multilevel menus are in boldface and separated by the right-angled bracket sign (>). For example, choose File > Create > Folder.
Keyboard operation
Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, Ctrl+Alt+A means press the three keys concurrently.
Key 1, Key 2: Press the keys in sequence. For example, Alt, A means press the two keys in sequence.
Mouse operation
Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a new position.
Update history
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.
Updates in Issue 1.0 (6 June 2008)
This is the first commercial release of this document.
Contents
1 AAA troubleshooting................................................................................................................1-1
1.1 AAA overview...............................................................................................................................................1-1
1.1.1 AAA, RADIUS, and HWTACACS......................................................................................................1-2
1.1.2 Domains and address pool ...................................................................................................................1-4
1.1.3 Schemes and modes.............................................................................................................................1-4
1.1.4 Server templates...................................................................................................................................1-5
1.2 Troubleshooting local user authentication.....................................................................................................1-6
1.2.1 Typical networking ..............................................................................................................................1-6
1.2.2 Configuration notes..............................................................................................................................1-7
1.2.3 Troubleshooting flowchart...................................................................................................................1-9
1.3 Troubleshooting RADIUS authentication ...................................................................................................1-10
1.3.1 Typical networking ............................................................................................................................1-11
1.3.2 Configuration notes............................................................................................................................1-11
1.3.3 Troubleshooting flowchart.................................................................................................................1-14
1.3.4 Troubleshooting procedure ................................................................................................................1-15
1.4 Troubleshooting cases.................................................................................................................................1-17
1.4.1 FTP user fails to pass through RADIUS authentication.....................................................................1-17
1.4.2 HWTACACS user fails to get the delivered address......................................................................... 1-17
1.5 FAQs ...........................................................................................................................................................1-19
1.6 Diagnostic tools...........................................................................................................................................1-22
1.6.1 Display commands.............................................................................................................................1-22
1.6.2 Debugging commands........................................................................................................................1-25
Figures
Figure 1-1 RADIUS message structure..............................................................................................................1-2
Figure 1-2 Attribute format ................................................................................................................................1-3
Figure 1-3 Networking diagram of local authentication.....................................................................................1-6
Figure 1-4 Troubleshooting flowchart of local user authentication....................................................................1-9
Figure 1-5 Networking diagram of RADIUS authentication............................................................................1-11
Figure 1-6 Troubleshooting flowchart of RADIUS authentication ..................................................................1-14
Figure 1-7 Networking diagram of HWTACACS authentication ...................................................... 1-15
Figure 1-8 Troubleshooting flowchart of HWTACACS authentication .......................................................... 1-16
Figure 1-9 Networking diagram of RADIUS authentication............................................................................1-17
Figure 1-10 Networking diagram of HWTACACS authentication .....................................................1-19

1 AAA troubleshooting

About this chapter
The following table shows the contents of this chapter.
1.1 AAA overview: This section describes the concepts you need to know before troubleshooting Authentication, Authorization, and Accounting (AAA).
1.2 Troubleshooting local user authentication: This section contains configuration notes for local user authentication, and provides the local user authentication troubleshooting flowchart and procedure for a typical local user authentication network.
1.3 Troubleshooting RADIUS authentication: This section contains configuration notes for RADIUS authentication, and provides the RADIUS authentication troubleshooting flowchart and procedure for a typical RADIUS authentication network.
1.4 Troubleshooting cases: This section presents several troubleshooting cases.
1.5 FAQs: This section lists frequently asked questions (FAQs) and their answers.
1.6 Diagnostic tools: This section describes common diagnostic tools: display commands and debugging commands.

1.1 AAA overview

This section describes the basic concepts of AAA, RADIUS, and HWTACACS.
1.1.1 AAA, RADIUS, and HWTACACS
AAA
Authentication, Authorization, and Accounting (AAA) provides the following three security services:
- Authentication: verifies the identity of a user and determines whether that user is allowed to access the network.
- Authorization: specifies which services an authenticated user is permitted to use.
- Accounting: records the network resources that the user consumes.
AAA uses a client/server model: the client runs on the device that provides the resource (the Network Access Server, NAS) and the server stores the information about the user. This model is extensible and provides an effective way to manage users centrally.
The two protocols used for communication between the client and the server are as follows:
- Remote Authentication Dial-In User Service (RADIUS)
- Huawei Terminal Access Controller Access Control System (HWTACACS), an enhancement of TACACS
RADIUS
RADIUS is the application-layer protocol used for communication between the Network Access Server (NAS) and the RADIUS server.
RADIUS adopts the client/server model in which the client runs on the resource side (the NAS) and the server stores information about the user.
RADIUS is carried over the User Datagram Protocol (UDP). Because UDP itself gives no delivery guarantee, RADIUS relies on a retransmission mechanism and on backup servers for reliability. The authentication and accounting ports are UDP 1645/1646 (the original assignments, still used by older deployments) or 1812/1813 (the ports assigned by RFC 2865 and RFC 2866). The NAS and the server must agree on both the port pair and the shared secret; a mismatch in either is a common cause of authentication failures, and a wrong shared secret shows up as replies that the NAS silently discards rather than as an explicit error.
Figure 1-1 shows the RADIUS packet format.
Figure 1-1 RADIUS message structure (a 20-byte header followed by the attributes):
Code (1 byte) | Identifier (1 byte) | Length (2 bytes)
Authenticator (16 bytes)
Attribute ... (variable length)
The following list describes the RADIUS message structure:
- Code—contains 1 byte, indicating the RADIUS message type. The common code values are as follows.

  Value | Packet type | Indication | Description
  1 | Access-request | Sending an authentication request | NAS sends an authentication request to a RADIUS server.
  2 | Access-accept | Accepting the authentication request | A RADIUS server sends a response packet to accept the authentication request.
  3 | Access-reject | Rejecting the authentication request | A RADIUS server sends a response packet to reject the authentication request.
  4 | Accounting-request | Sending an accounting request | NAS sends an accounting request to a RADIUS server.
  5 | Accounting-response | Responding to the accounting request | A RADIUS server responds to an accounting request packet.
  The three types of accounting packets are as follows. They are distinguished by the value of attribute No. 40:
  - value of attribute No. 40 is 1: accounting start packets
  - value of attribute No. 40 is 2: hot billing packets
  - value of attribute No. 40 is 3: accounting stop packets
- Identifier—contains 1 byte, used to match request packets with their response packets.
- Length—contains 2 bytes, indicating the total length of all fields.
- Authenticator—contains 16 bytes. This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm.
- Attribute—has a flexible length and consists of various attributes. Figure 1-2 shows the attribute format.
Figure 1-2 Attribute format
(Figure 1-2 layout: Type (1 byte) | Length (1 byte) | Value (variable length))
Type—indicates the attribute type.
Length—indicates the length of every attribute and contains 1 byte.
Value—indicates the attribute value and is flexible.
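The message structure and attribute format above, implemented in Python as an added example (this is not code from the Nortel document): it builds and parses the Code/Identifier/Length/Authenticator header and the Type/Length/Value attributes, checks the Response Authenticator that lets the NAS authenticate a server reply, and shows the User-Password hiding that the Authenticator feeds into (both per RFC 2865). The shared key, request authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}  # code values from the table above

def build_packet(code, ident, authenticator, attrs):
    """Assemble Code|Identifier|Length|Authenticator followed by Type|Length|Value attributes."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    """Split a datagram into header fields and (type, value) pairs; reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4]) if len(packet) >= 20 else (0, 0, 0)
    if length < 20 or length > len(packet):
        raise ValueError("header missing or Length field inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "type": CODES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": packet[4:20], "attrs": attrs}

def response_authenticator(response, request_authenticator, secret):
    """RFC 2865 Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()

def reply_is_authentic(response, request, secret):
    """A reply must echo the request Identifier and carry the Authenticator only a key holder can compute."""
    if response[1] != request[1]:
        return False
    expected = response_authenticator(response, request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def hide_password(password, request_authenticator, secret):
    """RFC 2865 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, request_authenticator, secret):
    """Inverse of hide_password as the server applies it; the zero padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Constructed exchange: the request authenticator and shared key are sample values only.
SECRET, REQUEST_AUTH = b"nortel", bytes(range(16))
REQUEST = build_packet(1, 7, REQUEST_AUTH, [(1, b"user001"), (2, hide_password(b"abc123", REQUEST_AUTH, SECRET))])
UNSIGNED = build_packet(2, 7, bytes(16), [(8, bytes([9, 1, 1, 1]))])  # Framed-IP-Address 9.1.1.1
ACCEPT = UNSIGNED[:4] + response_authenticator(UNSIGNED, REQUEST_AUTH, SECRET) + UNSIGNED[20:]
```

A reply forged by a host that lacks the shared key, or one whose Identifier does not match the outstanding request, fails reply_is_authentic and must be discarded by the NAS.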
The NAS works as the RADIUS client and supports the following:
- standard RADIUS protocol and extended attributes, including RFC2865 and RFC2866
- Nortel extended RADIUS+1.1 protocol
- active detection of the RADIUS server state
  After receiving an AAA authentication or accounting message, the NAS enables server detection if the status of the server is Down. It then transforms the message into a packet and sends the packet to the current server. The NAS regards the server as normal only after receiving a response packet from the current server.
- local buffer retransmission of Accounting Stop packets
  If the number of retransmission events exceeds the value configured, packets are saved to the buffer queue. The system timer periodically scans the queue, extracts the packets, sends them to the specific server, and enables the waiting timer. If the transmission fails or no response packet is received from the server within the timeout period, the packet is put back into the buffer queue.
- autoswitch of the RADIUS server
  If the waiting timer expires and the current server is Down, or the number of retransmission events exceeds the maximum, another server in the server group assumes the role of the current server to transmit packets.
1.1.2 Domains and address pool
Domains
Most AAA configurations are related to domains. NAS divides users into different groups based on the character string that follows the @ symbol in user names. For example, user0001@isp1 belongs to the domain isp1 and user0002@isp2 belongs to isp2.
If no @ symbol appears in the user name, the user belongs to the default domain.
Users in the same domain have similar attributes. Configuration in a domain view can affect all users in the domain, and domain resources can be used by all the users in the domain.
You can configure AAA schemes in a domain view. For the default domain, AAA uses the default schemes for the domain. You can also configure a RADIUS or HWTACACS server template.
Address pool
Point-to-Point Protocol (PPP) users can use PPP address negotiation to obtain the IP address of the local interface from the NAS. The methods are as follows:
- Use the remote address command in the interface view to allocate an IP address to the peer.
- Configure an address pool in the AAA view and then use the remote address pool command to allocate the address from the address pool to the peer.
Allocating the address from the address pool is the more flexible approach. In addition, the address pool can be used together with the domain. Configure a global address pool in the AAA view and a domain address pool in the domain view. Users in the domain can use the domain address pool preferentially.
1.1.3 Schemes and modes
Authentication schemes and modes
AAA supports four authentication modes:
- local authentication
- non-authentication
- RADIUS authentication
- HWTACACS authentication
AAA also allows any combination of the four modes.
Configure the authentication mode in the authentication scheme view. By default, local authentication is used. Use non-authentication mode only as a last option.
The authentication-mode radius local command uses the RADIUS authentication mode first. If that fails, it uses the local authentication mode.
Authorization schemes and modes
AAA supports four authorization modes:
- local authorization
- direct authorization
- if-authenticated authorization
- HWTACACS authorization
AAA also allows any combination of the four modes.
The authorization-mode hwtacacs local command uses the HWTACACS authorization mode first. If that fails, it uses the local authorization mode.
In a combination that contains the direct authorization mode, direct authorization must come last, as in authorization-mode hwtacacs local none.
By default, the local authorization mode is used. RADIUS performs authorization together with authentication, so there is no separate RADIUS authorization mode.
Accounting schemes and modes
AAA supports six accounting modes:
- local accounting
- non-accounting
- RADIUS accounting
- HWTACACS accounting
- combination of RADIUS and local accounting
- combination of HWTACACS and local accounting
By default, the non-accounting mode is used.
Configure the hot billing interval in the accounting scheme. By default, the interval is 5 minutes.
1.1.4 Server templates
RADIUS server template
The RADIUS server template describes details of the RADIUS server. On the RADIUS server template, you can configure authentication and accounting servers or backup authentication and accounting servers as required.
Configure the shared key on the RADIUS server template. The shared key should be the same as that on the server side.
RADIUS supports a specified source address: you can configure the IP address of a loopback interface as the source address of the RADIUS packets sent to the RADIUS server.
After configuring a RADIUS server template, associate the template name with a domain in the corresponding domain view.
HWTACACS server template
The HWTACACS server template differs from the RADIUS server template as follows:
- It contains an authorization server and a backup authorization server.
- It supports packets with the source address configured directly instead of the address of the loopback interface.
After configuring an HWTACACS template, associate the template name with a domain in the corresponding domain view.

1.2 Troubleshooting local user authentication

This section covers the following topics:
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure
1.2.1 Typical networking
Figure 1-3 shows a typical networking diagram for local authentication.
Figure 1-3 Networking diagram of local authentication
(Client: PPP interface Serial 4/0/0, 9.1.1.1) <-- PPP --> (Host: PPP interface Serial 1/1/0, 9.1.1.2)
1.2.2 Configuration notes
Item | Sub-item | Description
Configuring serial interfaces on the client side | Configure the IP address | The IP address on the client side must be in the same network segment as that on the host side.
Configuring serial interfaces on the client side | Configure PAP user authentication | The Password Authentication Protocol (PAP) user name and password configured on the client side must be consistent with those on the host side.
Configuring serial interfaces on the host side | Configure the IP address | The IP address on the host side must be in the same network segment as that on the client side.
Configuring serial interfaces on the host side | Configure PPP authentication | The PAP user name and password configured on the host side must be consistent with those on the client side.
Configuring AAA on the host side | Configure the domain | Configure the domain to which a PAP user belongs.
Configuring AAA on the host side | Configure the local user | Configure the local user in the AAA view.
The following sections cover part of the commands for configuring AAA, RADIUS, and HWTACACS. For more information, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).
Configuring the serial interface on the client side
Configure an IP address for the serial interface. In PPP/PAP mode, you need to configure the user name and password.
<Nortel> system-view
[Nortel] interface Serial 4/0/0
[Nortel-Serial4/0/0] ip address 9.1.1.1 255.255.255.0
[Nortel-Serial4/0/0] ppp pap local-user user001@nortel password simple abc123
[Nortel-Serial4/0/0] quit
Configuring the serial interface on the host side
Configure an IP address for the serial interface and set the PPP authentication mode to PAP.
[Nortel] interface Serial 1/1/0
[Nortel-Serial1/1/0] ip address 9.1.1.2 255.255.255.0
[Nortel-Serial1/1/0] ppp authentication-mode pap
[Nortel-Serial1/1/0] quit
Configuring AAA on the host side
Configure local authentication mode.
[Nortel] aaa
[Nortel-aaa] display this
#
aaa
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
Configure the local user and the domain. Configure a PAP user user001@nortel on the client side as the local user.
[Nortel-aaa] local-user user001@nortel password simple abc123
[Nortel-aaa] domain nortel
By default, the newly configured domain is in local authentication mode, so the PAP user user001@nortel also uses this mode. After passing through local authentication, PPP link authentication succeeds.
1.2.3 Troubleshooting flowchart
Figure 1-4 Troubleshooting flowchart of local user authentication
(Flowchart summary: start from "In PAP mode, the local user authentication fails". Normal PPP link? If No, ensure PPP is in the up state when no authentication mode is configured; if the fault disappears, End. Correct PAP configuration? If No, modify PAP; if the fault disappears, End. Correct AAA configuration? If No, check whether the user domain is configured, check whether the local authentication mode is configured, and ensure the password of the local user is the same as that used in PAP; if the fault disappears, End; otherwise seek technical support.)
Troubleshooting procedure
Step 1 Check the PPP link.
If PAP mode is not used, check that the PPP link is Up.
# Configure the serial interface on the client side.
[Nortel] interface Serial 4/0/0
[Nortel-Serial4/0/0] ip address 9.1.1.1 255.255.255.0
[Nortel-Serial4/0/0] quit
# Configure the serial interface on the host side.
[Nortel] interface Serial 1/1/0
[Nortel-Serial1/1/0] ip address 9.1.1.2 255.255.255.0
[Nortel-Serial1/1/0] quit
In normal situations, the host can ping through 9.1.1.1. Use the display this interface command in the interface view to verify that Link Control Protocol (LCP) and IP Control Protocol (IPCP) are "opened." If the PPP link is Up, continue with the following steps.
Step 2 Check PAP.
Debug PAP on each interface. The following display indicates that PAP is not configured on the peer and LCP negotiation fails.
%Sep 16 14:01:54 2005 Nortel PPP/5/NEGOTIATEFAIL:Slot=3;Serial3/0/0:0: We want to negotiate pap , but the peer doesn't have pap configuration. So LCP negotiate fail, PPP session will be closed.
If the PPP link is Up with PAP configured, continue with the following step.
Step 3 Check AAA.
Based on the preceding two steps, you can determine that a problem may exist with AAA. In this case, check AAA as follows:
1. Use the display this command in the AAA view to check that the domain nortel exists.
2. Check if the user type is consistent with that configured in AAA. You can use the display local-user command in the user interface view.
3. Check if the authentication scheme of the domain nortel, the default authentication scheme, or the user-configured authentication scheme is in local authentication mode.
4. Check if user001@nortel is configured in the AAA view and the user001 password agrees with that of the PAP user.
If the fault persists, contact Nortel technical support.
----End
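The checks of Steps 1 to 3 above, automated as an added example (this is not code from the Nortel document): it parses constructed configuration excerpts written in the style of the commands in this section, compares the client and host interfaces and the host AAA view, and reports which step fails. The configuration text format, the scheme name "default", and the rule that an undefined scheme means local authentication are assumptions of the example.

```python
import ipaddress
import re

def parse_config(text):
    """Extract what Steps 1 to 3 compare from a saved-style configuration (constructed format)."""
    cfg = {"networks": [], "pap_users": {}, "auth_mode": None, "local_users": {}, "domains": {}, "schemes": {}}
    ctx = None  # ("domain", name) or ("scheme", name) while inside that view
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg["networks"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.match(r"ppp pap local-user (\S+) password simple (\S+)$", line):
            cfg["pap_users"][m[1]] = m[2]
        elif m := re.match(r"ppp authentication-mode (\S+)$", line):
            cfg["auth_mode"] = m[1]
        elif m := re.match(r"local-user (\S+) password simple (\S+)$", line):
            cfg["local_users"][m[1]] = m[2]
        elif m := re.match(r"domain (\S+)$", line):
            ctx = ("domain", m[1])
            cfg["domains"].setdefault(m[1], "default")  # a new domain uses the default scheme
        elif m := re.match(r"authentication-scheme (\S+)$", line):
            if ctx and ctx[0] == "domain":
                cfg["domains"][ctx[1]] = m[1]  # scheme bound inside a domain view
            else:
                ctx = ("scheme", m[1])  # scheme defined in the AAA view; local unless a mode is set
        elif m := re.match(r"authentication-mode (.+)$", line):
            if ctx and ctx[0] == "scheme":
                cfg["schemes"][ctx[1]] = m[1]
        elif line in ("aaa", "quit") or line.startswith("interface "):
            ctx = None
    return cfg

def check_local_auth(client, host):
    """Return the findings of Steps 1 to 3; an empty list means all checks pass."""
    findings = []
    if not client["networks"] or client["networks"] != host["networks"]:
        findings.append("Step 1: client and host IP addresses are not in the same network segment")
    if host["auth_mode"] != "pap":
        findings.append("Step 2: host interface does not use ppp authentication-mode pap")
    for user, password in client["pap_users"].items():
        domain = user.split("@", 1)[1] if "@" in user else "default"
        if domain not in host["domains"]:
            findings.append(f"Step 3.1: domain {domain} is not configured in the AAA view")
        elif "local" not in host["schemes"].get(host["domains"][domain], "local").split():
            findings.append(f"Step 3.3: domain {domain} does not use local authentication")
        if host["local_users"].get(user) != password:
            findings.append(f"Step 3.4: local user {user} is missing or its password differs from the PAP password")
    return findings

# Constructed excerpts modelled on the Figure 1-3 setup; the "broken" host omits the domain.
CLIENT = """interface Serial 4/0/0
 ip address 9.1.1.1 255.255.255.0
 ppp pap local-user user001@nortel password simple abc123"""
HOST_BROKEN = """interface Serial 1/1/0
 ip address 9.1.1.2 255.255.255.0
 ppp authentication-mode pap
aaa
 local-user user001@nortel password simple abc123"""
HOST_FIXED = HOST_BROKEN + "\n domain nortel"
```

Calling check_local_auth(parse_config(CLIENT), parse_config(HOST_BROKEN)) reports the missing domain nortel; with HOST_FIXED the list of findings is empty.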

1.3 Troubleshooting RADIUS authentication

This section covers the following topics:
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure
1.3.1 Typical networking
Figure 1-5 shows the networking of RADIUS authentication.
Figure 1-5 Networking diagram of RADIUS authentication
(Remote User <-- ISDN/PSDN --> NAS <--> RADIUS Server)
1.3.2 Configuration notes
Item | Sub-item | Description
Configuring the RADIUS server template | Configure the authentication server | The IP address and port of the RADIUS authentication server are configured. Note that the port on the template has the same configuration as that on the RADIUS server.
Configuring the RADIUS server template | Configure the accounting server | The IP address and port for the RADIUS accounting server are configured. Note that the port on the template has the same configuration as that on the RADIUS server.
Configuring the RADIUS server template | Configure the shared key | The shared key of the RADIUS server template should be the same as that on the RADIUS server.
Configuring the RADIUS server template | Configure the user name format | The user name can either contain a domain name or not contain a domain name. In this example, the user name does not contain a domain name.
Configuring AAA | Configure the authentication scheme | The RADIUS authentication mode is used.
Configuring AAA | Configure the accounting scheme | The RADIUS accounting mode is used.
Configuring AAA | Configure the domain nortel | A domain named nortel is created and is associated with the authentication scheme, accounting scheme, and RADIUS server template in the domain.
Enabling FTP server | Enable the FTP server | None.
Configuring the RADIUS server | Configure authentication and accounting ports | For example, 1812 is the authentication port number and 1813 is the accounting port number.
Configuring the RADIUS server | Configure the IP address and shared key for the NAS | Note that the shared key of the NAS should be the same as that on the RADIUS server template.
Configuring the RADIUS server | Configure user001 | In this example, the domain name is not included in the user name. You need to configure the password for user001. In addition, you need to configure the delivery FTP directory on the RADIUS server.
- The following sections cover part of the commands for configuring AAA, RADIUS, and HWTACACS. For more information, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).
- RADIUS servers are configured differently, but they all support the preceding configurations.
Creating a RADIUS server template
Create a RADIUS server template and configure the IP addresses and the port for the authentication server and accounting server. Note the following:
- IP addresses of RADIUS servers must be routable.
- The port configuration on the NAS should be the same as the port configuration on the server.
- The shared key on the NAS should be the same as the shared key on the servers.
- In this example, the user name does not contain the domain name.
<Nortel> system-view
[Nortel] radius-server template rt_nortel
[Nortel-radius-rt_nortel] radius-server authentication 192.168.1.202 1812
[Nortel-radius-rt_nortel] radius-server accounting 192.168.1.202 1813
[Nortel-radius-rt_nortel] radius-server shared-key nortel
[Nortel-radius-rt_nortel] undo radius-server user-name domain-included