NEC IP8800/S6600 Network Hardware User Manual


 
3. Troubleshooting Functional Failures in Operation
3.3.3 Login Authentication Using RADIUS/TACACS+ Is Disabled
If login authentication using RADIUS/TACACS+ fails, check the following:
1. Communication with the RADIUS/TACACS+ server
Use the ping command to check whether this system can communicate with the RADIUS/TACACS+ server. If it cannot communicate with the server, see "3.6.1 Communication Is Disabled or Is Disconnected." If a local address has been defined in the configuration, check the connectivity between this system and the RADIUS/TACACS+ servers by issuing ping from the local address.
2. Setting timeout value and retry count
For RADIUS authentication, the configuration commands radius-server host, radius-server retransmit, and radius-server timeout determine the maximum time this system waits before judging that communication with the RADIUS server is faulty. This value is calculated as <set timeout value (sec.)> × <set retry count> × <set number of RADIUS servers>.
For TACACS+ authentication, the configuration commands tacacs-server host and tacacs-server timeout determine the maximum time this system waits before judging that communication with the TACACS+ server is faulty. This value is calculated as <set timeout value (sec.)> × <set number of TACACS+ servers>. If this time is extremely long, applications such as telnet on the remote operation terminal may be terminated by their own timeout. If this is the case, change the values in the RADIUS/TACACS+ configuration or the timeout value of the application running on the remote operation terminal. If telnet or ftp fails even though the "RADIUS/TACACS+ authentication successful" message appears in the operation log, the application on the remote operation terminal may have timed out before this system could connect to the running RADIUS/TACACS+ server out of the multiple RADIUS servers specified in the configuration. In this case, configure the running RADIUS/TACACS+ server to take precedence, or decrease the <Timeout value (in seconds)> × <Number of retries> value.
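The two formulas above, and the wait incurred before a running server is reached, can be checked offline against a saved configuration. The following is an added example, not part of the manual: the argument syntax after each command name, the addresses, and the assumption that servers are tried in configured order are all constructed for illustration.

```python
import re

# Constructed sample; the argument syntax after each command name is assumed.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10
radius-server host 192.0.2.11
radius-server host 192.0.2.12
radius-server retransmit 3
radius-server timeout 5
tacacs-server host 192.0.2.20
tacacs-server host 192.0.2.21
tacacs-server timeout 10
"""
LINE = re.compile(r"^\s*(radius|tacacs)-server\s+(host|timeout|retransmit)\s+(\S+)")

def parse_aaa(config):
    """Collect server order and timer values for each protocol."""
    aaa = {"radius": {"hosts": []}, "tacacs": {"hosts": []}}
    for line in config.splitlines():
        m = LINE.match(line)
        if m:
            proto, key, value = m.groups()
            if key == "host":
                aaa[proto]["hosts"].append(value)
            else:
                aaa[proto][key] = int(value)
    return aaa

def per_server_wait(aaa, proto):
    """Seconds spent on one unresponsive server, per the manual's formulas."""
    s = aaa[proto]
    needed = ("timeout", "retransmit") if proto == "radius" else ("timeout",)
    missing = [k for k in needed if k not in s]
    if missing:
        raise ValueError(f"{proto}-server {missing[0]} not found in input")
    # The TACACS+ formula in the manual has no retry term.
    return s["timeout"] * (s["retransmit"] if proto == "radius" else 1)

def max_wait(aaa, proto):
    """Worst case: no configured server answers."""
    return per_server_wait(aaa, proto) * len(aaa[proto]["hosts"])

def wait_before(aaa, proto, running_host):
    """Seconds used up before running_host is tried (assumes configured order)."""
    return per_server_wait(aaa, proto) * aaa[proto]["hosts"].index(running_host)

if __name__ == "__main__":
    aaa = parse_aaa(SAMPLE_CONFIG)
    print(max_wait(aaa, "radius"), wait_before(aaa, "radius", "192.0.2.12"))
```

Compare the result of wait_before with the timeout of the telnet or ftp client on the remote operation terminal: if the wait is longer, the client gives up before the running server is reached.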
3.3.4 Command Authorization Using RADIUS/TACACS+ Is Disabled
If command authorization fails even though login to this system through RADIUS/TACACS+ authentication was successful, or if an authorization error message is displayed and a command cannot be executed, check the following:
1. Check using the show whoami command
Use the show whoami command on this system to display and check the list of operation commands permitted/limited for the current user. Confirm that the command list has been acquired according to the settings on the RADIUS or TACACS+ server.
2. Check the server settings
Confirm that the command authorization settings for this system are correct on the RADIUS/TACACS+ server. For RADIUS, pay attention to the settings for vendor-specific attributes. For TACACS+, pay attention to the service and attribute names. For details on the RADIUS/TACACS+ server settings, see the manual "Configuration Settings."
No. / Symptom / Action to Be Taken or Reference

No. 3
Symptom: Key entry rejected.
Action to Be Taken or Reference: Determine the cause by following the steps below:
1. Data sending/receiving may be interrupted by the XON/XOFF flow control. Restart the data sending/receiving (press [Q] key with the [Ctrl] key pressed). If key entry is still disabled, check No. 2 or later.
2. Check to see if the communication software is configured properly.
3. The screen may be suspended by [Ctrl]+[S]. Press any key.

No. 4
Symptom: Some users remain in the login state.
Action to Be Taken or Reference: Wait for automatic logout, or log in again and use the killuser command to delete users in the login state. If the configuration was being edited, the possibly changed configuration information has not been saved. Log in again and enter the configuration mode to save the change and exit from the editing.