• If the user information does not exist on the authentication server, create the user name and password on the authentication server.
• If user attributes on the authentication server contain VLAN authorization information but the VLAN is not created on the AR2200-S, user authorization fails. To rectify the fault, create the VLAN.
• If user attributes on the authentication server contain ACL authorization information (ACL number or ACL content), but the ACL is not created on the AR2200-S or the ACL format is different from that required by the AR2200-S, user authorization fails. To rectify the fault, create the ACL. Ensure that the ACL format used by the authentication server is the same as that required by the AR2200-S.
NOTE
The AR2200-S requires the following ACL format in the user attributes:
acl acl-num key1 key-value1 ... keyN key-valueN permit/deny
If the display access-user user-id command output contains the user IP address and Dynamic ACL desc (Effective), the ACL specified in the user attribute takes effect.
Table 10-1 Description

| Field | Description |
|---|---|
| acl | Delivers the ACL content. |
| acl-num | Specifies the ACL number. The value ranges from 10000 to 10999. |
| permit | Allows users matching the rules to access the network. |
| deny | Prohibits users matching the rules from accessing the network. |
| keyM (1 ≤ M ≤ N) | Indicates a keyword in the ACL, including src-ip (source IP address), src-ipmask (mask of source IP address), and tcp-srcport (source TCP port number). |
| key-valueM (1 < M < N) | Specifies the value of a keyword, which can be an IP address, a mask, or a port number. |

If the configurations of the AR2200-S and the authentication server are correct, go to step 5.
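
The format in the NOTE and the field rules in Table 10-1 can be checked before an ACL attribute is entered on the authentication server. The following is an added example, not Huawei code: `check_acl_attribute` is a hypothetical helper, and it assumes whitespace-separated tokens, dotted-decimal addresses and masks, and ports in the range 0-65535.

```python
import ipaddress

ACL_MIN, ACL_MAX = 10000, 10999                       # acl-num range from Table 10-1
KNOWN_KEYS = {"src-ip", "src-ipmask", "tcp-srcport"}  # keywords named on this page

def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def check_acl_attribute(attr):
    """Return a list of problems found in one ACL attribute string (empty = OK)."""
    tokens = attr.split()                  # assumption: whitespace-separated tokens
    if len(tokens) < 3:
        return ["too few tokens: need 'acl', an ACL number and permit/deny"]
    problems = []
    if tokens[0] != "acl":
        problems.append(f"first token is {tokens[0]!r}, expected 'acl'")
    if not (tokens[1].isdecimal() and ACL_MIN <= int(tokens[1]) <= ACL_MAX):
        problems.append(f"acl-num {tokens[1]!r} is outside {ACL_MIN}-{ACL_MAX}")
    if tokens[-1] not in ("permit", "deny"):
        problems.append(f"last token is {tokens[-1]!r}, expected permit or deny")
    pairs = tokens[2:-1]                   # key1 key-value1 ... keyN key-valueN
    if len(pairs) % 2:
        problems.append("a keyword has no value (odd number of key/value tokens)")
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if key not in KNOWN_KEYS:
            problems.append(f"keyword {key!r} is not one of those listed on this page")
        elif key == "tcp-srcport":
            if not (value.isdecimal() and 0 <= int(value) <= 65535):
                problems.append(f"{key} value {value!r} is not a port number")
        elif not _is_ipv4(value):
            problems.append(f"{key} value {value!r} is not a dotted-decimal address")
    return problems

# Constructed sample attribute values, not taken from a real server.
SAMPLES = [
    "acl 10001 src-ip 192.168.10.0 src-ipmask 255.255.255.0 permit",
    "acl 3001 src-ip 192.168.10.0 src-ipmask 255.255.255.0 permit",
    "acl 10002 src-ip 192.168.10.0 tcp-srcport deny",
    "acl 10003 tcp-srcport 70000 allow",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_acl_attribute(sample) or "OK")
```

A string that passes this check can still fail authorization if the ACL is not created on the AR2200-S, so confirm the result with the display access-user user-id output described in the NOTE.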
Step 5 Check that the user name and password entered by the user are correct.
If RADIUS authentication is used and the authentication method is CHAP or PAP, run the test-aaa command to check whether the user name and password can pass the RADIUS authentication.
• If the authentication fails, check the configuration of the RADIUS server and RADIUS configuration on the AR2200-S. For details, see .
Huawei AR2200-S Series Enterprise Routers
Troubleshooting
10 Security
Issue 01 (2012-01-06)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.