
Issue Description
Q:
Why does the TACACS server fail to receive the commands sent by the NAS (router, switch, etc.)?

Handling Process
A:
First check the HWTACACS configuration: the NAS IP address, the HWTACACS servers, and the keys of the servers.
Check the following TACACS configuration:
hwtacacs nas-ip X.X.X.X
hwtacacs scheme system
 primary authentication A.A.A.A
 primary authorization B.B.B.B
 primary accounting C.C.C.C
 nas-ip X.X.X.X
 key authentication “KEY1”
 key authorization “KEY2”
 key accounting “KEY3”
domain system
 scheme hwtacacs-scheme system local
 authentication hwtacacs-scheme system local
 authorization hwtacacs-scheme system
 accounting hwtacacs-scheme system
- Where X.X.X.X is a local address
- Where A.A.A.A is the Authentication TACACS server
- Where B.B.B.B is the Authorization TACACS server
- Where C.C.C.C is the Accounting TACACS server
The TACACS configuration can be correct, but if the user interface view configuration is incomplete, the commands will never be sent. Check the following configuration in the user interface view.
In this example it is applied in the VTY user interface view:
user-interface vty 0 4
 authentication-mode scheme command-authorization
 accounting commands scheme
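
The two checks above can be run against a saved configuration file. The following is an added example, not part of the original answer or of any vendor tool: it reports which of the commands listed above are missing from each view. It assumes sub-commands are indented under the line that opens their view and that the scheme and domain are named system as above; the addresses and keys in the sample are constructed.

```python
REQUIRED = {
    "hwtacacs scheme": ["primary authentication", "primary authorization",
                        "primary accounting", "key authentication",
                        "key authorization", "key accounting"],
    "domain system": ["authentication hwtacacs-scheme",
                      "authorization hwtacacs-scheme", "accounting hwtacacs-scheme"],
    "user-interface vty": ["authentication-mode scheme command-authorization",
                           "accounting commands scheme"],
}

def parse_sections(text):
    """Group indented sub-commands under the unindented line opening each view."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections

def audit(text):
    """Return (view, missing command) pairs; an empty list means nothing is missing."""
    findings, seen = [], set()
    for header, body in parse_sections(text):
        for prefix, needed in REQUIRED.items():
            if header.startswith(prefix):
                seen.add(prefix)
                findings += [(header, cmd) for cmd in needed
                             if not any(l.startswith(cmd) for l in body)]
    return findings + [(p, "view not configured") for p in REQUIRED if p not in seen]

# Constructed sample: the scheme and domain are complete, but the VTY view
# lacks "accounting commands scheme", so commands are never sent for accounting.
SAMPLE = """\
hwtacacs scheme system
 primary authentication 192.0.2.10
 primary authorization 192.0.2.11
 primary accounting 192.0.2.12
 key authentication KEY1
 key authorization KEY2
 key accounting KEY3
domain system
 authentication hwtacacs-scheme system local
 authorization hwtacacs-scheme system
 accounting hwtacacs-scheme system
user-interface vty 0 4
 authentication-mode scheme command-authorization
"""
```

An empty result only means the commands are present; it does not confirm that the keys match those on the servers or that the servers are reachable from the NAS IP address.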