The problems during the docking between S9300 and peer vendor’s ACS

Publication Date: 2012-12-13
Issue Description
Version information: VRP (R) software, Version 5.70 (S9300 V100R003C00SPC200)
Failure Symptom:
1. The S9300 is docked with the ACS for HWTACACS authentication, configured to authenticate against HWTACACS first and then fall back to local authentication. Authentication with an ACS account fails.
2. After the first problem is dealt with, a client can TELNET into the S9300 with either an ACS account or a local account while the ACS is working normally. (Under normal circumstances, with a healthy ACS server, the local account should not be usable; it should be usable only when the ACS server is abnormal.)
Alarm Information
1. The information displayed for the first issue
Mar 17 2011 16:59:17+08:00 A_SZA_CAM_DS01 %%01SHELL/4/TELNETFAILED(l)[0]:Failed to login through telnet. (Ip=30.32.80.10, UserName=**, Times=1)
2. The information displayed for the second issue
Mar 17 2011 17:13:39.470.7+08:00 A_SZA_CAM_DS01 TAC/7/Event:HandleReqMsg: Session status is connect now.
Mar 17 2011 17:13:39.480.1+08:00 A_SZA_CAM_DS01 TAC/7/Event: Tac packet sending success!          
version:c0 type:1-authentication sequence:5 flag:0-ENCRYPTED_FLAG session id:93703 length:14 serverIP:30.32.8.11 vrf:0
Mar 17 2011 17:13:39.480.2+08:00 A_SZA_CAM_DS01 TAC/7/Event:statistics: transmit flag: 1-SENDPACKET, server flag: 0-authentication, packet flag: 0xff
Mar 17 2011 17:13:46.830.1+08:00 A_SZA_CAM_DS01 TAC/7/Event:statistics: transmit flag: 3-NORESPONSE, server flag: 0-authentication, packet flag: 0xff
Mar 17 2011 17:13:46.830.2+08:00 A_SZA_CAM_DS01 TAC/7/Event:Session is timeout when waiting for server's response.
Mar 17 2011 17:13:46.830.3+08:00 A_SZA_CAM_DS01 TAC/7/Event:No useful server.
Mar 17 2011 17:13:46.830.4+08:00 A_SZA_CAM_DS01 TAC/7/Event:TAC_FindServer [NoReply]: ucTemplateNum =0, ServerIpAddr =30.32.8.11
Mar 17 2011 17:13:46.830.5+08:00 A_SZA_CAM_DS01 TAC/7/Event:Can not find a valid server when receive AuthenResponese packet Timeout.
Handling Process
1. Confirm IP reachability between the S9300 and the ACS, and confirm that the source address specified on the S9300 (loopback0) is the client address configured on the ACS.
2. Enable debugging hwtacacs all and the implicit-mode command debugging aaa all to view the message exchange.
3. For the first problem, very little debugging information was displayed, which suggested that the device and the ACS were not interacting normally. It was then found that hwtacacs-server acs was configured under domain default. Since the default domain changed to default_admin in V1R3, moving the configuration to default_admin solves problem 1:
aaa
domain default
domain default_admin
  hwtacacs-server acs
4. For the second problem, comparing the authentication process of the local account with that of the ACS account showed that local-account authentication does send a request to the ACS, but the ACS never explicitly rejects it; the device only shows a timeout waiting for the ACS response, falls back to local authentication, and so the login succeeds. Checking the ACS server configuration showed that the External User Databases setting had the second option selected:
"Check the following external user databases";
5. Change the External User Databases setting to the first option, "Fail the attempt"; this solves the problem.
Root Cause
1. From version V1R2 the default domain of the S9300 changed from default to default_admin, but the current configuration is still under default.
aaa
domain default
  hwtacacs-server acs
domain default_admin
So there is no normal HWTACACS interworking between the S9300 and the ACS.
2. The ACS is misconfigured: for an account that does not exist in the ACS database it continues searching further databases instead of explicitly rejecting the account, so the ACS response times out and the device falls back to local authentication.
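As an added illustration of the second root cause (constructed model, not Huawei or ACS code), the following Python models the "hwtacacs then local" decision chain with the two ACS External User Databases options named above, plus a check for the NORESPONSE/timeout pattern in the TAC/7/Event log lines. The account names and passwords are constructed sample data.

```python
from enum import Enum

class AcsReply(Enum):
    PASS = "pass"                # ACS authenticated the user
    REJECT = "reject"            # ACS explicitly refused the user
    NO_RESPONSE = "no_response"  # nothing came back before the S9300 timed out

# The two ACS "External User Databases" choices named on this page.
FAIL_THE_ATTEMPT = "Fail the attempt"
CHECK_EXTERNAL = "Check the following external user databases"

def acs_authenticate(user, pwd, acs_users, policy):
    """Constructed model of the ACS. With CHECK_EXTERNAL an unknown user is
    forwarded to further databases instead of being rejected, and (as on this
    page) no answer reaches the S9300 before its timer expires."""
    if user in acs_users:
        return AcsReply.PASS if acs_users[user] == pwd else AcsReply.REJECT
    return AcsReply.REJECT if policy == FAIL_THE_ATTEMPT else AcsReply.NO_RESPONSE

def s9300_login(user, pwd, acs_users, local_users, policy, acs_reachable=True):
    """'hwtacacs then local': local accounts are consulted only when the
    server gives no usable answer, never after an explicit reject."""
    if acs_reachable:
        reply = acs_authenticate(user, pwd, acs_users, policy)
    else:
        reply = AcsReply.NO_RESPONSE
    if reply is AcsReply.PASS:
        return "accepted by hwtacacs"
    if reply is AcsReply.REJECT:
        return "rejected by hwtacacs"
    # Fallback: intended only for the case where the ACS is really down.
    if local_users.get(user) == pwd:
        return "accepted by local fallback"
    return "rejected by local"

def fallback_suspected(log_lines):
    """Flag the TAC/7/Event pattern from this page: a NORESPONSE statistic
    together with a session timeout. Seen while the ACS is healthy, it points
    at the ACS unknown-user policy rather than at a network fault."""
    text = "\n".join(log_lines)
    return "3-NORESPONSE" in text and "Session is timeout" in text

ACS_USERS = {"netops": "Acs-Pw-1"}      # constructed sample accounts
LOCAL_USERS = {"admin": "Local-Pw-1"}

if __name__ == "__main__":
    for policy in (CHECK_EXTERNAL, FAIL_THE_ATTEMPT):
        print(policy, "->", s9300_login("admin", "Local-Pw-1", ACS_USERS, LOCAL_USERS, policy))
```

With "Check the following external user databases" the local-only account is accepted while the ACS is healthy; with "Fail the attempt" the same login is rejected by the ACS, and local fallback only happens when the server is unreachable.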
Suggestions
1. On the S9300, the default domain is default in V1R1; in V1R2 and later it is default_admin.
2. On the S53/S33/S23, the default domain is default in V1R2 and earlier; in V1R3 and later it is default_admin.
3. When upgrading equipment, pay attention to the change of the default domain before and after the upgrade; otherwise remote login may not be possible after the upgrade.
4. When configuring remote authentication with fallback to local authentication on no response, also pay attention to the accounting policy that keeps users online when accounting fails. Local authentication does not support accounting, so otherwise a locally authenticated account will be cut off because accounting fails and will not be able to log in:
accounting-scheme default
  accounting-mode hwtacacs local
  accounting start-fail online
