Receive a message from AAA of cutting user on S5700

Publication Date: 2013-08-29
Issue Description
The customer configured the HWTACACS service. After the uplink to the HWTACACS server went down, they found an issue.
There is a local user on the S5700. When they log in to the device as that user, they are cut off by AAA and the device shows the error below:
Info: Receive a message from AAA of cutting user. 
Alarm Information
Info: Receive a message from AAA of cutting user. 
Handling Process
1. Check the configuration. The customer uses HWTACACS to provide the authentication and accounting services.
aaa
authentication-scheme default
authentication-scheme login
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
authorization-scheme default
authorization-scheme consle
  authorization-cmd 0 hwtacacs local
  authorization-cmd 1 hwtacacs local
  authorization-cmd 15 hwtacacs local
accounting-scheme default
accounting-scheme exec
  accounting-mode hwtacacs
domain default
domain default_admin
  authentication-scheme login
  accounting-scheme exec
  hwtacacs-server XXXX
2. Analyze the service process. When a user logs in to the device, the S5700 first tries to send packets to the TACACS server. If there is no response, the S5700 uses local authentication. For the accounting service, however, by default users cannot go online if accounting-start fails. That is why the user is cut off by the AAA module. Add the command below; after testing, it works fine.
accounting start-fail online
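The check below is an added example, not part of the original case or Huawei tooling: a small Python audit that reads an aaa configuration and reports every domain that has local authentication fallback but remote accounting without accounting start-fail online, which is the combination that cut the user off here. The function names and the sample text are constructed for illustration, and it assumes the command sits under the accounting scheme and that child lines are indented deeper than their block header.

```python
import re

HEADER = re.compile(r"^(authentication-scheme|authorization-scheme|accounting-scheme|domain)\s+(\S+)$")

def parse_aaa(config):
    """Map (kind, name) -> child lines for each scheme/domain block, using indentation."""
    blocks, current, indent = {}, None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        depth = len(raw) - len(raw.lstrip())
        m = HEADER.match(line)
        if m and (current is None or depth <= indent):
            current, indent = (m.group(1), m.group(2)), depth   # new block header
            blocks.setdefault(current, [])
        elif current is not None and depth > indent:
            blocks[current].append(line)                        # setting inside the block
        else:
            current = None                                      # left the block ("aaa", "#")
    return blocks

def lockout_risks(config):
    """Domains with local auth fallback whose remote accounting lacks start-fail online."""
    blocks, findings = parse_aaa(config), []
    for (kind, name), lines in blocks.items():
        if kind != "domain":
            continue
        refs = dict(l.split(None, 1) for l in lines if " " in l)
        authn = blocks.get(("authentication-scheme", refs.get("authentication-scheme")), [])
        acct = blocks.get(("accounting-scheme", refs.get("accounting-scheme")), [])
        local = any(l.startswith("authentication-mode ") and "local" in l.split()[1:] for l in authn)
        remote = any(l.startswith("accounting-mode ") and l.split()[1] != "none" for l in acct)
        if local and remote and "accounting start-fail online" not in acct:
            findings.append((name, refs["authentication-scheme"], refs["accounting-scheme"]))
    return findings

# Constructed sample: the relevant lines of the configuration shown above.
SAMPLE = """\
aaa
authentication-scheme login
  authentication-mode hwtacacs local
accounting-scheme exec
  accounting-mode hwtacacs
domain default_admin
  authentication-scheme login
  accounting-scheme exec
"""
FIXED = SAMPLE.replace("  accounting-mode hwtacacs\n", "  accounting-mode hwtacacs\n  accounting start-fail online\n")
```

lockout_risks(SAMPLE) reports the default_admin domain and lockout_risks(FIXED) reports nothing. With start-fail online, a session admitted while the server is unreachable has no accounting-start record on the HWTACACS server, so decide per domain whether that trade-off is acceptable.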
Root Cause
None
Suggestions
None
