Users in external TACACS server configured with privilege above 3 cannot login

Publication Date: 2012-07-27
Issue Description
Authentication to an NE40 router using an external TACACS server was not working for users configured in the TACACS server.
After some checking, I could find that these users, in their attributes in the TACACS server, were configured with a privilege level of 15.
Alarm Information
Debug of failed authentication attempt:
*0.66360430 NE40_NEURONA TAC/8/Event:The inputted user privilege is larger than 3, so donnot accept it
*0.66360560 NE40_NEURONA TAC/8/Event:Tac get attribute error
*0.66360630 NE40_NEURONA TAC/8/Event:
TAC_MESSAGE for TAC->AAA: 
UserID:16384  RequestID:0xd  TemplateNO:0
Bitmap:0 0 0 0 
SourceMessage:0xffffffff  DataAddress:0x5611e68
*0.66360850 NE40_NEURONA TAC/8/Event:
AuthorType=4  ServerMsg=  DataMsg=
Acl=0  Idleimeout=0  PrivLevel=0  NoHangup=0
FtpDirectory=
AutoExec=  CallBackVerify=0  Callbackdialstring=
*0.66361091 NE40_NEURONA TAC/8/Event:statistics: transmit flag:2, server flag: 1,packet flag:0x1
*0.66361210 NE40_NEURONA TAC/8/Event: session is deleted due to finishing session:
Handling Process
Reconfigure the users in the TACACS server with a privilege of 3.
Root Cause
Huawei VRP only supports 4 levels of privilege (0, 1, 2, 3). If, during the authentication process, the TACACS server passes a privilege greater than 3 to the router, the router fails the authentication, since it only supports privileges up to 3.
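The following is an added example, not part of the original case or any Huawei tooling: a small parser that groups TAC debug lines like the ones above into login attempts per router and reports the attempts that were rejected because the returned privilege exceeded the limit. The grouping rule (an attempt ends at the "session is deleted" line) and the NE40_LAB line in the sample are assumptions made for illustration.

```python
import re

# Debug header as shown on this page: "*<uptime> <sysname> TAC/8/Event:<text>"
HEADER = re.compile(r"^\*(\d+\.\d+) (\S+) TAC/8/Event:(.*)$")
TOO_HIGH = re.compile(r"privilege is larger than (\d+)")
IDS = re.compile(r"UserID:(\d+)\s+RequestID:(0x[0-9a-fA-F]+)")
SESSION_END = "session is deleted"  # assumption: this line closes one attempt

# NE40_NEURONA lines are copied from the debug output above;
# the NE40_LAB line is constructed to show an attempt that is not flagged.
SAMPLE = """\
*0.66360430 NE40_NEURONA TAC/8/Event:The inputted user privilege is larger than 3, so donnot accept it
*0.66360560 NE40_NEURONA TAC/8/Event:Tac get attribute error
*0.66360630 NE40_NEURONA TAC/8/Event:
TAC_MESSAGE for TAC->AAA:
UserID:16384  RequestID:0xd  TemplateNO:0
*0.66361210 NE40_NEURONA TAC/8/Event: session is deleted due to finishing session:
*0.66400000 NE40_LAB TAC/8/Event: session is deleted due to finishing session:
"""

def find_privilege_rejections(text):
    """Return one record per attempt that hit the privilege-limit event."""
    open_sessions, rejected, host, ts = {}, [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, host, msg = m.groups()
        elif host is not None:
            msg = line  # continuation line of the previous event
        else:
            continue    # stray line outside any attempt
        s = open_sessions.setdefault(host, {
            "host": host, "first_seen": ts, "last_seen": ts,
            "limit": None, "user_id": None, "request_id": None})
        hit = TOO_HIGH.search(msg)
        if hit:
            s["limit"] = int(hit.group(1))
        ids = IDS.search(msg)
        if ids:
            s["user_id"], s["request_id"] = int(ids.group(1)), ids.group(2)
        if SESSION_END in msg:
            s["last_seen"] = ts
            if open_sessions.pop(host)["limit"] is not None:
                rejected.append(s)
            host = None
    return rejected

if __name__ == "__main__":
    for r in find_privilege_rejections(SAMPLE):
        print(f"{r['host']}: TACACS privilege above {r['limit']} rejected "
              f"(UserID {r['user_id']}, RequestID {r['request_id']})")
```
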
Suggestions
I suggest that, to really fix this issue, a feature be developed in the router that makes it possible to configure the router so that, when it receives a user with privilege above 3 from the TACACS server, it treats this user as a level 3 user.
