TACACS user failed to login on S5300

Publication Date: 2018-05-16

Issue Description

After the S5300 switch (software version V200R001C00SPC300) was configured to also use TACACS authentication with the configuration below, the TACACS user failed to log in to the device with the following error message:


"Error: Failed to send authen-req".


Alarm Information

"Error: Failed to send authen-req".


Handling Process

1. Double-check the TACACS configuration on the S5300 V200R001C00SPC300.
2. Start debugging: "debugging hwtacacs all".
3. Try to log in to the device with a TACACS user.
4. Check the debugging result.
Remark 1: No authentication request packet is generated by the S5300 V200R001C00SPC300.
Remark 2: The TACACS user name does not have the format xxx@huawei, only the format xxx.
Remark 3: A user whose domain cannot be identified is managed by the configured global default domain.

 

HWTACACS configuration:

 

#
hwtacacs-server template ht
hwtacacs-server authentication <Tacacs server IP> 1049
hwtacacs-server authorization <Tacacs server IP> 1049
hwtacacs-server accounting <Tacacs server IP> 1049
hwtacacs-server source-ip x.x.x.x
hwtacacs-server shared-key simple xxxx
undo hwtacacs-server user-name domain-included
#

#
aaa
authentication-scheme default
authentication-scheme hwtacacs
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
authorization-scheme default
authorization-scheme hwtacacs
  authorization-mode  hwtacacs local
accounting-scheme default
accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting start-fail online
recording-scheme scheme0
  recording-mode hwtacacs ht
  cmd recording-scheme scheme0
  outbound recording-scheme scheme0
  system recording-scheme scheme0
domain default
domain default_admin
domain huawei 
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht

 


Root Cause

The device S5300 V200R001C00SPC300 didn't generate the authentication request packet because the domain huawei was a common domain and not an administration domain.


Solution

The device S5300 V200R001C00SPC300 didn't generate the authentication request packet because the domain huawei was a common domain and not an administration domain.
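
The root cause can be checked offline against a saved configuration. The Python script below is an added example, not Huawei code and not part of the original case: it assumes, as the root cause implies, that an administrator login without an identifiable @domain suffix is handled by the administrative default domain (default_admin in this configuration). The names parse_domains and resolve_login and the trimmed CONFIG sample are constructed for illustration.

```python
# Constructed sample: the domain blocks of the aaa section shown in this case.
CONFIG = """\
aaa
domain default
domain default_admin
domain huawei
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
"""

def parse_domains(config):
    """Map each 'domain <name>' block to the two-word settings indented under it."""
    domains, current, depth = {}, None, 0
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        indent = len(line) - len(line.lstrip())
        if words[0] == "domain" and len(words) == 2:
            current, depth = domains.setdefault(words[1], {}), indent
        elif current is not None and indent > depth and len(words) == 2:
            current[words[0]] = words[1]
        else:
            current = None  # any other line closes the open domain block
    return domains

def resolve_login(login, domains, default_admin="default_admin"):
    """Return (domain, HWTACACS template or None) for an administrator login.

    Assumption: a name with no @domain suffix, or with a suffix that matches
    no configured domain, falls back to the administrative default domain.
    """
    _user, sep, suffix = login.rpartition("@")
    domain = suffix if sep and suffix in domains else default_admin
    return domain, domains.get(domain, {}).get("hwtacacs-server")

if __name__ == "__main__":
    domains = parse_domains(CONFIG)
    for login in ("xxx", "xxx@huawei"):
        domain, template = resolve_login(login, domains)
        verdict = (f"HWTACACS template '{template}' is bound" if template
                   else "no HWTACACS template bound, so no authen-req is sent")
        print(f"{login!r} -> domain {domain}: {verdict}")
```

For the login format in this case (xxx), the script reports that default_admin has no HWTACACS template bound, which matches the missing authentication request seen in the debugging output.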

