
The Level-3 Telnet User Rights Became Level 0 Because the NE40E Was Unreachable to the RADIUS Server

Publication Date:  2013-10-08 Views:  64 Downloads:  0
Issue Description
A user accessed the network through an NE40E. Telnet users were authenticated by RADIUS, with local authentication as the fallback, and the default domain was used.
The accounts for both RADIUS authentication and local authentication were granted Level-3 rights.
aaa
 authentication-scheme default
  authentication-mode radius local
 local-user cs password simple cs
 local-user cs service-type telnet
 local-user cs level 3

Fault symptom: After the user logged in to the NE40E, the account had only Level-0 rights.
Login authentication
Username:cs
Password:
Info: The max number of VTY users is 20, and the number
      of current VTY users on line is 4.
<NE40E>?
User view commands:
  cluster        Run cluster command
  display        Mfib proxy module
  hwtacacs-user  HWTACACS user
  language-mode  Specify the language environment 
  local-user     Local user
  ping           Ping function 
  quit           Exit from current command view
  return         Exit to user view 
  save           Save file
  super          Privilege current user a specified priority level 
  telnet         Establish a Telnet connection 
  trace          Trace route (switch) to host on Data Link Layer
  tracert        Trace route to host 
Handling Process
To address the issue, Huawei performed the following operations and observed the following information:
1. The user level was 1, meaning that the user had passed authentication and authorization. However, this level differed from the level configured for RADIUS authentication, which indicated that the user had not been authenticated and authorized by the RADIUS server.
2. Checked the user name used for the login and found that it carried no domain name. Therefore, confirmed that the system used the default domain for authentication and authorization.
Suspected that the issue was caused by an improper configuration and checked the AAA configuration:
<NE40E>disp c c aaa 
#
aaa
 local-user cs password simple cs
 local-user cs service-type telnet
 local-user cs level 3
 authentication-scheme default
  authentication-mode  radius  local
 #
 authorization-scheme default
  authorization-mode  if-authenticated//The authorization mode is if-authenticated only.
 #
 accounting-scheme default
 accounting-scheme huawei
 #
 domain default

Found that the default authentication scheme used RADIUS authentication first and local authentication as the fallback, while the default authorization scheme used only the if-authenticated mode.
When the RADIUS server was unreachable, the user was authenticated locally. Because the authorization mode was if-authenticated, which does not apply to locally authenticated users, the system granted the user the default VTY rights: Level-0.
If the authorization scheme had included local authorization, the system would have granted the user the configured rights (Level-3).
The VTY user interfaces had no privilege level configured, so the default applied:
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 60 0

Re-configured the authorization scheme to use the if-authenticated mode first and then local authorization.
The fault was rectified.
 authorization-scheme default
  authorization-mode  if-authenticated  local

Alternatively, changed the rights to Level-3 under user-interface vty 0 4:
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
Root Cause
The issue was caused by improper configurations.
For details, see the "Handling Process."
Solution
Re-configure the authorization scheme to use the if-authenticated mode first and then local authorization.
The fault is rectified.
 authorization-scheme default
  authorization-mode  if-authenticated  local

Alternatively, change the rights to Level-3 under user-interface vty 0 4:
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
Suggestions
When a login user name carries no domain name, the system uses the default domain for authentication and authorization. When a user is authenticated locally, the system grants the rights configured for the local user only if the authorization scheme includes local authorization. Otherwise, the user receives the default VTY rights: Level-0.
By default, the user interface of the Console port has Level-3 command access rights. For other user interfaces, the default level is 0.
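The rule above and the two fixes from the Solution can be checked mechanically before a RADIUS outage exposes them. The following is an added example (not from the original case or from Huawei): it parses the AAA and VTY blocks shown on this page, constructed here as sample text, and works out the level a locally authenticated Telnet user would land at when RADIUS is unreachable. The parsing of the `aaa` and `user-interface` blocks is a simplification that assumes the indentation style of the `display current-configuration` output above.

```python
# Constructed sample reproducing the case's AAA block; RADIUS is assumed unreachable.
WEAK_CONFIG = """\
aaa
 local-user cs level 3
 authentication-scheme default
  authentication-mode  radius  local
 #
 authorization-scheme default
  authorization-mode  if-authenticated
 #
 domain default
#
user-interface vty 0 4
 authentication-mode aaa
"""
# The page's first fix: add local authorization behind if-authenticated.
FIXED_CONFIG = WEAK_CONFIG.replace("if-authenticated", "if-authenticated  local")
# The page's alternative fix: raise the VTY line's own level instead.
VTY_CONFIG = WEAK_CONFIG + " user privilege level 3\n"

def parse_aaa(config):
    """Collect the settings that decide a Telnet user's level on local fallback."""
    info = {"auth": [], "authz": [], "local_levels": {}, "vty_level": None}
    section = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if not raw[0].isspace():  # an unindented line opens a new block
            section = tok[0]
            continue
        if section == "aaa" and tok[0] == "authentication-mode":
            info["auth"] = tok[1:]
        elif section == "aaa" and tok[0] == "authorization-mode":
            info["authz"] = tok[1:]
        elif section == "aaa" and tok[0] == "local-user" and tok[2:3] == ["level"]:
            info["local_levels"][tok[1]] = int(tok[3])
        elif section == "user-interface" and tok[:3] == ["user", "privilege", "level"]:
            info["vty_level"] = int(tok[3])
    return info

def level_on_radius_failure(config, user):
    """Level the user gets when RADIUS is down and the local fallback is used."""
    info = parse_aaa(config)
    if "local" not in info["auth"]:
        return None  # no local fallback configured: the login fails instead
    if "local" in info["authz"]:
        return info["local_levels"].get(user, 0)  # local-user level applies
    # if-authenticated only: the VTY line's own level applies, default 0
    return info["vty_level"] if info["vty_level"] is not None else 0
```

Running `level_on_radius_failure` over a saved configuration flags the combination this case describes (local authentication fallback with if-authenticated-only authorization and no VTY privilege level) before it bites.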
