User always fails to log in to the S5700 when using TACACS server authentication

Publication Date: 2014-11-29
Issue Description
The customer uses a TACACS server as the authentication method. After he configured it on the S5700 switch, he was never able to log in to the switch.
Alarm Information
None
Handling Process
First, I checked the basic configuration and found that the TACACS configuration on the S5700 was incomplete; some important configuration was missing, as follows:

aaa
authentication-scheme default
authentication-scheme test
  authentication-mode hwtacacs

authorization-scheme default
authorization-scheme test               
  authorization-mode hwtacacs

  authorization-cmd 3 hwtacacs
  authorization-cmd 15 hwtacacs
accounting-scheme default
accounting-scheme test
  accounting-mode hwtacacs

domain default
domain default_admin

 // The domain configuration for HWTACACS authentication is missing and needs to be added.

I then asked the customer to add the following domain configuration:

domain test
  authentication-scheme test
  authorization-scheme test
  hwtacacs-server test

After adding the above configuration, the customer tested again, but the login still failed. This time, he found that the TACACS server showed the authentication as successful.

This shows that authentication on the server side was now working, so some specific configuration was probably still missing on the switch. I then confirmed the login details with the customer (such as the login method and the protocol used). The customer told us that he was using SSH to log in to the switch.

So I checked the SSH-related configuration again and found that an important command required for TACACS authentication was missing, as follows:

[S5700]ssh authentication-type default password       // this command is required for SSH login via HWTACACS

After this command was configured, the customer could log in to the switch, and the problem was resolved.
Root Cause
The root cause is that the configuration on the S5700 switch was incomplete. Some important configuration was missing, including the domain and SSH configuration.
Solution
The solution is to add the missing commands to complete the domain and SSH configuration.
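
An offline check for the two gaps found in this case, added here as an example (it is not Huawei tooling and not part of the original case): it scans a saved configuration for an authentication scheme in hwtacacs mode, confirms that a domain binds that scheme to an hwtacacs-server template, and looks for the ssh authentication-type default password line. The sample configurations, the function names parse and audit, and the indentation-based parsing are assumptions made for illustration.

```python
import re

HEADER = re.compile(r"(authentication-scheme|domain) (\S+)$")
# Constructed sample: the incomplete configuration from the case (abridged).
BEFORE = """\
aaa
 authentication-scheme test
  authentication-mode hwtacacs
 authorization-scheme test
  authorization-mode hwtacacs
 domain default
"""
# Constructed sample: the same configuration with both fixes from the case applied.
AFTER = BEFORE + """\
 domain test
  authentication-scheme test
  authorization-scheme test
  hwtacacs-server test
ssh authentication-type default password
"""

def parse(config):
    """Split into {(kind, name): [sub-commands]} and other commands, by indentation."""
    blocks, other, cur, cur_indent = {}, [], None, 0
    for raw in filter(str.strip, config.splitlines()):
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if cur is None or indent <= cur_indent:  # not a sub-command of an open block
            m = HEADER.match(line)
            cur, cur_indent = (m.groups() if m else None), indent
            if m:
                blocks.setdefault(cur, [])
                continue
        (blocks[cur] if cur else other).append(line)
    return blocks, other

def audit(config):
    """Return the gaps this case identified for HWTACACS login over SSH."""
    (blocks, other), findings = parse(config), []
    tacacs = [n for (k, n), sub in blocks.items() if k == "authentication-scheme"
              and any(s.startswith("authentication-mode") and "hwtacacs" in s for s in sub)]
    for name in tacacs:
        if not any(k == "domain" and f"authentication-scheme {name}" in sub
                   and any(s.startswith("hwtacacs-server ") for s in sub)
                   for (k, _), sub in blocks.items()):
            findings.append(f"no domain binds authentication-scheme {name} to an hwtacacs-server")
    if tacacs and "ssh authentication-type default password" not in other:
        findings.append("missing: ssh authentication-type default password")
    return findings
```
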
