Users are authenticated by local-user even after the switch is added to TACACS

Publication Date:  2016-05-20
Issue Description

The switch has been added to the TACACS server, but users can still authenticate with the local username and password as well as with the AAA server password. The AAA configuration on the switch is as follows:

#
hwtacacs-server template XYZ
 hwtacacs-server authentication 10.0.0.1
 hwtacacs-server authorization 10.0.0.1
 hwtacacs-server accounting 10.0.0.1
 hwtacacs-server shared-key cipher ***
#
hwtacacs-server template tacacs
 hwtacacs-server authentication 192.168.1.1
 hwtacacs-server authorization 192.168.1.1
 hwtacacs-server accounting 192.168.1.1
#
aaa
 authentication-scheme default
  authentication-mode hwtacacs local
 authentication-scheme acs1
  authentication-mode hwtacacs local
 authorization-scheme default
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 authorization-scheme acs1
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme default
 accounting-scheme acs1
  accounting-mode hwtacacs
  accounting realtime 1
  accounting start-fail online
 domain default
  hwtacacs-server xyz
 domain default_admin
  authentication-scheme acs1
  accounting-scheme acs1
  authorization-scheme acs1
  hwtacacs-server xyz
 domain abc
  authentication-scheme acs1
  authorization-scheme acs1
  hwtacacs-server xyz
 local-user admin password cipher ***
 local-user admin privilege level 15
 local-user admin ftp-directory flash:/
 local-user admin service-type telnet ssh ftp http
#

Alarm Information

None

Handling Process

1. First, check network reachability from the switch to the TACACS server by pinging the server IP address. If the server is reachable, move to the next step.

2. Next, we suggested that the customer use only one TACACS template. If they have two TACACS servers, configure the second one as secondary in the same template, and bind that template to the default_admin domain. The changed configuration is as follows:

hwtacacs-server template XYZ
 hwtacacs-server authentication 10.0.0.1
 hwtacacs-server authorization 10.0.0.1
 hwtacacs-server accounting 10.0.0.1
 hwtacacs-server authentication 192.168.1.1 secondary
 hwtacacs-server authorization 192.168.1.1 secondary
 hwtacacs-server accounting 192.168.1.1 secondary
 hwtacacs-server shared-key cipher ***
#
aaa
 authentication-scheme acs1
  authentication-mode hwtacacs local
 authorization-scheme acs1
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme acs1
  accounting-mode hwtacacs
  accounting realtime 1
  accounting start-fail online
 domain default_admin
  authentication-scheme acs1
  accounting-scheme acs1
  authorization-scheme acs1
  hwtacacs-server XYZ

3. If the issue is still not resolved, ask the customer to collect debug logs with the following commands (t m and t d are the abbreviated forms of terminal monitor and terminal debugging; u t m and u t d undo them):

<huawei>deb hwtacacs all
<huawei>deb aaa all
<huawei>deb cm
<huawei>t m
<huawei>t d
<huawei>d t 0

To stop debugging:

<huawei>u t m
<huawei>undo deb all
<huawei>u t d


Root Cause

The same user account (admin) exists on both the switch and the TACACS server.

Solution

The debug logs show that authentication was performed only by the TACACS server; the customer had configured the same user account on both the switch and the server. The customer therefore has to use separate usernames and passwords for local and TACACS authentication.

TAC_MESSAGE for TAC->AAA:
UserID:849  RequestID:0x4  TemplateNO:0
Bitmap:1 0 0 0 0 0
SourceMessage:0x7
<testing_Okha211>plz
Apr 13 2016 17:32:09.850.4-05:13 testing_Okha211 TACACS/7/Event:
ServerMsg=username:   Echo=REPLY_FLAG_ECHO

<testing_Okha211>plz
Apr 13 2016 17:32:09.880.1-05:13 testing_Okha211 AAA/7/DEBUG:
 AAA receive AAA_TAC_MSG_AUTHENREPLY message from TAC module.
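As an added example (not part of the original case and not Huawei tooling), the following Python script parses an AAA configuration in the layout shown above and reports the conditions this case turns on: a local-user name that also exists on the TACACS server (the root cause), more than one hwtacacs-server template (step 2 consolidates them into one template with a secondary server), and a domain that binds a template whose name does not exactly match any defined template (the original configuration binds xyz while the template is XYZ; whether VRP matches template names case-insensitively is not stated in this case, so the script only flags the mismatch for verification). The configuration excerpt and the TACACS user list embedded in the script are constructed samples, and the script assumes the one-space-per-level indentation of display current-configuration output.

```python
"""Lint a Huawei VRP-style AAA configuration for the problems seen in this case.

Example code, not Huawei's; the config text and TACACS user list are constructed.
"""
import re

# Constructed sample: an abbreviated form of the pre-fix configuration.
SAMPLE_CONFIG = """\
#
hwtacacs-server template XYZ
 hwtacacs-server authentication 10.0.0.1
 hwtacacs-server authorization 10.0.0.1
 hwtacacs-server accounting 10.0.0.1
 hwtacacs-server shared-key cipher ***
#
hwtacacs-server template tacacs
 hwtacacs-server authentication 192.168.1.1
#
aaa
 authentication-scheme acs1
  authentication-mode hwtacacs local
 domain default_admin
  authentication-scheme acs1
  hwtacacs-server xyz
 local-user admin password cipher ***
 local-user admin privilege level 15
#
"""

# Constructed sample: usernames exported from the TACACS server's user database.
SAMPLE_TACACS_USERS = {"admin", "netops"}


def parse_aaa(config):
    """Return (template names, domain -> bound template, local usernames)."""
    templates = set()
    domains = {}
    local_users = set()
    current_domain = None
    for line in config.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        m = re.match(r"hwtacacs-server template (\S+)$", stripped)
        if m and indent == 0:
            templates.add(m.group(1))
            continue
        m = re.match(r"domain (\S+)$", stripped)
        if m and indent == 1:
            current_domain = m.group(1)
            domains[current_domain] = None
            continue
        if indent <= 1:
            # Any other one-space line ends the current domain view.
            current_domain = None
        m = re.match(r"hwtacacs-server (\S+)$", stripped)
        if m and current_domain and indent == 2:
            domains[current_domain] = m.group(1)
            continue
        m = re.match(r"local-user (\S+) ", stripped)
        if m and indent == 1:
            local_users.add(m.group(1))
    return templates, domains, local_users


def lint(config, tacacs_users):
    """Return a list of (severity, message) findings; severities are our own labels."""
    templates, domains, local_users = parse_aaa(config)
    findings = []
    # Root cause in this case: the same account on the switch and on the server.
    for user in sorted(local_users & set(tacacs_users)):
        findings.append(("high", f"account '{user}' exists both as a local-user and on the TACACS server"))
    # Step 2 of the handling process: one template, second server marked secondary.
    if len(templates) > 1:
        names = ", ".join(sorted(templates))
        findings.append(("medium", f"{len(templates)} hwtacacs templates defined ({names}); consolidate into one with a secondary server"))
    # A domain must bind a template by its exact name; report near-misses for verification.
    for domain, tmpl in sorted(domains.items()):
        if tmpl is None:
            findings.append(("medium", f"domain '{domain}' binds no hwtacacs-server template"))
        elif tmpl not in templates:
            near = [t for t in templates if t.lower() == tmpl.lower()]
            hint = f" (differs only in case from '{near[0]}')" if near else ""
            findings.append(("high", f"domain '{domain}' binds template '{tmpl}' which is not defined{hint}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_CONFIG, SAMPLE_TACACS_USERS):
        print(f"[{severity}] {message}")
```

Run it against the output of display current-configuration saved to a file, with the TACACS user list exported from the server, to confirm after the fix that no local account name is shared with the server and that exactly one template is bound by default_admin.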


Suggestions
User accounts on the server and on the switch should be different to avoid any future confusion.

END