AR1200 V200R007C00SPC900: Telnet server with HWTACACS server, remote user logs in successfully but has no configuration rights

Published: 2017-04-17
Problem description

An AR1200 running V200R007C00SPC900 has Telnet server enabled and AAA tied to an HWTACACS server. Remote users authenticate successfully, but authorization fails: the session comes up with privilege level 0 and the user cannot enter configuration mode.
Key device configuration:
#
hwtacacs-server template ABC
hwtacacs-server authentication x.x.x.x
hwtacacs-server authorization x.x.x.x
hwtacacs-server accounting x.x.x.x
hwtacacs-server source-ip x.x.x.1
hwtacacs-server shared-key cipher xxxxxxxx
undo hwtacacs-server user-name domain-included
#
aaa
authentication-scheme ABC
  authentication-mode hwtacacs local
#
authorization-scheme ABC
  authorization-mode hwtacacs local
#
accounting-scheme ABC
  accounting-mode hwtacacs
  accounting start-fail online
#
domain default_admin
  authentication-scheme ABC
  accounting-scheme ABC
  authorization-scheme ABC
  hwtacacs-server ABC
#

Run display user-interface and look at the actual privilege level of the VTY the user logged in on. If it is 0 even though the user authenticated through AAA, the TACACS server did not deliver a privilege level for that user, and the device fell back to the VTY's default level of 0.
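The check above can be scripted when a device has many VTYs. The following is an added example, not code from the original page or from Huawei: it parses the text of display user-interface and lists the AAA-authenticated VTY sessions whose actual privilege level is 0. The column layout it expects (Idx, Type, Tx/Rx, Modem, Privi, ActualPrivi, Auth, Int) is assumed from typical AR-router output, and the sample output embedded in the script is constructed for the demonstration, not captured from a real device.

```python
"""Find AAA-authenticated VTY sessions that ended up with privilege level 0.

Added example (not from the original page). The column layout of
`display user-interface` assumed here is:
    Idx  Type  Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
where Privi is the level configured on the user-interface and ActualPrivi
is the level the current session really has.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output, not captured from a real device.
SAMPLE_OUTPUT = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600       -     15    15          N     -
  129  VTY 0               -     0     0           A     -
  130  VTY 1               -     0     15          A     -
  131  VTY 2               -     0     -           A     -
  133  VTY 4               -     3     3           P     -
"""


@dataclass
class UserInterface:
    idx: int
    kind: str               # CON / VTY / AUX
    number: int
    privi: int              # level configured on the user-interface
    actual: Optional[int]   # level of the current session, None if idle ("-")
    auth: str               # N = none, P = password, A = AAA
    current: bool           # "+" marks the line the command was issued from


def parse_user_interface(text: str) -> List[UserInterface]:
    """Parse the tabular output into one record per user-interface line."""
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Idx"):
            continue                       # blank line or column header
        current = stripped.startswith("+")
        tokens = stripped.lstrip("+").split()
        # Console rows carry a Tx/Rx speed, VTY rows leave it blank, so the
        # token count varies. Anchor from both ends instead of by position:
        # the first three tokens are Idx/Type/Number, the last five are
        # Modem/Privi/ActualPrivi/Auth/Int.
        if len(tokens) < 8:
            continue
        idx, kind, number = tokens[0], tokens[1], tokens[2]
        _modem, privi, actual, auth, _intf = tokens[-5:]
        rows.append(UserInterface(
            idx=int(idx),
            kind=kind,
            number=int(number),
            privi=int(privi),
            actual=None if actual == "-" else int(actual),
            auth=auth,
            current=current,
        ))
    return rows


def sessions_without_authorized_level(rows: List[UserInterface]) -> List[UserInterface]:
    """VTY sessions authenticated by AAA (Auth == 'A') whose actual level is 0.

    ActualPrivi 0 on such a session means the TACACS server returned no
    privilege level and the device used the VTY default, which is the
    symptom described on this page.
    """
    return [r for r in rows if r.kind == "VTY" and r.auth == "A" and r.actual == 0]


if __name__ == "__main__":
    rows = parse_user_interface(SAMPLE_OUTPUT)
    for r in sessions_without_authorized_level(rows):
        print(f"VTY {r.number} (idx {r.idx}): AAA user logged in with level 0, "
              f"no privilege level was delivered by the server")
```

Paste the real command output in place of SAMPLE_OUTPUT (or read it from a file); any VTY the script reports is a session for which the TACACS server sent no privilege level.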

Solution

The TACACS server is not delivering a privilege level. Add the following configuration so that the device assigns the user level itself:
[AR-aaa]service-scheme test (create a service scheme)
[AR-aaa-service-test] admin-user privilege level 15 (set the administrator privilege level)
[AR-aaa]domain default_admin
[AR-aaa-domain-default_admin]service-scheme test (bind the service scheme to the domain)

Note that this gives level 15 to every user who logs in through domain default_admin, whatever the TACACS server returned for that user. Where per-user levels matter, the better fix is to have the TACACS server return the privilege level in its authorization response and leave the device-side workaround out.
