Wrong source IP prevents HWTACACS from working on S7700

Publication Date:  2015-01-27 Views:  1273 Downloads:  0
Issue Description
Customer configured the HWTACACS service on S7700 to authenticate Telnet users.
However, after the configuration was completed, HWTACACS did not work.
The configuration is as follows:
hwtacacs-server template XXX
hwtacacs-server authentication X.X.X.X
hwtacacs-server authorization X.X.X.X
hwtacacs-server accounting X.X.X.X
hwtacacs-server shared-key cipher XXX

aaa
authentication-scheme default
  authentication-mode hwtacacs local
authentication-scheme test
  authentication-mode hwtacacs local
authorization-scheme default
  authorization-mode hwtacacs local
authorization-scheme test
  authorization-mode hwtacacs local
accounting-scheme default
  accounting-mode hwtacacs
  accounting start-fail online
accounting-scheme test
  accounting-mode hwtacacs
  accounting start-fail online
domain default
domain default_admin
domain huawei
  authentication-scheme test
  accounting-scheme test
  authorization-scheme test
  hwtacacs-server XXX

user-interface vty 0 4
authentication-mode aaa
user privilege level 15
idle-timeout 0 0
protocol inbound all
Handling Process
1. Checked the configuration on S7700 and confirmed that the Telnet service is enabled.
2. Communicated with the customer to confirm the Telnet username format. The username on the ACS server has no domain name, and the customer also logged in to S7700 with the username without a domain name.
However, administrator users on S7700 use the domain default_admin by default. We asked the customer to log in with the username "xxx@huawei"
and to add the following command under the HWTACACS template, because the username on the ACS has no domain name:
hwtacacs-server template XXX
undo hwtacacs-server user-name domain-included
If the problem is not solved, ask the customer to enable the following debugging for further analysis:
<huawei>debugging hwtacacs all
<huawei>debugging cm all
<huawei>debugging aaa  all
<huawei>t d
<huawei>t m

3. After the customer changed the configuration as suggested, the problem was still not solved.
The debugging information confirms that S7700 now authenticates the Telnet user in the correct domain:
<Test>
Jan  6 2015 13:41:01.170.2-08:00 Test AAA/7/DEBUG:
    DestIndex:16000 SrcIndex:16000 Slot:0
    User:xxx@huawei Password:*** MAC:ffff-ffff-ffff
    Slot:0 SubSlot:255 Port:255 VLAN:0
    IP:10.166.93.2 AccessType:telnet AuthenType:PAP
    AdminLevel:15 EapSize:0 AuthenCode:ADMIN
    ulInterface:4294967295 ChallengeLen:255 ChapID:255
    LineType:3 LineIndex:1 PortType:5
    Option82:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    AcctSessionId:CommHua0025525500000000088e2e0016000
<Test>
Jan  6 2015 13:41:01.170.3-08:00 Test AAA/7/DEBUG:
AAA_MAIN initiate NormalAuthenReq event to AAA_AUTHEN module.
    CID:118 Result:0 Info:442112372
<Test>
Jan  6 2015 13:41:01.170.4-08:00 Test AAA/7/DEBUG:
[AAA INFO]User authentication domain name is huawei
<Test>
Jan  6 2015 13:41:01.170.5-08:00 Test AAA/7/DEBUG:
AAA send AAA_TAC_MSG_AUTHENREQ message to TAC module.

However, S7700 then reports the errors below. S7700 had already sent the connection request to the ACS server,
and the ACS server closed the session for some reason.
<Test>
Jan  6 2015 13:41:01.180.6-08:00 Test TACACS/7/Event:Session status is not connect now. SessionID=546630.
<Test>
Jan  6 2015 13:41:01.180.7-08:00 Test TACACS/7/Event:statistics: transmit flag: SENDPACKET, server flag: authentication, packet flag: 0xff
<Test>
Jan  6 2015 13:41:01.220.1-08:00 Test TACACS/7/Event:Connect is received. SessionID=546630.
<Test>
Jan  6 2015 13:41:01.220.2-08:00 Test TACACS/7/Event: Tac packet sending success!          
version:c0 type:authentication sequence:1 flag:ENCRYPTED_FLAG session id:546630 length:23 serverIP:X.X.X.X vrf:0
<Test>
Jan  6 2015 13:41:01.270.1-08:00 Test TACACS/7/Event:PeerClose is received. SessionID=546630.
<Test>
Jan  6 2015 13:41:01.270.2-08:00 Test TACACS/7/Event:No useful server.
<Test>
Jan  6 2015 13:41:01.270.3-08:00 Test TACACS/7/Event:TAC_FindServer [NoReply]: ucTemplateNum =0, ServerIpAddr =X.X.X.X
<Test>
Jan  6 2015 13:41:01.270.4-08:00 Test TACACS/7/Event:Can not find a valid server when receive AuthenResponese packet Timeout.
<Test>
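As an added example (not from the original case and not Huawei code), the following Python script reproduces the triage performed on the debug output above, run offline against a constructed excerpt modelled on those lines. It extracts the user and the authentication domain from the AAA debug, tracks each HWTACACS session through "Connect is received", the request sent, and "PeerClose is received", and flags a session that the server accepted and then closed without answering. The event strings are the ones shown in the log; the expected-domain rule (the part after "@", otherwise default_admin for administrators) follows the handling above; the server address 192.0.2.10 and the session id are constructed placeholders.

```python
"""Offline triage of Huawei VRP 'debugging aaa all' / 'debugging hwtacacs all' output.

Added example for this case; not Huawei code. The event strings match the debug
output in the case; the session-tracking and verdict logic is this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the debug lines in the case.
# 192.0.2.10 is a documentation address standing in for the ACS server.
SAMPLE_DEBUG = """\
Jan  6 2015 13:41:01.170.2-08:00 Test AAA/7/DEBUG:
    User:xxx@huawei Password:*** MAC:ffff-ffff-ffff
    IP:10.166.93.2 AccessType:telnet AuthenType:PAP
Jan  6 2015 13:41:01.170.4-08:00 Test AAA/7/DEBUG:
[AAA INFO]User authentication domain name is huawei
Jan  6 2015 13:41:01.180.6-08:00 Test TACACS/7/Event:Session status is not connect now. SessionID=546630.
Jan  6 2015 13:41:01.220.1-08:00 Test TACACS/7/Event:Connect is received. SessionID=546630.
Jan  6 2015 13:41:01.220.2-08:00 Test TACACS/7/Event: Tac packet sending success!
version:c0 type:authentication sequence:1 flag:ENCRYPTED_FLAG session id:546630 length:23 serverIP:192.0.2.10 vrf:0
Jan  6 2015 13:41:01.270.1-08:00 Test TACACS/7/Event:PeerClose is received. SessionID=546630.
Jan  6 2015 13:41:01.270.2-08:00 Test TACACS/7/Event:No useful server.
Jan  6 2015 13:41:01.270.4-08:00 Test TACACS/7/Event:Can not find a valid server when receive AuthenResponese packet Timeout.
"""

USER_RE = re.compile(r"\bUser:(\S+)")
DOMAIN_RE = re.compile(r"User authentication domain name is (\S+)")
SESSION_RE = re.compile(r"SessionID=(\d+)")
SEND_RE = re.compile(r"session id:(\d+).*?serverIP:(\S+)")


@dataclass
class Session:
    sid: str
    connected: bool = False                       # "Connect is received": TCP session to the server is up
    servers: list = field(default_factory=list)   # serverIP of each request the switch sent
    peer_closed: bool = False                     # "PeerClose is received": the server closed the TCP session
    timed_out: bool = False                       # the request expired without an authentication reply


def parse_debug(text):
    """Return (aaa_info, sessions) extracted from the debug text."""
    aaa = {"user": None, "domain": None}
    sessions = {}
    last_sid = None   # event lines without a SessionID belong to the most recent session
    for line in text.splitlines():
        if m := USER_RE.search(line):
            aaa["user"] = m.group(1)
        if m := DOMAIN_RE.search(line):
            aaa["domain"] = m.group(1)
        if m := SEND_RE.search(line):   # continuation line of "Tac packet sending success!"
            sessions.setdefault(m.group(1), Session(m.group(1))).servers.append(m.group(2))
        if "TACACS/7/Event" not in line:
            continue
        m = SESSION_RE.search(line)
        sid = m.group(1) if m else last_sid
        if sid is None:
            continue
        last_sid = sid
        s = sessions.setdefault(sid, Session(sid))
        if "Connect is received" in line:
            s.connected = True
        if "PeerClose is received" in line:
            s.peer_closed = True
        if "Timeout" in line:
            s.timed_out = True
    return aaa, sessions


def expected_domain(username, admin_access=True):
    """Domain VRP authenticates in: the part after '@' if present, otherwise the
    default domain for the access type (default_admin for administrators, default for NAC users)."""
    if "@" in username:
        return username.rpartition("@")[2]
    return "default_admin" if admin_access else "default"


def diagnose(text):
    """Classify each HWTACACS session and check the authentication domain."""
    aaa, sessions = parse_debug(text)
    want = expected_domain(aaa["user"]) if aaa["user"] else None
    verdicts = {}
    for s in sessions.values():
        if not s.connected:
            verdicts[s.sid] = "no_connect"                   # never reached the server
        elif s.servers and s.peer_closed:
            verdicts[s.sid] = "server_closed_after_request"  # accepted, then closed without replying
        elif s.timed_out:
            verdicts[s.sid] = "timeout_no_close"
        else:
            verdicts[s.sid] = "inconclusive"
    return {"user": aaa["user"], "domain": aaa["domain"],
            "domain_ok": aaa["domain"] is not None and aaa["domain"] == want,
            "sessions": verdicts}


if __name__ == "__main__":
    result = diagnose(SAMPLE_DEBUG)
    print(result)
    for sid, verdict in result["sessions"].items():
        if verdict == "server_closed_after_request":
            print(f"session {sid}: the server closed the session without an authentication reply; "
                  "check the client entry for this switch on the ACS (source IP) before the AAA config.")
```

A "server_closed_after_request" verdict with "domain_ok" true is exactly the situation in this case: the AAA side is correct and the remaining problem is between the switch and the ACS, which is why the next step moves to the ACS client configuration and the routing table.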

4. Asked the customer to send the ACS configuration for S7700, and found that the S7700's IP address registered on the ACS server is Y.Y.Y.Y.
Checked the route to the ACS server (X.X.X.X):
The TACACS server IP is X.X.X.X. According to the routing table, the outbound interface is Vlanif172 with IP Z.Z.Z.Z:

     X.X.X.X/24  O_ASE   150  21          D   Z.Z.Z.Z    Vlanif172

Without a configured source IP, the TACACS packets are sent with source IP Z.Z.Z.Z, which differs from the IP Y.Y.Y.Y configured for S7700 on the ACS server.
We think this is why the ACS server closes the connection session with S7700.
Asked the customer to add the following command under the HWTACACS template, which confirmed that the problem was solved:
hwtacacs-server template XXX
hwtacacs-server source-ip Y.Y.Y.Y
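As an added example (not from the original case and not Huawei code), the following Python script performs the check from step 4 in code: it parses a routing table in the layout shown above, finds the outbound interface toward the TACACS server by longest-prefix match, works out the source IP the switch will use (the configured hwtacacs-server source-ip if set, otherwise the outbound interface address, which is the behaviour this case describes), and compares it with the client address registered on the ACS. The routing table, interface addresses and ACS client list are constructed from documentation address ranges, not the customer's values.

```python
"""Which source IP will the S7700 put on HWTACACS packets, and does the ACS know it?

Added example for this case, not Huawei code. All addresses below are constructed
(documentation ranges) and stand in for X.X.X.X / Y.Y.Y.Y / Z.Z.Z.Z in the case.
"""
import ipaddress

# Constructed 'display ip routing-table' excerpt in the column layout shown in the case.
ROUTING_TABLE = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
0.0.0.0/0           Static  60   0          RD   198.51.100.1    Vlanif10
192.0.2.0/24        O_ASE   150  21          D   198.51.100.9    Vlanif172
"""
# Constructed: primary IP address of each interface on the switch.
INTERFACE_IPS = {"Vlanif10": "198.51.100.2", "Vlanif172": "198.51.100.10", "LoopBack0": "203.0.113.1"}
# Constructed: the client (NAS) address registered for the S7700 on the ACS (Y.Y.Y.Y in the case).
ACS_REGISTERED_CLIENTS = {"203.0.113.1"}
# Constructed: the TACACS server address (X.X.X.X in the case).
TACACS_SERVER = "192.0.2.10"


def parse_routes(text):
    """Parse (network, next_hop, interface) tuples; header and non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # header line such as "Destination/Mask"
        routes.append((net, parts[-2], parts[-1]))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the switch uses to reach dst, or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[2]


def tacacs_source_ip(routes, iface_ips, server_ip, configured_source=None):
    """Source address of the HWTACACS packets: the configured 'hwtacacs-server source-ip'
    if present, otherwise the address of the outbound interface toward the server."""
    if configured_source:
        return configured_source
    iface = egress_interface(routes, server_ip)
    return iface_ips.get(iface) if iface else None


def source_ip_check(routes, iface_ips, server_ip, acs_clients, configured_source=None):
    """Report the effective source IP and whether the ACS has a client entry for it."""
    src = tacacs_source_ip(routes, iface_ips, server_ip, configured_source)
    return {
        "egress_interface": egress_interface(routes, server_ip),
        "source_ip": src,
        "registered_on_acs": src in acs_clients,
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    # Before the fix: no source-ip configured, packets leave with the Vlanif172 address.
    print("without source-ip:", source_ip_check(routes, INTERFACE_IPS, TACACS_SERVER, ACS_REGISTERED_CLIENTS))
    # After the fix: source-ip set to the address the ACS knows.
    print("with source-ip   :", source_ip_check(routes, INTERFACE_IPS, TACACS_SERVER,
                                                ACS_REGISTERED_CLIENTS, configured_source="203.0.113.1"))
```

Running the check before and after adding hwtacacs-server source-ip shows the mismatch and its resolution; the same routine is worth rerunning after any routing change, since a new best path to the ACS silently changes the source address when no source-ip is configured.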
Root Cause

The customer omitted the following command from the HWTACACS configuration on S7700, so the connection session between S7700 and the ACS server failed.

hwtacacs-server source-ip Y.Y.Y.Y

Solution
Ask the customer to add the following command under the HWTACACS template and confirm that the problem is solved:
hwtacacs-server template XXX
hwtacacs-server source-ip Y.Y.Y.Y
Suggestions

For HWTACACS/RADIUS issues, please check as follows.

1. Before troubleshooting, obtain the username format to confirm whether it contains a domain name.

2. Make sure the access user is authenticated in the correct domain. By default, there are two domains:

domain default is used for NAC access users, and domain default_admin is used for administrator users.

3. If the above configuration is correct, the customer needs to check the settings on the ACS server.

Some special users, such as FTP users, require special settings on the ACS server.
