S5700LI (V200R007C00SPC500) cannot authenticate against a Cisco TACACS server due to a wrong configuration

Publication Date: 2016-06-27
Issue Description
The S5700LI cannot authenticate against a Cisco TACACS server.

Version: V2R7C00SPC500

Topology: Access switch S5700 ------------- Aggregation switch Cisco S3750 --------------- Cisco TACACS server
Alarm Information
<Access-switch-01>
Apr 12 2016 16:14:11.640.6+02:00 Access-switch-01 AAA/7/DEBUG:
    User:huawei Password:*** MAC:ffff-ffff-ffff
    Slot:9 SubSlot:255 Port:255 VLAN:0
    IP:10.41.9.52 AccessType:telnet AuthenType:PAP
    AdminLevel:0 EapSize:0 AuthenCode:ADMIN
    ulInterface:4294967295 ChallengeLen:255 ChapID:255
    LineType:3 LineIndex:0 PortType:5
    AcctSessionId:Access-092552550000000002d3524000002
<Access-switch-01>
Apr 12 2016 16:14:11.640.7+02:00 Access-switch-01 AAA/7/DEBUG:
AAA_MAIN initiate NormalAuthenReq event to AAA_AUTHEN module.
    CID:65 Result:0 Info:186192444
<Access-switch-01>
Apr 12 2016 16:14:11.640.8+02:00 Access-switch-01 AAA/7/DEBUG:User authentication domain name is default
<Access-switch-01>
Apr 12 2016 16:14:11.640.9+02:00 Access-switch-01 AAA/7/DEBUG:The authentication place can not have none-method when user type is admin.
<Access-switch-01>
Apr 12 2016 16:14:11.640.10+02:00 Access-switch-01 AAA/7/DEBUG:AAA get user group author info. (RadiusAuthenFlag=0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.11+02:00 Access-switch-01 AAA/7/DEBUG:AAA get service scheme author info. (RadiusAuthenFlag=0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.12+02:00 Access-switch-01 AAA/7/DEBUG:Author of DaaTariffLevel.(DaaEnableFlag=0, UpStat=0, DownStat=0, Acct=0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.13+02:00 Access-switch-01 AAA/7/DEBUG:
AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.
<Access-switch-01>
Apr 12 2016 16:14:11.640.14+02:00 Access-switch-01 AAA/7/DEBUG:
    Result:1 DomainIndex:0 ServiceScheme:65535
    AuthedPalace:0 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
    RTAcctInterval:4294967295 Priority:[255,255]
    AdminLevel:0 NextHop:4294967295
    EapSize:0 ReplyMessage:Authentication fail
    TunnelType:0 MediumType:0 PrivateGroupID:
<Access-switch-01>
Apr 12 2016 16:14:11.640.15+02:00 Access-switch-01 AAA/7/DEBUG:AAA Free Authen Session(cmOperIndex:2, CID:65, SrcNode:9, slot:9).
<Access-switch-01>
Apr 12 2016 16:14:11.640.16+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG]CM Msg To Event, Event = CM_EVENT_AUTH_FAIL
<Access-switch-01>
Apr 12 2016 16:14:11.640.17+02:00 Access-switch-01 CM/7/DEBUG:send authen ack to admin(0, 0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.18+02:00 Access-switch-01 CM/7/DEBUG:send authen ack to admin(ucResetPassword:0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.19+02:00 Access-switch-01 CM/7/DEBUG:get auth method.(0, 4)
<Access-switch-01>
Apr 12 2016 16:14:11.640.20+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG]MSG Send To:ADMIN Code:SRV_MSG_AUTH_ACK Src:2 Dst:28 Slot:9.
<Access-switch-01>
Apr 12 2016 16:14:11.640.21+02:00 Access-switch-01 CM/7/DEBUG:
[CM State], State From AUTH BUTT To DELETING BUTT. (Cib=2, Event=CONN_DOWN)
<Access-switch-01>
Apr 12 2016 16:14:11.640.22+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG][CM Clean ReAuthorize Info] Finished
<Access-switch-01>
Handling Process
1. The S5700 can ping the TACACS server, so connectivity between the S5700 and the TACACS server is OK.

2. A Cisco access switch can authenticate against the same TACACS server, but the Huawei access switch cannot, so the problem lies on the Huawei switch.

3. The debug information shows that the TACACS server never received an authentication packet from the Huawei switch: the AAA module logs "The authentication place can not have none-method when user type is admin" and answers the login with "Authentication fail" without contacting the server.

4. Checking the TACACS configuration on the S5700, the authentication sequence is tacacs, local, none.

5. After the none authentication mode was deleted, the S5700 can authenticate against the TACACS server.
Root Cause
In an AAA authentication scheme, the TACACS and none authentication modes cannot be configured at the same time. For an admin user the switch rejects such a scheme locally (the debug line "The authentication place can not have none-method when user type is admin"), so no authentication request is ever sent to the TACACS server.
Solution
Remove the none authentication mode; the issue is then resolved.

Change the command "authentication-mode hwtacacs local none" to "authentication-mode hwtacacs local".

The AAA configuration on the S5700 before the fix is shown below; the line to change is the authentication-mode under authentication-scheme HW, which both the default and the default_admin domains reference:
 
aaa
 authentication-scheme default
 authentication-scheme HW
  authentication-mode hwtacacs local none
 authorization-scheme default
 authorization-scheme HW
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme HW
  accounting-mode hwtacacs
 domain default
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
 domain default_admin
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
 domain ethek-acs

Suggestions
If two authentication modes are not compatible, the switch should not allow such a mistaken command to be configured. This kind of issue could then be avoided.
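Until the switch enforces that rule itself, the same check can be run offline against an exported configuration. The following Python script is an added example written for this article; it is not Huawei tooling and not part of the original case. It parses an aaa block whose nesting is given by indentation (the layout of "display current-configuration" output is assumed), flags authentication schemes that combine hwtacacs or radius with none, reports which domains reference them (default_admin being the one that carries admin logins), recognises the "can not have none-method" message from the debug trace above, and produces the corrected scheme. The configuration and debug text embedded in it are constructed from this case.

```python
"""Offline audit of a Huawei VRP 'aaa' block for the misconfiguration in this case:
an authentication scheme combining a remote mode (hwtacacs/radius) with the 'none'
fallback.  Added example, not Huawei tooling; config and debug text are constructed."""
import re
from typing import Dict, List, Tuple

REMOTE_MODES = {"hwtacacs", "radius"}
NONE_METHOD_MSG = "can not have none-method when user type is admin"  # switch's wording

# Constructed sample: the faulty S5700 configuration, indented as the switch prints it
# (export via 'display current-configuration' is assumed).
SAMPLE_AAA_CONFIG = """\
aaa
 authentication-scheme default
 authentication-scheme HW
  authentication-mode hwtacacs local none
 authorization-scheme default
 authorization-scheme HW
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme HW
  accounting-mode hwtacacs
 domain default
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
 domain default_admin
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
"""

# Constructed excerpt of the AAA debug trace from the case.
SAMPLE_DEBUG = ("Apr 12 2016 16:14:11.640.9+02:00 Access-switch-01 AAA/7/DEBUG:"
                "The authentication place can not have none-method when user type is admin.")


def parse_aaa(config: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (schemes, domains): authentication scheme -> modes (empty when left at
    its default) and domain -> referenced authentication scheme, using indentation."""
    schemes: Dict[str, List[str]] = {}
    domains: Dict[str, str] = {}
    block_kind = block_name = block_indent = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "aaa":
            continue
        indent = len(raw) - len(raw.lstrip())
        if block_indent is None or indent <= block_indent:
            # Block-level line: opens a scheme or domain definition.
            block_indent, parts = indent, line.split()
            block_kind = parts[0]
            block_name = parts[1] if len(parts) > 1 else None
            if block_kind == "authentication-scheme" and block_name:
                schemes.setdefault(block_name, [])
            continue
        # Nested line inside the current definition.
        if block_kind == "authentication-scheme" and line.startswith("authentication-mode "):
            schemes[block_name] = line.split()[1:]
        elif block_kind == "domain" and line.startswith("authentication-scheme "):
            domains[block_name] = line.split()[1]
    return schemes, domains


def find_remote_with_none(schemes: Dict[str, List[str]]) -> List[str]:
    """Schemes mixing hwtacacs/radius with 'none'; the switch rejects such a scheme for
    admin users before any request reaches the server."""
    return sorted(name for name, modes in schemes.items()
                  if "none" in modes and REMOTE_MODES & set(modes))


def remove_none_fallback(config: str) -> str:
    """Corrected configuration: 'none' dropped from flagged authentication-mode lines
    (hwtacacs local none -> hwtacacs local)."""
    bad = set(find_remote_with_none(parse_aaa(config)[0]))
    out, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"^authentication-scheme\s+(\S+)$", line)
        if match:
            current = match.group(1)
        if current in bad and line.startswith("authentication-mode "):
            modes = [m for m in line.split()[1:] if m != "none"]
            raw = raw[: len(raw) - len(raw.lstrip())] + "authentication-mode " + " ".join(modes)
        out.append(raw)
    return "\n".join(out) + "\n"


def debug_shows_none_method_rejection(debug_output: str) -> bool:
    """True when the AAA debug trace carries the message that pins this misconfiguration."""
    return NONE_METHOD_MSG in debug_output


if __name__ == "__main__":
    found_schemes, found_domains = parse_aaa(SAMPLE_AAA_CONFIG)
    print("flagged schemes:", find_remote_with_none(found_schemes), "domains:", found_domains)
    print(remove_none_fallback(SAMPLE_AAA_CONFIG))
```

Run against the sample, the script flags scheme HW, shows that both the default and default_admin domains depend on it, and prints the configuration with "authentication-mode hwtacacs local" in place of the faulty line. Feeding it the aaa block of every switch in a fleet gives a quick way to find the same mistake before an admin is locked out of TACACS login.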
