First, I checked the basic configuration and found that the TACACS configuration on the S5700 was incomplete: some important configuration was missing, as follows:
authorization-cmd 3 hwtacacs
authorization-cmd 15 hwtacacs
// There is no domain configuration for HWTACACS authentication; it needs to be configured.
I then asked the customer to add the following domain configuration:
After adding the above configuration, the customer tested again, but the login still failed. This time, he found that the TACACS server showed the login as successful, as follows:
This information shows that authentication on the server side was now normal, so some special configuration may still have been missing on the switch. I then confirmed the login details with the customer (such as the login method, which protocol, and so on). The customer told us that he was using SSH to log in to the switch.
So I checked the SSH-related configuration again and found that an important command for TACACS authentication was missing, as follows:
[S5700]ssh authentication-type default password // For SSH login via HWTACACS, this command needs to be configured
After configuring the above command, the customer could log in to the switch, and the problem was resolved.