Authentication to the NE40 router using an external TACACS server was not working for users configured in the TACACS server.
After some checking, I found that these users, in their attributes in the TACACS server, were configured with a privilege level of 15.
Debug of failed authentication attempt:
*0.66360430 NE40_NEURONA TAC/8/Event:The inputted user privilege is larger than 3, so donnot accept it
*0.66360560 NE40_NEURONA TAC/8/Event:Tac get attribute error
*0.66360630 NE40_NEURONA TAC/8/Event:
TAC_MESSAGE for TAC->AAA:
UserID:16384 RequestID:0xd TemplateNO:0
Bitmap:0 0 0 0
*0.66360850 NE40_NEURONA TAC/8/Event:
AuthorType=4 ServerMsg= DataMsg=
Acl=0 Idleimeout=0 PrivLevel=0 NoHangup=0
AutoExec= CallBackVerify=0 Callbackdialstring=
*0.66361091 NE40_NEURONA TAC/8/Event:statistics: transmit flag:2, server flag: 1,packet flag:0x1
*0.66361210 NE40_NEURONA TAC/8/Event: session is deleted due to finishing session:
Reconfigure the users in the TACACS server with a privilege of 3.
Huawei VRP only supports 4 levels of privilege (0, 1, 2, 3). If, during the authentication process, the TACACS server passes a privilege greater than 3 to the router, the router fails the authentication since it only supports privileges up to 3.
I suggest that, to really fix this issue, a feature be developed in the router that makes it possible to configure the router so that, when it receives a user with a privilege above 3 from the TACACS server, it treats this user as a level 3 user.
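Added example, not part of the original case and not Huawei tooling: a small Python parser that scans saved TACACS debug output for the privilege rejection shown above and ties it to the UserID and RequestID in the TAC->AAA message that follows. Treating the next TAC->AAA message on the same host as part of the rejected session is an assumption based on the ordering in this one capture, and the function names are hypothetical.

```python
import re

# Debug lines copied from the failed attempt above; continuation lines lack the "*" prefix.
SAMPLE = """\
*0.66360430 NE40_NEURONA TAC/8/Event:The inputted user privilege is larger than 3, so donnot accept it
*0.66360560 NE40_NEURONA TAC/8/Event:Tac get attribute error
*0.66360630 NE40_NEURONA TAC/8/Event:
TAC_MESSAGE for TAC->AAA:
UserID:16384 RequestID:0xd TemplateNO:0
Bitmap:0 0 0 0
*0.66361091 NE40_NEURONA TAC/8/Event: session is deleted due to finishing session:
"""

# "*<uptime> <hostname> <module>/<severity>/<type>:<message>"
HEADER = re.compile(r"^\*(?P<ts>[\d.]+) (?P<host>\S+) (?P<mod>\w+)/(?P<sev>\d+)/(?P<kind>\w+):(?P<msg>.*)$")
PRIV_REJECT = re.compile(r"user privilege is larger than (\d+)")
USER_ID = re.compile(r"UserID:(\d+) RequestID:(0x[0-9a-fA-F]+)")

def parse_events(text):
    """Fold continuation lines into the preceding '*'-prefixed event."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "body": [m["msg"].strip()]})
        elif events and line.strip():
            events[-1]["body"].append(line.strip())
    return events

def find_privilege_rejections(text):
    """One finding per rejection, with IDs from the next TAC->AAA message (assumed same session)."""
    findings, pending = [], None
    for ev in parse_events(text):
        if ev["mod"] != "TAC":
            continue
        body = " ".join(ev["body"])
        hit, ids = PRIV_REJECT.search(body), USER_ID.search(body)
        if hit:
            pending = {"host": ev["host"], "ts": ev["ts"], "max_level": int(hit[1]),
                       "user_id": None, "request_id": None}
            findings.append(pending)
        elif ids and pending and pending["host"] == ev["host"] and pending["user_id"] is None:
            pending["user_id"], pending["request_id"] = int(ids[1]), ids[2]
        elif "session is deleted" in body:
            pending = None  # session ended; do not correlate across sessions
    return findings

if __name__ == "__main__":
    print(find_privilege_rejections(SAMPLE))
```

Each finding names the router, the uptime stamp of the rejection and the maximum level the router reported, which identifies the sessions whose users need their TACACS privilege attribute lowered to 3.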