Publication Date: 2019-07-19 | Views: 3312 | Downloads: 0 | Author: SU1001887712 | Document ID: EKB1000116729
The switch has been added to the TACACS server, but users are still authenticated with both the local username and password and the AAA server password. The AAA configuration on the switch is as follows:
#
hwtacacs-server template XYZ
hwtacacs-server authentication 10.0.0.1
hwtacacs-server authorization 10.0.0.1
hwtacacs-server accounting 10.0.0.1
hwtacacs-server shared-key cipher ***
#
hwtacacs-server template tacacs
hwtacacs-server authentication 192.168.1.1
hwtacacs-server authorization 192.168.1.1
hwtacacs-server accounting 192.168.1.1
#
aaa
authentication-scheme default
authentication-mode hwtacacs local
authentication-scheme acs1
authentication-mode hwtacacs local
authorization-scheme default
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
authorization-scheme acs1
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme default
accounting-scheme acs1
accounting-mode hwtacacs
accounting realtime 1
accounting start-fail online
domain default
hwtacacs-server xyz
domain default_admin
authentication-scheme acs1
accounting-scheme acs1
authorization-scheme acs1
hwtacacs-server xyz
domain abc
authentication-scheme acs1
authorization-scheme acs1
authorization-scheme acs1
hwtacacs-server xyz
local-user admin password cipher ***
local-user admin privilege level 15
local-user admin ftp-directory flash:/
local-user admin service-type telnet ssh ftp http
#
1. First, check network reachability from the switch to the TACACS server by pinging the server IP; if that is fine, move to the next step.
2. Then we suggest the customer use only one TACACS template; if they have two TACACS servers, mark the second one as secondary in the same template and map that template to the default_admin domain. The changed configuration is as follows:
hwtacacs-server template XYZ
hwtacacs-server authentication 10.0.0.1
hwtacacs-server authorization 10.0.0.1
hwtacacs-server accounting 10.0.0.1
hwtacacs-server authentication 192.168.1.1 secondary
hwtacacs-server authorization 192.168.1.1 secondary
hwtacacs-server accounting 192.168.1.1 secondary
hwtacacs-server shared-key cipher ***
#
aaa
authentication-scheme acs1
authentication-mode hwtacacs local
authorization-scheme acs1
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme acs1
accounting-mode hwtacacs
accounting realtime 1
accounting start-fail online
domain default_admin
authentication-scheme acs1
accounting-scheme acs1
authorization-scheme acs1
hwtacacs-server XYZ
3. If the issue is still not resolved, ask the customer to share the debug logs collected with the following commands:
<huawei>deb hwtacacs all
<huawei>deb aaa all
<huawei>deb cm
<huawei>t m
<huawei>t d
<huawei>d t 0
To close debugging:
<huawei>u t m
<huawei>undo deb all
<huawei>u t d
Duplication of the user account (admin) on both the switch and the TACACS server.
After checking the debug logs we find that authentication was performed through the TACACS server only, and that the customer had configured the same user account on both the switch and the server. The customer therefore has to use separate usernames and passwords for local and TACACS authentication.
TAC_MESSAGE for TAC->AAA:
UserID:849 RequestID:0x4 TemplateNO:0
Bitmap:1 0 0 0 0 0
SourceMessage:0x7
<testing_Okha211>plz
Apr 13 2016 17:32:09.850.4-05:13 testing_Okha211 TACACS/7/Event:
ServerMsg=username: Echo=REPLY_FLAG_ECHO
<testing_Okha211>plz
Apr 13 2016 17:32:09.880.1-05:13 testing_Okha211 AAA/7/DEBUG:
AAA receive AAA_TAC_MSG_AUTHENREPLY message from TAC module.
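As an added example (not part of the original case), the following Python script audits a Huawei-style AAA configuration excerpt for the three conditions this case turned on: more than one hwtacacs-server template, schemes that fall back from hwtacacs to local, and local-user accounts that also exist on the TACACS+ server. The configuration excerpt and the TACACS user list are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the case's AAA configuration (not the full dump).
SWITCH_CONFIG = """\
hwtacacs-server template XYZ
 hwtacacs-server authentication 10.0.0.1
 hwtacacs-server shared-key cipher ***
hwtacacs-server template tacacs
 hwtacacs-server authentication 192.168.1.1
aaa
 authentication-scheme acs1
  authentication-mode hwtacacs local
 authorization-scheme acs1
  authorization-mode hwtacacs local
 accounting-scheme acs1
  accounting-mode hwtacacs
 domain default_admin
  authentication-scheme acs1
  hwtacacs-server xyz
 local-user admin password cipher ***
 local-user admin privilege level 15
 local-user netops password cipher ***
"""

# Constructed: account names the TACACS+ administrator reports as defined on the server.
TACACS_USERS = {"admin", "alice"}


def audit_aaa(config, tacacs_users):
    """Flag the conditions this case turned on: several TACACS templates,
    schemes that fall back to local, and local accounts that also exist
    on the TACACS+ server (the root cause in this case)."""
    templates = re.findall(r"^\s*hwtacacs-server template (\S+)", config, re.M)
    fallback = re.findall(
        r"^\s*(authentication|authorization)-mode hwtacacs local", config, re.M)
    # Every 'local-user <name> ...' line names a local account; collect the names once.
    local_users = set(re.findall(r"^\s*local-user (\S+) ", config, re.M))
    return {
        "templates": templates,
        "multiple_templates": len(templates) > 1,
        "fallback_schemes": sorted(set(fallback)),
        # Accounts present on both sides: with hwtacacs-local fallback, these are
        # the ones that end up authenticating against two different password stores.
        "duplicated_accounts": sorted(local_users & set(tacacs_users)),
    }


if __name__ == "__main__":
    for key, value in audit_aaa(SWITCH_CONFIG, TACACS_USERS).items():
        print(f"{key}: {value}")
```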