

S5700LI (V200R007C00SPC500) cannot authenticate on CXX TACACS server due to wrong configuration

Publication Date:  2019-07-22 Views:  2016 Downloads:  0

Issue Description

The S5700LI cannot authenticate on the CXX TACACS server.


Access Switch S5700-------------Aggregation Switch CXX S3750---------------CXX TACACS server

Alarm Information


Apr 12 2016 16:14:11.640.6+02:00 Access-switch-01 AAA/7/DEBUG:
    User:huawei Password:*** MAC:ffff-ffff-ffff
    Slot:9 SubSlot:255 Port:255 VLAN:0
    IP: AccessType:telnet AuthenType:PAP
    AdminLevel:0 EapSize:0 AuthenCode:ADMIN
    ulInterface:4294967295 ChallengeLen:255 ChapID:255
    LineType:3 LineIndex:0 PortType:5

Apr 12 2016 16:14:11.640.7+02:00 Access-switch-01 AAA/7/DEBUG:
AAA_MAIN initiate NormalAuthenReq event to AAA_AUTHEN module.
    CID:65 Result:0 Info:186192444

Apr 12 2016 16:14:11.640.8+02:00 Access-switch-01 AAA/7/DEBUG:User authentication domain name is default

Apr 12 2016 16:14:11.640.9+02:00 Access-switch-01 AAA/7/DEBUG:The authentication place can not have none-method when user type is admin.

Apr 12 2016 16:14:11.640.10+02:00 Access-switch-01 AAA/7/DEBUG:AAA get user group author info. (RadiusAuthenFlag=0)

Apr 12 2016 16:14:11.640.11+02:00 Access-switch-01 AAA/7/DEBUG:AAA get service scheme author info. (RadiusAuthenFlag=0)

Apr 12 2016 16:14:11.640.12+02:00 Access-switch-01 AAA/7/DEBUG:Author of DaaTariffLevel.(DaaEnableFlag=0, UpStat=0, DownStat=0, Acct=0)

Apr 12 2016 16:14:11.640.13+02:00 Access-switch-01 AAA/7/DEBUG:
AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.

Apr 12 2016 16:14:11.640.14+02:00 Access-switch-01 AAA/7/DEBUG:
    Result:1 DomainIndex:0 ServiceScheme:65535
    AuthedPalace:0 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
    RTAcctInterval:4294967295 Priority:[255,255]
    AdminLevel:0 NextHop:4294967295
    EapSize:0 ReplyMessage:Authentication fail
    TunnelType:0 MediumType:0 PrivateGroupID:

Apr 12 2016 16:14:11.640.15+02:00 Access-switch-01 AAA/7/DEBUG:AAA Free Authen Session(cmOperIndex:2, CID:65, SrcNode:9, slot:9).

Apr 12 2016 16:14:11.640.16+02:00 Access-switch-01 CM/7/DEBUG:

Apr 12 2016 16:14:11.640.17+02:00 Access-switch-01 CM/7/DEBUG:send authen ack to admin(0, 0)

Apr 12 2016 16:14:11.640.18+02:00 Access-switch-01 CM/7/DEBUG:send authen ack to admin(ucResetPassword:0)

Apr 12 2016 16:14:11.640.19+02:00 Access-switch-01 CM/7/DEBUG:get auth method.(0, 4)

Apr 12 2016 16:14:11.640.20+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG]MSG Send To:ADMIN Code:SRV_MSG_AUTH_ACK Src:2 Dst:28 Slot:9.

Apr 12 2016 16:14:11.640.21+02:00 Access-switch-01 CM/7/DEBUG:
[CM State], State From AUTH BUTT To DELETING BUTT. (Cib=2, Event=CONN_DOWN)

Apr 12 2016 16:14:11.640.22+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG][CM Clean ReAuthorize Info] Finished


Handling Process

1. The S5700 can ping the TACACS server, so connectivity between the S5700 and the TACACS server is OK.

2. The CXX access switch can authenticate on the TACACS server, but the Huawei access switch cannot, so the problem is on the Huawei switch.

3. After checking the debug information, we found that the TACACS server did not receive any authentication packet from the Huawei switch.

4. Checking the TACACS configuration on the S5700, the authentication sequence is tacacs, local, none.

5. After deleting the none authentication configuration, the S5700 can authenticate on the TACACS server.

Root Cause

In AAA authentication, the TACACS and none authentication modes cannot be configured at the same time. The debug output above states this directly ("The authentication place can not have none-method when user type is admin"), after which the switch answers the telnet login locally with "ReplyMessage:Authentication fail" without ever sending a request to the TACACS server, which is why the server never saw an authentication packet.

Removing the none authentication mode resolved the issue: change the command "authentication-mode hwtacacs local none" to "authentication-mode hwtacacs local".

The TACACS configuration on the S5700 before the change (note the trailing none in authentication-scheme HW) is as below:

authentication-scheme default
authentication-scheme HW
  authentication-mode hwtacacs local none
authorization-scheme default
authorization-scheme HW
  authorization-mode  hwtacacs
accounting-scheme default
accounting-scheme HW
  accounting-mode hwtacacs
domain default
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
domain default_admin
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
domain ethek-acs
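The configuration check this root cause calls for, as an added example that is not part of this Huawei page: a small Python audit that parses a VRP-style AAA section, flags every authentication-scheme whose method list combines hwtacacs with none, lists the domains bound to that scheme (the login domains where the "can not have none-method when user type is admin" failure would appear), and emits the corrected authentication-mode line. The embedded configuration is a constructed, trimmed copy of the faulty configuration above; the parsing rules (column-0 block headers, indented member lines) are an assumption about the display format, not a full VRP parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: trimmed copy of the faulty AAA configuration from this page.
# Scheme HW still carries the trailing "none" that breaks admin (telnet) logins.
FAULTY_AAA_CONFIG = """\
authentication-scheme default
authentication-scheme HW
  authentication-mode hwtacacs local none
authorization-scheme HW
  authorization-mode hwtacacs
domain default
  authentication-scheme HW
  hwtacacs-server hw
domain default_admin
  authentication-scheme HW
  hwtacacs-server hw
"""

# Assumed layout: a block header sits at column 0, its members are indented.
BLOCK_RE = re.compile(r"^(authentication-scheme|authorization-scheme|accounting-scheme|domain)\s+(\S+)$")
MODE_RE = re.compile(r"^authentication-mode\s+(.+?)$")   # inside an authentication-scheme
BIND_RE = re.compile(r"^authentication-scheme\s+(\S+)$")  # inside a domain


def parse_aaa(config: str) -> Tuple[Dict[str, List[str]], Dict[str, Optional[str]]]:
    """Return (scheme -> ordered method list, domain -> bound authentication scheme)."""
    schemes: Dict[str, List[str]] = {}
    domains: Dict[str, Optional[str]] = {}
    kind = name = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():              # block header
            m = BLOCK_RE.match(line)
            kind, name = (m.group(1), m.group(2)) if m else (None, None)
            if kind == "authentication-scheme":
                schemes.setdefault(name, [])  # scheme with no explicit mode line -> []
            elif kind == "domain":
                domains.setdefault(name, None)
            continue
        if kind == "authentication-scheme":   # member line of a scheme
            m = MODE_RE.match(line)
            if m:
                schemes[name] = m.group(1).split()
        elif kind == "domain":                # member line of a domain
            m = BIND_RE.match(line)
            if m:
                domains[name] = m.group(1)
    return schemes, domains


def corrected_mode_line(methods: List[str]) -> str:
    """Drop 'none' from the method list and keep the remaining order."""
    return "authentication-mode " + " ".join(m for m in methods if m != "none")


def audit_aaa(config: str) -> List[dict]:
    """Flag authentication schemes that combine hwtacacs with none, with bound domains and fix."""
    schemes, domains = parse_aaa(config)
    findings = []
    for scheme, methods in schemes.items():
        if "none" in methods and "hwtacacs" in methods:
            findings.append({
                "scheme": scheme,
                "methods": methods,
                "domains": sorted(d for d, s in domains.items() if s == scheme),
                "fix": corrected_mode_line(methods),
            })
    return findings


def apply_fix(config: str) -> str:
    """Rewrite every flagged authentication-mode line in place, preserving indentation."""
    out = []
    for raw in config.splitlines():
        m = MODE_RE.match(raw.strip())
        methods = m.group(1).split() if m else []
        if "none" in methods and "hwtacacs" in methods:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(indent + corrected_mode_line(methods))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_aaa(FAULTY_AAA_CONFIG):
        print(f"scheme {f['scheme']}: {' '.join(f['methods'])} -> {f['fix']} "
              f"(domains: {', '.join(f['domains'])})")
    print(apply_fix(FAULTY_AAA_CONFIG))
```

Run the audit against the output of `display current-configuration` saved to a file; an empty findings list means no scheme mixes hwtacacs with none, and the rewritten text from `apply_fix` is the command set to paste back under `aaa`.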


If two authentication modes are incompatible, the switch should not allow such a mistaken command to be configured in the first place; this kind of issue could then be avoided.