A customer wants to use HWTACACS to authenticate the accounts used to log in to the device through Telnet. Two authentication methods (HWTACACS and local) are configured, but the HWTACACS server has not been deployed yet. The expected behavior is that, when the HWTACACS server does not respond, the device falls back to local authentication. During the test, however, the customer finds that the account is logged out immediately after a successful Telnet login, and the following error message is displayed: "The server has disconnected with an error. Server message reads: A protocol error occurred. The connection is closed by SSH server."
The configuration is checked: both the AAA view and the HWTACACS server template are correct. The customer has configured authentication, authorization, and accounting schemes. The authentication and authorization schemes list both HWTACACS and local, so either can fall back to local processing when the server is unreachable:
authentication-mode hwtacacs local
authorization-mode hwtacacs local
authorization-cmd 0 hwtacacs local
authorization-cmd 1 hwtacacs local
authorization-cmd 3 hwtacacs local
authorization-cmd 15 hwtacacs local
hwtacacs-server template icbc-ucm
hwtacacs-server authentication 87.1.X.X
hwtacacs-server authentication 87.1.X.X secondary
hwtacacs-server authorization 87.1.X.X
hwtacacs-server authorization 87.1.X.X secondary
hwtacacs-server accounting 87.1.X.X
hwtacacs-server accounting 87.1.X.X secondary
hwtacacs-server source-ip 87.224.X.X
hwtacacs-server shared-key cipher %#%#Gr]h&Wa<f6V~0AW,z"E9Oq1@$[izLWw|MB$.eP/"%#%#
undo hwtacacs-server user-name domain-included
The accounting scheme is different: local accounting is not a configurable mode, so the accounting scheme has no fallback and can only reach the HWTACACS server. The suspect is therefore what the device does when start-accounting fails. The product documentation confirms that, when the configured accounting policy fails, the device applies the default policy, accounting start-fail offline. With this policy, a user who has already passed authentication (and authorization) is logged out as soon as the device cannot reach the accounting server. Because the server has not been deployed, every Telnet login is authenticated locally and then disconnected at the accounting step, which matches the symptom.
Run the accounting start-fail online command in the icbc-ucm accounting scheme. With this policy, users stay online even if the accounting server is unreachable. After the change, the test shows that Telnet login falls back to local authentication as expected.
Root cause: when the configured accounting policy fails, the device follows the default policy, accounting start-fail offline. If the accounting server is unreachable, the device disconnects the user even though authentication and authorization have been completed locally, because there is no local accounting to fall back to.
Solution: run the accounting start-fail online command in the accounting scheme.
Suggestion: if accounting is not required, do not configure an accounting scheme at all. Then an unreachable accounting server cannot undo a successful local login.
Suggestion: if accounting is required, change the start-fail policy in the accounting scheme to allow login when accounting fails. This ensures that users can still log in to the device when the accounting server is unreachable.
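The check below is an added example, not part of the original case or of any Huawei tool. It audits a VRP-style AAA section for exactly this failure mode: an accounting scheme bound to a domain that uses a remote accounting mode (hwtacacs or radius) but still relies on the default accounting start-fail offline policy. The two embedded configurations are constructed samples; the scheme names, the domain name (default_admin), the indentation and the accounting-mode hwtacacs line are assumptions, since the page only shows the HWTACACS template name. The same code flags the broken configuration and passes the fixed one.

```python
from typing import Dict, List, Optional

# Constructed sample reproducing the case: authentication/authorization fall back to
# local, the accounting scheme can only reach HWTACACS and keeps the default start-fail
# policy (offline). Scheme names, domain name and indentation are assumptions.
BROKEN_CONFIG = """\
aaa
 authentication-scheme icbc-ucm
  authentication-mode hwtacacs local
 authorization-scheme icbc-ucm
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme icbc-ucm
  accounting-mode hwtacacs
 domain default_admin
  authentication-scheme icbc-ucm
  authorization-scheme icbc-ucm
  accounting-scheme icbc-ucm
  hwtacacs-server icbc-ucm
#
"""

# The corrected configuration: same scheme, plus the explicit start-fail online policy.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "  accounting-mode hwtacacs\n",
    "  accounting-mode hwtacacs\n  accounting start-fail online\n",
)

# Accounting modes that depend on a reachable server (assumption: these are the only
# remote modes we care about; 'none' never causes a start-accounting failure).
REMOTE_ACCOUNTING_MODES = {"hwtacacs", "radius"}


def parse_aaa(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse an 'aaa' section into {view_kind: {name: [commands]}}.

    A line with one leading space opens a view ('accounting-scheme X', 'domain Y');
    lines with two leading spaces are the commands inside it. '#' ends the section.
    """
    views: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            current = None
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:            # e.g. the 'aaa' line itself
            current = None
        elif indent == 1:          # a new scheme or domain view
            kind, _, name = line.partition(" ")
            current = views.setdefault(kind, {}).setdefault(name, [])
        elif indent == 2 and current is not None:
            current.append(line)
    return views


def audit_accounting(config: str) -> List[str]:
    """Return one finding per domain whose accounting scheme would drop users when the
    accounting server is unreachable: remote mode and no 'accounting start-fail online'.

    A scheme that is referenced but not defined is treated as mode 'none' (the VRP
    default), so it produces no finding.
    """
    views = parse_aaa(config)
    schemes = views.get("accounting-scheme", {})
    findings: List[str] = []
    for domain, cmds in views.get("domain", {}).items():
        for cmd in cmds:
            if not cmd.startswith("accounting-scheme "):
                continue
            name = cmd.split(" ", 1)[1]
            scheme_cmds = schemes.get(name, [])
            mode = next(
                (c.split()[1:] for c in scheme_cmds if c.startswith("accounting-mode ")),
                ["none"],
            )
            uses_remote = any(m in REMOTE_ACCOUNTING_MODES for m in mode)
            stays_online = "accounting start-fail online" in scheme_cmds
            if uses_remote and not stays_online:
                findings.append(
                    f"domain {domain}: accounting-scheme {name} uses mode "
                    f"'{' '.join(mode)}' with the default 'accounting start-fail offline'; "
                    f"users are logged out when the accounting server is unreachable"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit_accounting(cfg) or 'no findings'}")
```

Feed the script the output of display current-configuration (the aaa section) from a device whose authentication scheme falls back to local; any finding means the local fallback is effectively disabled by the accounting step. The check deliberately keys on the domain binding rather than on every scheme, because an unbound accounting scheme does not affect any user.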