An Account Is Immediately Logged Out After Login Using Telnet When HWTACACS Is Configured on the S7700

Publication Date: 2019-04-08
Issue Description

A customer wants to use HWTACACS to authenticate the accounts that log in to the device through Telnet. Two authentication modes (HWTACACS and local) are configured, but the HWTACACS server has not been deployed yet. Normally, when the HWTACACS server does not respond, the device falls back to local authentication. During the test, however, the account is logged out immediately after it logs in through Telnet, and the following error message is displayed: "The server has disconnected with an error. Server message reads: A protocol error occurred. The connection is closed by SSH server."

Handling Process

Check the configuration. Both the AAA configuration and the HWTACACS server template are correct. The customer has configured authentication, authorization, and accounting schemes, and both the HWTACACS and local modes are configured in the authentication and authorization schemes:

authentication-scheme icbc-ucm
 authentication-mode hwtacacs local
authorization-scheme icbc-ucm
 authorization-mode hwtacacs local
 authorization-cmd 0 hwtacacs local
 authorization-cmd 1 hwtacacs local
 authorization-cmd 3 hwtacacs local
 authorization-cmd 15 hwtacacs local
accounting-scheme icbc-ucm
 accounting-mode hwtacacs
hwtacacs-server template icbc-ucm
 hwtacacs-server authentication 87.1.X.X
 hwtacacs-server authentication 87.1.X.X secondary
 hwtacacs-server authorization 87.1.X.X
 hwtacacs-server authorization 87.1.X.X secondary
 hwtacacs-server accounting 87.1.X.X
 hwtacacs-server accounting 87.1.X.X secondary
 hwtacacs-server source-ip 87.224.X.X
 hwtacacs-server shared-key cipher %#%#Gr]h&Wa<f6V~0AW,z"E9Oq1@$[izLWw|MB$.eP/"%#%#
 undo hwtacacs-server user-name domain-included

The accounting scheme is the suspect. Unlike authentication and authorization, an accounting scheme has no local mode (the accounting-mode command offers no local option), so accounting cannot fall back when the HWTACACS server is unreachable. The product documentation shows that when the accounting-start request fails, the device applies the default policy, accounting start-fail offline: a user whose accounting-start request gets no response from the accounting server is logged out immediately, even though authentication has already succeeded. That matches the symptom exactly: the login succeeds through local authentication, the accounting-start request to the undeployed HWTACACS server fails, and the session is torn down.

Add the accounting start-fail online command to the icbc-ucm accounting scheme so that users can still go online when the accounting server is unreachable. After the change, the test shows that local authentication works and the Telnet session stays up.

Root Cause

When the accounting-start request fails, the device applies the default accounting start-fail offline policy. Because accounting has no local fallback, an unreachable accounting server causes the device to disconnect users even when authentication and authorization were performed locally.

Solution

Run the accounting start-fail online command in the accounting scheme (accounting-scheme view).

Suggestions

If accounting is not required, do not configure an accounting scheme that points at a remote server. Then an accounting server fault cannot undo a successful local authentication.

If accounting is required, change the accounting-start failure policy in the accounting scheme to accounting start-fail online so that users can still log in when the accounting server is unreachable. Note that this is a fail-open choice: while the server is down, sessions run without accounting records, so the accounting server outage itself should be monitored and alarmed rather than discovered from missing records.
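Because this misconfiguration is easy to miss in a review (the accounting scheme looks harmless next to two schemes that do fall back to local), the following Python script, added here as an example and not code from the page or from Huawei, audits a saved VRP configuration for the trap across all domains. It assumes the VRP indentation convention (one space for sub-views of the aaa view, two for their commands), treats a missing accounting start-fail line as the fail-closed default the article observed, and flags both HWTACACS and RADIUS accounting. The sample configuration, the domain names, and the fixed and none-acct schemes are constructed for the demonstration; fix_commands only prints the article's fix and is not a device API.

```python
# Added audit script for this article (not Huawei code): it reads the aaa
# view of a VRP configuration and flags every domain whose accounting scheme
# points at a remote server without 'accounting start-fail online'.

# Constructed sample: icbc-ucm mirrors the article; the domain names and the
# 'fixed' and 'none-acct' schemes are invented to show cases not to flag.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme icbc-ucm
  authentication-mode hwtacacs local
 accounting-scheme icbc-ucm
  accounting-mode hwtacacs
 accounting-scheme fixed
  accounting-mode hwtacacs
  accounting start-fail online
 accounting-scheme none-acct
  accounting-mode none
 domain mgmt
  authentication-scheme icbc-ucm
  accounting-scheme icbc-ucm
 domain ops
  authentication-scheme icbc-ucm
  accounting-scheme fixed
 domain lab
  authentication-scheme icbc-ucm
  accounting-scheme none-acct
#
"""

REMOTE_ACCOUNTING_MODES = {"hwtacacs", "radius"}


def parse_aaa(config):
    """Return (auth_modes, acct_schemes, domains) parsed from the aaa view.

    VRP indents sub-views of the aaa view by one space and their commands by
    two; that indentation tells a scheme definition from a reference in a domain.
    """
    auth_modes, acct_schemes, domains = {}, {}, {}
    current = None  # (kind, name) of the sub-view being read
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if not words or words[0] == "#" or indent == 0:
            current = None  # end of the aaa view or of a sub-view
            continue
        if indent == 1:  # start of a sub-view
            keyword, name = words[0], (words[1] if len(words) > 1 else None)
            if keyword == "authentication-scheme":
                current = ("auth", name)
                auth_modes.setdefault(name, [])
            elif keyword == "accounting-scheme":
                current = ("acct", name)
                acct_schemes.setdefault(name, {"mode": None, "start_fail": None})
            elif keyword == "domain":
                current = ("domain", name)
                domains.setdefault(name, {})
            else:
                current = None  # authorization-scheme etc. are not needed here
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "auth" and words[0] == "authentication-mode":
            auth_modes[name] = words[1:]
        elif kind == "acct" and words[0] == "accounting-mode":
            acct_schemes[name]["mode"] = words[1]
        elif kind == "acct" and words[:2] == ["accounting", "start-fail"]:
            acct_schemes[name]["start_fail"] = words[2]
        elif kind == "domain" and words[0].endswith("-scheme"):
            domains[name][words[0]] = words[1]
    return auth_modes, acct_schemes, domains


def find_fail_closed_accounting(config):
    """One finding per domain whose users are dropped when accounting-start fails."""
    auth_modes, acct_schemes, domains = parse_aaa(config)
    findings = []
    for domain, refs in sorted(domains.items()):
        acct_name = refs.get("accounting-scheme")
        acct = acct_schemes.get(acct_name)
        if acct is None or acct["mode"] not in REMOTE_ACCOUNTING_MODES:
            continue  # no remote accounting, so accounting-start cannot fail
        if acct["start_fail"] == "online":
            continue  # already fail-open
        auth = auth_modes.get(refs.get("authentication-scheme"), [])
        findings.append({"domain": domain, "accounting_scheme": acct_name,
                         "accounting_mode": acct["mode"],
                         # the article's trap: authentication can fall back to
                         # local but accounting cannot, so the login is dropped
                         "local_auth_fallback": "local" in auth})
    return findings


def fix_commands(scheme_name):
    """VRP commands that apply the article's fix to one accounting scheme."""
    return (f"system-view\naaa\n accounting-scheme {scheme_name}\n"
            "  accounting start-fail online\n")


if __name__ == "__main__":
    for f in find_fail_closed_accounting(SAMPLE_CONFIG):
        print(f"domain {f['domain']}: accounting-scheme {f['accounting_scheme']} "
              f"is fail-closed, local auth fallback={f['local_auth_fallback']}")
        print(fix_commands(f["accounting_scheme"]))
```

To run it against a real device, replace SAMPLE_CONFIG with the saved output of display current-configuration; the domain with local_auth_fallback set to True is the one that reproduces this article's symptom, while a domain with no local fallback simply fails closed for every user when the accounting server is down.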
