No Permissions Exist After Telnet Login to an NE20E-8 V200R005 Configured with TACACS Authentication

Publication Date:  2019-07-12  |   Views:  176  |   Downloads:  0  |   Document ID:  EKB1100014929

Issue Description

No permissions exist after Telnet login to an NE20E-8 V200R005 configured with TACACS authentication: the user is authenticated but cannot enter the system view. This problem does not occur on NE40Es.


<NE20E>telnet 127.0.0.1
Trying 127.0.0.1 ...
Press CTRL+T to abort
Connected to 127.0.0.1 ...
***********************************************************
*           All rights reserved (2000-2011)               *
*       Without the owner's prior written consent,        *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
*      This is a private communication system.            *
*   Unauthorized access or use may lead to prosecution.   *
***********************************************************


Login authentication


Username:jiyutong
Password:
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 3.
<NE20E>sys
                       ^
Error:Unrecognized command found at '^' position.

Handling Process

Check the key configuration:

hwtacacs-server template remote-aaa
 hwtacacs-server authentication 172.xx.0.4
 hwtacacs-server authorization 172.xx.0.4
 hwtacacs-server accounting 172.xx.0.4
 hwtacacs-server source-ip xx.xx.188.243
 hwtacacs-server shared-key cipher xxx
 undo hwtacacs-server user-name domain-included
#
aaa
 authentication-scheme default
  authentication-mode  none
 authentication-scheme remote-aaa
  authentication-mode  local  hwtacacs
  authentication-super  hwtacacs  super
 #
 authorization-scheme default
  authorization-mode  none
 authorization-scheme remote-aaa
  authorization-mode  local  hwtacacs
  authorization-cmd 15 hwtacacs local
 #
 accounting-scheme default
 accounting-scheme remote-aaa
  accounting-mode hwtacacs 
  accounting start-fail online           
 #
 domain default
 domain default_admin
  authentication-scheme  remote-aaa
  authorization-scheme remote-aaa
  hwtacacs-server remote-aaa
 #
 recording-scheme remote-aaa
  recording-mode hwtacacs remote-aaa
 #
 cmd recording-scheme remote-aaa

This configuration works on NE40Es. With the same template, users can log in to an NE20E-8, but they have no permission to enter the system view.

It is confirmed that the default domain is named default on V200R005, whereas it is named default_admin on V8 versions and later V5 versions.

The default domain in V200R005 contains no configuration, so it uses the authentication, authorization, and accounting schemes named default, and all of those schemes are set to none. Users who log in through this domain are therefore assigned a low level.
Run the display user-interface command to check the actual level of a login user.
The none configurations are as follows:
 authentication-scheme default
  authentication-mode  none    ---Authentication is not performed.
 authorization-scheme default
  authorization-mode  none     ---Authorization is not performed.
 accounting-scheme default      ---Accounting is not performed.
Configure the remote AAA mechanism for authentication, authorization, and accounting in the default domain, so that users who land in this domain are authenticated and authorized by the TACACS server instead of falling through to the none schemes.
For example:
In the AAA view:
 domain default
  authentication-scheme  remote-aaa
  authorization-scheme remote-aaa
  hwtacacs-server remote-aaa
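The following Python script is an added example, not part of the Huawei article or product: it parses the aaa view text shown above, resolves which scheme each domain actually uses (a domain with no explicit binding falls back to the scheme named default, as on the NE20E-8 here) and flags every domain whose effective authentication or authorization mode is none. The embedded configuration is a constructed, trimmed copy of the one above; the indentation-based parsing and the treatment of a scheme without a mode line as none are assumptions.

```python
import re
# Constructed, trimmed copy of the NE20E-8 AAA view shown in the article.
AAA_CONFIG = """aaa
 authentication-scheme default
  authentication-mode  none
 authentication-scheme remote-aaa
  authentication-mode  local  hwtacacs
 #
 authorization-scheme default
  authorization-mode  none
 authorization-scheme remote-aaa
  authorization-mode  local  hwtacacs
 domain default
 domain default_admin
  authentication-scheme  remote-aaa
  authorization-scheme remote-aaa
  hwtacacs-server remote-aaa"""
KINDS = ("authentication", "authorization")

def parse_aaa(text):
    # Indentation carries the nesting: 1 space = scheme/domain definition, 2 = its
    # body (assumption). A scheme without a mode line is recorded as "none".
    schemes, domains, block = {k: {} for k in KINDS}, {}, None
    for raw in filter(str.strip, text.splitlines()):
        tok, depth = raw.split(), len(raw) - len(raw.lstrip())
        m = re.match(r"(\w+)-(scheme|mode)$", tok[0])
        kind = m.group(1) if m else None
        if depth == 1 and tok[0] == "domain":
            domains[tok[1]], block = {}, ("domain", tok[1])
        elif kind not in KINDS:          # aaa, #, hwtacacs-server, recording-* ...
            continue
        elif depth == 1 and m.group(2) == "scheme":
            schemes[kind][tok[1]], block = "none", ("scheme", kind, tok[1])
        elif block and block[0] == "domain" and m.group(2) == "scheme":
            domains[block[1]][kind] = tok[1]          # scheme bound in a domain
        elif block and block[0] == "scheme" and m.group(2) == "mode":
            schemes[block[1]][block[2]] = " ".join(tok[1:])
    return schemes, domains

def audit_domains(text):
    # Unbound kinds fall back to the scheme named "default"; an unknown scheme also
    # counts as "none". Flag domains whose effective auth/authz mode is "none".
    schemes, domains = parse_aaa(text)
    findings = {}
    for dom, bound in domains.items():
        for kind in KINDS:
            scheme = bound.get(kind, "default")
            if schemes[kind].get(scheme, "none") == "none":
                findings.setdefault(dom, []).append(f"{kind}-scheme {scheme}: mode none")
    return findings
```

Running audit_domains on the same text after binding remote-aaa under domain default, as the fix above does, returns no findings.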

Root Cause

In V200R005, the default domain is named default. In V8 and later V5 versions, the default domain is named default_admin. In this configuration the remote-aaa schemes are bound only to default_admin, so on the NE20E-8 Telnet users fall into the domain named default, whose schemes are all none, and log in with a low level.

Solution

Configure the remote AAA mechanism for authentication, authorization, and accounting in the default domain.
For example:
In the AAA view:
 domain default
  authentication-scheme  remote-aaa
  authorization-scheme remote-aaa
  hwtacacs-server remote-aaa

After this change, the test succeeds and the user can enter the system view.