S5700LI (V200R007C00SPC500) cannot authenticate on Cisco TACACS server due to wrong configuration

Created: Apr 26, 2017 08:27:45 | Latest reply: Apr 26, 2017 09:54:47
S5700LI cannot authenticate on Cisco TACACS server.

Version: V2R7C00SPC500

Access Switch S5700 ------------- Aggregation Switch Cisco S3750 --------------- Cisco TACACS server

ms.america  Visitor   Created Apr 26, 2017 09:54:47

<Access-switch-01>
Apr 12 2016 16:14:11.640.6+02:00 Access-switch-01 AAA/7/DEBUG:
    User:huawei Password:*** MAC:ffff-ffff-ffff
    Slot:9 SubSlot:255 Port:255 VLAN:0
    IP:10.41.9.52 AccessType:telnet AuthenType:PAP
    AdminLevel:0 EapSize:0 AuthenCode:ADMIN
    ulInterface:4294967295 ChallengeLen:255 ChapID:255
    LineType:3 LineIndex:0 PortType:5
    AcctSessionId:Access-092552550000000002d3524000002
<Access-switch-01>
Apr 12 2016 16:14:11.640.7+02:00 Access-switch-01 AAA/7/DEBUG:
AAA_MAIN initiate NormalAuthenReq event to AAA_AUTHEN module.
    CID:65 Result:0 Info:186192444
<Access-switch-01>
Apr 12 2016 16:14:11.640.8+02:00 Access-switch-01 AAA/7/DEBUG:User authentication domain name is default
<Access-switch-01>
Apr 12 2016 16:14:11.640.9+02:00 Access-switch-01 AAA/7/DEBUG:The authentication place can not have none-method when user type is admin.
<Access-switch-01>
Apr 12 2016 16:14:11.640.10+02:00 Access-switch-01 AAA/7/DEBUG:AAA get user group author info. (RadiusAuthenFlag=0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.11+02:00 Access-switch-01 AAA/7/DEBUG:AAA get service scheme author info. (RadiusAuthenFlag=0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.12+02:00 Access-switch-01 AAA/7/DEBUG:Author of DaaTariffLevel.(DaaEnableFlag=0, UpStat=0, DownStat=0, Acct=0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.13+02:00 Access-switch-01 AAA/7/DEBUG:
AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.
<Access-switch-01>
Apr 12 2016 16:14:11.640.14+02:00 Access-switch-01 AAA/7/DEBUG:
    Result:1 DomainIndex:0 ServiceScheme:65535
    AuthedPalace:0 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
    RTAcctInterval:4294967295 Priority:[255,255]
    AdminLevel:0 NextHop:4294967295
    EapSize:0 ReplyMessage:Authentication fail
    TunnelType:0 MediumType:0 PrivateGroupID:
<Access-switch-01>
Apr 12 2016 16:14:11.640.15+02:00 Access-switch-01 AAA/7/DEBUG:AAA Free Authen Session(cmOperIndex:2, CID:65, SrcNode:9, slot:9).
<Access-switch-01>
Apr 12 2016 16:14:11.640.16+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG]CM Msg To Event, Event = CM_EVENT_AUTH_FAIL
<Access-switch-01>
Apr 12 2016 16:14:11.640.17+02:00 Access-switch-01 CM/7/DEBUG:send authen ack to admin(0, 0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.18+02:00 Access-switch-01 CM/7/DEBUG:send authen ack to admin(ucResetPassword:0)
<Access-switch-01>
Apr 12 2016 16:14:11.640.19+02:00 Access-switch-01 CM/7/DEBUG:get auth method.(0, 4)
<Access-switch-01>
Apr 12 2016 16:14:11.640.20+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG]MSG Send To:ADMIN Code:SRV_MSG_AUTH_ACK Src:2 Dst:28 Slot:9.
<Access-switch-01>
Apr 12 2016 16:14:11.640.21+02:00 Access-switch-01 CM/7/DEBUG:
[CM State], State From AUTH BUTT To DELETING BUTT. (Cib=2, Event=CONN_DOWN)
<Access-switch-01>
Apr 12 2016 16:14:11.640.22+02:00 Access-switch-01 CM/7/DEBUG:
[CM DBG][CM Clean ReAuthorize Info] Finished
<Access-switch-01>
Handling Process
1. The S5700 can ping the TACACS server; connectivity between the S5700 and the TACACS server is OK.

2. The Cisco access switch can authenticate on the TACACS server, but the Huawei access switch cannot. The problem is on the Huawei switch.

3. After checking the debug information, we found that the TACACS server did not receive the authentication packet from the Huawei switch.

4. Checking the TACACS configuration on the S5700, the authentication sequence is tacacs, local, none.

5. After deleting the none authentication configuration, the S5700 can authenticate on the TACACS server.
Root Cause
In the AAA authentication, the TACACS and none authentication modes cannot be configured at the same time.
Solution
Remove the none authentication mode; the issue has been resolved.

Change the command "authentication-mode hwtacacs local none" to "authentication-mode hwtacacs local".


The sample TACACS configuration is as below:

aaa
 authentication-scheme default
 authentication-scheme HW
  authentication-mode hwtacacs local none
 authorization-scheme default
 authorization-scheme HW
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme HW
  accounting-mode hwtacacs
 domain default
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
 domain default_admin
  authentication-scheme HW
  accounting-scheme HW
  authorization-scheme HW
  hwtacacs-server hw
 domain ethek-acs

Suggestions
If the authentication modes are not compatible, it should not be allowed to configure such a mistaken command. Then this kind of issue can be avoided.
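As an added example (not from the post and not Huawei's code), a small Python audit that parses a VRP-style aaa block and reports every domain bound to an authentication scheme that lists hwtacacs (or radius) together with none, the combination the debug log above rejects for admin users before any TACACS request leaves the switch. The sample config is constructed after the one in the post, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the post's config: scheme HW carries the bad mode
SAMPLE_CONFIG = """\
aaa
 authentication-scheme default
 authentication-scheme HW
  authentication-mode hwtacacs local none
 authorization-scheme HW
  authorization-mode hwtacacs
 domain default
  authentication-scheme HW
  hwtacacs-server hw
 domain default_admin
  authentication-scheme HW
  hwtacacs-server hw
 domain ethek-acs
"""
REMOTE_METHODS = {"hwtacacs", "radius"}

def parse_aaa(config):
    """Return (scheme name -> method list, domain name -> scheme it references)."""
    schemes, domains = {}, {}
    kind = name = None  # which block (scheme/domain) we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"authentication-scheme (\S+)$", line):
            if kind == "domain":
                domains[name] = m.group(1)  # domain binds an existing scheme
            else:
                kind, name = "scheme", m.group(1)
                schemes.setdefault(name, [])
        elif m := re.match(r"domain (\S+)$", line):
            kind, name = "domain", m.group(1)
            domains.setdefault(name, None)
        elif (m := re.match(r"authentication-mode (.+)$", line)) and kind == "scheme":
            schemes[name] = m.group(1).split()
        elif re.match(r"(authorization|accounting)-scheme \S+$", line) and kind != "domain":
            kind = None  # a new top-level block ends the scheme
    return schemes, domains

def find_dead_remote_auth(schemes, domains):
    """Domains whose scheme lists a remote method together with 'none'; per the
    debug log, admin logins are then rejected before any TACACS request is sent."""
    bad = {s for s, m in schemes.items() if "none" in m and REMOTE_METHODS & set(m)}
    return sorted((d, s) for d, s in domains.items() if s in bad)

def fix_mode_line(line):
    """Drop 'none' from an authentication-mode line, as the post's fix does."""
    return "authentication-mode " + " ".join(m for m in line.split()[1:] if m != "none")
```

Running find_dead_remote_auth(*parse_aaa(SAMPLE_CONFIG)) reports domains default and default_admin, both bound to scheme HW.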
