Why does HWTACACS authentication fail when the HWTACACS configuration is correct?


The HWTACACS server template on the AR is configured correctly, and in AAA mode both the HWTACACS authentication configuration and the configuration of the remote TACACS server are correct. Even so, HWTACACS authentication can fail for the following reasons:
- The client's IP address is not configured on the TACACS server, so the TACACS server does not send authentication packets.
- Different shared keys are configured on the AR and TACACS server.

Other related questions:
Why does HWTACACS authentication fail when the HWTACACS server template and HWTACACS server are properly configured?
This failure has the following possible causes:
- The IP address of the router (a client) is not configured on the HWTACACS server, so the HWTACACS server cannot send an authentication response packet to the router.
- Different shared keys are configured on the router and the HWTACACS server.

Why does HWTACACS authentication fail when non-authorization is configured on the switch?
When an HWTACACS server template is configured, the authorization server must be specified for the switch even if non-authorization is configured. Otherwise, HWTACACS authentication fails.

Why does HWTACACS authentication fail on S series switches when authorization is not required?
When configuring the HWTACACS server template on an S series switch (except the S1700 switch), specify an authorization server even if authorization is not required. Otherwise, HWTACACS authentication will fail.

How to configure HWTACACS authentication on a CE series switch
Configure HWTACACS authentication on a CE series switch as follows:
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable //Enable the HWTACACS protocol.
[*HUAWEI] hwtacacs server template ht //Create an HWTACACS server template and enter its view.
[*HUAWEI-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authentication server.
[*HUAWEI-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS accounting server.
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme 1-h //Create an authentication scheme and enter its view.
[*HUAWEI-aaa-authen-1-h] authentication-mode hwtacacs //Set the authentication mode to HWTACACS authentication.
[*HUAWEI-aaa-authen-1-h] commit
[~HUAWEI-aaa-authen-1-h] quit
[~HUAWEI-aaa] authorization-scheme hwtacacs //Create an authorization scheme and enter its view.
[*HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs //Set the authorization mode to HWTACACS authorization.
[*HUAWEI-aaa-author-hwtacacs] commit
[~HUAWEI-aaa-author-hwtacacs] quit
[~HUAWEI-aaa] accounting-scheme hwtacacs //Create an accounting scheme and enter its view.
[*HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs //Set the accounting mode to HWTACACS accounting.
[*HUAWEI-aaa-accounting-hwtacacs] commit
[~HUAWEI-aaa-accounting-hwtacacs] quit
[~HUAWEI-aaa] domain huawei //Create a domain and enter the domain view.
[*HUAWEI-aaa-domain-huawei] authentication-scheme 1-h //Configure an authentication scheme for the domain (the name must match the scheme created above).
[*HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs //Configure an authorization scheme for the domain.
[*HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs //Configure an accounting scheme for the domain.
[*HUAWEI-aaa-domain-huawei] hwtacacs server ht //Configure an HWTACACS server template for the domain.
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit
[~HUAWEI] quit
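
An added example (not Huawei's code and not part of the original page): a small Python check that applies two of the failure causes discussed above to a saved CLI transcript, namely a server template with no authorization server and a domain that references a scheme or template name that was never defined. The function name `lint_hwtacacs` and the sample transcript are constructed for illustration.

```python
import re

# Constructed sample (not from a real device): the template lacks an
# authorization server and the domain references "l-h" while "1-h" is defined.
SAMPLE = """\
[~HUAWEI] hwtacacs server template ht
[*HUAWEI-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49 //primary
[*HUAWEI-hwtacacs-ht] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme 1-h
[*HUAWEI-aaa-authen-1-h] authentication-mode hwtacacs
[*HUAWEI-aaa-authen-1-h] quit
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] authentication-scheme l-h
[*HUAWEI-aaa-domain-huawei] hwtacacs server ht
"""
ROLES = "authentication|authorization|accounting"

def lint_hwtacacs(transcript):
    """Return findings for a CLI transcript or a bare list of commands."""
    templates, schemes, domains = {}, set(), {}
    tmpl = dom = None                      # view we are currently inside
    for raw in transcript.splitlines():
        # Strip "[~HUAWEI-aaa]" / "<HUAWEI>" prompts and trailing "//" comments.
        line = re.sub(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*", "", raw).split("//")[0].strip()
        if m := re.fullmatch(r"hwtacacs server template (\S+)", line):
            tmpl, dom = m[1], None
            templates.setdefault(tmpl, set())
        elif tmpl and (m := re.fullmatch(rf"hwtacacs server ({ROLES}) \S+.*", line)):
            templates[tmpl].add(m[1])               # server role set in the template
        elif m := re.fullmatch(r"domain (\S+)", line):
            dom, tmpl = m[1], None
            domains.setdefault(dom, [])
        elif m := re.fullmatch(rf"({ROLES})-scheme (\S+)", line):
            if dom:
                domains[dom].append((m[1], m[2]))   # reference inside a domain
            else:
                schemes.add((m[1], m[2]))           # definition in the AAA view
        elif dom and (m := re.fullmatch(r"hwtacacs server (\S+)", line)):
            domains[dom].append(("template", m[1]))
        elif line in ("aaa", "quit"):
            tmpl = dom = None                       # left the template/domain view
    findings = [f"template {t}: no {role} server" for t, roles in templates.items()
                for role in ("authentication", "authorization") if role not in roles]
    for d, refs in domains.items():
        for kind, ref in refs:
            if not (ref in templates if kind == "template" else (kind, ref) in schemes):
                findings.append(f"domain {d}: undefined {kind} {ref}")
    return findings
```

Calling `lint_hwtacacs(SAMPLE)` reports both problems in the constructed transcript; a transcript with all names matching and an authorization server in the template returns an empty list.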

Why does authentication fail when the RADIUS server template is correct and the AAA authentication mode is RADIUS?
The possible causes are as follows:
1. The client's IP address is not configured on the server or is configured incorrectly, so the RADIUS server does not respond to authentication packets.
2. The shared keys on the AR and RADIUS server are different.
3. The user configuration of the RADIUS server is incorrect.
