Do S series switches perform local authentication when authentication accounts do not exist on the HWTACACS server?

After the authentication-mode hwtacacs local command is executed on an S series switch to configure the authentication mode, the switch falls back to local authentication when the HWTACACS server does not respond.
If an authentication account does not exist on an HWTACACS server, the server returns an authentication denial packet to the switch. In this case, the switch does not perform local authentication.

Other related questions:
If both RADIUS authentication and local authentication are configured, in which situation do S series switches perform local authentication?
If multiple authentication modes are configured, an S series switch tries them in the order in which they were configured. It uses the authentication mode that was configured later only when it does not receive any response in the current authentication mode. If the user fails an authentication, the switch does not use another authentication mode. For example, if both RADIUS authentication and local authentication are configured on a switch and RADIUS authentication is configured first, the switch performs local authentication only when the connection with the RADIUS server times out. This rule also applies to switches configured with both HWTACACS authentication and local authentication.

Both RADIUS authentication and local authentication are configured. Is local authentication performed when RADIUS authentication fails?
The AR first performs RADIUS authentication. If RADIUS authentication fails, the AR does not perform local authentication. The AR performs local authentication only when the RADIUS server has no response.

Can S series switches perform RADIUS authentication and local authentication in master/backup mode?
If RADIUS authentication is configured, you can also configure local authentication as the backup to prevent authentication failures caused by RADIUS server faults or network congestion. The configuration on an S series switch (except the S1700 switch) is as follows:
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme0
[HUAWEI-aaa-authen-scheme0] authentication-mode radius local

Can S series switches be configured to lock HWTACACS accounts that fail authentication a certain number of times?
HWTACACS servers can be configured to lock accounts that fail authentication a certain number of times, but S series switches cannot.

Local and remote RADIUS or HWTACACS authentication is configured on an S series switch. When the remote authentication server does not respond, local users cannot log in and the message "aaa user cut" is displayed. Why?
Users fail to log in because accounting fails. The S series switch is configured with authentication and accounting, but does not support accounting. To solve the problem, run the following commands to configure the switch to keep users online after accounting fails:
[HUAWEI] aaa
[HUAWEI-aaa] accounting-scheme scheme1
[HUAWEI-aaa-accounting-scheme1] accounting start-fail online
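
The fallback and accounting rules described in the answers above can be modelled in a few lines. This is an added example, not Huawei code: the SAMPLE configuration is constructed, the accounting-mode hwtacacs line is a VRP command that does not appear on this page, and the Reply, parse_modes and login names are hypothetical.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered with a denial packet
    NO_RESPONSE = "no_response"  # server unreachable or timed out

# Constructed sample configuration (not taken from a real device).
SAMPLE = """
aaa
 authentication-scheme scheme0
  authentication-mode hwtacacs local
 accounting-scheme scheme1
  accounting-mode hwtacacs
"""

def parse_modes(config):
    """Return the methods of the first 'authentication-mode' line, in order."""
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["authentication-mode"]:
            return words[1:]
    return []

def start_fail_online(config):
    """True if 'accounting start-fail online' is present in the configuration."""
    return any(l.split() == ["accounting", "start-fail", "online"]
               for l in config.splitlines())

def login(config, replies, accounting_ok=True):
    """Model one login attempt.

    replies maps a method name to a Reply; a method missing from the map
    is treated as not responding. accounting_ok is an assumed input that
    says whether the accounting-start request succeeded.
    Returns (result, method that decided the outcome).
    """
    for method in parse_modes(config):
        reply = replies.get(method, Reply.NO_RESPONSE)
        if reply is Reply.NO_RESPONSE:
            continue                   # only silence moves to the next mode
        if reply is Reply.REJECT:
            return ("denied", method)  # explicit denial ends the attempt
        if not accounting_ok and not start_fail_online(config):
            return ("cut", method)     # the "aaa user cut" case
        return ("online", method)
    return ("denied", None)            # no configured method answered
```

Calling login(SAMPLE, {"hwtacacs": Reply.REJECT, "local": Reply.ACCEPT}) shows that a valid local account does not help once the HWTACACS server has answered with a denial.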
