Can S series switches be configured to lock HWTACACS accounts that fail authentication a certain number of times


HWTACACS servers can be configured to lock accounts that fail authentication a certain number of times, but S series switches cannot.

Other related questions:
Why does HWTACACS authentication fail when the HWTACACS configuration is correct
The HWTACACS server template configuration of the AR is correct. In AAA mode, the HWTACACS authentication configuration and the configuration of the remote TACACS server are correct. The possible causes for HWTACACS authentication failures are as follows:
- The client's IP address is not configured on the TACACS server, so the TACACS server does not send authentication packets.
- Different shared keys are configured on the AR and the TACACS server.

Do S series switches perform local authentication when authentication accounts do not exist on the HWTACACS server
After the authentication-mode hwtacacs local command is executed on an S series switch to configure the authentication mode, the switch starts local authentication only when the HWTACACS server does not respond. If an authentication account does not exist on the HWTACACS server, the server returns an authentication denial packet to the switch. In this case, the switch does not perform local authentication.

How to configure HWTACACS authentication on a CE series switch
Configure HWTACACS authentication on a CE series switch as follows:
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable //Enable the HWTACACS protocol.
[*HUAWEI] hwtacacs server template ht //Create an HWTACACS server template and enter its view.
[*HUAWEI-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authentication server.
[*HUAWEI-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS accounting server.
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme 1-h //Create an authentication scheme and enter its view.
[*HUAWEI-aaa-authen-1-h] authentication-mode hwtacacs //Set the authentication mode to HWTACACS authentication.
[*HUAWEI-aaa-authen-1-h] commit
[~HUAWEI-aaa-authen-1-h] quit
[~HUAWEI-aaa] authorization-scheme hwtacacs //Create an authorization scheme and enter its view.
[*HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs //Set the authorization mode to HWTACACS authorization.
[*HUAWEI-aaa-author-hwtacacs] commit
[~HUAWEI-aaa-author-hwtacacs] quit
[~HUAWEI-aaa] accounting-scheme hwtacacs //Create an accounting scheme and enter its view.
[*HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs //Set the accounting mode to HWTACACS accounting.
[*HUAWEI-aaa-accounting-hwtacacs] commit
[~HUAWEI-aaa-accounting-hwtacacs] quit
[~HUAWEI-aaa] domain huawei //Create a domain and enter the domain view.
[*HUAWEI-aaa-domain-huawei] authentication-scheme 1-h //Configure an authentication scheme for the domain (the scheme name must match the one created above, 1-h).
[*HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs //Configure an authorization scheme for the domain.
[*HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs //Configure an accounting scheme for the domain.
[*HUAWEI-aaa-domain-huawei] hwtacacs server ht //Configure an HWTACACS server template for the domain.
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit
[~HUAWEI] quit

Why does HWTACACS authentication of S series switches fail when authorization is not required
When configuring the HWTACACS server template on an S series switch (except the S1700 switch), specify an authorization server even if authorization is not required. If not, the HWTACACS authentication will fail.
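The pitfalls described in this and the previous answers (a domain referencing a scheme name that was never created, and a server template with no authorization server) are easy to catch before committing. The following Python lint is an added example, not Huawei code; it parses a constructed configuration in the style of the CE-series procedure above and reports those two conditions plus a missing hwtacacs enable.

```python
import re

# Constructed sample in the style of the CE-series procedure, with two of the
# page's pitfalls planted: the domain references scheme "l-h" (letter l) while
# the scheme created is "1-h" (digit 1), and the template has no
# authorization server.
SAMPLE_CONFIG = """\
hwtacacs enable
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66 49
 hwtacacs server accounting 10.7.66.66 49
aaa
 authentication-scheme 1-h
  authentication-mode hwtacacs
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs server ht
"""

def lint_hwtacacs(config):
    """Return a list of findings for the HWTACACS pitfalls described on this page."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "hwtacacs enable" not in lines:
        findings.append("hwtacacs enable is missing")
    templates = {}  # template name -> set of server roles configured in it
    schemes = {"authentication": set(), "authorization": set(), "accounting": set()}
    template = domain = None
    for ln in lines:
        if m := re.match(r"hwtacacs server template (\S+)$", ln):
            template = m.group(1)
            templates[template] = set()
        elif template and (m := re.match(r"hwtacacs server (authentication|authorization|accounting) ", ln)):
            templates[template].add(m.group(1))
        elif m := re.match(r"domain (\S+)$", ln):
            domain = m.group(1)
        elif m := re.match(r"(authentication|authorization|accounting)-scheme (\S+)$", ln):
            kind, name = m.groups()
            if domain is None:                # scheme definition in the aaa view
                schemes[kind].add(name)
            elif name not in schemes[kind]:   # reference from a domain view
                findings.append(f"domain {domain} references undefined {kind}-scheme '{name}'")
        elif domain and (m := re.match(r"hwtacacs server (\S+)$", ln)):
            if m.group(1) not in templates:
                findings.append(f"domain {domain} references undefined template '{m.group(1)}'")
    for name, roles in templates.items():
        if "authorization" not in roles:
            findings.append(f"template {name} has no authorization server; HWTACACS authentication will fail")
    return findings
```

Run it against a display current-configuration dump before commit; an empty list means none of the three conditions was found.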

Why does HWTACACS authentication fail when the HWTACACS server template and HWTACACS server are properly configured
This failure has the following possible causes:
- The IP address of the router (a client) is not configured on the HWTACACS server, so the HWTACACS server cannot send an authentication response packet to the router.
- Different shared keys are configured on the router and the HWTACACS server.
