When authorization is not required, why the HWTACACS authentication of S series switches fails

23

When configuring the HWTACACS server template on an S series switch (except the S1700 switch), specify an authorization server even if authorization is not required. If not, the HWTACACS authentication will fail.

Other related questions:
Why does HWTACACS authentication fail when non-authorization is configured on the switch
When an HWTACACS server template is configured, the authorization server must be specified for the switch even if non-authorization is configured. Otherwise, HWTACACS authentication fails.

Why does HWTACACS authentication fail when the HWTACACS configuration is correct
The HWTACACS server template configuration of the AR is correct. In AAA mode, the HWTACACS authentication configuration and configuration of the remote TACACS server are correct. The possible causes for HWTACACS authentication failures are as follows: - The client's IP address is not configured on the TACACS server, so the TACACS server does not send authentication packets. - Different shared keys are configured on the AR and TACACS server.

Why does HWTACACS authentication fail when the HWTACACS server template and HWTACACS server are properly configured
This failure has the following possible causes: -The IP address of the router (a client) is not configured on the HWTACACS server, so the HWTACACS server cannot send an authentication response packet to the router . -Different shared keys are configured on the router and the HWTACACS server.

The authorization-cmd 4 hwtacacs local command is configured on an S series switch. How does the switch process each command when the HWTACACS server fails
In V100R006 and later versions, S series switches (except S1700 switches) check each command when the HWTACACS server fails. If the HWTACACS server does not respond, local authorization is used.

Can S series switches be configured to lock the HWTACACS accounts that fail the authentication for certain times
HWTACACS servers can be configured to lock the accounts that fail authentication for certain times, but S series switches cannot.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top