How to configure HWTACACS authentication on a CE series switch

Configure HWTACACS authentication on a CE series switch as follows:

<HUAWEI> system-view
[~HUAWEI] hwtacacs enable //Enable the HWTACACS protocol.
[*HUAWEI] hwtacacs server template ht //Create an HWTACACS server template and enter its view.
[*HUAWEI-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49 //Configure the IP address and port number of the primary HWTACACS authentication server.
[*HUAWEI-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49 //Configure the IP address and port number of the primary HWTACACS authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49 //Configure the IP address and port number of the primary HWTACACS accounting server.
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme 1-h //Create an authentication scheme and enter its view.
[*HUAWEI-aaa-authen-1-h] authentication-mode hwtacacs //Set the authentication mode to HWTACACS authentication.
[*HUAWEI-aaa-authen-1-h] commit
[~HUAWEI-aaa-authen-1-h] quit
[~HUAWEI-aaa] authorization-scheme hwtacacs //Create an authorization scheme and enter its view.
[*HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs //Set the authorization mode to HWTACACS authorization.
[*HUAWEI-aaa-author-hwtacacs] commit
[~HUAWEI-aaa-author-hwtacacs] quit
[~HUAWEI-aaa] accounting-scheme hwtacacs //Create an accounting scheme and enter its view.
[*HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs //Set the accounting mode to HWTACACS accounting.
[*HUAWEI-aaa-accounting-hwtacacs] commit
[~HUAWEI-aaa-accounting-hwtacacs] quit
[~HUAWEI-aaa] domain huawei //Create a domain and enter the domain view.
[*HUAWEI-aaa-domain-huawei] authentication-scheme 1-h //Bind the authentication scheme created above (1-h) to the domain.
[*HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs //Bind the authorization scheme to the domain.
[*HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs //Bind the accounting scheme to the domain.
[*HUAWEI-aaa-domain-huawei] hwtacacs server ht //Bind the HWTACACS server template to the domain.
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit
[~HUAWEI] quit

In the prompts, [*] marks configuration that has not yet been committed and [~] marks committed configuration. The scheme name bound in the domain must match the scheme created earlier exactly (1-h, with the digit one); otherwise the binding does not take effect and users in the domain are not authenticated against the server. The template must also carry the same shared key that the HWTACACS server has configured for this switch; a key mismatch is one of the failure causes listed under the related questions below.
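The walkthrough above is easy to get subtly wrong: the domain binds a scheme by name, and a name that does not match (the original text of this page had l-h, lowercase L, where the scheme was created as 1-h) breaks authentication without any error at login time. As an added example that is not Huawei's code, here is a Python checker that parses a `display current-configuration` excerpt and reports dangling scheme or template references, missing server entries, and a template without a shared key. The configuration excerpt is constructed for this example (it reproduces the 1-h/l-h mismatch and omits the key); the shared-key check assumes the template command is `hwtacacs server shared-key cipher`, which this page does not show.

```python
"""Consistency check for the HWTACACS/AAA stanzas of a CE switch configuration."""

SECTION_KINDS = ("authentication", "authorization", "accounting")

# Constructed excerpt in the style of `display current-configuration`; it is
# sample input written for this example, not output captured from a device.
# It reproduces the typo from the walkthrough: the scheme is created as "1-h"
# but the domain references "l-h" (lowercase L), and no shared key is set.
SAMPLE_CONFIG = """\
hwtacacs enable
#
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66 49
 hwtacacs server authorization 10.7.66.66 49
 hwtacacs server accounting 10.7.66.66 49
#
aaa
 authentication-scheme 1-h
  authentication-mode hwtacacs
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs server ht
#
"""


def parse_config(text):
    """Collect HWTACACS templates, AAA schemes and domains.

    Leading spaces give the nesting level: 0 for the top level, 1 for entries
    under a template or under `aaa`, 2 for entries under a scheme or domain.
    """
    cfg = {"enabled": False, "templates": {}, "schemes": {}, "domains": {}}
    ctx = None  # ("template", name) | ("aaa",) | ("scheme", kind, name) | ("domain", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = line.split()
        if indent == 0:
            if line == "hwtacacs enable":
                cfg["enabled"] = True
                ctx = None
            elif words[:3] == ["hwtacacs", "server", "template"]:
                ctx = ("template", words[3])
                cfg["templates"][words[3]] = {"servers": [], "shared_key": False}
            elif line == "aaa":
                ctx = ("aaa",)
            else:
                ctx = None
        elif ctx is None:
            continue
        elif ctx[0] == "template":
            tmpl = cfg["templates"][ctx[1]]
            if len(words) >= 4 and words[:2] == ["hwtacacs", "server"] and words[2] in SECTION_KINDS:
                port = int(words[4]) if len(words) > 4 else 49  # 49 is the TACACS default port
                tmpl["servers"].append((words[2], words[3], port))
            elif words[:3] == ["hwtacacs", "server", "shared-key"]:
                tmpl["shared_key"] = True
        elif indent == 1:  # directly under `aaa`: a scheme or domain starts here
            kind = words[0].split("-")[0]
            if words[0].endswith("-scheme") and kind in SECTION_KINDS:
                ctx = ("scheme", kind, words[1])
                cfg["schemes"][(kind, words[1])] = {"mode": None}
            elif words[0] == "domain":
                ctx = ("domain", words[1])
                cfg["domains"][words[1]] = {"schemes": {}, "template": None}
            else:
                ctx = ("aaa",)
        elif ctx[0] == "scheme":
            if words[0].endswith("-mode"):
                cfg["schemes"][(ctx[1], ctx[2])]["mode"] = words[1]
        elif ctx[0] == "domain":
            dom = cfg["domains"][ctx[1]]
            if words[0].endswith("-scheme"):
                dom["schemes"][words[0].split("-")[0]] = words[1]
            elif words[:2] == ["hwtacacs", "server"]:
                dom["template"] = words[2]
    return cfg


def check_domain(cfg, domain):
    """Return the problems that would break HWTACACS AAA for `domain` (empty list if none)."""
    problems = []
    if not cfg["enabled"]:
        problems.append("hwtacacs enable is missing")
    dom = cfg["domains"].get(domain)
    if dom is None:
        problems.append("domain %s is not defined" % domain)
        return problems
    for kind in SECTION_KINDS:
        name = dom["schemes"].get(kind)
        scheme = cfg["schemes"].get((kind, name))
        if name is None:
            problems.append("domain %s binds no %s-scheme" % (domain, kind))
        elif scheme is None:
            problems.append("domain %s references %s-scheme '%s', which is not defined" % (domain, kind, name))
        elif scheme["mode"] != "hwtacacs":
            problems.append("%s-scheme %s uses mode %s, not hwtacacs" % (kind, name, scheme["mode"]))
    tmpl = cfg["templates"].get(dom["template"])
    if dom["template"] is None:
        problems.append("domain %s binds no hwtacacs server template" % domain)
    elif tmpl is None:
        problems.append("domain %s references template '%s', which is not defined" % (domain, dom["template"]))
    else:
        for kind in SECTION_KINDS:
            if not any(server[0] == kind for server in tmpl["servers"]):
                problems.append("template %s has no %s server" % (dom["template"], kind))
        if not tmpl["shared_key"]:
            problems.append("template %s has no shared key configured" % dom["template"])
    return problems


if __name__ == "__main__":
    for problem in check_domain(parse_config(SAMPLE_CONFIG), "huawei"):
        print("PROBLEM:", problem)
```

Run it against the real output of `display current-configuration` saved to a file; a clean result for the domain users log in with, together with a matching key on the server side, rules out the device side of the failure causes discussed below.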

Other related questions:
Why does HWTACACS authentication fail when the HWTACACS configuration is correct
Even when the HWTACACS server template on the AR, the AAA authentication configuration and the remote TACACS server are all configured correctly, HWTACACS authentication can still fail for the following reasons:
- The AR's IP address is not configured as a client on the TACACS server, so the server does not respond to its authentication packets.
- The shared key configured on the AR differs from the one configured on the TACACS server.

Can S series switches be configured to lock the HWTACACS accounts that fail the authentication for certain times
HWTACACS servers can be configured to lock an account after a certain number of failed authentication attempts, but S series switches cannot enforce such a lockout for HWTACACS accounts themselves.

What are the differences of the HWTACACS authentication configuration between CE switches and other Huawei data communication devices
If an HWTACACS server does not accept user names that carry a domain name, configure the device not to include the domain name in the user name it sends to the HWTACACS server. On CE series switches the command is hwtacacs server user-name domain-excluded; on firewalls, S series switches and routers it is undo hwtacacs-server user-name domain-included. Because the command syntax differs between products, check the device-specific form before configuring HWTACACS authentication so that CE series switches can authenticate against the HWTACACS server.

Why does HWTACACS authentication fail when the HWTACACS server template and HWTACACS server are properly configured
This failure has the following possible causes:
- The IP address of the router (the client) is not configured on the HWTACACS server, so the server does not send an authentication response packet to the router.
- The shared key configured on the router differs from the one configured on the HWTACACS server.
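Both of the shared-key answers above (the one for the AR and the one for the router) come down to the same mechanism, shown here as an added example that is not Huawei's code. It assumes HWTACACS uses the TACACS+ body obfuscation of RFC 8907 section 4.5, which the protocol shares with standard TACACS+ servers on TCP port 49: the body is XORed with a pseudo-pad derived from the session ID, the shared key, the version and the sequence number. The pad is a keystream, not a MAC, so a server holding a different key cannot detect the mismatch; it de-obfuscates to noise and the START request is simply unparseable. The server also selects the key by the client's source IP address, which is why an unconfigured client IP produces no response at all. The keys, session ID, user name, port and addresses below are constructed values.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and the effect of a shared-key mismatch."""
import hashlib
import struct

# Header fields that feed the pseudo-pad; values constructed for this example.
VERSION = 0xC0   # major version 0xC, minor version 0
SEQ_NO = 1       # the client START is the first packet of a session

# Authentication START field values from RFC 8907 section 5.1.
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
VALID_ACTIONS = (0x01, 0x02, 0x04)                   # LOGIN, CHPASS, SENDAUTH
VALID_AUTHEN_TYPES = (0x01, 0x02, 0x03, 0x05, 0x06)  # ASCII, PAP, CHAP, MSCHAP, MSCHAPv2


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id | key | version | seq_no [| previous digest]), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version=VERSION, seq_no=SEQ_NO):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1, data=b""):
    """Encode an authentication START body (RFC 8907 section 5.1)."""
    user_b, port_b, rem_b = user.encode("ascii"), port.encode("ascii"), rem_addr.encode("ascii")
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(data))
    return fixed + user_b + port_b + rem_b + data


def parse_authen_start(body):
    """Decode a START body; return None when it is not well formed, which is what a
    server sees after de-obfuscating with a key different from the client's."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if action not in VALID_ACTIONS or authen_type not in VALID_AUTHEN_TYPES:
        return None
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    off, fields = 8, []
    for n in (ulen, plen, rlen):
        try:
            fields.append(body[off:off + n].decode("ascii"))
        except UnicodeDecodeError:
            return None
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "data": body[off:off + dlen]}


def exchange(client_key, server_key, session_id=0x5A3C9F21):
    """The client obfuscates a START with its key; the server de-obfuscates with the
    key it has on file for that client's IP. Returns the parsed START, or None."""
    start = build_authen_start("admin", "vty0", "10.7.66.10")  # constructed login attempt
    on_the_wire = obfuscate(start, session_id, client_key)
    return parse_authen_start(obfuscate(on_the_wire, session_id, server_key))


if __name__ == "__main__":
    print(exchange(b"Huawei@123", b"Huawei@123"))  # keys match: START parses, user 'admin'
    print(exchange(b"Huawei@123", b"Huawei@124"))  # keys differ: None, the body is noise
```

Because the header (including the session ID and sequence number) travels in the clear and nothing authenticates it, a key mismatch looks to the server like a corrupt request rather than a configuration error, so the only evidence is a failed or silently dropped login on the device side and a decode or parse error in the server's log.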
