What are the differences of the HWTACACS authentication configuration between CE switches and other Huawei data communication devices

If an HWTACACS server does not accept user names that carry a domain name, configure the switch so that it does not encapsulate the domain name in the user name of the HWTACACS packets it sends to that server.
The command on CE series switches is hwtacacs server user-name domain-excluded, whereas on firewalls, S series switches, and routers it is undo hwtacacs-server user-name domain-included. To ensure that CE series switches can log in to the HWTACACS server, check these configuration differences between device types before configuring HWTACACS authentication.

Other related questions:
How to configure HWTACACS authentication on a CE series switch
Configure HWTACACS authentication on a CE series switch as follows:
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable //Enable the HWTACACS protocol.
[*HUAWEI] hwtacacs server template ht //Create an HWTACACS server template and enter its view.
[*HUAWEI-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authentication server.
[*HUAWEI-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS accounting server.
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme 1-h //Create an authentication scheme and enter its view.
[*HUAWEI-aaa-authen-1-h] authentication-mode hwtacacs //Set the authentication mode to HWTACACS authentication.
[*HUAWEI-aaa-authen-1-h] commit
[~HUAWEI-aaa-authen-1-h] quit
[~HUAWEI-aaa] authorization-scheme hwtacacs //Create an authorization scheme and enter its view.
[*HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs //Set the authorization mode to HWTACACS authorization.
[*HUAWEI-aaa-author-hwtacacs] commit
[~HUAWEI-aaa-author-hwtacacs] quit
[~HUAWEI-aaa] accounting-scheme hwtacacs //Create an accounting scheme and enter its view.
[*HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs //Set the accounting mode to HWTACACS accounting.
[*HUAWEI-aaa-accounting-hwtacacs] commit
[~HUAWEI-aaa-accounting-hwtacacs] quit
[~HUAWEI-aaa] domain huawei //Create a domain and enter the domain view.
[*HUAWEI-aaa-domain-huawei] authentication-scheme 1-h //Configure the authentication scheme 1-h created above for the domain (the name must match exactly).
[*HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs //Configure an authorization scheme for the domain.
[*HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs //Configure an accounting scheme for the domain.
[*HUAWEI-aaa-domain-huawei] hwtacacs server ht //Configure an HWTACACS server template for the domain.
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit
[~HUAWEI] quit
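As an added check that is not part of Huawei's documentation, the Python audit below reads a saved configuration and flags the two points above: whether the platform-specific domain-name command (CE versus other devices) is present, and whether the domain references an authentication/authorization/accounting scheme or server template that was never created. The sample configuration is constructed for this example, and its scheme-name mismatch is deliberate.

```python
import re

# Constructed sample in "display current-configuration" style (not from the
# page): the domain references scheme "l-h" (letter l) while the scheme that
# was created is "1-h" (digit 1), an easy slip to make when typing by hand.
SAMPLE_CE_CONFIG = """\
hwtacacs enable
hwtacacs server template ht
 hwtacacs server authentication 10.7.66.66 49
 hwtacacs server user-name domain-excluded
aaa
 authentication-scheme 1-h
  authentication-mode hwtacacs
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs server ht
"""

# Platform-specific command that stops the domain name being sent to the server.
DOMAIN_EXCLUDED_CMD = {
    "ce": "hwtacacs server user-name domain-excluded",
    "other": "undo hwtacacs-server user-name domain-included",
}
SCHEME_RE = re.compile(r"(authentication|authorization|accounting)-scheme (\S+)$")

def audit_hwtacacs(config, platform):
    """Return a list of findings; an empty list means all checks passed."""
    findings, defined, referenced = [], set(), []
    stripped = [l.strip() for l in config.splitlines()]
    expected = DOMAIN_EXCLUDED_CMD[platform]
    if expected not in stripped:
        findings.append(f"missing '{expected}': domain name still sent to server")
    other = DOMAIN_EXCLUDED_CMD["other" if platform == "ce" else "ce"]
    if other in stripped:
        findings.append(f"'{other}' is the syntax of a different platform")
    domain_indent = None  # indentation of the current 'domain' block, if any
    for raw in config.splitlines():
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if domain_indent is not None and indent <= domain_indent:
            domain_indent = None  # left the domain view
        if line.startswith("domain "):
            domain_indent = indent
            continue
        if line.startswith("hwtacacs server template "):
            defined.add(("template", line.split()[-1]))
        elif line.startswith("hwtacacs server ") and domain_indent is not None:
            referenced.append(("template", line.split()[-1]))
        m = SCHEME_RE.match(line)
        if m:  # inside a domain the command binds a scheme; elsewhere it creates one
            (referenced.append if domain_indent is not None else defined.add)(m.groups())
    for kind, name in referenced:
        if (kind, name) not in defined:
            findings.append(f"domain references undefined {kind} '{name}'")
    return findings
```

Run it against a CE switch's saved configuration with platform "ce", or against an S series switch, router, or firewall configuration with platform "other".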

Configuring communication between interfaces in different VLANs
A Fat AP can connect to a switch or router. If interfaces of a device are added to two VLANs, the interfaces can communicate with each other by default. If interfaces are added to two VLANs on different devices, routes need to be configured to enable communication between the interfaces.

Why does HWTACACS authentication fail when the HWTACACS configuration is correct
The HWTACACS server template configuration of the AR is correct. In AAA mode, the HWTACACS authentication configuration and the configuration of the remote TACACS server are correct. The possible causes of HWTACACS authentication failures are as follows:
- The client's IP address is not configured on the TACACS server, so the TACACS server does not send authentication packets.
- Different shared keys are configured on the AR and the TACACS server.
