
HWTACACS authentication is not working in HUAWEI NE40E-X3 (V600R009C20SPC600)

Created: Mar 22, 2022 04:37:11 | Latest reply: Mar 22, 2022 12:13:28
  Rewarded HiCoins: 0 (problem resolved)

I have configured an HWTACACS server template named "hwtacacs" on the NE40E-X3 router and configured AAA as below:

aaa
 authentication-scheme huawei
  authentication-mode hwtacacs local
 #
 authorization-scheme huawei
  authorization-mode hwtacacs local
 #
 accounting-scheme huawei
  accounting-mode hwtacacs
 #
 domain default_admin
  authentication-scheme huawei
  authorization-scheme huawei
  accounting-scheme huawei
  adminuser-priority 15
  hwtacacs-server hwtacacs
 #
 domain huawei
  authentication-scheme huawei
  authorization-scheme huawei
  accounting-scheme huawei
  adminuser-priority 15
  hwtacacs-server hwtacacs
 #

Now only the local users that exist on the router are sent to the TACACS server for authentication, but users who do not exist on the router are not sent to the TACACS server for authentication, and authentication fails.

Can anyone help me find out how all users can be sent to the TACACS server for authentication?

Featured Answers

Recommended answer

fuzi_yao
Admin Created Mar 22, 2022 05:06:11

Hi, friend!
I checked your configuration and found that HWTACACS authentication was performed first and then local authentication was performed. If the login account is not created on the remote server but exists on the local server, the remote authentication fails and the local authentication is not performed. Local authentication is performed only when the remote authentication server is Down. Can the command be modified to perform local authentication and then HWTACACS authentication?

Also, I want to make sure that you have some users on the RADIUS server.


AlSafy
AlSafy Created Mar 22, 2022 05:34:38 (0) (0)
Let me clarify. For example: a user named "Test" wants to SSH to the device, and user "Test" is not a local user; then the router does not send the user Test to TACACS for authentication. But if the user is a local user, then the router sends it to the TACACS server for authentication.
fuzi_yao
fuzi_yao Reply AlSafy  Created Mar 22, 2022 05:49:10 (0) (0)
You mean that you enter a non-existent user to try to authenticate; however, the device does not send the request packet to the HWTACACS server?
All Answers
Hi, friend!
Please wait, we will get back to you later.
After I ran the command "ssh authentication-type default password", TACACS authentication now works properly for SSH users.

fuzi_yao
fuzi_yao Created Mar 24, 2022 05:35:48 (0) (0)
Alright, do you mean that after you configured this command, your problem is solved? This command is used to configure the SSH protocol.
AlSafy
AlSafy Reply fuzi_yao  Created Mar 24, 2022 09:15:41 (0) (0)
Yes, and I got this solution from TAC. And it worked.  
fuzi_yao
fuzi_yao Reply AlSafy  Created Mar 24, 2022 09:18:31 (0) (0)
Alright, as long as the problem is solved, that's a good solution.
AlSafy
AlSafy Created Mar 27, 2022 04:35:21 (0) (0)
Admin, please change it to solved.
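The two points raised in this thread, the fallback behaviour of "authentication-mode hwtacacs local" explained in the recommended answer and the "ssh authentication-type default password" line the poster reports as the fix, can be checked automatically. The script below is an added example, not code from Huawei or from anyone in the thread; it parses a constructed copy of the posted AAA block and reports both findings, and the parser logic is an assumption about the VRP layout shown here, not a product API.

```python
import re

# Constructed sample: the authentication part of the AAA block posted in the
# thread, as it was before the fix (no "ssh authentication-type" line).
CONFIG_BEFORE = """\
aaa
 authentication-scheme huawei
  authentication-mode hwtacacs local
 #
 domain default_admin
  authentication-scheme huawei
  adminuser-priority 15
  hwtacacs-server hwtacacs
 #
"""
# The same config after the command the thread reports as the fix.
CONFIG_AFTER = CONFIG_BEFORE + "ssh authentication-type default password\n"


def parse_auth_modes(config):
    """Map each authentication-scheme definition to its ordered mode list.
    'authentication-scheme X' inside a domain only binds the scheme, so
    those lines are skipped (assumed layout, based on the posted config)."""
    schemes, current, in_domain = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current, in_domain = None, False
        elif line.startswith("domain "):
            in_domain = True
        elif line.startswith("authentication-scheme ") and not in_domain:
            current = line.split()[1]
            schemes.setdefault(current, [])
        elif line.startswith("authentication-mode ") and current:
            schemes[current] = line.split()[1:]
    return schemes


def audit(config):
    """Return the findings a reviewer of this thread's config would raise."""
    findings = []
    schemes = parse_auth_modes(config)
    for name, modes in schemes.items():
        if "local" in modes and modes[0] != "local":
            findings.append(f"{name}: '{' '.join(modes)}' falls back to local only "
                            f"when the {modes[0]} server is down, not when it rejects")
    if any("hwtacacs" in m for m in schemes.values()) and \
            not re.search(r"^ssh authentication-type default \S+", config, re.M):
        findings.append("no 'ssh authentication-type default' set; the thread reports "
                        "SSH users absent from the local database were not sent to HWTACACS")
    return findings
```

Run audit() over a saved "display current-configuration" excerpt; the ordering finding stays until the scheme is changed, while the SSH finding disappears once the default authentication type is set.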
