hwtacacs authentication problem

Created: Jun 17, 2019 02:28:09 | Latest reply: Jun 17, 2019 02:37:47 | 153 views, 4 replies
  Rewarded Hi-coins: 0 (problem resolved)

Topology:

AC-Campus <-> Server Switch <-> Core Switch<-> Access Switch

Switch Configuration:

hwtacacs-server template ht
 hwtacacs-server authentication 10.23.0.11
 hwtacacs-server authorization 10.23.0.11
 hwtacacs-server accounting 10.23.0.11
 hwtacacs-server shared-key cipher ***
aaa
 authentication-scheme default
  authentication-mode hwtacacs local
 authorization-scheme default
  authorization-mode hwtacacs local
 accounting-scheme default
  accounting-mode hwtacacs
  accounting start-fail online
  accounting realtime 1
 domain admin
  authentication-scheme default
  authorization-scheme default
  accounting-scheme default
  hwtacacs-server ht
 local-user admin password irreversible-cipher ***
 local-user admin privilege level 15
 local-user admin service-type ssh terminal


Our problem: We didn't create the user admin on the server, but the user admin can still access the switch. We want to use local authentication only if the AC-Campus server is inaccessible.


All Answers
Popeye_Wang (Admin) Created Jun 17, 2019 02:29:07 Helpful(0)

Hi, Hobbit,
what's the device version?

Hobbit Created Jun 17, 2019 02:29:42 Helpful(0)

Posted by Popeye_Wang at 2019-06-17 02:29: Hi, Hobbit, what's the device version?
S5720-52P-LI-AC
Version 5.170 (S5720 V200R011C00SPC200)

Agile Controller-Campus
Version: V100R003C30SPC100

Popeye_Wang (Admin) Created Jun 17, 2019 02:36:30 Helpful(0)

Posted by Hobbit at 2019-06-17 02:29: S5720-52P-LI-AC Version 5.170 (S5720 V200R011C00SPC200) Agile Controller-Campus Version: V100R003C30S ...
The problem is caused by the Agile Controller version.
In your version, Agile cuts the TCP connection if this username has not been created on the Agile server. The switch then receives no reply packet and goes to local authentication. In the new version this mechanism has been changed: Agile sends a packet to the switch rejecting the authentication and records the TACACS logs.
Please upgrade to the new version Agile_Controller-Campus_V100R003C50SPC302; the download link is as follows:
https://support.huawei.com/enterprise/en/software/23760331-ESW2000109495
Upgrade guide:
https://support.huawei.com/enterprise/en/doc/EDOC1100081926?idPath=7919710|21782050|22318419|22318457|21085964
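The mechanism described in the answer above, as an added example that is not part of the thread and not Huawei's or Agile Controller's code: a small Python decoder for the TACACS+ authentication REPLY packet (wire format and MD5 body obfuscation per RFC 8907) together with a model of what a switch configured with `authentication-mode hwtacacs local` does with the result. The shared key, session id and server messages are constructed sample values, and the decision function is an assumption about the switch's behaviour drawn from the answer, not Huawei's implementation. It shows the difference the answer describes: when the server closes the TCP session without answering, the switch has nothing to decode and falls through to the local user, whereas an explicit FAIL reply ends the attempt.

```python
# Added example (not Huawei's or Agile Controller's code): decode a TACACS+
# authentication REPLY (RFC 8907) and model the switch-side AAA decision.
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is not obfuscated
TAC_PLUS_VERSION = 0xC0           # major version 0xc, minor version 0

# Authentication REPLY status codes (RFC 8907, section 5.2)
AUTHEN_STATUS = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}

HEADER_FMT = "!BBBB4sI"  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 pseudo-pad used to obfuscate TACACS+ packet bodies (RFC 8907, section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


@dataclass
class AuthenReply:
    status: int
    server_msg: str

    @property
    def status_name(self) -> str:
        return AUTHEN_STATUS.get(self.status, f"UNKNOWN({self.status:#x})")


def build_authen_reply(status: int, server_msg: str, session_id: bytes, key: bytes, seq_no: int = 2) -> bytes:
    """Build the REPLY packet a TACACS+ server would send (used here to construct samples)."""
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg  # status, flags, msg_len, data_len
    body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + body


def parse_authen_reply(packet: bytes, key: bytes) -> AuthenReply:
    """Decode an authentication REPLY, de-obfuscating the body with the shared key."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError(f"not an authentication packet (type {ptype})")
    body = packet[HEADER_LEN:]
    if len(body) != length or len(body) < 6:
        raise ValueError("header length does not match body length")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return AuthenReply(status, body[6:6 + msg_len].decode(errors="replace"))


def aaa_decision(server_reply: Optional[bytes], key: bytes) -> str:
    """Assumed model of `authentication-mode hwtacacs local` on the switch.

    None stands for a transport failure: server unreachable, or the server
    closing the TCP connection without a reply (the behaviour of the older
    Agile Controller). Only then does the switch fall through to local users.
    An explicit FAIL reply ends the attempt without consulting the local user.
    """
    if server_reply is None:
        return "fallback-to-local"
    reply = parse_authen_reply(server_reply, key)
    if reply.status_name == "PASS":
        return "accept"
    if reply.status_name == "FAIL":
        return "reject"
    if reply.status_name == "ERROR":  # RFC 8907 lets the client try the next method
        return "fallback-to-local"
    return "continue-dialog"  # GETPASS, GETUSER, ... : server wants more input


if __name__ == "__main__":
    KEY, SID = b"constructed-shared-key", b"\x12\x34\x56\x78"  # constructed sample values
    fail_pkt = build_authen_reply(0x02, "Authentication failed", SID, KEY)
    print("old Agile (TCP closed, no reply):", aaa_decision(None, KEY))
    print("new Agile (explicit FAIL reply):", aaa_decision(fail_pkt, KEY))
```

The point for the switch operator is that a closed TCP session and an unreachable server are indistinguishable from the switch's side, so both trigger the `local` fallback; only a server that actually answers with FAIL keeps the local `admin` account out of the path, which is why the Agile upgrade rather than a switch-side change closes this gap.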

Hobbit Created Jun 17, 2019 02:37:47 Helpful(0)

Posted by Popeye_Wang at 2019-06-17 02:36: The problem is caused by the agile version. In your version, Agile will cut the TCP link if this US ...
Thank you very much