【Problem Description】
Customer feedback:
AAA command authorization is not working on NE40E-X8A V8R10.
The customer has authorization configured on the TACACS server, with a list of commands that are allowed for an account. However, after authentication all commands are accepted.
【Problem Analysis】
Collect the following information:
1、 The diagnostic file from the NE40.
2、 Debug information from the NE40.
<HUAWEI>debug hwtacacs all
[~HUAWEI-diagnose]debugging aaa all
<HUAWEI>t m
Info: Current terminal monitor is on.
<HUAWEI>t d
3、User information
<HUAWEI> display access-user username xxx verbose
<HUAWEI> display user-interface
After analyzing the logs, we found that the actual privilege level of the access user is 3:
=======================================
display user-interface
=======================================
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           P     9
  1    CON 0    9600       -     3     -           P     10
  33   AUX 0    9600       -     0     -           -     -
+ 34   VTY 0               -     0     3           A     -
+ 35   VTY 1               -     0     3           A     -
However, in the configuration, HWTACACS command authorization is applied only to level 15 users:
authorization-scheme hwscheme
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
【Root Cause】
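The configuration does not match between the TACACS server and the device: the user logs in at level 3, while the device applies command authorization to level 15.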
【Solution Description】
There are two ways to resolve this:
1 Change the TACACS server so that the user level is 15.
2 Change the device configuration so that authorization-cmd applies to level 3:
authorization-scheme hwscheme
authorization-mode hwtacacs local
authorization-cmd 3 hwtacacs local
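
The mismatch found in this case can be checked for automatically. The script below is an added example, not Huawei code: it compares the ActualPrivi of active sessions in `display user-interface` output against the levels named in `authorization-cmd` lines. The sample inputs are constructed from the outputs shown above, the function names are hypothetical, and exact-level matching is assumed, as this case describes.

```python
import re

# Constructed sample input, modelled on the outputs shown in this case.
USER_INTERFACE = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           P     9
  33   AUX 0    9600       -     0     -           -     -
+ 34   VTY 0               -     0     3           A     -
+ 35   VTY 1               -     0     3           A     -
"""
SCHEME = """\
authorization-scheme hwscheme
 authorization-mode hwtacacs local
 authorization-cmd 15 hwtacacs local
"""

def active_levels(output):
    """Return {(type, number): ActualPrivi} for active ('+') sessions."""
    levels = {}
    for line in output.splitlines():
        if not line.startswith("+"):
            continue
        f = line[1:].split()
        # Tx/Rx can be blank, so count from the right:
        # the last three columns are ActualPrivi, Auth, Int.
        if len(f) >= 6 and f[-3].isdigit():
            levels[(f[1], int(f[2]))] = int(f[-3])
    return levels

def cmd_auth_levels(config):
    """Return {level: [methods]} parsed from authorization-cmd lines."""
    pattern = r"^\s*authorization-cmd\s+(\d+)\s+(.+)$"
    return {int(m.group(1)): m.group(2).split()
            for m in re.finditer(pattern, config, re.M)}

def unchecked_sessions(output, config):
    """Active sessions whose level has no HWTACACS command authorization."""
    covered = {lvl for lvl, methods in cmd_auth_levels(config).items()
               if "hwtacacs" in methods}
    return sorted((t, n, lvl) for (t, n), lvl in active_levels(output).items()
                  if lvl not in covered)

if __name__ == "__main__":
    for kind, num, lvl in unchecked_sessions(USER_INTERFACE, SCHEME):
        print(f"{kind} {num}: level {lvl} has no authorization-cmd entry")
```
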
For more details, refer to:
http://support.huawei.com/hedex/pages/EDOC110003860131180AHD/05/EDOC110003860131180AHD/05/resources/software/nev8r10_vrpv8r16/user/vrp/authorization-cmd.html?ft=0&fe=10&hib=9.1.20.1.60&id=authorization-cmd&text=authorization-cmd&docid=EDOC1100038601