HWTACACS template status is not getting up at S5720

Created: Jun 22, 2021 10:07:09 | Latest reply: Jun 23, 2021 07:31:15
  Rewarded HiCoins: 5 (problem resolved)

I have an S5720 V200R010C00SPC600 switch, and I have configured the HWTACACS server template as below:


hwtacacs-server template hwtacacs
 hwtacacs-server authentication 10.10.1.3
 hwtacacs-server authentication 10.10.1.4 secondary
 hwtacacs-server authorization 10.10.1.3
 hwtacacs-server authorization 10.10.1.4 secondary
 hwtacacs-server accounting 10.10.1.3
 hwtacacs-server accounting 10.10.1.4 secondary
 hwtacacs-server source-ip 10.10.8.115
 hwtacacs-server shared-key cipher %^%#/Kb%E(0sNJe}YO*"oh-),Y8wQ\*Gy&^K%0;8@Rs$%^%#
 undo hwtacacs-server user-name domain-included
#

Here, the switch-to-server ping is OK and there is no shared-key mismatch.

And the server-side configuration is OK (as two S5735 V200R019C10SPC500 switches are working properly with a similar configuration).

But the template status is not coming up on the S5720 switch:


[SW]display hwtacacs-server template
  ---------------------------------------------------------------------------
  HWTACACS-server template name   : hwtacacs
  Primary-authentication-server   : 10.10.1.3:49:-
  Primary-authorization-server    : 10.10.1.3:49:-
  Primary-accounting-server       : 10.10.1.3:49:-
  Secondary-authentication-server : 10.10.1.4:49:-
  Secondary-authorization-server  : 10.10.1.4:49:-
  Secondary-accounting-server     : 10.10.1.4:49:-
  Current-authentication-server   : 10.10.1.3:49:-
  Current-authorization-server    : 10.10.1.3:49:-
  Current-accounting-server       : 10.10.1.3:49:-
  Source-IP-address               : 10.10.8.115
  Shared-key                      : ****************
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : No
  Traffic-unit                    : B
  ---------------------------------------------------------------------------
  Total 1,1 printed


I don't know why hwtacacs template status is getting up??

Is there any special configuration needed for this model switch?

TIA

Featured Answers

Recommended answer

chenhui
Admin Created Jun 23, 2021 07:31:15

Posted by AlSafy at 2021-06-22 16:45 Does anyone has any other suggestion?? Except for version upgrade, any admin???@DDSN @Popeye_Wang, I ...
Hi,
First of all, since you configured the source IP, I'm not sure whether the ping test you did specified the source IP address; if not, please retry the ping test with the source address specified.
If you did specify the source address in the ping test, I would suggest that you do a telnet test on the switch (telnet to port 49) to check whether the HWTACACS service is enabled normally.
Besides that, you also need to check the HWTACACS server configuration, whether it blocks the IPs.
If all of the above are normal, please check the template verbose information through the command "display hwtacacs-server template verbose".
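
The checks suggested in the answer above can also be run from a test host, shown here as an added example that is not part of the original thread: it opens a TCP connection to port 49 from a chosen source address and classifies the outcome. It assumes a host that owns the source address; the function names and result labels are this example's own.

```python
import errno
import socket

TACACS_PORT = 49  # port shown in the template output in the question

# What each outcome points at (labels are this example's own).
HINTS = {
    "open": "TCP works from this source; look at shared key / server client list",
    "refused": "host reachable, but nothing accepts connections on the port",
    "timeout": "no reply; packets from this source are dropped or have no return path",
    "unreachable": "no route from this source to the server",
    "source-unavailable": "the source address is not configured on this host",
    "error": "other socket error",
}


def probe(source_ip, server_ip, port=TACACS_PORT, timeout=3.0):
    """TCP-connect to server_ip:port from source_ip and classify the result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.bind((source_ip, 0))  # force the source address, any local port
        except OSError:
            return "source-unavailable"
        try:
            s.connect((server_ip, port))
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"
            return "error"
        return "open"
    finally:
        s.close()


def report(source_ip, servers, port=TACACS_PORT, timeout=3.0):
    """Probe every server and return (server, result, hint) tuples."""
    results = [(srv, probe(source_ip, srv, port, timeout)) for srv in servers]
    return [(srv, res, HINTS[res]) for srv, res in results]


if __name__ == "__main__":
    # Addresses from the question; assumes this host owns 10.10.8.115.
    for row in report("10.10.8.115", ["10.10.1.3", "10.10.1.4"]):
        print("%-12s %-18s %s" % row)
```

A result of "open" only confirms TCP reachability from that source address; it does not show that the server accepts the device as a client.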

All Answers

Hi AlSafy
Did you check the AAA configuration?

https://support.huawei.com/enterprise/en/doc/EDOC1000178178/74e8248d/example-for-configuring-hwtacacs-authentication-accounting-and-authorization

Configure authentication, authorization, and accounting schemes.
# Create an authentication scheme named l-h. Configure the authentication scheme to use HWTACACS authentication as the active authentication mode and local authentication as the backup.

[Switch] aaa
[Switch-aaa] authentication-scheme l-h
[Switch-aaa-authen-l-h] authentication-mode hwtacacs local
[Switch-aaa-authen-l-h] quit
# Create an authorization scheme named hwtacacs. Configure the authorization scheme to use HWTACACS authorization as the active authorization mode and local authorization as the backup.

[Switch-aaa] authorization-scheme hwtacacs
[Switch-aaa-author-hwtacacs] authorization-mode hwtacacs local
[Switch-aaa-author-hwtacacs] quit
# Create an accounting scheme named hwtacacs, and configure the accounting scheme to use the HWTACACS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.

[Switch-aaa] accounting-scheme hwtacacs
[Switch-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[Switch-aaa-accounting-hwtacacs] accounting start-fail online
# Set the real-time accounting interval to 3 minutes.

[Switch-aaa-accounting-hwtacacs] accounting realtime 3
[Switch-aaa-accounting-hwtacacs] quit
Create a domain named huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Switch-aaa] domain huawei
[Switch-aaa-domain-huawei] authentication-scheme l-h
[Switch-aaa-domain-huawei] authorization-scheme hwtacacs
[Switch-aaa-domain-huawei] accounting-scheme hwtacacs
[Switch-aaa-domain-huawei] hwtacacs-server ht
[Switch-aaa-domain-huawei] quit
[Switch-aaa] quit
Configure local authentication.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
[Switch-aaa] local-user user1 service-type http
[Switch-aaa] local-user user1 privilege level 15
[Switch-aaa] quit
Configure the global default domain for administrations.
[Switch] domain huawei admin



AlSafy
AlSafy Created Jun 22, 2021 10:25:03 (0) (0)
Yes, I have checked the AAA configuration and it's OK. First I need to bring the template up; my template status is not showing up. Below is my AAA conf:
aaa
authentication-scheme huawei
authentication-mode hwtacacs local
authorization-scheme huawei
authorization-mode hwtacacs local
accounting-scheme huawei
accounting-mode hwtacacs
accounting start-fail online
domain default_admin
authentication-scheme huawei
accounting-scheme huawei
authorization-scheme huawei
hwtacacs-ser 
Do you print
[Switch] display domain name default_admin

AlSafy
AlSafy Created Jun 22, 2021 10:56:03 (0) (0)
<DC4-A02-MGMT-SW08>display domain name default_admin

Domain-name : default_admin
Domain-index : 1
Domain-state : Active
Authentication-scheme-name : huawei
Accounting-scheme-name : huawei
Authorization-scheme-name : huawei
Service-scheme-name : -
RADIUS-server-template : -
Accounting-copy-RADIUS-template : -
HWTACACS-server-template : hwtacacs  
They all look normal..
I will suggest a version upgrade.
What's the full model S5720?-??-???

AlSafy
AlSafy Created Jun 22, 2021 11:11:36 (0) (0)
S5720-32P-EI-AC (V200R010C00SPC600)  
ulrichwandja
ulrichwandja Created Jun 29, 2021 17:54:01 (0) (0)
Information  

S5700 V200R010C00SPC600

Valid

2017-02-22


Upgrade to -->> S5700 V200R019C10SPC500 2020-05-15

Download link --> https://support.huawei.com/enterprise/en/switches/s5720-32p-ei-ac-pid-22347229/software?offeringId=6691579


Upgrade Guide Link --> https://support.huawei.com/enterprise/en/doc/EDOC1000113883?idPath=24030814|21782164|21782167|22318564|6691579

Upgrade Video Link --> https://www.youtube.com/watch?v=ehDETOSw0wU

Hope it can help you!

AlSafy
AlSafy Created Jun 22, 2021 11:50:22 (0) (0)
Thanks, We will try this.  
Abdussamed
Abdussamed Reply AlSafy  Created Jun 22, 2021 12:54:24 (0) (0)
 
AlSafy
AlSafy Created Jun 29, 2021 07:21:16 (0) (0)
As I communicated with TAC, they ensure that no update is needed for TACACS integration.
Abdussamed
Abdussamed Reply AlSafy  Created Jun 29, 2021 07:37:48 (0) (0)
Thank you for the feedback
ulrichwandja
ulrichwandja Created Jun 29, 2021 17:53:31 (0) (0)
 
Does anyone have any other suggestion?? Except for version upgrade, any admin??? @DDSN @Popeye_Wang, is this version upgrade recommended??

andersoncf1
andersoncf1 MVE Author Created Jun 22, 2021 17:44:57

Good answers