HWTACACS configurations don't work on eNSP

Created: Oct 8, 2019 11:25:08. Latest reply: Oct 10, 2019 01:30:37
Rewarded Hi-coins: 1 (problem resolved)

Dear,

Kindly note that I've configured HWTACACS on router AR3200 V200R003C00 (in the eNSP environment), but it seems not to be working.

NB: my TACACS server is in VMware.


<AR3200>display current-configuration
[V200R003C00]
#
 sysname AR3200
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
domain huawei
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
hwtacacs-server template ht
 hwtacacs-server authentication 192.168.254.129
 hwtacacs-server authorization 192.168.254.129
 hwtacacs-server accounting 192.168.254.129
 hwtacacs-server source-ip 192.168.254.20
 hwtacacs-server shared-key cipher %$%$lzLFI.Oay/$_~2V`V2&4lWg9%$%$
#
aaa
 authentication-scheme default
 authentication-scheme hwtacacs
  authentication-mode hwtacacs
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 description g_0/0/0_to_Tacacs_server
 ip address 192.168.254.20 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<AR3200>



All Answers
WDNJSQ Created Oct 8, 2019 12:18:13

Hi, can you send out the network topology?

Popeye_Wang Admin Created Oct 9, 2019 00:42:06

Hi Lazhar,

Please replace the router with the NE series. According to the help document, the AR series in eNSP does not support HWTacacs.


chenhui Admin Created Oct 9, 2019 01:58:16

@Lazhar hello,
the configuration seems fine.
What do you mean by HWTACACS not seeming to work: did the router fail to connect to the HWTACACS server, or can the user not be authenticated online through HWTACACS?

Lazhar Created Oct 9, 2019 09:54:14

Posted by chenhui at 2019-10-09 01:58: @Lazhar hello, the configuration seems fine. What do you mean by HWTACACS seems not working, the route ...

@chenhui Hi & thanks for your reply;

The configuration was done successfully and I can ping, but in the server log (tac_plus.conf) I can't see any event log.

chenhui Admin Created Oct 10, 2019 01:30:37

Posted by Lazhar at 2019-10-09 09:54: @chenhui Hi & thanks for your reply; the configuration was done successfully and i can ping, ...

How about testing the authentication on the router to check the connection to the TACACS+ server?
Also, you can check the number of received authentication packets (display aaa statistics access-type-authenreq).
Or you can capture packets on interface g0/0/0 to check whether the authentication packets are sent to the TACACS+ server.
To do the test, you can use the command test-aaa; please refer to http://support.huawei.com/hedex/ ... 525253E&lang=en
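
The capture check suggested above, as an added example that is not part of the original thread: it decodes the 12-byte TACACS+ header (RFC 8907 layout, TCP port 49) from captured TCP payloads and counts authentication START packets sent from the router to the server. It assumes HWTACACS uses that same header layout and that the capture has been exported as (source, destination, destination port, payload) tuples; the sample payloads are constructed.

```python
import struct

TACACS_PORT = 49  # TCP port the TACACS+ server listens on
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
ROUTER, SERVER = "192.168.254.20", "192.168.254.129"  # addresses from the posted config

def parse_header(payload: bytes) -> dict:
    """Decode the 12-byte TACACS+ header at the start of a TCP payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a TACACS+ header")
    ver, ptype, seq, flags, session, length = struct.unpack("!BBBBII", payload[:12])
    if ver >> 4 != 0xC or ptype not in TYPES:
        raise ValueError("not a TACACS+ header")
    return {
        "type": TYPES[ptype],
        "seq_no": seq,                      # odd = sent by the client (router)
        "unencrypted": bool(flags & 0x01),  # body sent in clear, no shared key applied
        "session_id": session,
        "body_len": length,
    }

def auth_requests_sent(segments, router_ip=ROUTER, server_ip=SERVER):
    """Count authentication START packets (seq_no 1) sent router -> server:49."""
    count = 0
    for src, dst, dport, payload in segments:
        if (src, dst, dport) != (router_ip, server_ip, TACACS_PORT):
            continue
        try:
            hdr = parse_header(payload)
        except ValueError:
            continue  # TCP data on port 49 that is not a TACACS+ packet start
        if hdr["type"] == "authentication" and hdr["seq_no"] == 1:
            count += 1
    return count

# Constructed sample: (src, dst, dst_port, tcp_payload) tuples as exported from a capture.
SAMPLE = [
    (ROUTER, SERVER, 49, bytes.fromhex("c00101001a2b3c4d00000010") + bytes(16)),
    (ROUTER, SERVER, 49, bytes.fromhex("c00301001a2b3c4e00000008") + bytes(8)),
    (ROUTER, SERVER, 22, b"SSH-2.0-constructed\r\n"),
]

if __name__ == "__main__":
    print("authentication requests seen:", auth_requests_sent(SAMPLE))
```

A count of 0 over a capture taken during a login attempt means no authentication request left the router, which would also explain an empty log on the tac_plus side.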

