Enterprise
Community Forums Groups Collections Rewards FAQ
Community Forums Switches local authorization failu...
Mark.hu
(Adept)
Send a Message

RECOMMENDED

local authorization failure Highlighted

Created Sep 29, 2018 11:28:57Latest reply Oct 12, 2018 16:00:07 1156 5 12 1
1#
[Problem Description]Customer have issue with SSH user rights (privilege level).

Whenever any user connects to switch by SSH with certificate he gets his privilege level from VTY configuration – not from local AAA settings.

[Problem Analysis] 

Let user provide diagnose information

check SSH Configuration is fine

ssh user v_lutyi

ssh user v_lutyi authentication-type rsa

ssh user v_lutyi assign rsa-key v_lutyi_rsa_key

ssh user v_lutyi service-type all

ssh user vit_lutyi

ssh user vit_lutyi authentication-type rsa

 

Check RSA due to user Rsa certification is fine 

rsa peer-public-key v_lutyi_rsa_key

 public-key-code begin

  30820109

    02820100

 

Check the aaa authentication and find the following privilege configured as 0.

aaa

 authentication-scheme default

 authentication-scheme radius

  authentication-mode radius

 authorization-scheme default

 accounting-scheme default

 local-aaa-user password policy administrator

  password history record number 0

  password expire 0

 domain default

  authentication-scheme radius

  radius-server default

 domain default_admin

  authentication-scheme default

 local-user admin password irreversible-cipher $1a$^k~:)_a5D~$}LmtLIOF$=Zr1B!w,w3Qg"nzPrFim$hm9"DL6&H=$

 local-user admin privilege level 15

 local-user admin service-type terminal http

 local-user v_lutyi password irreversible-cipher $1a$$IoD%bQG;N$h-N>'X.7(DSta68<E@JGsR2"VC*O2GgWr|Q0kyC,$

 local-user v_lutyi privilege level 0

 local-user v_lutyi service-type terminal ssh http

 

Found the following privilege is 0, try to modify to 15

 

user-interface con 0

 authentication-mode aaa

user-interface vty 0 4

 authentication-mode aaa

 protocol inbound all

user-interface vty 16 20

 authentication-mode aaa

 protocol inbound all

 

if the account is RSA authentication, you can only obtain the user level from vty, so you need to add command user privilege level 3   under vty.

[Root Cause]
f the account is RSA authentication, only can obtain the user level from vty


This article contains more resources

You need to log in to download or view. No account?Register

x
  • x
  • convention:

Helpful (12) Favorite(1) Share Reply Comment
No.9527  Mentor   Created Sep 29, 2018 13:52:49 Helpful(0) Helpful(0)

I am very interested for this post, which is very helpful to our daily troubleshooting. I always have similar problems in my daily work, but I do not know how to deal with them. Now I have a clear idea. Thank you very much for your sharing. Hope you can update continue like this
  • x
  • convention:
Skay  Adept   Created Sep 29, 2018 14:19:58 Helpful(0) Helpful(0)

I am very interested for this post, which is very helpful to our daily troubleshooting. Is there a number of commands for the user authorization method? If all or none of the configurations are configured, the commands in that view take precedence. Or what is the default user privilege level, can you help explain it.
  • x
  • convention:
SupperRobin  Novice   Created Sep 29, 2018 14:38:50 Helpful(0) Helpful(0)

Routers support the multi-route mode, which allows you to configure multiple routes with the same destination and preference. If the destinations and costs of multiple routes discovered by the same routing protocol are the same, load balancing can be performed among the routes.

During load balancing, a router forwards packets based on the packets' 5-tuple (source IP address, destination IP address, source port, destination port, and transport protocol). When the 5-tuple information is the same, the router always chooses the next-hop address that is the same as the last one to send packets. When the 5-tuple information is different, the router forwards packets over idle paths.

This post was last edited by SupperRobin at 2018-10-31 15:08.
  • x
  • convention:
wissal     Created Sep 30, 2018 01:34:07 Helpful(0) Helpful(0)

Helpful information, thanks
  • x
  • convention:
criss_tee_an  Adept   Created Oct 12, 2018 16:00:07 Helpful(0) Helpful(0)

I had a similar case but the user was from RADIUS. Helpful!:)
  • x
  • convention:
Back to list

Responses

Reply
Advanced text editor
B Color Image Link Quote Code Smilies
You need to log in to reply to the post Login | Register

Notice:To ensure the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but not limited to politically sensitive content, content concerning pornography, gambling, drug abuse and trafficking, content that may disclose or infringe upon others' intellectual properties, including commercial secrets, trade marks, copyrights, and patents, and personal privacy. Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see“ Privacy Policy.”
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Huawei website Support About Huawei Privacy Terms of Use
Huawei Enterprise Huawei Developer Forum Training & Certification

Copyright © Huawei Technologies Co., Ltd. 1998-2019. All rights reserved.

Fast reply Scroll to top