
[NE Router-Troubleshooting] Local Authentication Fails Because of Incorrect Configuration

Latest reply: Jun 24, 2021 18:57:18

The system is configured to perform local authentication when the HWTACACS server is Down (there is no response to HWTACACS authentication). However, the configuration does not take effect.

Fault Symptom

The system is configured to perform local authentication when the HWTACACS server is Down (there is no response to HWTACACS authentication).

Despite the configuration, local authentication of Telnet users fails when the HWTACACS server is Down.

Fault Analysis

  1. When the HWTACACS server is Up, Telnet users are authenticated by the HWTACACS server. This indicates that the HWTACACS server is properly configured. When the HWTACACS server is Down, local authentication is not performed. Therefore, it can be concluded that local authentication is not correctly configured.

  2. Check the configuration of the device. The following configuration is found:

    authentication-scheme tacacs
     authentication-mode hwtacacs local
     authentication-super hwtacacs super
    #
    authorization-scheme tacacs
     authorization-mode hwtacacs
     authorization-cmd 3 hwtacacs
    #
    accounting-scheme tacacs
     accounting-mode hwtacacs

The preceding configurations show that the authentication mode is hwtacacs local, which indicates that HWTACACS authentication is performed before local authentication, and the authorization mode and accounting mode are both hwtacacs. The authentication mode is properly configured. When the HWTACACS server goes Down, the system performs the local authentication. HWTACACS authorization and accounting, however, cannot be performed because the HWTACACS server is now unavailable. As a result, local authentication fails.

Procedure

  1. Run the system-view command to enter the system view.

  2. Run the aaa command to enter the AAA view.

  3. Configure an authorization mode and an accounting mode.

    • Configuring the authorization mode as HWTACACS authorization before local authorization:

        Run the authorization-scheme tacacs command to enter the authorization scheme view.

        Run the authorization-mode hwtacacs local command to configure the authorization mode as HWTACACS authorization before local authorization.

    • Configuring the accounting mode as HWTACACS accounting before non-accounting:

        Run the accounting-scheme tacacs command to enter the accounting scheme view.

        Run the accounting-mode hwtacacs none command to configure the accounting mode as HWTACACS accounting before non-accounting.

        You do not have to configure the accounting mode. This is because accounting does not take effect with administrator users, whose accounting mode is non-accounting by default.

  4. After the preceding operations, local authentication is successfully performed on Telnet users when the HWTACACS server goes Down. The fault is cleared.

Summary

User management includes authentication, authorization, and accounting. When configuring the authentication mode, ensure the consistency between the authorization and accounting modes to guarantee successful login for Telnet users.
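
An offline check for the mismatch diagnosed above, as an added example that is not part of the original post and is not Huawei tooling: it parses an AAA configuration section and reports authorization or accounting schemes that depend on HWTACACS alone while authentication falls back to local. It assumes that schemes sharing a name (tacacs here) are applied together; the function names and the AFTER sample are constructed for illustration.

```python
import re

# Constructed sample: the AAA section quoted in the post, before the fix.
BEFORE = """\
authentication-scheme tacacs
 authentication-mode hwtacacs local
 authentication-super hwtacacs super
#
authorization-scheme tacacs
 authorization-mode hwtacacs
 authorization-cmd 3 hwtacacs
#
accounting-scheme tacacs
 accounting-mode hwtacacs
"""
# Constructed sample: the same section after step 3 of the procedure.
AFTER = (BEFORE.replace("authorization-mode hwtacacs", "authorization-mode hwtacacs local")
               .replace("accounting-mode hwtacacs", "accounting-mode hwtacacs none"))

LINE = re.compile(r"^\s*(authentication|authorization|accounting)-(scheme|mode)\s+(.+?)\s*$")

def parse_modes(config):
    """Return {scheme_name: {"authentication": [methods], ...}}."""
    schemes, current = {}, None
    for raw in config.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # '#', authentication-super, authorization-cmd, etc.
        kind, what, rest = m.groups()
        if what == "scheme":
            current = (kind, rest)
        elif current and current[0] == kind:
            schemes.setdefault(current[1], {})[kind] = rest.split()
    return schemes

def fallback_gaps(config):
    """List (scheme, kind) pairs left on HWTACACS only despite local authentication fallback."""
    gaps = []
    for name, modes in sorted(parse_modes(config).items()):
        authn = modes.get("authentication", [])
        if authn[:1] != ["hwtacacs"] or "local" not in authn[1:]:
            continue  # no HWTACACS-then-local fallback configured
        for kind in ("authorization", "accounting"):
            if modes.get(kind) == ["hwtacacs"]:
                gaps.append((name, kind))
    return gaps

if __name__ == "__main__":
    print("before:", fallback_gaps(BEFORE), "after:", fallback_gaps(AFTER))
```

The accounting entry is reported for completeness; as the post notes, accounting does not take effect with administrator users.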


andersoncf1
MVE Author Created Jun 24, 2021 18:57:18

Thanks for sharing knowledge with us.