
[NE Router-Troubleshooting] User Login Fails When User Names Carry Domain Names During HWTACACS Authentication

Latest reply: Jun 25, 2021 17:46:04

Fault Symptom

The device uses HWTACACS authentication. When a user enters a user name that includes a domain name, the login fails. The output of the debugging hwtacacs all command shows "status:AUTHEN_STATUS_FAIL".

Fault Analysis

1. Check the HWTACACS server configurations. The results show that the configurations are correct.

#
aaa
authentication-scheme tacacs
authentication-mode hwtacacs local
authentication-super hwtacacs super
#
authorization-scheme tacacs
authorization-mode hwtacacs local
authorization-cmd 3 hwtacacs
#
accounting-scheme tacacs
accounting-mode hwtacacs
#
domain default_admin
authentication-scheme tacacs
authorization-scheme tacacs
accounting-scheme tacacs
hwtacacs-server tacacs
#
hwtacacs-server template tacacs
hwtacacs-server authentication 18.6.1.25
hwtacacs-server authorization 18.6.1.25
hwtacacs-server accounting 18.6.1.25
hwtacacs-server source-ip 20.1.1.1
hwtacacs-server shared-key simple hello

2. The user name is huawei@default_admin, which includes the domain name "default_admin". However, the HWTACACS server does not support user names that include a domain name, so the authentication fails. Therefore, you must configure the device to exclude the domain name from the user name. After the configuration is complete, the HWTACACS client (the device) strips the domain name from the user name when it sends an authentication or authorization request to the HWTACACS server.

Procedure

1. Run the hwtacacs-server template tacacs command to enter the HWTACACS server template view.

2. Run the undo hwtacacs-server user-name domain-included command to configure a user name not to include a domain name.

After the preceding operations, users can log in to the device. The fault is rectified.
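The following Python model illustrates the behaviour described in this case. It is an added example, not device code or Huawei's implementation: a HWTACACS client forwards the login name to the server either as typed (domain-included, the default) or with the domain stripped (after undo hwtacacs-server user-name domain-included), and a server that only knows bare user names answers with the same status string seen in the debugging output. The server user database, the password, the debug line format and the rule that the domain is whatever follows the last "@" are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the user database on the HWTACACS server (18.6.1.25
# in the case above). Assumption: the server only knows bare user names.
SERVER_USERS = {"huawei": "example-password"}

AUTHEN_STATUS_PASS = "AUTHEN_STATUS_PASS"
AUTHEN_STATUS_FAIL = "AUTHEN_STATUS_FAIL"  # status string quoted on the page


@dataclass
class HwtacacsTemplate:
    """Minimal model of a hwtacacs-server template."""
    name: str
    # Device default is domain-included; 'undo hwtacacs-server user-name
    # domain-included' turns it off.
    domain_included: bool = True


def split_user_domain(login_name, default_domain="default_admin"):
    """Split 'user@domain' into (user, domain).

    Assumption: the domain is the text after the last '@'; a login name
    without '@' belongs to the default domain.
    """
    if "@" in login_name:
        user, _, domain = login_name.rpartition("@")
        return user, domain
    return login_name, default_domain


def name_sent_to_server(login_name, template):
    """User name the HWTACACS client puts in the authentication/authorization request."""
    if template.domain_included:
        return login_name  # forwarded as typed, domain and all
    user, _ = split_user_domain(login_name)
    return user  # domain stripped before the request leaves the device


def server_authenticate(sent_name, password):
    """Constructed server: unknown name or wrong password -> AUTHEN_STATUS_FAIL."""
    expected = SERVER_USERS.get(sent_name)
    if expected is None or expected != password:
        return AUTHEN_STATUS_FAIL
    return AUTHEN_STATUS_PASS


def simulate_login(login_name, password, template):
    """Return (name sent on the wire, authentication status)."""
    sent = name_sent_to_server(login_name, template)
    return sent, server_authenticate(sent, password)


def has_authen_failure(debug_lines):
    """Check 'debugging hwtacacs all' style output for the failure status."""
    return any("status:" + AUTHEN_STATUS_FAIL in line for line in debug_lines)


if __name__ == "__main__":
    login, pw = "huawei@default_admin", "example-password"

    before = HwtacacsTemplate("tacacs")  # domain-included (default)
    after = HwtacacsTemplate("tacacs", domain_included=False)  # after undo command

    print("before fix:", simulate_login(login, pw, before))
    print("after fix: ", simulate_login(login, pw, after))

    # Constructed debug lines; the real output format is not reproduced here.
    sent, status = simulate_login(login, pw, before)
    debug = [f"HWTACACS: authen request user={sent}",
             f"HWTACACS: authen reply status:{status}"]
    print("failure seen in debug output:", has_authen_failure(debug))
```

Note that the same stripped name is used for authorization requests, so any per-user authorization policy on the server must be keyed on the bare user name rather than on "user@domain".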

Summary

A user name is usually in the format of "user name@domain name." If the HWTACACS server does not support a user name including a domain name, delete the domain name and then send the user name without the domain name to the HWTACACS server.

andersoncf1
MVE Author Created Jun 25, 2021 17:46:04

Thanks for sharing knowledge. Very useful.
