Fault Symptom
The device uses HWTACACS authentication. When a user logs in with a user name that includes a domain name, the login fails. The output of the debugging hwtacacs all command shows "status:AUTHEN_STATUS_FAIL".
Fault Analysis
1. Check the HWTACACS server configurations. The results show that the configurations are correct.
#
aaa
 authentication-scheme tacacs
  authentication-mode hwtacacs local
  authentication-super hwtacacs super
 #
 authorization-scheme tacacs
  authorization-mode hwtacacs local
  authorization-cmd 3 hwtacacs
 #
 accounting-scheme tacacs
  accounting-mode hwtacacs
 #
 domain default_admin
  authentication-scheme tacacs
  authorization-scheme tacacs
  accounting-scheme tacacs
  hwtacacs-server tacacs
#
hwtacacs-server template tacacs
 hwtacacs-server authentication 18.6.1.25
 hwtacacs-server authorization 18.6.1.25
 hwtacacs-server accounting 18.6.1.25
 hwtacacs-server source-ip 20.1.1.1
 hwtacacs-server shared-key simple hello
2. The user name is huawei@default_admin, which includes the domain name "default_admin". The HWTACACS server does not support user names that include a domain name, so authentication fails. The device must therefore be configured to send the user name without the domain name. After this configuration is complete, the device (acting as the HWTACACS client) strips the domain name from the user name when it sends an authentication or authorization request to the HWTACACS server.
Procedure
1. Run the hwtacacs-server template tacacs command to enter the HWTACACS server template view.
2. Run the undo hwtacacs-server user-name domain-included command so that the user name sent to the HWTACACS server does not include the domain name.
After the preceding operations, users can log in to the device. The fault is rectified.
Summary
A user name is usually in the format "user name@domain name". The domain name selects the AAA schemes applied on the device, but if the HWTACACS server does not support user names that include a domain name, remove the domain name and send only the user name part to the HWTACACS server.
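The following is an added illustration, not part of this case or of any vendor software: a small Python model of how a "user name@domain name" login is split into the local domain and the name forwarded to the HWTACACS server, with the domain-included switch on and off. It assumes (not stated on the page) that the text after the last "@" is the domain, that a name without "@" falls into the default domain default_admin, and it uses a constructed server user database that holds plain user names only.

```python
# Added example (assumptions, not device behaviour taken from the page):
# - the part after the last "@" is the domain name
# - a login name without "@" belongs to the default domain "default_admin"
# - domain_included mirrors the "hwtacacs-server user-name domain-included" setting
from typing import NamedTuple, Tuple

DEFAULT_DOMAIN = "default_admin"  # assumption: used when the login name has no "@"

# Constructed stand-in for a HWTACACS server whose user database holds plain
# user names only; it has no notion of "user@domain".
SERVER_USERS = {"huawei"}


class AaaRequest(NamedTuple):
    domain: str       # domain applied locally to select the AAA schemes
    server_user: str  # user name actually placed in the request to the server


def split_user_name(login_name: str) -> Tuple[str, str]:
    """Return (user, domain); a missing domain maps to DEFAULT_DOMAIN."""
    if "@" not in login_name:
        return login_name, DEFAULT_DOMAIN
    user, _, domain = login_name.rpartition("@")  # split at the last "@"
    if not user or not domain:
        raise ValueError(f"malformed login name: {login_name!r}")
    return user, domain


def build_request(login_name: str, domain_included: bool) -> AaaRequest:
    """Model what the device sends: the full login name when domain_included
    is on, otherwise only the user part (domain name stripped)."""
    user, domain = split_user_name(login_name)
    server_user = login_name if domain_included else user
    return AaaRequest(domain=domain, server_user=server_user)


def server_authenticates(server_user: str) -> bool:
    """Constructed server check: only names present in its database pass."""
    return server_user in SERVER_USERS


def login_succeeds(login_name: str, domain_included: bool) -> bool:
    """End-to-end result for a login attempt under the given switch setting."""
    return server_authenticates(build_request(login_name, domain_included).server_user)


if __name__ == "__main__":
    for flag in (True, False):
        req = build_request("huawei@default_admin", flag)
        print(f"domain-included={flag}: sends {req.server_user!r} "
              f"-> {'pass' if server_authenticates(req.server_user) else 'AUTHEN_STATUS_FAIL'}")
```

With domain-included on, the server receives "huawei@default_admin" and rejects it, which is the fault described above; with the switch off it receives "huawei" and the login passes.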