
[Q&A] NE40E TACACS+ server can't login

Latest reply: Jun 30, 2018 09:53:44

The device is an NE40E-X3A running V8; the TACACS server is an open-source one on Ubuntu 14.04 LTS.

The network topology is shown in the following diagram:

[network topology diagram]

Issue description: after configuring TACACS+ on the TACACS server and on the NE40E, it does not work.

The configurations of the NE40E and of the TACACS server are below.

NE40E configuration:

#
hwtacacs-server template ht
 hwtacacs-server authentication 10.10.10.3
 hwtacacs-server authorization 10.10.10.3
 hwtacacs-server accounting 10.10.10.3
 hwtacacs-server shared-key cipher %^%#LiU':*~4bVhi+$ON{sn)9>Q]{s)v${GYO2jb'5{,jX$
#
aaa
 local-user admin password irreversible-cipher $1c$O0/O>=I$_Ark./K(X5+j-KT{K3U#tcF8kLNC+F}eF:dpz,%^%#
 local-user admin service-type terminal telnet ssh
 local-user admin level 3
 local-user admin state block fail-times 3 interval 5
 #
 authentication-scheme default0
 #
 authentication-scheme default1
 #
 authentication-scheme default
  authentication-mode local radius
 #
 authentication-scheme hw
  authentication-mode hwtacacs local
 #
 authorization-scheme default
 #
 authorization-scheme hw
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
 #
 accounting-scheme default0
 #
 accounting-scheme default1
 #
 accounting-scheme hw
  accounting-mode hwtacacs
  accounting interim interval 3
  accounting start-fail online
 #
 domain default0
 #
 domain default1
 #
 domain default_admin
 #
 domain test
  authentication-scheme hw
  authorization-scheme hw
  accounting-scheme hw
  hwtacacs-server ht
#

TACACS server configuration:

# Encryption key (must match "hwtacacs-server shared-key" on the NE40E)
key = "tac_test"

# Set where to send accounting records
accounting syslog;
accounting file = /var/log/tac_plus/tac_plus.acct

group = stpmnetwork  {
        default service = permit

        # Cisco-style exec/shell service: priv-lvl is the privilege level
        # returned to the device; shell:roles is a Cisco NX-OS attribute
        service = exec {
                priv-lvl = 15
                idletime = 30
                shell:roles="\"network-operator vdc-operator\""
                }

        # Juniper Junos service; the NE40E does not request it
        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "SU"
                allow-commands = ".*"
                allow-configuration = ""
                deny-configuration = ""
                }
}

# The user is defined as "test", with no "@domain" suffix
user = test {
        member = stpmnetwork
        login = des g7Rw21kxUVAV6
        enable = des  2vGG8.l/nMBD6
        }

 

Because the hwtacacs server template uses the default configuration, by default the username sent to the server contains the domain, so the user can't log in.

Solution:

Run the command "undo hwtacacs-server user-name domain-included" under the hwtacacs server template, and log in with a username that contains the domain.
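The following is an added example, not part of the original post and not Huawei or tac_plus code. It builds a TACACS+ (RFC 8907) authentication START packet the way the device sends it, obfuscates the body with the shared key "tac_test" from the posted tac_plus.conf, decodes it on the server side, and then shows why a login as test@test cannot match "user = test" until the domain is stripped. The session id, the VTY port name, the client address, the username_sent_by_device() logic and the assumption that a login without "@" falls into the default_admin domain are assumptions made for the example, not taken from the post.

```python
"""Added example: what username the NE40E actually sends to tac_plus, and why
'test@test' does not match 'user = test' until domain-included is undone."""
import hashlib
import struct

SHARED_KEY = b"tac_test"          # key = "tac_test" in the posted tac_plus.conf
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is NOT obfuscated
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01

# Users known to the server, mirroring the posted config: "test", no "@domain".
SERVER_USERS = {"test": "stpmnetwork"}


def pseudo_pad_xor(session_id, key, version, seq_no, body):
    """RFC 8907 section 4.5 body obfuscation: XOR with a chained-MD5 pad.
    XOR is its own inverse, so the same call both encodes and decodes."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, key=SHARED_KEY, session_id=0x1A2B3C4D,
                       port="vty0", rem_addr="10.10.10.1", priv_lvl=0):
    """Authentication START packet (RFC 8907 section 5.1) as the client sends it.
    session_id, port and rem_addr are constructed values for this example."""
    seq_no = 1
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + pseudo_pad_xor(session_id, key, TAC_PLUS_VERSION, seq_no, body)


def parse_authen_start(packet, key):
    """Server side: de-obfuscate with the server's copy of the key and extract
    the username. A key mismatch yields garbage rather than an error, which is
    why a wrong shared key also shows up as an unknown user."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = pseudo_pad_xor(session_id, key, version, seq_no, body)
    _, priv_lvl, _, _, user_len, port_len, _, _ = struct.unpack("!8B", body[:8])
    user = body[8:8 + user_len]
    port = body[8 + user_len:8 + user_len + port_len]
    return {"user": user.decode("ascii", "replace"),
            "port": port.decode("ascii", "replace"), "priv_lvl": priv_lvl}


def username_sent_by_device(login_name, domain_included=True):
    """Model of the VRP behaviour described in the post: 'user@domain' selects
    the AAA domain; with the default 'hwtacacs-server user-name domain-included'
    the whole string is forwarded, after 'undo ...' only the part before '@'.
    Assumption for this example: a login without '@' lands in default_admin."""
    if "@" in login_name:
        user, domain = login_name.rsplit("@", 1)
    else:
        user, domain = login_name, "default_admin"
    return (login_name if domain_included else user), domain


def server_knows_user(login_name, domain_included,
                      device_key=SHARED_KEY, server_key=SHARED_KEY):
    """End to end: device builds START, server decodes it and looks the user up."""
    sent, _domain = username_sent_by_device(login_name, domain_included)
    decoded = parse_authen_start(build_authen_start(sent, device_key), server_key)
    return decoded["user"] in SERVER_USERS


if __name__ == "__main__":
    for included in (True, False):
        sent, domain = username_sent_by_device("test@test", included)
        print(f"domain-included={included}: domain={domain}, sent={sent!r}, "
              f"server knows user={server_knows_user('test@test', included)}")
```

With domain-included left at its default the server receives "test@test" and finds no such user; after "undo hwtacacs-server user-name domain-included" it receives "test" while the device still uses the "test" domain (and therefore the hw schemes) to decide how to authenticate. The wrong-key case is also worth keeping in mind when troubleshooting: the body decodes to garbage and the failure looks the same from the device side.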

SupperRobin
Created May 31, 2018 01:12:23

Great document, thanks for sharing.

Finn92
Created May 31, 2018 01:14:41

So amazing~

4am
Created Jun 30, 2018 09:53:44

Great share! I get it.