
Remote Login to the Switch Fails


Hi,

This case is about a remote login to an S5700 that fails because of an incorrect user domain.

Problem Description

When an administrator logs in to the S5700 through SSH, HWTACACS authentication fails, so the user cannot access the S5700.

Handling Process

1. Check the login failure cause and confirm that it is an authentication failure. The record also shows which domain the user was placed in (here: default).

<CG_xxx_S57_MSW1>disp aaa online-fail-record all
  ------------------------------------------------------------------------------
  User name               : xxx
  Domain name             : default
  User MAC                : -
  User access type        : SSH
  User IP address         : 10.254.xx.xx
  User ID                 : 4
  User login time         : 2020/12/30 14:21:15
  User online fail reason : Authenticate fail
  Authen reply message    : -
  ------------------------------------------------------------------------------

2. Check the AAA configuration. The administrator is expected to authenticate through HWTACACS in the default_admin domain, but the default domain is blocked (state block) and is not bound to any HWTACACS server. The login failure record above, however, shows that the user was placed in the default domain.

aaa
authentication-scheme default
authentication-scheme xxbi
  authentication-mode radius local
authentication-scheme xxbitacas
  authentication-mode hwtacacs local
authorization-scheme default
authorization-scheme xxbi
  authorization-mode hwtacacs local
authorization-scheme xxbitacas
  authorization-mode hwtacacs local
accounting-scheme default
accounting-scheme xxbi
  accounting realtime 3
accounting-scheme xxbitacas
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online
domain default
  state block
domain default_admin
  authentication-scheme xxbitacas
  accounting-scheme xxbitacas
  authorization-scheme xxbitacas
  hwtacacs-server xxbitacacs
 ... ...


3. In normal cases, administrators should be placed in the default_admin domain, not the default domain. A further check of the configuration shows that the domain default admin command has been run in the system view, which makes the default domain the administrative domain. As a result, the default domain (local authentication, state block) is selected when the administrator logs in, and authentication fails.

[CG_xxx_S57_MSW1]disp cur | in domain
domain default admin
undo hwtacacs-server user-name domain-included
domain default
domain default_admin

Root Cause

The domain default admin command was run in the system view, changing the administrative domain from default_admin to default. As a result, the default domain, which uses the default (local) authentication scheme and is in state block, is selected when the administrator logs in, so authentication fails.

Solution

Delete the domain default admin command in the system view so that administrators are placed in the default_admin domain again, then repeat the SSH login and re-check display aaa online-fail-record all.

[CG_xxx_S57_MSW1]undo domain default admin
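The check carried out in steps 1 to 3 can be automated against saved command output. The following is an added example (not code from the original case and not a Huawei tool): it parses the aaa section of a current-configuration dump and a display aaa online-fail-record listing, works out which domain administrators will actually land in, and reports why that domain cannot authenticate them. It assumes the command grammar visible in this case only (domain, state, authentication-scheme, authentication-mode, hwtacacs-server), that a domain with no explicit scheme uses scheme "default", that scheme "default" is local-only, and that the built-in administrator domain is default_admin. All sample texts are constructed, with the misconfiguration from this case reproduced in AAA_CONFIG_BAD.

```python
"""Which AAA domain does an SSH administrator land in, and can it authenticate via HWTACACS?

Added example for the case above, not Huawei code. Assumptions: only the command subset
seen in the case is understood; a domain without an explicit scheme uses scheme "default";
scheme "default" is local-only; the built-in administrator domain is default_admin.
"""
import re

BUILTIN_ADMIN_DOMAIN = "default_admin"          # VRP built-in administrator domain (assumption)
DOMAIN_DEFAULTS = {"admin": False, "state": "active", "scheme": "default", "hwtacacs-server": None}
SCHEME_DEFAULTS = {"modes": ["local"]}          # scheme "default" authenticates locally (assumption)
DOMAIN_RE = re.compile(r"^domain (\S+)( admin)?$")
SCHEME_RE = re.compile(r"^authentication-scheme (\S+)$")

# Constructed sample: the misconfiguration in the case ("domain default admin" present).
AAA_CONFIG_BAD = """\
aaa
authentication-scheme default
authentication-scheme xxbitacas
  authentication-mode hwtacacs local
domain default admin
domain default
  state block
domain default_admin
  authentication-scheme xxbitacas
  hwtacacs-server xxbitacacs
"""
# The same configuration after "undo domain default admin".
AAA_CONFIG_FIXED = AAA_CONFIG_BAD.replace("domain default admin\n", "")

# Constructed sample in the shape of "display aaa online-fail-record all".
FAIL_RECORD = """\
  ------------------------------------------------------------------------------
  User name               : netadmin
  Domain name             : default
  User access type        : SSH
  User IP address         : 10.254.0.10
  User online fail reason : Authenticate fail
  ------------------------------------------------------------------------------
"""


def parse_aaa(text):
    """Return (domains, schemes) parsed from the aaa section of a configuration dump."""
    domains, schemes = {}, {}
    current, block_indent = None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if current is not None and indent > block_indent:   # child line of the open block
            key, *vals = line.split()
            if key == "state":
                current["state"] = vals[0]
            elif key == "authentication-mode":
                current["modes"] = vals
            elif key == "authentication-scheme":
                current["scheme"] = vals[0]
            elif key == "hwtacacs-server":
                current["hwtacacs-server"] = vals[0]
            continue
        if m := DOMAIN_RE.match(line):                       # "domain <name>" or "domain <name> admin"
            current = domains.setdefault(m.group(1), dict(DOMAIN_DEFAULTS))
            current["admin"] = current["admin"] or bool(m.group(2))
            block_indent = indent
        elif m := SCHEME_RE.match(line):
            current = schemes.setdefault(m.group(1), dict(SCHEME_DEFAULTS))
            block_indent = indent
        else:                                                # some other block; skip its children
            current, block_indent = None, -1
    return domains, schemes


def parse_fail_records(text):
    """Split a 'display aaa online-fail-record' listing into one dict per record."""
    records, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            if cur:
                records.append(cur)
            cur = {}
        elif ":" in line:
            key, val = line.split(":", 1)
            cur[key.strip()] = val.strip()
    return records + ([cur] if cur else [])


def effective_admin_domain(domains):
    """The domain marked with 'admin' overrides the built-in administrator domain."""
    flagged = [name for name, d in domains.items() if d["admin"]]
    return flagged[0] if flagged else BUILTIN_ADMIN_DOMAIN


def domain_findings(domains, schemes, name):
    """Reasons why a HWTACACS-backed administrator cannot authenticate in domain `name`."""
    dom = domains.get(name, dict(DOMAIN_DEFAULTS))
    modes = schemes.get(dom["scheme"], dict(SCHEME_DEFAULTS))["modes"]
    findings = []
    if dom["state"] != "active":
        findings.append(f"domain '{name}' is in state {dom['state']}: logins landing in it are rejected")
    if "hwtacacs" not in modes:
        findings.append(f"domain '{name}' uses scheme '{dom['scheme']}' (modes {modes}): HWTACACS is not consulted")
    elif not dom["hwtacacs-server"]:
        findings.append(f"domain '{name}' uses HWTACACS but binds no hwtacacs-server template")
    return findings


def check_admin_login(config_text):
    """Return (domain administrators land in, list of problems with that domain)."""
    domains, schemes = parse_aaa(config_text)
    name = effective_admin_domain(domains)
    findings = [] if name == BUILTIN_ADMIN_DOMAIN else [
        f"administrator domain overridden to '{name}' (expected '{BUILTIN_ADMIN_DOMAIN}')"]
    return name, findings + domain_findings(domains, schemes, name)


def explain_failures(fail_text, config_text):
    """For each 'Authenticate fail' record, list the problems of the domain it was placed in."""
    domains, schemes = parse_aaa(config_text)
    return [(r["User name"], r["Domain name"], domain_findings(domains, schemes, r["Domain name"]))
            for r in parse_fail_records(fail_text) if r.get("User online fail reason") == "Authenticate fail"]


if __name__ == "__main__":
    for label, cfg in (("before fix", AAA_CONFIG_BAD), ("after fix", AAA_CONFIG_FIXED)):
        name, findings = check_admin_login(cfg)
        print(f"{label}: administrators land in '{name}'; findings: {findings or 'none'}")
    for user, domain, why in explain_failures(FAIL_RECORD, AAA_CONFIG_BAD):
        print(f"{user} in domain {domain} failed because: {why}")
```

Run it on the two constructed configurations: before the fix it reports that administrators land in default, that the domain is blocked and that HWTACACS is never consulted; after undo domain default admin it reports default_admin with no findings. Feed it your own display current-configuration and display aaa online-fail-record all output to confirm a device before relying on the switch to tell you at login time.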

