
S5720, S5735 AAA (HWTACACS+local users)

Created: May 22, 2020 10:51:52 | Latest reply: May 28, 2020 12:23:23
  Rewarded HiCoins: 3 (problem resolved)

Hello Huawei Community,

We want to achieve the following:
- TACACS authentication
- fallback to local users with privileges

We have S5720-LI series switches.

On V200R011C00SPC200 we could achieve that.

We did the exact same config at another customer (running V200R011C10SPC600), same services on the AAA server side (we use Aruba ClearPass). Problem: we cannot manage the privilege levels. What we tried:
#1. Enter user privilege level 15 under user-interface vty. But it logs in all users with privilege 15, both with TACACS and local fallback, while we have a priv 3 and a priv 15 user configured.
#2. Clear this from the user-interface vtys, but apply a service-scheme.

We also faced the problem that some of the switches (same model, software version and so on) cannot work with TACACS without the service-scheme command; the TACACS process gets stuck after the AAA server sends the GETUSER and GETPASS packets.


The current config is below. (We have the hwtacacs-server template properly configured.) But with it, all local users are logged in with priv 15, and priv 15 is requested from the TACACS server for all users.


Any ideas about this? I did not find any documentation relating to HWTACACS and fallback to local-user at the same time...


regards,

David


aaa
authentication-scheme default
authentication-scheme radius
 authentication-mode radius
authentication-scheme TACACS-LOCAL
 authentication-mode hwtacacs local
authorization-scheme default
authorization-scheme TACACS-LOCAL
 authorization-mode if-authenticated hwtacacs local
accounting-scheme default
accounting-scheme TACACS-LOCAL
 accounting-mode hwtacacs
 accounting realtime 3
 accounting start-fail online
local-aaa-user password policy administrator
 password history record number 0
 undo password alert original
 password expire 0
service-scheme TACACS-LOCAL
 admin-user privilege level 15
domain default
 authentication-scheme radius
 radius-server default
domain default_admin
 authentication-scheme TACACS-LOCAL
 accounting-scheme TACACS-LOCAL
 authorization-scheme TACACS-LOCAL
 service-scheme TACACS-LOCAL
 hwtacacs-server hdt_tacacs
local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 10
undo local-user admin
local-user ahnoc password irreversible-cipher **** access-limit 5
local-user ahnoc privilege level 15
local-user ahnoc service-type telnet terminal ssh

ssh user ahnoc
ssh user ahnoc authentication-type password
ssh user ahnoc service-type stelnet
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 authentication-mode aaa
 protocol inbound all


All Answers
jason_hu Admin Created May 22, 2020 10:55:51 Helpful(0) Helpful(0)

Hello,
Do I need to fall back to logging in using local SSH now?

You can refer to this https://support.huawei.com/hedex/hdx.do?docid=EDOC1000101619&id=dc_s_ccase_aaa_003_2&lang=en


Sapte Created May 22, 2020 11:30:23 Helpful(0) Helpful(0)

Hi @IDSx,

Your problem root cause: since you are using the default_admin domain, all users associated with this domain will have admin rights, which stands for privilege level 15.

Solution: please use a different domain, manually created, such as the one below

domain test
 authentication-scheme TACACS-LOCAL
 accounting-scheme TACACS-LOCAL
 authorization-scheme TACACS-LOCAL
 service-scheme TACACS-LOCAL
 hwtacacs-server hdt_tacacs


Sapte Created May 28, 2020 17:23:35
Hi @IDSx

Did you try with a different domain? If you tried and it worked, could you please mark my answer as the best answer?

IDSx Created May 23, 2020 21:12:22 Helpful(1) Helpful(1)

Hello @Sapte,

The default_admin domain is for remote users as far as I know, while the default domain is for network users (clients). It is nowhere mentioned that this means all of my AAA and local users are authorized for priv 15 by default and that the local-user or AAA priv setting cannot overwrite this.

We use the default_admin domain for another customer (configuration: literally the same); we have a local-user with priv 3 and it logs in as priv 3 after fallback. I'll give a different domain a try.

Sapte Created May 25, 2020 05:46:17
Hi IDSx,

Default_domain is used for admin management; please check this link below

https://support.huawei.com/hedex/pages/EDOC1100126530AEI02128/01/EDOC1100126530AEI02128/01/resources/dc/dc_cfg_aaa_6022.html?ft=0&fe=10&hib=4.2.12.2.2.1&id=EN-US_CONCEPT_0176366033&text=Domain-based%2520User%2520Management&docid=EDOC1100126530  
Sergio93 Created May 25, 2020 14:03:43 Helpful(1) (Recommended answer)

Hello,
Are you sending the HW-Exec-Privilege (26-29) attribute from your server? This is needed to specify the privilege level for your users.
If not, please send those attributes and try again.

NOTE: I saw you're using 'authentication-mode hwtacacs local' -> in this way, local authentication will take place only if the ping to the server is not working. I would suggest using 'local hwtacacs' to always have access to the switch using the admin created locally.
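As an added example (not code from this thread or from Huawei), the following script lints the poster's aaa block for the three orderings the thread turns on: 'authentication-mode hwtacacs local' (Sergio93's note), a service-scheme whose 'admin-user privilege level 15' is bound to a whole domain (the poster's symptom), and 'authorization-mode if-authenticated' listed ahead of hwtacacs. That last check assumes VRP tries authorization modes in the configured order and stops at the first one that answers, which the thread itself does not state; the sample config is constructed from the post.

```python
"""Lint a Huawei VRP aaa view for the privilege-level traps discussed in this thread."""
import re

# Constructed sample: the poster's aaa block, trimmed to the relevant lines.
POSTED = """\
authentication-scheme TACACS-LOCAL
 authentication-mode hwtacacs local
authorization-scheme TACACS-LOCAL
 authorization-mode if-authenticated hwtacacs local
service-scheme TACACS-LOCAL
 admin-user privilege level 15
domain default_admin
 authorization-scheme TACACS-LOCAL
 service-scheme TACACS-LOCAL
"""

def parse_aaa(text):
    """Group sub-commands under their scheme/domain: {kind: {name: [cmds]}}.
    Headers are matched by keyword plus relative indent, so a paste that lost
    its leading spaces (as in the forum post) still parses."""
    views, current, depth = {}, None, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        kind, _, name = line.partition(" ")
        is_header = kind.endswith("-scheme") or kind == "domain"
        if is_header and (depth is None or indent <= depth):
            depth, current = indent, views.setdefault(kind, {}).setdefault(name, [])
        elif line and line != "aaa" and current is not None:
            current.append(line)
    return views

def modes(cmds, keyword):
    """Mode list of e.g. 'authentication-mode hwtacacs local', or [] if absent."""
    return next((c.split()[1:] for c in cmds if c.startswith(keyword + " ")), [])

def lint(views):
    """Return (code, message) pairs for the three orderings discussed in the thread."""
    out = []
    for name, cmds in views.get("authentication-scheme", {}).items():
        if modes(cmds, "authentication-mode")[:2] == ["hwtacacs", "local"]:
            out.append(("AUTHN_ORDER", f"{name}: local users are tried only when the server does not respond"))
    for name, cmds in views.get("authorization-scheme", {}).items():
        m = modes(cmds, "authorization-mode")
        if "if-authenticated" in m and "hwtacacs" in m[m.index("if-authenticated"):]:
            out.append(("AUTHZ_ORDER", f"{name}: if-authenticated precedes hwtacacs, so the server is never asked for a privilege level"))
    # service-schemes that pin a level (assumption: applies to every user of a binding domain)
    fixed = {n: int(mt.group(1)) for n, cmds in views.get("service-scheme", {}).items()
             for c in cmds if (mt := re.fullmatch(r"admin-user privilege level (\d+)", c))}
    for dom, cmds in views.get("domain", {}).items():
        for ss in (c.split()[1] for c in cmds if c.startswith("service-scheme ")):
            if ss in fixed:
                out.append(("FIXED_PRIV", f"domain {dom}: service-scheme {ss} forces level {fixed[ss]} on every user, TACACS or local"))
    return out
```

Run lint(parse_aaa(POSTED)) to see all three findings; the same config with 'authentication-mode local hwtacacs', 'authorization-mode hwtacacs local' and no pinned level in the service-scheme produces none.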
benslimane Created May 28, 2020 12:23:23 Helpful(1) Helpful(1)

I agree with @Sergio93

Huawei Certified System Instructor HCSI
