
Huawei S6730: problem with TACACS+ authorization

Good afternoon!

Could you please advise what the cause might be?

A TACACS+ server is configured. Huawei S6730 switches connect to it through one of the switches. The switches themselves are interconnected via OSPF.

Switches 1, 2, and 3 authorize normally, but the rest do not.

The settings on all the switches are identical:

 

aaa
 authentication-scheme default
  authentication-mode local hwtacacs
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
  authorization-mode local hwtacacs
  authorization-cmd 1 hwtacacs
  authorization-cmd 5 hwtacacs
 accounting-scheme default
  accounting-mode hwtacacs
  accounting start-fail online
 recording-scheme sch0
  recording-mode hwtacacs t1
 cmd recording-scheme sch0
 outbound recording-scheme sch0
 system recording-scheme sch0
 local-aaa-user password policy administrator
  password history record number 0
  undo password alert original
  password expire 0
 domain default
  authentication-scheme radius
  accounting-scheme default
  radius-server default
 domain default_admin
  authentication-scheme default
  accounting-scheme default
  authorization-scheme default
  hwtacacs-server t1

 

hwtacacs-server template t1
 hwtacacs-server authentication 192.168.112.42
 hwtacacs-server authorization 192.168.112.42
 hwtacacs-server accounting 192.168.112.42
 hwtacacs-server source-ip 172.16.0.5
 hwtacacs-server shared-key cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX!!
 hwtacacs-server timer response-timeout 30

 

 

display hwtacacs-server template t1
  ---------------------------------------------------------------------------
  HWTACACS-server template name        : t1
  Primary-authentication-server        : 192.168.112.42:49 Vrf:  Status:UP
  Primary-authentication-ipv6-server   : -:0 Vrf:  Status:-
  Primary-authorization-server         : 192.168.112.42:49 Vrf:  Status:UP
  Primary-authorization-ipv6-server    : -:0 Vrf:  Status:-
  Primary-accounting-server            : 192.168.112.42:49 Vrf:  Status:UP
  Primary-accounting-ipv6-server       : -:0 Vrf:  Status:-
  Secondary-authentication-server      : -:0 Vrf:  Status:-
  Secondary-authentication-ipv6-server : -:0 Vrf:  Status:-
  Secondary-authorization-server       : -:0 Vrf:  Status:-
  Secondary-authorization-ipv6-server  : -:0 Vrf:  Status:-
  Secondary-accounting-server          : -:0 Vrf:  Status:-
  Secondary-accounting-ipv6-server     : -:0 Vrf:  Status:-
  Third-authentication-server          : -:0 Vrf:  Status:-
  Third-authentication-ipv6-server     : -:0 Vrf:  Status:-
  Third-authorization-server           : -:0 Vrf:  Status:-
  Third-authorization-ipv6-server      : -:0 Vrf:  Status:-
  Third-accounting-server              : -:0 Vrf:  Status:-
  Third-accounting-ipv6-server         : -:0 Vrf:  Status:-
  Fourth-authentication-server         : -:0 Vrf:  Status:-
  Fourth-authentication-ipv6-server    : -:0 Vrf:  Status:-
  Fourth-authorization-server          : -:0 Vrf:  Status:-
  Fourth-authorization-ipv6-server     : -:0 Vrf:  Status:-
  Fourth-accounting-server             : -:0 Vrf:  Status:-
  Fourth-accounting-ipv6-server        : -:0 Vrf:  Status:-
  Current-authentication-server        : 192.168.112.42:49 Vrf:  Status:UP
  Current-authentication-ipv6-server   : -:0 Vrf:  Status:-
  Current-authorization-server         : 192.168.112.42:49 Vrf:  Status:UP
  Current-authorization-ipv6-server    : -:0 Vrf:  Status:-
  Current-accounting-server            : -:0 Vrf:  Status:-
  Current-accounting-ipv6-server       : -:0 Vrf:  Status:-
  Source-IP-address                    : 172.16.0.5
  Source-LoopBack                      : -
  Source-Vlanif                        : -
  Source-IPv6-address                  : -
  IPv6 Source-LoopBack                 : -
  IPv6 Source-Vlanif                   : -
  Shared-key                           : ****************
  Quiet-interval(min)                  : 5
  Response-timeout-Interval(sec)       : 30
  Domain-included                      : Original
  Traffic-unit                         : B
  User name in authen-start message    : No
  ---------------------------------------------------------------------------

 

 

Logs

 

 %%01SSH/4/SSH_FAIL(s)[8]:Failed to login through SSH. (IP=172.20.55.4, VpnInstanceName= , UserName=test, Times=1, FailedReason=User password authentication failed)
 %%01TAC/4/TACAUTHENDOWN(l)[9]:Communication with the HWTACACS authentication server (IP:192.168.112.42)  is interrupted!
 %%01TAC/4/TACACCTDOWN(l)[11]:Communication with the HWTACACS accounting server (IP:192.168.112.42) is interrupted!

 

Test

test-aaa test admin hwtacacs-template t1
Info: This operation may take a few seconds...
Info: Account test time out.

 
