02-14-2012 12:28 AM
A5500 with TAC_PLUS authentication problem
Please help me. I have a problem authenticating users on an A5500 in cooperation with tac_plus. Communication between the switch and Linux is OK. Unfortunately, I have no experience with HP as a vendor.
----------------------------------------------------------------------------------
A5500 config:
]hwtacacs nas-ip 192.168.1.123
#
interface Vlan-interface100
ip address 192.168.1.156 255.255.255.0
#
[A5500-48G-PoE-hwtacacs-tac]display this
#
hwtacacs scheme tac
primary authentication 192.168.1.125
nas-ip 192.168.1.123
key authentication test
user-name-format without-domain
#
return
[A5500-48G-PoE-hwtacacs-tac]
[A5500-48G-PoE-isp-system]display this
#
domain system
authentication default hwtacacs-scheme tac local
access-limit disable
state active
idle-cut disable
self-service-url disable
#
return
[A5500-48G-PoE-isp-system]
[A5500-48G-PoE-ui-vty0-15]display this
#
user-interface aux 0
user-interface vty 0 15
authentication-mode scheme
#
return
[A5500-48G-PoE-ui-vty0-15]
-----------------------------------------------------------------------------------
Log from A5500:
Username:HW_test0
Password:
Rejected by Local server
Fri Feb 10 12:52:57 2012 [1213]: forked 1218
Fri Feb 10 12:52:57 2012 [1218]: login query for 'HW_test0' vty0 from 192.168.1.123 accepted
Fri Feb 10 12:52:57 2012 [1218]: exit status=0
---------------------------------------------------------------------------------
*Feb 10 11:44:41:302 2012 A5500-48G-PoE TAC/7/Event: Create HWTACACS authentication request packet success
*Feb 10 11:44:41:434 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Feb 10 11:44:41:536 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=58 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=HW_test0 PortName=vty0 RemAddress=192.168.1.1
UserMsg= DataMsg=
*Feb 10 11:44:41:865 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Feb 10 11:44:41:970 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=58 PacketType=3 AuthenType=1
AuthenService=1 PrivLevel=0 Version=c0 TemplateNum=0
UserName=HW_test0 PortName=vty0 RemAddress=192.168.1.1
UserMsg= DataMsg=
*Feb 10 11:44:42:295 2012 A5500-48G-PoE TAC/7/Event: Got nas-ip 192.168.1.123 and VPN 0 of server 192.168.1.125.
*Feb 10 11:44:42:437 2012 A5500-48G-PoE TAC/7/Event: Successfully set socket VPN attribute (VPN index: 0).
*Feb 10 11:44:42:569 2012 A5500-48G-PoE TAC/7/Event:
hwtacacs create new session :
session id: 30467, user id: 58, server ip: 192.168.1.125
*Feb 10 11:44:42:762 2012 A5500-48G-PoE TAC/7/Event:
version:c0 type:AUTHEN_REQUEST
seq_no:1 flag:ENCRYPTED_FLAG
session_id:7703 length:31
action:AUTHEN_LOGIN priv_lvl:VISIT authen_type:AUTHEN_TYPE_ASCII
service:AUTHEN_SVC_LOGIN
user len:8 port len:4 rem_addr len:11 data len:0
user name:HW_test0 port:vty0 rem_addr:192.168.1.1 data:
*Feb 10 11:44:43:207 2012 A5500-48G-PoE TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Feb 10 11:44:43:349 2012 A5500-48G-PoE TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:01 flag:00 session id:30467 length:31
*Feb 10 11:44:43:562 2012 A5500-48G-PoE TAC/7/Event: Authentication sending(Result = 0)
*Feb 10 11:44:43:673 2012 A5500-48G-PoE TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:2 flag:ENCRYPTED_FLAG
session_id:7703 length:16
status:AUTHEN_STATUS_GETPASS flag:REPLY_FLAG_NOECHO
server_msg len:10 data len:0
server_msg:Password: data:
*Feb 10 11:44:43:997 2012 A5500-48G-PoE TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x5
*Feb 10 11:44:44:140 2012 A5500-48G-PoE TAC/7/Event:
version:c0 type:AUTHEN_CONTINUE
seq_no:3 flag:ENCRYPTED_FLAG
session_id:7703 length:10
user_msg len:****** data len:0 flag:0
user_msg:******
data:
*Feb 10 11:44:44:404 2012 A5500-48G-PoE TAC/7/Event:
hwtacacs packet sending success!
version:c0 type:01 sequence:03 flag:00 session id:30467 length:10
*Feb 10 11:44:44:617 2012 A5500-48G-PoE TAC/7/Event: statistic: transmit flag:1, server flag: 0,packet flag:0xff
*Feb 10 11:44:44:759 2012 A5500-48G-PoE TAC/7/Event: Authentication sending(Result = 0)
*Feb 10 11:44:44:871 2012 A5500-48G-PoE TAC/7/Event:
version:c0 type:AUTHEN_REPLY
seq_no:4 flag:ENCRYPTED_FLAG
session_id:7703 length:6
status:AUTHEN_STATUS_PASS flag:REPLY_FLAG_ECHO
server_msg len:0 data len:0
server_msg: data:
*Feb 10 11:44:45:174 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
*Feb 10 11:44:45:279 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for TAC->AAA:
ulUserID=58
ucTACTemplateNO=0
ucflag=1
Echo=0
ServerMsg=
*Feb 10 11:44:45:461 2012 A5500-48G-PoE TAC/7/Event: statistic: transmit flag:2, server flag: 0,packet flag:0x1
*Feb 10 11:44:45:603 2012 A5500-48G-PoE TAC/7/Event:
hwtacacs session is deleted due to finishing session:
session id: 30467, user id: 58, server ip: 192.168.1.125
*Feb 10 11:44:45:836 2012 A5500-48G-PoE TAC/7/Event: Tac receive 6 message, but cannot find according session.
*Feb 10 11:44:45:978 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Feb 10 11:44:46:080 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=58 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
PrivLevel=0 TemplateNum=0 ArgNum=2
UserName=HW_test0 PortName=vty0
Service=shell Protocol=cmd* RemAddress=192.168.1.1
*Feb 10 11:44:46:435 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
*Feb 10 11:44:46:536 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=58 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
PrivLevel=0 TemplateNum=0 ArgNum=2
UserName=HW_test0 PortName=vty0
Service=shell Protocol=cmd* RemAddress=192.168.1.1
*Feb 10 11:44:46:890 2012 A5500-48G-PoE TAC/7/Event: No useful server.
*Feb 10 11:44:46:982 2012 A5500-48G-PoE TAC/7/Event:
TAC_AUTHOR_EncapNode:no useful hwtac server!
AIS Network Infrastructure [2011]
CCNA
09-05-2012 06:29 AM
Re: A5500 with TAC_PLUS authentication problem
Hi,
We have exactly the same problem.
We see the pass from the TACACS server, but we get a local rejection.
Did you ever get this resolved?
If so, can you let me know what the fix was?
Many Thanks
Andrew
09-05-2012 07:44 AM
Re: A5500 with TAC_PLUS authentication problem
Problem was fixed by using the config below:
hwtacacs scheme tacacs
primary authentication A.B.C.D
primary accounting A.B.C.D
primary autho A.B.C.D
key authentication Key
key accounting Key
key author Key
user-name-format without-domain
nas-ip X.y.Z.1
#
domain system
authentication login hwtacacs-scheme tacacs local
authorization login hwtacacs-scheme tacacs local
accounting login hwtacacs-scheme tacacs
access-limit disable
state active
idle-cut disable
self-service-url disable
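
The symptom in this thread (the server answers AUTHEN_STATUS_PASS, yet the switch rejects the login) can be picked out of the debug output by tracking which AAA phase each message belongs to. The script below is an added example, not part of the original posts or any HP tool; the function names `triage` and `verdict` are hypothetical, and the sample is an abridged excerpt of the debug log from the first post.

```python
import re

# Abridged excerpt of the switch debug output shown in the first post.
SAMPLE_LOG = """\
*Feb 10 11:44:41:536 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=58 PacketType=3 AuthenType=1
UserName=HW_test0 PortName=vty0 RemAddress=192.168.1.1
*Feb 10 11:44:44:871 2012 A5500-48G-PoE TAC/7/Event:
version:c0 type:AUTHEN_REPLY
status:AUTHEN_STATUS_PASS flag:REPLY_FLAG_ECHO
*Feb 10 11:44:46:080 2012 A5500-48G-PoE TAC/7/Event:
TAC_MESSAGE for AAA->TAC:
UserID=58 AuthorType=4 AuthenMethod=6 AuthenType=1 AuthenService=1
UserName=HW_test0 PortName=vty0
*Feb 10 11:44:46:890 2012 A5500-48G-PoE TAC/7/Event: No useful server.
"""

def triage(log_text):
    """Return {user_id: state} with the outcome of each AAA phase seen in the log."""
    sessions, cur = {}, None
    for line in log_text.splitlines():
        m = re.search(r"\bUserID=(\d+)", line)
        if m:
            cur = sessions.setdefault(
                m.group(1), {"user": None, "authen": None, "author": None, "phase": None})
            # AuthorType= marks an authorization request; otherwise it is authentication.
            cur["phase"] = "author" if "AuthorType=" in line else "authen"
            continue
        if cur is None:
            continue  # nothing to attribute this line to yet
        m = re.search(r"\bUserName=(\S+)", line)
        if m:
            cur["user"] = m.group(1)
        m = re.search(r"status:AUTHEN_STATUS_(\w+)", line)
        if m:
            cur["authen"] = m.group(1)  # GETPASS is later overwritten by the final status
        if re.search(r"no useful (hwtac )?server", line, re.I):
            cur[cur["phase"]] = "NO_SERVER"  # failure belongs to the phase in progress
    return sessions

def verdict(state):
    """Summarise one user's state as a one-line diagnosis."""
    if state["authen"] == "PASS" and state["author"] == "NO_SERVER":
        return "authentication passed; authorization found no usable HWTACACS server"
    if state["authen"] == "NO_SERVER":
        return "no usable HWTACACS server for authentication"
    if state["authen"] == "PASS":
        return "authentication passed"
    return "authentication not completed (status: %s)" % state["authen"]

if __name__ == "__main__":
    for uid, state in triage(SAMPLE_LOG).items():
        print(uid, state["user"], "->", verdict(state))
```

On the excerpt, the failure lands in the authorization phase, which matches the fix posted above: the working scheme defines authorization and accounting servers and keys in addition to authentication.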
09-05-2012 10:32 PM
Re: A5500 with TAC_PLUS authentication problem
Thanks a lot
AIS Network Infrastructure [2011]
CCNA