TACACS Authentication Failure on S5700 Series Switch


The customer uses TACACS server as the authentication method, after he configures on the switch S5700, but he always can’t login the switch S5700. 


Alarm Information


Handling Process
Firstly,To check basic configuration, I find that the Tacacs configuration isn’t complete on S5700, there are some important configuration lost. As following:

authentication-scheme default
authentication-scheme test
  authentication-mode hwtacacs
authorization-scheme default
authorization-scheme test               
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs
  authorization-cmd 15 hwtacacs
accounting-scheme default
accounting-scheme test
  accounting-mode hwtacacs
domain default
domain default_admin

There is no domain configuration for the hwtacacs authentication, which needs to configure.

When we ask the customer to add the following domain configuraion:

domain test
  authentication-scheme test
  authorization-scheme test
  hwtacacs-server test

After added above configuration, the customer test again but still failed. At this time, he find that the authentication on the Tacacs server shows login successfully, as below:

This information shows the authentication on the server side is workable now, thus we propose that maybe there are some especial configuration lost on the switch.After checking the login detailed information (such as login method, which protocol and so on) with customer. We found customer used SSH method to login the switch.

 So  we check the configuration related to SSH again, we find that for Tacacs authentication, there is an important command missed, as following:
[S5700]ssh authentication-type default password       //for SSH via HWTACACS, need to configure this command
After configure the above commands, the customer can login the switch now, the problem is resolved.
Root Cause
The root cause is that the configuration is not complete on the switch S5700. There are some important configurations lost, include domain and SSH configuration.

The solution is to add the lost commands and complete the domain and SSH method configuration.