Thank you very much for your reply. According to your prompts, I added configurations to Huawei equipment and streamlined tac_plus.cfg. I only want the demo user to be able to execute system-view and display commands and prohibit the execution of interface commands. But now the demo user cannot execute system-view after logging in. Moreover, I found a phenomenon through the data packets captured by Wireshark. During the authorization phase, the response packet given by the tac_plus server contained Privilege Level = 0, which made it impossible to enter the configuration mode. But if I configure set priv-lvl = xxx in the service, the response message will carry priv-lvl. This is when the cmd configured below does not work.
May I ask, what is the principle behind this phenomenon? I really appreciate you taking the time to help me resolve this issue.
The debug log is as follows:
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 New session
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 1, flags: unencrypted
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 29
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 AUTHEN/START, priv_lvl=0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 action=login (1)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 authen_type=ascii (1)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 service=login (1)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 user_len=4 port_len=4 rem_addr_len=13
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 data_len=0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 user (len: 4): demo
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 port (len: 4): vty0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 rem_addr (len: 13): 192.168.100.2
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 authen: hdr->seq_no: 1
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 looking for user demo realm default
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 user lookup succeded
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 Writing AUTHEN/GETPASS size=29
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 2, flags: unencrypted
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 17
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 msg_len=11, data_len=0
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 msg (len: 11): \nPassword:
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 data (len: 0):
237: 10:08:01.888 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 3, flags: unencrypted
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 9
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 AUTHEN/CONT user_msg_len=4, user_data_len=0
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 authen: hdr->seq_no: 3
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 looking for user demo realm default
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 user lookup succeded
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 shell login for 'demo' from 192.168.100.2 on vty0 succeeded
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 Writing AUTHEN/PASS size=18
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<start packet>---
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 key used: 12345678
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 version: 192, type: 1, seq no: 4, flags: unencrypted
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 session id: 36880f8b, data length: 6
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 AUTHEN, status=1 (AUTHEN/PASS) flags=0x0
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 msg_len=0, data_len=0
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 msg (len: 0):
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 data (len: 0):
237: 10:08:01.895 0/8b0f8836: 192.168.100.201 ---<end packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 New session
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<start packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 key used: 12345678
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 version: 192, type: 2, seq no: 1, flags: unencrypted
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 session id: 1f1c70f6, data length: 48
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR, priv_lvl=0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 authen_type=ascii (1)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 authen_method=tacacs+ (6)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 service=login (1)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user_len=4 port_len=4 rem_addr_len=13 arg_cnt=2
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user (len: 4): demo
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 port (len: 4): vty0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 rem_addr (len: 13): 192.168.100.2
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[0] (len: 13): service=shell
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[1] (len: 4): cmd*
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<end packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 Start authorization request
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 user 'demo' found
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 cfg_get: checking user/group demo, tag (NULL)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201
de...@192.168.100.201: not found: svcname=shell@world protocol=
237: 10:08:01.909 1/f6701c1f: 192.168.100.201
de...@192.168.100.201: found: svcname=shell protocol=
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 nas:service=shell (passed thru)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 nas:cmd* (passed thru)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 Writing AUTHOR/PASS_ADD size=18
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<start packet>---
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 key used: 12345678
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 version: 192, type: 2, seq no: 2, flags: unencrypted
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 session id: 1f1c70f6, data length: 6
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 msg_len=0, data_len=0, arg_cnt=0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 msg (len: 0):
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 data (len: 0):
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 ---<end packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 New session
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<start packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 key used: 12345678
237: 10:08:01.931 2/6d16512c: 192.168.100.201 version: 192, type: 3, seq no: 1, flags: unencrypted
237: 10:08:01.931 2/6d16512c: 192.168.100.201 session id: 2c51166d, data length: 66
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ACCT, priv_lvl=0 flags=0x2
237: 10:08:01.931 2/6d16512c: 192.168.100.201 authen_type=ascii (1)
237: 10:08:01.931 2/6d16512c: 192.168.100.201 authen_method=tacacs+ (6)
237: 10:08:01.931 2/6d16512c: 192.168.100.201 service=login (1)
237: 10:08:01.931 2/6d16512c: 192.168.100.201 user_len=4 port_len=4 rem_addr_len=13 arg_cnt=3
237: 10:08:01.931 2/6d16512c: 192.168.100.201 user (len: 4): demo
237: 10:08:01.931 2/6d16512c: 192.168.100.201 port (len: 4): vty0
237: 10:08:01.931 2/6d16512c: 192.168.100.201 rem_addr (len: 13): 192.168.100.2
237: 10:08:01.931 2/6d16512c: 192.168.100.201 arg[0] (len: 10): task_id=53
237: 10:08:01.931 2/6d16512c: 192.168.100.201 arg[1] (len: 10): timezone=0
237: 10:08:01.931 2/6d16512c: 192.168.100.201 arg[2] (len: 13): service=shell
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<end packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 Writing ACCT size=17
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<start packet>---
237: 10:08:01.931 2/6d16512c: 192.168.100.201 key used: 12345678
237: 10:08:01.931 2/6d16512c: 192.168.100.201 version: 192, type: 3, seq no: 2, flags: unencrypted
237: 10:08:01.931 2/6d16512c: 192.168.100.201 session id: 2c51166d, data length: 5
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ACCT/REPLY, status=1, msg_len=0, data_len=0
237: 10:08:01.931 2/6d16512c: 192.168.100.201 msg (len: 0):
237: 10:08:01.931 2/6d16512c: 192.168.100.201 data (len: 0):
237: 10:08:01.931 2/6d16512c: 192.168.100.201 ---<end packet>---
Cheers
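Added example, not part of the original post: a small Python parser for debug output in the format shown above that pairs each authorization request with the server's reply and reports whether a priv-lvl attribute came back. The helper name `authorization_summary` is hypothetical, and the parser assumes reply attributes are logged in the same `arg[n]` form as request attributes.

```python
import re

# Excerpt copied from the authorization session in the debug log above.
LOG = """\
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 version: 192, type: 2, seq no: 1, flags: unencrypted
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR, priv_lvl=0
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[0] (len: 13): service=shell
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 arg[1] (len: 4): cmd*
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 version: 192, type: 2, seq no: 2, flags: unencrypted
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
237: 10:08:01.909 1/f6701c1f: 192.168.100.201 msg_len=0, data_len=0, arg_cnt=0
"""

PREFIX = re.compile(r"^\d+: [\d:.]+ (\d+/[0-9a-f]+): (\S+) (.*)$")
HEADER = re.compile(r"version: \d+, type: (\d+), seq no: (\d+), flags: (.*)")

def authorization_summary(log):
    """Return one dict per authorization session (packet type 2) in the log."""
    sessions, from_server = {}, {}
    for line in log.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # wrapped or unrelated lines are skipped
        sid, nas, msg = m.groups()
        s = sessions.setdefault(sid, {
            "session": sid, "nas": nas, "type": None, "flags": None,
            "request_priv_lvl": None, "request_args": [],
            "reply_status": None, "reply_args": []})
        if h := HEADER.match(msg):
            s["type"] = int(h[1])
            s["flags"] = h[3]  # flags field exactly as the log prints it
            from_server[sid] = int(h[2]) % 2 == 0  # client packets use odd seq numbers
        elif r := re.match(r"AUTHOR, priv_lvl=(\d+)", msg):
            s["request_priv_lvl"] = int(r[1])
        elif r := re.match(r"AUTHOR/REPLY, status=\d+ \(([^)]+)\)", msg):
            s["reply_status"] = r[1]
        elif r := re.match(r"arg\[\d+\] \(len: \d+\): (.*)", msg):
            key = "reply_args" if from_server.get(sid, False) else "request_args"
            s[key].append(r[1])
    result = []
    for s in sessions.values():
        if s.pop("type") == 2:  # keep authorization sessions only
            s["priv_lvl_returned"] = any(a.startswith("priv-lvl") for a in s["reply_args"])
            result.append(s)
    return result
```

Run over the excerpt, it reports an AUTHOR/PASS_ADD reply with no attributes, so no priv-lvl was returned for the shell authorization.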