Huawei devices and tac_plus


Aleksander Roer Olsen

Feb 11, 2016, 12:07:10 PM
to event-driv...@googlegroups.com
Hi

Does anyone on the list use any Huawei network devices with tac_plus? The authentication itself works (as stated from the tac log) but the device doesn't log me in and prompts for wrong login info.

I have no idea, but probably something to do with the group section. I've tried a lot of different variables without any luck.

group = huawei_switch {
        default service = permit
        service = shell {
            default command = permit
            set priv-lvl = 15
        }
}

Of course, this might not have anything to do with the tac_plus config.

Anyone able to push me the correct way?

Thanks in advance! :)

Regards,
Aleksander

b3bb...@gmail.com

Feb 12, 2016, 12:06:16 PM
to Event-Driven Servers

Alexander

Huawei and 3Com - then HP "joined forces" and in the event created their own "hybrid" TACACS protocol - HWTACACS - it's a cross between RADIUS and TACACS!


Try this :

default service = permit
service = exec {
    priv-lvl = 15
}


HTH

Rich..

b3bb...@gmail.com

Feb 12, 2016, 12:06:16 PM
to Event-Driven Servers

Aleksander

Huawei, 3COM/HP created their own "hybrid" TACACS+ protocol - HWTACACS - it's not TACACS but a hybrid between RADIUS and tacacs.... they created their own ACS - IMC - think it's been withdrawn now. Later versions of code have now reverted back to TACACS.

Try this:

default service = permit
service = exec {
    priv-lvl = 15
}

HTH

Rich


Adam Winnington

Feb 14, 2016, 1:53:52 PM
to event-driv...@googlegroups.com
It's been a while since I've played with Huawei switches, but the last time I did the switch had to be set up to play nice, and the tacacs privilege had to be set to 1.

Below is what I did; test it on a lab switch to make sure you don't get locked out.

---  On the switch ---

Go into system-view

Add users:
ssh user testadmin authentication-type password
ssh user testadmin service-type stelnet

set authentication scheme:

hwtacacs scheme hwtac
  primary authorization 1.2.3.4 49
  primary accounting 1.2.3.4 49
  primary authentication 1.2.3.4 49

  key authentication magicKey
  key authorization magicKey
  key accounting magicKey
  user-name-format without-domain
quit

Set the default scheme:

domain hwtac
  scheme hwtacacs-scheme hwtac

domain default enable hwtac

--- On the TACACs server, the stanza looked like this ---

service = h3c_shell {
   default cmd = permit
   default command = permit
   default attribute = permit
   set priv-lvl = 1
}

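Putting the two suggestions in this thread together, here is a complete tac_plus configuration file written as an added example (it is not from any post above and not from the tac_plus project itself). It keeps the h3c_shell service stanza with priv-lvl 1 from Adam's post next to a plain shell service for the Cisco-style devices Aleksander mentions, so one group can serve both kinds of device. The shared key, the user name and the password hash are placeholders; the device addresses in the host block are assumed.

```conf
# Added example tac_plus.conf (legacy group/user syntax as used in this thread).
# All secrets and addresses below are placeholders, not real values.

# Shared secret the network devices use to talk to tac_plus.
# Must match the "key authentication/authorization/accounting" lines
# configured in the device's hwtacacs scheme.
key = "PLACEHOLDER_SHARED_SECRET"

# Group for the Huawei/H3C switches. Per Adam's post, these devices ask
# for authorization of the "h3c_shell" service and expect priv-lvl 1.
group = huawei_switches {
    default service = permit

    service = h3c_shell {
        default cmd = permit
        default command = permit
        default attribute = permit
        set priv-lvl = 1
    }

    # The ordinary "shell" service, so that devices which request it
    # (Cisco, as mentioned in the thread) still get a level-15 exec.
    service = shell {
        default command = permit
        set priv-lvl = 15
    }
}

# Example user. As Adam notes, the same user name must also exist on the
# switch ("ssh user testadmin ...") before the device will let it log in.
user = testadmin {
    # Placeholder: replace with a hash produced by tac_pwd.
    login = des PLACEHOLDER_DES_HASH
    member = huawei_switches
}
```

A quick check before reloading the daemon is to run tac_plus with the `-P` option against the file, which parses the configuration and exits without starting the server, so an unbalanced brace like the one in Rich's fragment above is caught before it takes authentication down for every device pointing at the server.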

Aleksander Roer Olsen

Feb 17, 2016, 7:34:05 AM
to event-driv...@googlegroups.com
Hi

Thank you both for your replies and suggestions, b3bbr1ch and Adam.

So, up until now we've been using this for Cisco mainly but also Check Point and IBM. For IBM and Cisco this has been an easy thing where you set up the aaa and that's it. No local users except the last resort service user.

From what I understand Huawei needs the local users just like Check Point to make this work. I need to keep a local userdb with a local password to make this work. I haven't gotten it to work with only defining a "ssh user username" yet, but it works at the moment like that for the defined "aaa local-users". Will make it work, but now I at least know a little bit more of what's been stopping the login.

Again, thank you very much for your input.


Regards,
Aleksander

Adam Winnington

Feb 17, 2016, 7:48:57 AM
to event-driv...@googlegroups.com
Yes, the switch needs to know the local users, but it doesn't need those users to have passwords.
