PC --- S6900 --- ACS
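The customer's S6900 switch was integrated with ACS to authenticate device-management users. After the configuration was applied, entering the account and password at terminal login produced no response at all, and the user could not reach the configuration interface.
The configuration on the customer's device was as follows: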
#
hwtacacs scheme acs
primary authentication 10.46.249.35
primary authorization 10.46.249.35
key authentication cipher $c$3$cqZlhf3f9NiIOLljv0OPHDU2zu/IUVrnYJXAH43xVA==
key authorization cipher $c$3$UNQ9cl0uSfQFpJc3zSa4sPLBEuzwGv+wa4WQYpe5ew==
user-name-format without-domain
nas-ip 10.47.139.195
#
domain idc
authentication login hwtacacs-scheme acs local
authorization login hwtacacs-scheme acs local
#
line vty 0 15
authentication-mode scheme
user-role network-admin
protocol inbound ssh
idle-timeout 1800 0
#
line vty 16 63
authentication-mode scheme
user-role network-admin
protocol inbound ssh
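Nothing obviously wrong was found in the configuration. The customer had also configured a local account, and a test login with that local account succeeded. Debug output was then collected. It showed that authentication had passed and that a login-success log followed, but a login-failure log appeared immediately afterwards.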
*Aug 2 10:46:07:672 2021 4F-G10-G11-TOR-IRF TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.
%Aug 2 10:46:07:673 2021 4F-G10-G11-TOR-IRF SSHS/6/SSHS_LOG: Accepted password for xqa from 10.46.253.20 port 57877.
%Aug 2 10:46:08:776 2021 4F-G10-G11-TOR-IRF SSHS/6/SSHS_CONNECT: SSH user xqa (IP: 10.46.253.20) connected to the server successfully.
%Aug 2 10:46:09:145 2021 4F-G10-G11-TOR-IRF LOGIN/5/LOGIN_FAILED: xqa failed to log in from 10.46.253.20.
%Aug 2 10:46:12:238 2021 4F-G10-G11-TOR-IRF SSHS/6/SSHS_DISCONNECT: SSH user xqa (IP: 10.46.253.20) disconnected from the server.
Accounting was suspected to be the cause, so the customer was told to add the following under the domain:
accounting login none
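After that, login worked normally.
With accounting login none added, authentication succeeds and the user reaches the configuration interface. On the device side, if accounting is not configured under the domain, local accounting is used, and when the user does not exist locally, accounting fails. accounting login none is the switch for local accounting: once it is configured, local accounting is no longer used.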
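An added example, not part of the original case or any H3C tooling: a Python check that scans saved configuration text for domains that send login authentication or authorization to a remote scheme but carry no explicit accounting line, which is the condition described above. The function names, the sample domains idc-fixed and system, the reliance on # lines as section separators, and treating accounting default as an explicit setting are assumptions made for this illustration.

```python
import re

REMOTE_SCHEMES = ("hwtacacs-scheme", "radius-scheme")

def parse_domains(config_text):
    """Map each domain name to the commands found in its section."""
    domains, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 'domain idc' as on the page; 'domain name idc' is tolerated too.
        m = re.match(r"^domain (?:name )?(\S+)$", line)
        if m:
            current = domains.setdefault(m.group(1), [])
        elif line.startswith("#"):
            current = None  # assumption: '#' closes the current section
        elif current is not None:
            current.append(line)
    return domains

def domains_without_login_accounting(config_text):
    """Domains with remote login AAA but no explicit accounting method."""
    findings = []
    for name, cmds in parse_domains(config_text).items():
        remote_login = any(
            c.startswith(("authentication login", "authorization login"))
            and any(tok in REMOTE_SCHEMES for tok in c.split())
            for c in cmds)
        # Assumption: 'accounting default' also counts as an explicit choice.
        explicit = any(
            c.startswith(("accounting login", "accounting default"))
            for c in cmds)
        if remote_login and not explicit:
            findings.append(name)
    return findings

# Constructed sample: 'idc' mirrors the page; the other domains are invented.
SAMPLE = """#
domain idc
 authentication login hwtacacs-scheme acs local
 authorization login hwtacacs-scheme acs local
#
domain idc-fixed
 authentication login hwtacacs-scheme acs local
 authorization login hwtacacs-scheme acs local
 accounting login none
#
domain system
#
line vty 0 15
 authentication-mode scheme
#
"""

if __name__ == "__main__":
    print(domains_without_login_accounting(SAMPLE))
```
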