The on-site AC is a WX3510X running version R1411P01. The site uses HWTACACS to authenticate device WEB logins; after the username and password are entered, the browser shows only a blank page. SSH and console logins authenticated through HWTACACS work normally, and a local WEB login that does not go through the server also works normally.
1. First, check the device configuration:
hwtacacs scheme acs-scheme
primary authentication X.X.X.204
primary authorization X.X.X.204
primary accounting X.X.X.204
secondary authentication X.X.X.205
secondary authorization X.X.X.205
secondary accounting X.X.X.205
key authentication cipher $c$3$Bj/PLTxaF/WCclixCTyYNITlXX2v19wNmc4/jA==
key authorization cipher $c$3$/zvkdF6CQknUiy+qwbChBaU74hnTMbqZ+3+vdQ==
key accounting cipher $c$3$kwItVJtxQIIpQZtq24RuurJhjUWGHH7EMXOZLw==
timer response-timeout 3
user-name-format without-domain
nas-ip X.X.X.180
#
domain name acs
authorization command hwtacacs-scheme acs-scheme local
authentication default hwtacacs-scheme acs-scheme local
authorization default hwtacacs-scheme acs-scheme local
accounting default hwtacacs-scheme acs-scheme local
#
line vty 0 4
authentication-mode scheme
user-role network-operator
idle-timeout 5 0
command authorization
command accounting
2. Collect debug information: the debug output shows that HWTACACS authentication succeeds, but the role the server assigns to this account is wrong. It assigns level-1, and level-1 has no WEB page permission; level-15 is required. Compare the two predefined roles on the device:
<WX5540E-V7>display role name level-1
Role: level-1
Description: Predefined level-1 role
VLAN policy: Permit (default)
Interface policy: Permit (default)
VPN instance policy: Permit (default)
Location policy: Permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
sys-1 permit command tracert *
sys-2 permit command telnet *
sys-3 permit command ping *
sys-4 permit command ssh2 *
sys-5 permit command display *
sys-6 permit command super *
sys-7 deny command display history-command all
R:Read W:Write X:Execute
<WX5540E-V7>display role name level-15
Role: level-15
Description: Predefined level-15 role
VLAN policy: Permit (default)
Interface policy: Permit (default)
VPN instance policy: Permit (default)
Location policy: Permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
sys-1 permit command *
sys-2 permit RWX web-menu -
sys-3 permit RWX xml-element -
sys-4 deny command display security-logfile summary
sys-5 deny command system-view ; info-center security-logfile directory *
sys-6 deny command security-logfile save
sys-7 permit RW- oid 1
R:Read W:Write X:Execute
Change the role that the TACACS server assigns to the account to level-15 (the level-15 role carries the "permit RWX web-menu" rule that level-1 lacks).
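The root cause above is that the assigned role has no rule covering the web-menu feature. The following Python script is an added example (not H3C code and not part of this case) that parses `display role name` output of the kind shown above and reports whether a role grants WEB access, so the role can be checked before it is pushed from the server. The two role dumps embedded in the script are copied from this case; the assumption that, among rules for the same scope, the later (higher-ID) rule takes effect follows the H3C RBAC documentation and is marked in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Role dumps copied from the case output above (the wrapped sys-5 line joined).
ROLE_LEVEL_1 = """\
Role: level-1
Description: Predefined level-1 role
VLAN policy: Permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
sys-1 permit command tracert *
sys-2 permit command telnet *
sys-3 permit command ping *
sys-4 permit command ssh2 *
sys-5 permit command display *
sys-6 permit command super *
sys-7 deny command display history-command all
R:Read W:Write X:Execute
"""

ROLE_LEVEL_15 = """\
Role: level-15
Description: Predefined level-15 role
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
sys-1 permit command *
sys-2 permit RWX web-menu -
sys-3 permit RWX xml-element -
sys-4 deny command display security-logfile summary
sys-5 deny command system-view ; info-center security-logfile directory *
sys-6 deny command security-logfile save
sys-7 permit RW- oid 1
R:Read W:Write X:Execute
"""


@dataclass
class RoleRule:
    name: str    # rule id, e.g. sys-2
    perm: str    # permit / deny
    kind: str    # "command" or an access string such as RWX / RW-
    scope: str   # "command", "web-menu", "xml-element", "oid", ...
    entity: str  # command pattern, OID, or "-"


def parse_role(text: str) -> Tuple[Optional[str], List[RoleRule]]:
    """Parse one 'display role name' block into (role name, rule list)."""
    role, rules, dashes = None, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Role:"):
            role = line.split(":", 1)[1].strip()
            continue
        if set(line) == {"-"}:          # table border; rows start after the 2nd one
            dashes += 1
            continue
        if dashes < 2:
            continue
        if line.startswith("R:Read"):   # legend ends the table
            break
        tokens = line.split()
        if len(tokens) < 3:
            continue
        name, perm, kind = tokens[:3]
        if kind == "command":
            scope, entity = "command", " ".join(tokens[3:])
        else:
            scope = tokens[3] if len(tokens) > 3 else ""
            entity = " ".join(tokens[4:])
        rules.append(RoleRule(name, perm, kind, scope, entity))
    return role, rules


def effective_rule(rules: List[RoleRule], scope: str) -> Optional[RoleRule]:
    """Last matching rule wins (assumption: higher rule ID takes precedence)."""
    matches = [r for r in rules if r.scope == scope]
    return matches[-1] if matches else None


def grants_feature(text: str, scope: str) -> bool:
    """True if the role has a permit rule with read access for the scope."""
    _, rules = parse_role(text)
    rule = effective_rule(rules, scope)
    return bool(rule and rule.perm == "permit" and "R" in rule.kind)


def grants_web_access(text: str) -> bool:
    return grants_feature(text, "web-menu")


def audit(text: str) -> Dict[str, object]:
    """Summarise what a role allows, for a quick pre-change check."""
    role, rules = parse_role(text)
    return {
        "role": role,
        "web-menu": grants_feature(text, "web-menu"),
        "xml-element": grants_feature(text, "xml-element"),
        "command_rules": sum(1 for r in rules if r.scope == "command"),
    }


if __name__ == "__main__":
    for dump in (ROLE_LEVEL_1, ROLE_LEVEL_15):
        print(audit(dump))
```

Running the script reports that level-1 has no web-menu permission and level-15 does, which is exactly the mismatch the debug output exposed; the same check can be pasted over the output of any custom role before it is configured on the TACACS server.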