Issue Description
After the following configuration was applied on the Huawei MA5800-X2 OLT, TACACS+ login did not work:
hwtacacs-server template "xx-servers"
 hwtacacs-server authentication x.x.x.xx
 hwtacacs-server authorization x.x.x.xx
 hwtacacs-server accounting x.x.x.xx
 hwtacacs-server shared-key "xxx"
aaa
 authentication-scheme "default"
  authentication-mode radius
 authentication-scheme "xx-tacacs"
  authentication-mode hwtacacs local
 #
 authorization-scheme "default"
  authorization-mode hwtacacs local
 #
 accounting-scheme "default"
 accounting-scheme "xx-tacacs"
 #
 domain "default"
  authentication-scheme "xx-tacacs"
  hwtacacs-server "xx-servers"
Alarm Information
Handling Process
1. Verify that the configuration is complete.
2. Check communication between the OLT and the TACACS+ server.
3. Enable debugging and capture packets on the OLT uplink:
In the captured TACACS+ packets, only one authentication exchange was seen, the one in which the wrong password Huawei@123 was entered, and even that exchange was not completed. Before the TACACS+ server asks for the password, two steps are needed: the server requests the username and the client sends it.
Normal exchange, for reference:
Live-network capture result; this proves that the device does communicate with the TACACS+ server.
4. When the customer enters the real password, however, nothing is captured: the OLT does not send any TACACS+ packet to the server.
The debugging output shows that the password is reported as invalid and that the check in the IAS_LINEADPT module fails.
Root Cause
The OLT's TACACS+ handling is not fully standard: the OLT first checks the password length locally and only sends the TACACS+ packets to the server if the length is within its limit. In the customer's test scenario the password was longer than 16 characters, so the OLT reported an invalid password without ever contacting the server.
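To confirm that the limit is the OLT's and not the protocol's, the username/password exchange described in the handling process can be reproduced from a test host against the same TACACS+ server. The following codec is an added example, not code from this case or from Huawei; it assumes RFC 8907 ASCII-login framing, a constructed shared key, and prompts of the server's choosing, and it only builds and parses packets (sending them over TCP port 49 is left to the caller).

```python
"""Minimal TACACS+ (RFC 8907) ASCII-login packet codec, used to reproduce the
username/password exchange against a TACACS+ server from a test host."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
VERSION, TYPE_AUTHEN = 0xC0, 0x01   # major 0xC, minor 0: ASCII login
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def obfuscate(session_id, key, version, seq_no, body):
    """RFC 8907 section 4.5 body obfuscation: XOR with a chained MD5 pseudo-pad.
    The operation is symmetric, so it both hides and recovers a body."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def packet(session_id, key, seq_no, body):
    """Prepend the 12-byte header and obfuscate the body with the shared key."""
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, VERSION, seq_no, body)


def authen_start(session_id, key, port=b"vty0", rem_addr=b"", user=b""):
    """Authentication START (seq 1): action LOGIN, priv_lvl 1, type ASCII, service LOGIN.
    With an empty user the server answers GETUSER first, then GETPASS."""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return packet(session_id, key, 1, body + user + port + rem_addr)


def authen_continue(session_id, key, seq_no, user_msg):
    """Authentication CONTINUE (odd seq) carrying the username or the password.
    user_msg_len is a 16-bit field: the protocol itself imposes no 16-byte limit."""
    body = struct.pack("!HHB", len(user_msg), 0, 0) + user_msg
    return packet(session_id, key, seq_no, body)


def authen_reply(session_id, key, seq_no, status, server_msg=b""):
    """Authentication REPLY (even seq) as a server sends it; useful for a stub server."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    return packet(session_id, key, seq_no, body)


def parse_reply(key, raw):
    """Decode a REPLY into (status name, server prompt), e.g. ('GETPASS', b'Password: ')."""
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack_from(raw)
    body = obfuscate(session_id, key, version, seq_no, raw[12:12 + length])
    status, _flags, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    return REPLY_STATUS.get(status, hex(status)), body[6:6 + msg_len]
```

A reply that decodes to garbage with the key you expect points at a shared-key mismatch rather than at the password; a clean GETUSER/GETPASS sequence followed by PASS for a 20-plus character password shows the server side is fine.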
Solution
This issue will be resolved in V200R020C10SPH320, which will be released at the end of September. The patch raises the maximum password length from 16 bytes to 128 bytes.