Configuring TACACS in MA5800-X2
Luis
After making the following configuration on the Huawei MA5800-X2 OLT, it didn’t work:
hwtacacs-server template "xx-servers"
hwtacacs-server authentication x.x.x.xx
hwtacacs-server authorization x.x.x.xx
hwtacacs-server accounting x.x.x.xx
hwtacacs-server shared-key "xxx"
authentication-mode hwtacacs local
authorization-mode hwtacacs local
1. Verify whether the configuration is complete.
2. Check communication between the OLT and the TACACS server.
3. Enable debugging and capture packets at the OLT uplink:
In the TACACS+ packet capture, only one exchange was captured, the one in which the wrong [email protected] was entered, and that exchange was not completed. Before the TACACS server asks for the password, two steps are needed: the server requests the username, and the user inputs the username.
Example of the normal process:
Capture from the live network. It proves that the device communicates with the TACACS server.
4. However, when the customer enters the password, still nothing is captured: the OLT does not send a TACACS+ packet to the server.
The debugging information shows that the password is invalid and that verification in the IAS_LINEADPT module failed.
The OLT's TACACS handling does not follow the standard TACACS+ protocol. The OLT first verifies the password length and sends the TACACS packets to the server only if the length matches the rule. In the customer's test scenario the password length exceeds 16 characters, so the OLT reports an invalid password.
This issue will be resolved in V200R020C10SPH320, which will be released at the end of September. The new patch changes the password length from 16 bytes to 128 bytes.
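The capture analysis from steps 3 and 4, as an added example that is not part of the original write-up and is not Huawei code: it decodes TACACS+ authentication packets per RFC 8907 and reports where a session stopped. The shared key, session ID, username and packets are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import struct

STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 7: "ERROR"}
KEY = b"constructed-key"  # assumption: stands in for the redacted shared key

def crypt_body(hdr, body, key):
    """RFC 8907 obfuscation: XOR the body with an MD5-chained pad (encodes and decodes)."""
    version, seq, session = hdr[0:1], hdr[2:3], hdr[4:8]
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(session + key + version + seq + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def parse(pkt, key):
    """Return (session_id, seq_no, step name) for one authentication packet."""
    _ver, ptype, seq, flags, session, length = struct.unpack("!BBBBII", pkt[:12])
    if ptype != 1 or length == 0 or len(pkt) < 12 + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = pkt[12:12 + length]
    if not flags & 0x01:  # 0x01 = TAC_PLUS_UNENCRYPTED_FLAG
        body = crypt_body(pkt[:12], body, key)
    if seq % 2 == 0:  # even seq_no: server REPLY, first body byte is the status
        return session, seq, "REPLY " + STATUS.get(body[0], hex(body[0]))
    return session, seq, "START" if seq == 1 else "CONTINUE"

def diagnose(packets, key):
    """Walk one session in capture order and report where the exchange stopped."""
    steps = [parse(p, key)[2] for p in packets]
    if not steps:
        return "no TACACS+ traffic: check reachability and configuration"
    if steps[-1] == "REPLY GETPASS":
        return "server asked for password, client never sent it: check device-side password checks"
    if steps[-1] in ("REPLY PASS", "REPLY FAIL"):
        return "exchange completed with " + steps[-1][6:]
    return "exchange stopped after " + steps[-1]

def build(seq, body, key=KEY, session=0x1234ABCD):
    """Build a constructed packet (version 0xC0, type 1 = authentication)."""
    hdr = struct.pack("!BBBBII", 0xC0, 1, seq, 0, session, len(body))
    return hdr + crypt_body(hdr, body, key)

SAMPLE = [  # constructed session: username is exchanged, password never leaves the OLT
    build(1, b"\x01\x01\x01\x01\x00\x00\x00\x00"),  # START, ASCII login, no user yet
    build(2, b"\x04\x00\x00\x00\x00\x00"),          # REPLY GETUSER
    build(3, b"\x00\x05\x00\x00\x00admin"),         # CONTINUE carrying the username
    build(4, b"\x05\x01\x00\x00\x00\x00"),          # REPLY GETPASS (no-echo flag)
]
```

Calling `diagnose(SAMPLE, KEY)` reports that the server asked for the password and the client never sent it, which is the pattern this case shows when the OLT rejects the password locally.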