I'm attempting to deploy TACACS+ on several HPE 5120 switches remotely to integrate authentication via Active Directory instead of using generic accounts. However, I'm encountering an issue when applying the TACACS+ configuration via SSH.
Applied configuration:

```
hwtacacs scheme clearpass_tacacs
 primary authentication 172.17.10.x
 primary authorization 172.17.10.x
 primary accounting 172.17.10.x
 key authentication cipher <cipher_key>
 key authorization cipher <cipher_key>
 key accounting cipher <cipher_key>
 user-name-format without-domain
 nas-ip 192.168.1.x
domain ghtncb
 authentication login hwtacacs-scheme clearpass_tacacs local
 authorization login hwtacacs-scheme clearpass_tacacs local
 accounting login hwtacacs-scheme clearpass_tacacs
 accounting command hwtacacs-scheme clearpass_tacacs
 authorization command hwtacacs-scheme clearpass_tacacs
user-interface aux 0
 authentication-mode password
 set authentication password cipher <password_cipher>
user-interface vty 0 2
 authentication-mode scheme
 command authorization
 command accounting
 protocol inbound ssh
```
After applying this configuration, I should no longer be able to connect with the generic account, but I find that not only can I still connect with this account, I also cannot execute commands due to insufficient permissions. Furthermore, it is impossible for me to connect with an AD account.

When applying this configuration instead:
```
user-interface aux 0
 authentication-mode password
 set authentication password cipher <password_cipher>
user-interface vty 0 2
 authentication-mode scheme
 command authorization
 command accounting
 protocol inbound ssh
hwtacacs scheme clearpass_tacacs
 primary authentication 172.17.10.x
 primary authorization 172.17.10.x
 primary accounting 172.17.10.x
 key authentication cipher <cipher_key>
 key authorization cipher <cipher_key>
 key accounting cipher <cipher_key>
 user-name-format without-domain
 nas-ip 192.168.1.x
domain ghtncb
 authentication login hwtacacs-scheme clearpass_tacacs local
 authorization login hwtacacs-scheme clearpass_tacacs local
 accounting login hwtacacs-scheme clearpass_tacacs
 accounting command hwtacacs-scheme clearpass_tacacs
 authorization command hwtacacs-scheme clearpass_tacacs
```
When I try to apply the configuration related to the ghtncb domain, I receive the following error message for each command:

```
There are user(s) online, can not be configured.
```

This prevents me from applying the necessary configuration to enable authentication, authorization, and accounting via TACACS+, forcing me to consider on-site visits, which I'm trying to avoid. Has anyone encountered this problem, or have any idea how to solve this configuration blockage due to the presence of online users? Any help or suggestion would be greatly appreciated.
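Before pushing an AAA change like the one above to a remote switch, it helps to lint the flattened config for the mistakes that produce exactly the symptoms described in the post (a domain that references a scheme defined later, a login method with no `local` fallback, a vty line still on password authentication). The following script is an added example, not part of the original post and not an HPE tool; the section grammar it understands (`hwtacacs scheme`, `domain`, `user-interface`) and the rules it applies are the example's own assumptions about what a safe Comware management-plane configuration should contain. The two sample configurations are constructed: the first mirrors the post's working order, the second deliberately misorders the domain and drops the fallback.

```python
"""Lint a flattened Comware-style TACACS+ config before applying it over SSH.

Added example (not from the original post or from HPE). The checks below are
assumptions about a safe management-plane configuration, not vendor rules.
"""
import re

# Top-level commands that open a configuration context on Comware.
SECTION_RE = re.compile(r"^(hwtacacs scheme|domain|user-interface)\b")
AAA_ROLES = ("authentication", "authorization", "accounting")

# Constructed sample: same order as the post's working configuration.
GOOD_CONFIG = """
hwtacacs scheme clearpass_tacacs
primary authentication 172.17.10.x
primary authorization 172.17.10.x
primary accounting 172.17.10.x
key authentication cipher <cipher_key>
key authorization cipher <cipher_key>
key accounting cipher <cipher_key>
user-name-format without-domain
nas-ip 192.168.1.x
domain ghtncb
authentication login hwtacacs-scheme clearpass_tacacs local
authorization login hwtacacs-scheme clearpass_tacacs local
accounting login hwtacacs-scheme clearpass_tacacs
accounting command hwtacacs-scheme clearpass_tacacs
authorization command hwtacacs-scheme clearpass_tacacs
user-interface aux 0
authentication-mode password
set authentication password cipher <password_cipher>
user-interface vty 0 2
authentication-mode scheme
command authorization
command accounting
protocol inbound ssh
"""

# Constructed sample: domain before its scheme, no local fallback,
# incomplete scheme, vty left on password authentication.
BAD_CONFIG = """
domain ghtncb
authentication login hwtacacs-scheme clearpass_tacacs
authorization login hwtacacs-scheme clearpass_tacacs local
hwtacacs scheme clearpass_tacacs
primary authentication 172.17.10.x
key authentication cipher <cipher_key>
user-interface vty 0 2
authentication-mode password
protocol inbound ssh
"""


def parse_sections(text):
    """Group a flat config into (header, [sub-commands]) in the order written."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
        else:
            sections.append(("<global>", [line]))
    return sections


def lint_config(text):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    schemes_seen = set()  # schemes defined so far, to catch forward references
    for header, body in parse_sections(text):
        if header.startswith("hwtacacs scheme"):
            name = header.split()[2]
            schemes_seen.add(name)
            for role in AAA_ROLES:
                if not any(l.startswith(f"primary {role} ") for l in body):
                    findings.append(f"scheme {name}: no primary {role} server")
                if not any(l.startswith(f"key {role} ") for l in body):
                    findings.append(f"scheme {name}: no {role} key")
        elif header.startswith("domain"):
            dname = header.split()[1]
            for l in body:
                m = re.search(r"hwtacacs-scheme (\S+)", l)
                if m and m.group(1) not in schemes_seen:
                    findings.append(f"domain {dname}: '{l}' references scheme "
                                    f"{m.group(1)} not defined earlier")
                # Login authentication/authorization should fall back to local
                # accounts so a TACACS+ outage cannot lock out management.
                if (l.startswith(("authentication login", "authorization login"))
                        and not l.endswith(" local")):
                    findings.append(f"domain {dname}: '{l}' has no local fallback")
        elif header.startswith("user-interface"):
            ui = header[len("user-interface "):]
            if "vty" in ui:
                for required in ("authentication-mode scheme",
                                 "protocol inbound ssh", "command authorization"):
                    if required not in body:
                        findings.append(f"user-interface {ui}: missing '{required}'")
            elif "authentication-mode password" in body:
                findings.append(f"user-interface {ui}: password mode, AAA domain not applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"== {label} ==")
        for f in lint_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against the text you intend to paste into the SSH session; the ordering check is the one that matters most when the push is remote, because a forward reference to a scheme is accepted differently by different firmware and the symptom only appears at login time.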