Hi Francisco,
When you set the line "authentication login tacacs-scheme Nombre_Esquema local", you're telling it to authenticate using TACACS and only use "local" when TACACS is unavailable. That being said, I don't see anywhere in here where you are specifying what should use TACACS.
Here is the "script" I ran on an HPE 5130 with Comware to set up TACACS:
hwtacacs scheme clearpass
primary authentication //ip-clearpass-1//
primary authorization //ip-clearpass-1//
primary accounting //ip-clearpass-1//
secondary authentication //ip-clearpass-2//
secondary authorization //ip-clearpass-2//
secondary accounting //ip-clearpass-2//
key authentication simple //keyhere//
key authorization simple //keyhere//
key accounting simple //keyhere//
nas-ip #.#.#.#
user-name-format without-domain
exit
user-interface vty 0 15
authentication-mode scheme
protocol inbound ssh
exit
This portion sets up the primary authentication, authorization, and accounting for TACACS (note that you can put the "key" on the same line as primary, but I'm using two servers so it's easier to set the key once). Then I'm assigning that scheme ONLY to the first 16 VTY lines and ONLY for SSH.
Then I create the Domain:
domain clearpass
authentication login hwtacacs-scheme clearpass local
authorization login hwtacacs-scheme clearpass local
accounting login hwtacacs-scheme clearpass local
authorization command hwtacacs-scheme clearpass local
exit
domain default enable clearpass
domain if-unknown system
This tells the system to use TACACS as the default and then use Local if TACACS is completely offline, and to revert to the default domain if my domain is unavailable.
This lets me log in to the switch using TACACS in an SSH session, but when I console in, it doesn't ask for any credentials.
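An added example, not part of the original post or of any HPE tooling: a small Python audit of the two things this reply turns on, namely which user-interface lines carry "authentication-mode scheme" and whether the default domain's login method points at a defined hwtacacs scheme. The sample configuration is constructed, and its "user-interface aux 0" console block and the 192.0.2.10 address are assumptions for illustration.

```python
import re

# Constructed sample modelled on the post; "user-interface aux 0" (console) is an assumption.
SAMPLE_CONFIG = """\
hwtacacs scheme clearpass
primary authentication 192.0.2.10
exit
user-interface aux 0
exit
user-interface vty 0 15
authentication-mode scheme
exit
domain clearpass
authentication login hwtacacs-scheme clearpass local
exit
domain default enable clearpass
"""

HEADER = re.compile(r"^(hwtacacs scheme|user-interface|domain) (?!default |if-unknown )(.+)$")

def parse_sections(text):
    """Group commands under their section header; 'exit' closes a section."""
    sections, current = {("global", ""): []}, ("global", "")
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if line == "exit":
            current = ("global", "")
        elif m and current == ("global", ""):
            current = (m.group(1), m.group(2))
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def audit(text):
    """List lines that bypass AAA and default-domain methods with no scheme behind them."""
    sections, findings = parse_sections(text), []
    for (kind, name), cmds in sections.items():
        if kind == "user-interface" and "authentication-mode scheme" not in cmds:
            findings.append(f"user-interface {name}: no 'authentication-mode scheme'")
    schemes = {name for kind, name in sections if kind == "hwtacacs scheme"}
    default = next(iter(re.findall(r"(?m)^\s*domain default enable (\S+)", text)), None)
    login = [c for c in sections.get(("domain", default), []) if c.startswith("authentication login ")]
    if not login:
        findings.append("default domain has no 'authentication login' method")
    for m in filter(None, (re.search(r"hwtacacs-scheme (\S+)", c) for c in login)):
        if m.group(1) not in schemes:
            findings.append(f"domain {default}: undefined hwtacacs scheme '{m.group(1)}'")
    return findings
```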
Original Message:
Sent: May 11, 2024 09:38 AM
From: Francisco Pinto
Subject: Comware With Tacacs
Hi.
I'm setting up some switches with TACACS but the local console user is not working for me.
This is what I executed: