Case study: troubleshooting a white page when logging in to the device web interface via HWTACACS on WX3510X at a certain site

2025-06-24 10:04:29 Published

Problem Description

The on-site AC model is WX3820X, running version R1411P01. The site uses HWTACACS to verify logins to the device web interface. After the username and password are entered, the browser goes straight to a white page. HWTACACS login verification over SSH and the console works without issues, and direct local web login without verification also works fine.


Process Analysis

1. First check the device configuration:

hwtacacs scheme acs-scheme
 primary authentication X.X.X.204
 primary authorization X.X.X.204
 primary accounting X.X.X.204
 secondary authentication X.X.X.205
 secondary authorization X.X.X.205
 secondary accounting X.X.X.205
 key authentication cipher $c$3$Bj/PLTxaF/WCclixCTyYNITlXX2v19wNmc4/jA==
 key authorization cipher $c$3$/zvkdF6CQknUiy+qwbChBaU74hnTMbqZ+3+vdQ==
 key accounting cipher $c$3$kwItVJtxQIIpQZtq24RuurJhjUWGHH7EMXOZLw==
 timer response-timeout 3
 user-name-format without-domain
 nas-ip X.X.X.180
#
domain name acs
 authorization command hwtacacs-scheme acs-scheme local
 authentication default hwtacacs-scheme acs-scheme local
 authorization default hwtacacs-scheme acs-scheme local
 accounting default hwtacacs-scheme acs-scheme local
#
line vty 0 4
 authentication-mode scheme
 user-role network-operator
 idle-timeout 5 0
 command authorization
 command accounting

2. Collect debug information. It shows that HWTACACS authentication succeeds, but the role the server assigns to this account is incorrect: the assigned level-1 role does not include web page access, which requires level-15 permission.

<WX5540E-V7>display role name level-1
Role: level-1
  Description: Predefined level-1 role
  VLAN policy: Permit (default)
  Interface policy: Permit (default)
  VPN instance policy: Permit (default)
  Location policy: Permit (default)
  -------------------------------------------------------------------
  Rule    Perm   Type  Scope         Entity
  -------------------------------------------------------------------
  sys-1   permit       command       tracert *
  sys-2   permit       command       telnet *
  sys-3   permit       command       ping *
  sys-4   permit       command       ssh2 *
  sys-5   permit       command       display *
  sys-6   permit       command       super *
  sys-7   deny         command       display history-command all
  R:Read W:Write X:Execute

<WX3820X>display role name level-15
Role: level-15
  Description: Predefined level-15 role
  VLAN policy: Permit (default)
  Interface policy: Permit (default)
  VPN instance policy: Permit (default)
  Location policy: Permit (default)
  -------------------------------------------------------------------
  Rule    Perm   Type  Scope         Entity
  -------------------------------------------------------------------
  sys-1   permit       command       *
  sys-2   permit RWX   web-menu      -
  sys-3   permit RWX   xml-element   -
  sys-4   deny         command       display security-logfile summary
  sys-5   deny         command       system-view ; info-center securi
                                     ty-logfile directory *
  sys-6   deny         command       security-logfile save
  sys-7   permit RW-   oid           1
  R:Read W:Write X:Execute


Solution

Modify the account role issued by the server to level-15.
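
The comparison made in step 2 can be checked mechanically. The following is an added example, not part of the original case or of any vendor tool: it parses the rule rows of the two "display role name" listings above and reports whether a role carries the web-related permit rules. The function names are hypothetical, and treating read access on both web-menu and xml-element as the condition for the web page to render is an assumption drawn from the level-15 listing.

```python
import re

# Rule lines copied from the two "display role name" listings on this page.
LEVEL_1 = """\
sys-1 permit command tracert *
sys-2 permit command telnet *
sys-3 permit command ping *
sys-4 permit command ssh2 *
sys-5 permit command display *
sys-6 permit command super *
sys-7 deny command display history-command all
"""
LEVEL_15 = """\
sys-1 permit command *
sys-2 permit RWX web-menu -
sys-3 permit RWX xml-element -
sys-4 deny command display security-logfile summary
sys-5 deny command system-view ; info-center securi
ty-logfile directory *
sys-6 deny command security-logfile save
sys-7 permit RW- oid 1
"""
FIELDS = ("rule", "perm", "type", "scope", "entity")  # Type (R/W/X) is optional
RULE = re.compile(r"^(\S+-\d+)\s+(permit|deny)\s+(?:([RWX-]{3})\s+)?(\S+)\s+(.*)$")

def parse_rules(text):
    """Parse rule rows; a row that is not a rule continues the previous Entity."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if m:
            rules.append(dict(zip(FIELDS, (g or "" for g in m.groups()))))
        elif line and rules:
            rules[-1]["entity"] += line  # Entity column wrapped by the terminal
    return rules

def web_scopes_permitted(rules):
    """Web-related scopes that carry a permit rule with read access."""
    return sorted({r["scope"] for r in rules
                   if r["perm"] == "permit" and "R" in r["type"]
                   and r["scope"] in ("web-menu", "xml-element")})

def can_render_web_ui(rules):
    # Assumption: the web UI needs read access on both scopes, as level-15 has.
    return web_scopes_permitted(rules) == ["web-menu", "xml-element"]

if __name__ == "__main__":
    for name, text in (("level-1", LEVEL_1), ("level-15", LEVEL_15)):
        print(name, "web UI usable:", can_render_web_ui(parse_rules(text)))
```

Running the same check on the role a server actually issues to an account shows, before anyone logs in, whether that account will reach the web interface or the white page.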
