Authentication bypassed when ACS offline

Unanswered Question
Feb 22nd, 2007

Hi,

I have a router that uses ACS for its login authentication via telnet (VTY). I put local as the second method. But whenever the ACS is offline, I can log in to the router using any word I type at the username prompt. This is my configuration:

aaa new-model
!
aaa authentication login CMD-LOGIN group tacacs+ local none
!
username cisco321 secret 5 $1$lfUc$Xnf9.emDl.QFRWt/NSEjU0
!
line vty 0 15
 login authentication CMD-LOGIN
!
end

Am I missing something in the configuration? Why doesn't the router use the local username and password as the second method?

Thanks

aalshammari Fri, 02/23/2007 - 02:40

Hi,

Remove the keyword ''none''.

Try this:

no aaa authentication login CMD-LOGIN group tacacs+ local none

aaa authentication login CMD-LOGIN group tacacs+ local

What will happen now: the router will first try to authenticate via TACACS; if it is offline, it will check the local database.

http://www.cisco.com/pcgi-bin/search/sr.pl?q=aaa%20authentication%20login&res=4&uid=&country=US&language=en&siteToSearch=cisco.com&filter=p&c_u=/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d2.html#18239

Hope this will resolve your issue.

Regards

Richard Burts Fri, 02/23/2007 - 09:14

Suwandy

I believe that the authentication is doing exactly what you have asked it to do. But there is an aspect of local authentication in aaa that is not well understood (I did not understand it for a long time and believe that others do not either). With aaa, when we configure local authentication it will prompt for a user name and, if one is entered, it will check against the locally configured names and passwords. But if the name entered is not found in the config, then aaa treats it as a failure of the method and, if another method is configured, it will use it. Which is what is happening as you describe it. I believe that most of us believe that if the name is not found it would count as a failed attempt and we should be denied access. But it does not count as a failed attempt but as a failed method. You can test this out if you wish: turn on debug aaa authentication. Then try to login to the router as cisco321 (the configured name) but with a different password. I believe that you will see your attempt refused. Then attempt to login to the router using some different name. I believe that you will see aaa attempt local authentication and then go on to line authentication.

HTH

Rick
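Added example, not code from this thread: a small Python model of the method-list evaluation Rick describes (each method answers PASS, FAIL or ERROR, and only ERROR moves on to the next method), with constructed usernames, passwords and ACS results. It shows why the original list lets any unknown name in when ACS is offline, why cisco321 with a wrong password is still refused, and why dropping `none` closes the hole.

```python
# Model of how an IOS "aaa authentication login" method list is walked,
# following the PASS / FAIL / ERROR semantics described in the thread.
# Local users, the ACS account and all passwords below are constructed.

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed local database, standing in for "username cisco321 secret ...".
LOCAL_USERS = {"cisco321": "correct-password"}


def method_tacacs(user, password, acs_online):
    """Reachable ACS gives an authoritative answer; unreachable ACS is ERROR."""
    if not acs_online:
        return ERROR
    # Constructed ACS account for the simulation.
    return PASS if (user, password) == ("admin", "acs-secret") else FAIL


def method_local(user, password, acs_online):
    """Known user, wrong password: failed attempt (FAIL, stop here).
    Unknown user: failed method (ERROR), so the next method is consulted."""
    if user not in LOCAL_USERS:
        return ERROR
    return PASS if LOCAL_USERS[user] == password else FAIL


def method_none(user, password, acs_online):
    """'none' performs no check at all: every attempt is allowed."""
    return PASS


METHODS = {"group tacacs+": method_tacacs, "local": method_local, "none": method_none}


def login(method_list, user, password, acs_online):
    """Walk the list in order; True means the login is allowed.
    If every method returns ERROR, nobody could decide and access is denied."""
    for name in method_list:
        result = METHODS[name](user, password, acs_online)
        if result != ERROR:
            return result == PASS
    return False


if __name__ == "__main__":
    original = ["group tacacs+", "local", "none"]   # the poster's list
    fixed = ["group tacacs+", "local"]              # 'none' removed
    print(login(original, "anything", "whatever", acs_online=False))  # True
    print(login(original, "cisco321", "wrong", acs_online=False))     # False
    print(login(fixed, "anything", "whatever", acs_online=False))     # False
```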
