Authentication bypassed when ACS offline

0600648902
Level 1

Hi,

I have a router that uses ACS for its authentication login via telnet (VTY). I put local as the second method. But whenever the ACS is offline, I can log in to the router using any word I type at the username prompt. This is my configuration:

aaa new-model
!
aaa authentication login CMD-LOGIN group tacacs+ local none
!
username cisco321 secret 5 $1$lfUc$Xnf9.emDl.QFRWt/NSEjU0
!
line vty 0 15
 login authentication CMD-LOGIN
!
end

Am I missing something in the configuration? Why doesn't the router use the local username and password as the second method?

Thanks

2 Replies

aalshammari
Level 1

Hi,

Remove the keyword ''none''.

Try this:

no aaa authentication login CMD-LOGIN group tacacs+ local none
aaa authentication login CMD-LOGIN group tacacs+ local

What will happen now is that the router will first try to authenticate via TACACS; if it is offline, it will check the local database.

http://www.cisco.com/pcgi-bin/search/sr.pl?q=aaa%20authentication%20login&res=4&uid=&country=US&language=en&siteToSearch=cisco.com&filter=p&c_u=/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d2.html#18239

Hope this will resolve your issue.

Regards

Suwandy

I believe that the authentication is doing exactly what you have asked it to do. But there is an aspect of local authentication in aaa that is not well understood (I did not understand it for a long time and believe that others do not either). With aaa, when we configure local authentication it will prompt for a user name and, if one is entered, it will check against the locally configured names and passwords. But if the name entered is not found in the config, then aaa treats it as a failure of the method and, if another method is configured, it will use it. Which is what is happening as you describe it. I believe that most of us believe that if the name is not found it would count as a failed attempt and we should be denied access. But it does not count as a failed attempt but as a failed method. You can test this out if you wish: turn on debug aaa authentication. Then try to login to the router as cisco321 (the configured name) but with a different password. I believe that you will see your attempt refused. Then attempt to login to the router using some different name. I believe that you will see aaa attempt local authentication and then go on to line authentication.

HTH

Rick

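Both replies come down to how IOS walks a method list: a method that returns an error (offline TACACS+ server, or a username the local database does not know) hands control to the next method, whereas a method that rejects the credentials ends the list. The following Python model, added here as an illustration and not taken from the thread or from Cisco, makes that distinction explicit and shows why `group tacacs+ local none` lets an unknown username straight in when the server is down, while `group tacacs+ local` denies it. The user tables, the password `s3cret` (a stand-in for the hashed secret in the original config) and the `audit_login_line` helper are constructed for the example.

```python
"""Model of how a Cisco IOS AAA login method list is evaluated.

Constructed example (not the thread's or Cisco's code): each method returns
PASS, FAIL or ERROR. FAIL ends the list and denies access; ERROR means the
method could not decide, so evaluation moves to the next method. The local
database returns ERROR for an unknown username and FAIL for a wrong password,
which is the behaviour Rick describes; `none` always returns PASS.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional


class Result(Enum):
    PASS = "pass"    # user authenticated
    FAIL = "fail"    # credentials rejected: stop the list, deny
    ERROR = "error"  # method could not decide: try the next method


# Constructed local user database (username -> password). The real router
# stores a hash; a plaintext placeholder is enough to model the decision.
LOCAL_USERS: Dict[str, str] = {"cisco321": "s3cret"}

# Constructed TACACS+ server-side user table.
TACACS_USERS: Dict[str, str] = {"netadmin": "tac-pass"}


def tacacs(user: str, password: str, *, server_up: bool) -> Result:
    """A reachable server decides PASS/FAIL; an unreachable one is ERROR."""
    if not server_up:
        return Result.ERROR
    if user not in TACACS_USERS or TACACS_USERS[user] != password:
        return Result.FAIL
    return Result.PASS


def local(user: str, password: str) -> Result:
    """Unknown name is a method error (list continues); wrong password is FAIL."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def none(user: str, password: str) -> Result:
    """The `none` method performs no authentication at all."""
    return Result.PASS


Method = Callable[[str, str], Result]


def evaluate(method_list: List[Method], user: str, password: str) -> bool:
    """Walk the list in order; return True when the login is allowed."""
    for method in method_list:
        result = method(user, password)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False
        # Result.ERROR: fall through to the next configured method
    return False  # every method errored and no `none` at the end: deny


def build_list(with_none: bool, server_up: bool) -> List[Method]:
    """`group tacacs+ local [none]` as a list of method callables."""
    methods: List[Method] = [
        lambda u, p: tacacs(u, p, server_up=server_up),
        local,
    ]
    if with_none:
        methods.append(none)
    return methods


def audit_login_line(line: str) -> Optional[str]:
    """Hypothetical config check: flag a login method list containing `none`."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        return None
    list_name, methods = tokens[3], tokens[4:]
    if "none" in methods:
        return (f"{list_name}: 'none' is a method; when every earlier method "
                f"errors (server offline, unknown local user) the login is open")
    return None


if __name__ == "__main__":
    offline_with_none = build_list(with_none=True, server_up=False)
    offline_fixed = build_list(with_none=False, server_up=False)
    print("unknown user, server down, '... local none':",
          evaluate(offline_with_none, "whatever", "x"))      # True (bypass)
    print("unknown user, server down, '... local':",
          evaluate(offline_fixed, "whatever", "x"))          # False
    print(audit_login_line(
        "aaa authentication login CMD-LOGIN group tacacs+ local none"))
```

Running the script prints the bypass case first and the corrected list second; `audit_login_line` is the kind of one-line check worth adding to a configuration review so that a trailing `none` on a VTY login list is caught before a server outage reveals it.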