aaa auth failed via ACS, but prompts for enable password

dbobeldyk · ‎03-26-2007

I have aaa working on a switch in my network.

The prolem I have is when a user fails the password authentication with a known ldap user, it prompts them for the enable password. If that user enters the enable password, they are then logged into the switch.

I would like for the enable password prompt to only come up if the AAA server is unavailable. Oddly enough, if I was to type in a user that doesn't exist in our LDAP tree, and type a bogus password, the enable password prompt never comes up.

User Joe(In ldap tree)

username: joe

password: <mis types password>

enable password: <---they can now enter the enable password here

User Jimmy (not in ldap tree)

username: jimmy

password: <---anything cuz jimmy isn't in tree

username: <--prompts for username again

Regardless if they are in the tree or not, I want it to prompt for the username and force them to log in through ldap.

Any suggestions? Thanks in advance.

Vivek Santuka · ‎03-26-2007

Hi,

Looks like there is a failover on "Fail" instead of failover on "Error". Never seen it happen before.

What Radius/Tacacs Server are you using ?

Can you show the aaa config from the device and maybe debugs.

Regards,

Vivek

dbobeldyk · ‎03-27-2007

TACACS Server: Cisco Secure ACS 4.1

Config fragment (scrubbed):

aaa new-model

aaa group server tacacs+ siteTACACS

server x.x.x.x

!

aaa authentication banner ^C

Unauthorized use strictly prohibited.

Please login with your LDAP credentials

^C

aaa authentication fail-message ^C

I.m sorry, your login credentials failed. Please try again.

^C

aaa authentication password-prompt Enable-Password:

aaa authentication login default enable

aaa authentication login siteMethodList group tacacs+ enable

aaa accounting exec siteAccountingList start-stop group tacacs+

aaa accounting commands 15 siteAccountingList start-stop group tacacs+

aaa session-id common

line vty 0 4

access-class 50 in

exec-timeout 120 0

password 7 xxxxxxx

accounting commands 15 siteAccountingList

accounting exec siteAccountingList

logging synchronous

login authentication siteMethodList

Vivek Santuka · ‎03-27-2007

Hi,

Can you tell me what happens if a wrong password is entered after changing :-

aaa authentication login default enable

to

aaa authentication login default none

I don't think ACS would send an error on failed authentication. Looks more like an IOS problem.

Regards,

Vivek

dbobeldyk · ‎03-27-2007

Thanks for the reply.

I placed the aaa authen login default none command in, but the behavior is still the same.

dbobeldyk · ‎03-27-2007

Along the same sort of thinking I tried:

aaa authentication login siteMethodList group tacacs+ none

When I entered the wrong password.... it automatically let me in...

Not exactly the security I'd be looking for. My understanding is that if the first method returns a fail, it won't try the second one. Is there flag or hook somewhere I have to set to enforce that type of behavior?

mtechnology · ‎04-01-2007

Hi dbobeldyk,

I am facing the problem in loging through TACACS LDAP ID,but i can able to login through Local login.

configuration present in my router is:

aaa new-model

!

aaa authentication login Masis group tacacs+ local

aaa authorization console

aaa authorization config-commands

aaa authorization exec Masis group tacacs+ local

aaa authorization commands 10 Masis group tacacs+ local

aaa authorization commands 15 Masis group tacacs+ local

aaa accounting exec Masis start-stop group tacacs+

aaa accounting commands 1 Masis start-stop group tacacs+

aaa accounting commands 15 Masis start-stop group tacacs+

!

tacacs-server host 172.*.*.* key ****

!

line vty 0 4

exec-timeout 5 0

authorization commands 15 Masis

authorization commands 1 Masis

authorization exec Masis

accounting connection Masis

accounting commands 1 Masis

accounting commands 15 Masis

accounting exec Masis

login authentication Masis

!

line vty 5 15

exec-timeout 5 0

authorization commands 15 Masis

authorization commands 1 Masis

authorization exec Masis

accounting connection Masis

accounting commands 1 Masis

accounting commands 15 Masis

accounting exec Masis

login authentication Masis

What may be the problem and how to trouble shoot it..

Please give the solution for my problem.

Thanks in advance.

Richard Burts · ‎04-01-2007

If I am understanding corretly the authentication through tacacs is not working but the authentication local is working. If authentication through tacacs is not working there are several things that it could be. I suggest that you check on these things:

- verify that the configured address for the tacacs server is correct.

- do you have IP connectivity to the tacacs server? Do an extended ping specifying the server address as the destination and specifying the source of the ping. If you have more than one interface that could be used to get to the tacacs server it is helpful to use ip tacacs source-address to specify which interface address to use (this can be important since the tacacs server can only be configured to recognize one address from this router). You want to be sure that you have a route and a valid path to the server and that the server has a route and a valid path back to you.

- if you do have IP connectivity, then look for the possibility that an access list somewhere is not permitting the tacacs request or response to go through.

- Verify that the key that you configured on the router is the same as the key you configured on the server.

- check the logs on the server. is it seeing the request from the router? if it is seeing the request and not authenticating then look in the failed attempts report and see why the server is not authenticating.

HTH

Rick

HTH

Rick

dbobeldyk · ‎04-05-2007

It seems that the ACS is returning an ERROR. I think it should be returning a FAIL perhaps?

debug log shown here:

MAN-209-TestSwitch#

Apr 5 10:25:33.413: AAA/AUTHEN/CONT (408942267): continue_login (user='bobeldde')

Apr 5 10:25:33.417: AAA/AUTHEN (408942267): status = GETPASS

Apr 5 10:25:33.417: AAA/AUTHEN (408942267): Method=tacacs+ (tacacs+)

Apr 5 10:25:33.417: TAC+: send AUTHEN/CONT packet id=408942267

Apr 5 10:25:33.417: TAC+: periodic timer started

Apr 5 10:25:33.417: TAC+: x.x.x.x req=80BC03B8 Qd id=408942267 ver=192 handle=0x80D7447C (ESTAB) expire=5 AUTHEN/CONT queued

Apr 5 10:25:33.417: TAC+: x.x.x.x (408942267) AUTHEN/CONT queued

Apr 5 10:25:33.517: TAC+: x.x.x.x ESTAB id=408942267 wrote 19 of 19 bytes

MAN-209-TestSwitch#

Apr 5 10:25:33.517: TAC+: x.x.x.x req=80BC03B8 Qd id=408942267 ver=192 handle=0x80D7447C (ESTAB) expire=4 AUTHEN/CONT sent

MAN-209-TestSwitch#

Apr 5 10:25:38.417: TAC+: x.x.x.x (408942267) AUTHEN/CONT -- TIMED OUT

Apr 5 10:25:38.417: TAC+: req=80BC03B8 Tx id=408942267 ver=192 handle=0x80D7447C (ESTAB) expire=0 AUTHEN/CONT processed

Apr 5 10:25:38.417: TAC+: (408942267) AUTHEN/CONT processed

Apr 5 10:25:38.417: TAC+: periodic timer stopped (queue empty)

Apr 5 10:25:38.417: TAC+: Error sending continue packet.

Apr 5 10:25:38.417: TAC+: Closing TCP/IP 0x80D7447C connection to x.x.x.x/49

Apr 5 10:25:38.421: AAA/AUTHEN (408942267): status = ERROR

Apr 5 10:25:38.421: AAA/AUTHEN/START (209030656): port='tty2' list='' action=LOGIN service=LOGIN

dbobeldyk · ‎04-12-2007

tacacs-server timeout 30

The above command solved my problem. It appears that there is a default of 5 seconds for the acs server to respond. The ldap query (and fail) was taking longer than the default 5 seconds. I up'ed the timeout to 30 seconds which allowed for enough time to return a FAIL, aso opposed to the ERROR it was returning.