Login Enhancements

xbanchon
Level 1

Hi...

I tried to configure Cisco Login Enhancements on a cat 3560 like this...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm

and when I attempt to access via telnet I can't generate the user name for the log message

00:55:11: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 192.168.1.1] [localport: 23] at 00:55:10 UTC Mon Mar 1 1993

[user: ]

Does somebody know what could be happening?

5 Replies 5

Richard Burts
Hall of Fame

Xavier

It would be helpful to have some details of the config of your 3560, especially details of how you authenticate telnet users.

But without having that detail I will make a guess about what is happening. My guess is that you are authenticating telnet users based on the line password. In this case the 3560 has no information about who the user is. It only knows that someone from source address 192.168.1.1 successfully created a telnet session (entered the correct password). So it reports what it knows (source address, local port, time) and has no information to report about [user].

HTH

Rick

Thanks Rick

Of course, this is the config of my lab switch...

I hope it is useful to solve my issue...

I have tried with both successful and failed access, but the user name always failed

Switch#show running-config
Building configuration...

Current configuration : 2481 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password cisco
!
username patricio password 0 cisco1
username alfonso password 0 cisco2
aaa new-model
aaa authentication login default local enable
aaa authentication enable default enable
aaa authorization exec default local
aaa accounting suppress null-username
aaa accounting update newinfo
!
aaa session-id common
ip subnet-zero
no ip domain-lookup
!
login on-failure log
login on-success log
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
<<...>>
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password cisco
 transport input telnet
line vty 5 15
!
!
end

Xavier

Thanks for the additional information. According to the config it is possible to login using a locally defined username or by entering just a password. Can you tell us whether the messages you originally posted are from a login using just the password (this is the scenario that I suggested in my previous post where the switch does not have any user name to put into the message) or was from a login using a username and password?

HTH

Rick

Of course...

It was trying to access using the user name and password configured...

Something similar happened when I generate a snmp tty trap...

snmp-server enable traps tty
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host 192.168.1.1 version 2c ptvtps

I really need to identify the user trying to access a cat 3560...

thanks Rick.

I have tried with aaa commands because I am using a tacacs server...

When I access using a tacacs server everything seems to be ok, but for local users not...

The config looks like this,

Switch#show running-config
Building configuration...

Current configuration : 2427 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
username xxx password xxx
username xxx password xxx
username xxx password xxx
aaa new-model
aaa authentication login lineas local
!
aaa session-id common
ip subnet-zero
no ip domain-lookup
!
login on-failure log
login on-success log
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
!
...
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 logging synchronous
 login authentication lineas
 transport input telnet
line vty 5 15
!
!
end
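
An added example, not part of any post in this thread: a small Python parser for the SEC_LOGIN message format quoted above, which flags login events whose [user: ] field is blank so that unattributed logins can be counted per source address on a syslog collector. The function names are hypothetical, every sample line after the first is constructed, and the optional [Reason: ...] field on failure messages is an assumption.

```python
import re

# Shape of the SEC_LOGIN message quoted in the thread. The trailing
# [Reason: ...] field is treated as optional (assumption: failures only).
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]*)\])?"
)

def parse_login_events(lines):
    """Return one dict per SEC_LOGIN line; user is None when the field is blank."""
    events = []
    for line in lines:
        m = SEC_LOGIN.search(line)
        if not m:
            continue  # not a login message
        events.append({
            "event": m.group("event"),
            "user": m.group("user").strip() or None,
            "source": m.group("source"),
            "port": int(m.group("port")),
            "reason": m.group("reason"),
        })
    return events

def unattributed_by_source(events):
    """Count login events that carry no user name, per source address."""
    counts = {}
    for e in events:
        if e["user"] is None:
            counts[e["source"]] = counts.get(e["source"], 0) + 1
    return counts

# First line is the message from the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "00:55:11: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 192.168.1.1] [localport: 23] at 00:55:10 UTC Mon Mar 1 1993",
    "00:57:02: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: patricio] [Source: 192.168.1.1] [localport: 23] at 00:57:01 UTC Mon Mar 1 1993",
    "00:58:40: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.50] [localport: 23] [Reason: Login Authentication Failed] at 00:58:39 UTC Mon Mar 1 1993",
    "00:59:05: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    for source, n in unattributed_by_source(events).items():
        print(f"{n} login event(s) from {source} with no user name")
```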
