TACACS login: 1st attempt fails and prompts for local switch password

Unanswered Question
Jun 3rd, 2008

Hi,

The switch prompts us for the local switch password after we key in a wrong username and password when prompted by the switch. We are wondering whether this behaviour is correct or normal?

This is because any hacker can just try the first login, which is prompted by TACACS, and then try hacking into the switch using the switch local password.

Is there any workaround so that each attempt prompts for the TACACS login, and only when the TACACS server is down will it prompt for the switch local login?

Collin Clark Tue, 06/03/2008 - 05:13

That is not normal behavior. What are your ASA logs saying (lost connectivity to the AAA server)? Anything in your AAA server logs?

Farrukh Haroon Tue, 06/03/2008 - 07:00

Check your connectivity between the NAS device and the ACS.

Also, is it possible to post the aaa method lists (aaa authentication login ...)?

Regards

Farrukh

Jagdeep Gambhir Tue, 06/03/2008 - 08:46

This is not normal behavior. We need to see if the request is actually hitting ACS. Please get 'debug tacacs' and 'debug aaa authentication' output after recreating the issue.

It seems that the request is not even reaching ACS.

Also let me know the IOS running on switch.

Regards,

~JG

siahchinchai Tue, 06/03/2008 - 16:58

Hi Igambhir,

The Failed Attempt log in the ACS did capture the wrong entry; below is the snapshot of the failed attempt and the switch IOS version.

06/04/2008 08:55:27 Authen failed abcd

Switch Ports Model SW Version SW Image

* 1 52 WS-C3560-48PS 12.2(44)SE1 C3560-IPSERVICESK9-M

Thanks and regards,

Siah

siahchinchai Tue, 06/03/2008 - 21:55

Hi Happs,

Here is aaa from my switch:

aaa authentication attempts login 4

aaa authentication login default group tacacs+ enable

aaa authentication login no_tacacs none

aaa authentication enable default group tacacs+ enable

Thanks and regards,

Siah

siahchinchai Tue, 06/03/2008 - 16:42

Hi Collin,

This is just login between switches and TACACS.

Let me explain:

When telnet to the switch, the first prompt is the username and follow by password.

If I key in a username that is not within TACACS's user database, the following prompt will ask for the local switch password.

Example 1.

Username: abcd (wrong name)

Password:

Password: (this is the prompt for switch local password)

If I key in a correct username but a wrong password, the next prompt will ask for username and password again. This is pretty alright.

Example 2.

Username: siah88 (correct name)

Password:

% Authentication failed

User Access Verification

Username:

Therefore, is Example 1 normal? If not, is there any workaround?

Thanks and regards,

Siah

Farrukh Haroon Tue, 06/03/2008 - 17:58

No, this is not normal; the NAS (switch) should keep querying the AAA server unless and until the TACACS/RADIUS service is unreachable.

In the AAA world, there is a difference between FAIL and ERROR: if wrong credentials are entered, then that is considered a 'FAIL'. In such a scenario there should be no fallback to the secondary authentication method (at least not in the Cisco implementation).

However, if the AAA server/service is down, i.e. ERROR, then the NAS can go to the backup method configured by the user, for example the 'local' NAS database.

Regards

Farrukh
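
An added illustration (not from the thread and not Cisco code) of the FAIL versus ERROR distinction above, modelling the 'group tacacs+ enable' method list in Python; the server addresses, users and secrets are constructed.

```python
"""Model of Cisco IOS AAA login method-list fallback as described above.
Constructed illustration, not Cisco code: a FAIL (server answered, wrong
credentials) is final, while an ERROR (no server answered) falls through
to the next method in the list, here 'group tacacs+' then 'enable'."""
from dataclasses import dataclass
from enum import Enum

class Result(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # server reachable, credentials rejected
    ERROR = "ERROR"  # no authoritative response from any server

@dataclass
class TacacsGroup:
    """'group tacacs+': servers tried in order; None = unreachable (timeout)."""
    servers: dict  # constructed: server name -> {user: password} or None

    def authenticate(self, user, password):
        for users in self.servers.values():
            if users is None:
                continue  # timeout on this server, try the next one
            return Result.PASS if users.get(user) == password else Result.FAIL
        return Result.ERROR  # nobody answered: ERROR, so fallback is allowed

@dataclass
class EnableMethod:
    """'enable' method: the password is compared with the enable secret."""
    secret: str

    def authenticate(self, user, password):
        return Result.PASS if password == self.secret else Result.FAIL

def run_method_list(methods, user, password):
    """Walk the method list; only ERROR advances to the next method."""
    for label, method in methods:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return label, result
    return "none", Result.ERROR

# Constructed fixtures (hypothetical addresses, users and secrets).
ACS_UP = TacacsGroup({"10.0.0.1": {"siah": "correct-pw"}})
ACS_DOWN = TacacsGroup({"10.0.0.1": None, "10.0.0.2": None})
ENABLE = EnableMethod("enable-secret")

def login(group, user, password):
    # Equivalent of 'aaa authentication login default group tacacs+ enable'
    return run_method_list([("tacacs+", group), ("enable", ENABLE)], user, password)
```

With the server up, a bad username plus the enable secret is still a FAIL from tacacs+ and never reaches the 'enable' method; only with every server unreachable does the enable secret log you in.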

siahchinchai Tue, 06/03/2008 - 21:53

Hi Farrukh,

Do you have a solution to this?

Below are the aaa commands for the switch:

aaa authentication attempts login 4

aaa authentication login default group tacacs+ enable

aaa authentication login no_tacacs none

aaa authentication enable default group tacacs+ enable

Thanks and regards,

Siah

Farrukh Haroon Tue, 06/03/2008 - 22:08

To start off, please remove the following commands (just for testing purposes):

no aaa authentication attempts login 4

no aaa authentication login no_tacacs none

Also please provide all the 'tacacs-server' or aaa-server commands (if any).

And lastly if possible provide the debug output of the following:

debug aaa authentication

debug tacacs

debug tacacs authentication

Regards

Farrukh

siahchinchai Wed, 06/04/2008 - 00:35

Hi Farrukh,

Here is the tacacs-server setting:

tacacs-server host 10.130.209.23

tacacs-server host 10.130.209.24

tacacs-server directed-request

tacacs-server key xxx

The result is the same even after I have removed those two commands.

I have attached the debug result obtained from the switch without those two commands.

And below is the login scenario when the debug is turned on:

Username: ivan

Password:

Password:

% Authentication failed

User Access Verification

Username: TanCH

Password:

Password:

% Authentication failed

User Access Verification

Username: siah

Password:

Password:

% Authentication failed

=---------------------------------------------------------------=

All Access to this system will be LOGGED.

All UNAUTHORISED access is PROHIBITED and will be dealt with seriously.

=---------------------------------------------------------------=

User Access Verification

Username: ivancheng

Password:

SWB1111>exit

Farrukh Haroon Wed, 06/04/2008 - 04:32

What you are seeing is normal, your earlier description was a little different than the output above.

The command you removed was setting the number of authentication attempts to four (the default is three). So basically after three attempts you got the banner prompt.

Irrespective of the user being valid/invalid on ACS, if you put a 'blank' password, the ACS server asks you to re-enter a correct 'non-blank' password. A simple verification of this is, at the 'second' password prompt, try to put your 'enable' password; it will not work. Had the switch fallen back to the 'enable' password, you would be able to log in.

For example I did a similar thing on one of our routers (AAA enabled):

User Access Verification

Username: abcd

Password:

Change password sequence

Password:

So don't worry about this. Hope this helps.

Regards

Farrukh

Farrukh Haroon Wed, 06/04/2008 - 05:14

I'm sorry, I should have looked at your debugs more carefully. It seems there is some issue with your AAA server; can you do the following:

test aaa group tacacs+ validusername validpassword legacy

Also try to restart the AAA server (or if it's ACS, the TACACS process).

Put any valid username/password in the above and paste the output.

What about other devices on the network?

Regards

Farrukh

siahchinchai Wed, 06/04/2008 - 17:28

Hi Farrukh,

I did not manage to see this mail of yours.

Here is the result of this testing, with the debug output as attached.

SWB11411#test aaa group tacacs+ siahwt88 siahwt88 legacy

Attempting authentication test to server-group tacacs+ using tacacs+

User was successfully authenticated.

SWB11411#test aaa group tacacs+ TanCH TanCH legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

Hope to hear from you soon.

Thanks for your great help.

Best regards,

Siah

siahchinchai Wed, 06/04/2008 - 17:04

Hi Farrukh,

I'm able to get into the switch using the switch local password at the "Second" password prompt.

For example:

User Access Verification

Username: abcd (wrong username)

Password: (wrong or no password)

Password: XXXX (local switch password)--2nd password prompt

Sw1111> (It allows me to access the switch using the local switch password.)

Is this normal?

Thanks and regards,

Siah

Farrukh Haroon Wed, 06/04/2008 - 18:02

There is something wrong with the communication between the NAS and the ACS server. Are other network devices (switches, routers) having the same issue?

Can you try to increase the tacacs-server timeout using the 'tacacs-server timeout' command?

Regards

Farrukh

siahchinchai Thu, 06/05/2008 - 00:06

Hi Farrukh,

All the devices give the same issue.

When a wrong username and password are provided at the 1st prompt, the 2nd will prompt you for the local switch password.

I have tried increasing the timeout to 10 sec and the problem is still the same.

Is there anything more I can test to resolve this issue?

Thanks for your great support.

Best regards,

Sia

Farrukh Haroon Thu, 06/05/2008 - 13:12

Is it possible for you to test with another AAA server, or switch to the radius protocol on any one device (just for testing)?

Is this only happening with one model of switch (running the same software version), or are there multiple devices (like other model switches, different IOS, even routers, etc.)?

Regards

Farrukh

siahchinchai Thu, 06/05/2008 - 17:14

Hi Farrukh,

I have tried using another AAA server; the result is the same.

We have at least 5 different switch models, all show the same result, and they use

Thanks and regards,

Siah

Jagdeep Gambhir Fri, 06/06/2008 - 05:34

Can you provide me the software version of ACS and the switch IOS? Do we have users configured in AD or in ACS?

Also please set tacacs timeout to 20 secs.

Regards,

~JG

siahchinchai Sun, 06/08/2008 - 17:39

Hi JG,

Here is the detail for:

ACS ver - 4.1.1.23.4,

Switches IOS - 12.2(44)SE1, 12.2(40)SE, 12.2(35)SE, 12.2(33)SXH1.

Only users that are allowed to access network devices are created in ACS.

We do have ACS pointing to AD, but this is only for wireless access.

Thanks and regards,

Siah
