06-03-2008 02:53 AM - edited 02-21-2020 03:45 PM
Hi,
The switch prompts us for the local switch password after we key in a wrong username and password when prompted by the switch. We are wondering whether this behaviour is correct or normal?
This is because any hacker can just try the first login, which is prompted by TACACS, and then try to hack into the switch using the switch local password.
Is there any workaround so that each attempt prompts for the TACACS login, and only when the TACACS server is down is the switch local login prompted?
06-03-2008 05:13 AM
That is not normal behavior. What are your ASA logs saying (lost connectivity to the AAA server)? Anything in your AAA server logs?
06-03-2008 07:00 AM
Check your connectivity between the NAS device and the ACS.
Also, is it possible to post the aaa method lists? aaa authentication login...
Regards
Farrukh
06-03-2008 08:46 AM
This is not normal behavior. We need to see if the request is actually hitting ACS. Please get debug tacacs and debug aaa authentication after recreating the issue.
It seems that the request is not even reaching ACS.
Also let me know the IOS running on the switch.
Regards,
~JG
06-03-2008 04:58 PM
Hi Igambhir,
The Failed Attempts log in the ACS did capture the wrong entry; below is the snapshot of the failed attempt and the switch IOS version.
06/04/2008 08:55:27 Authen failed abcd
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560-48PS 12.2(44)SE1 C3560-IPSERVICESK9-M
Thanks and regards,
Siah
06-03-2008 09:55 PM
Hi Happs,
Here is the aaa config from my switch:
aaa authentication attempts login 4
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
Thanks and regards,
Siah
06-03-2008 04:42 PM
Hi Collin,
This is just the login between the switch and TACACS.
Let me explain:
When I telnet to the switch, the first prompt is the username, followed by the password.
If I key in a username that is not within TACACS's user database, the following prompt asks for the local switch password.
Example 1.
Username: abcd (wrong name)
Password:
Password: (this is the prompt for switch local password)
If I key in a correct username but a wrong password, the next prompt asks for the username and password again. This is pretty much alright.
Example2.
Username: siah88 (correct name)
Password:
% Authentication failed
User Access Verification
Username:
Therefore, is Example 1 normal? If not, is there any workaround?
Thanks and regards,
Siah
06-03-2008 05:58 PM
No, this is not normal; the NAS (switch) should keep querying the AAA server unless and until the TACACS/RADIUS service is unreachable.
In the AAA world there is a difference between FAIL and ERROR: if wrong credentials are entered, that is considered a 'FAIL'. In such a scenario there should be no fallback to the secondary authentication method (at least not in the Cisco implementation).
However, if the AAA server/service is down, i.e. ERROR, then the NAS can go to the backup method configured by the user, for example the 'local' NAS database.
Regards
Farrukh
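The FAIL-versus-ERROR rule above is the whole security argument of this thread, so here is a small model of it as an added example; it is not code from the original posts or from Cisco. It walks a method list the way IOS does for `aaa authentication login default group tacacs+ enable`: the next method is consulted only when the previous one returns ERROR (no server answered, what `test aaa` reports as "No authoritative response from any server"), never when it returns FAIL (a server answered and rejected the credentials). The ACS user database, the enable secret and the reachability of the two hosts are constructed values; the host addresses are the ones from the `tacacs-server host` lines posted in the thread. The `none` method is included because it appears in the posted `no_tacacs` list and grants access unconditionally.

```python
"""
Model of Cisco IOS AAA method-list evaluation (FAIL vs ERROR).

Added illustration for this thread, not code from the posts or from Cisco.
Server reachability, the ACS user database and the enable secret below are
constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them (no fallback)
    ERROR = "error"  # method could not answer (fall back to the next method)


@dataclass
class TacacsGroup:
    """Stand-in for the 'tacacs-server host' entries plus the ACS user database."""
    reachable: dict          # host -> bool (constructed)
    users: dict              # username -> password (constructed)

    def authenticate(self, user: str, password: str) -> Result:
        # The configured hosts are tried in order; the first one that answers is
        # authoritative.  If none answers, the whole group is an ERROR.
        for host, up in self.reachable.items():
            if up:
                return Result.PASS if self.users.get(user) == password else Result.FAIL
        return Result.ERROR


@dataclass
class Decision:
    granted: bool
    consulted: list          # methods actually evaluated, in order
    reason: str


@dataclass
class Nas:
    """Constructed switch: a method list plus the local enable secret."""
    tacacs: TacacsGroup
    enable_secret: str
    methods: list = field(default_factory=lambda: ["group tacacs+", "enable"])

    def _run(self, method: str, user: str, password: str) -> Result:
        if method == "group tacacs+":
            return self.tacacs.authenticate(user, password)
        if method == "enable":
            # 'enable' ignores the username and checks the password against the
            # local enable secret; it can always answer, so it never ERRORs.
            return Result.PASS if password == self.enable_secret else Result.FAIL
        if method == "none":
            # 'none' is not authentication: it grants access unconditionally.
            return Result.PASS
        raise ValueError(f"unknown method {method!r}")

    def login(self, user: str, password: str) -> Decision:
        consulted = []
        for method in self.methods:
            consulted.append(method)
            result = self._run(method, user, password)
            if result is Result.PASS:
                return Decision(True, consulted, f"{method}: PASS")
            if result is Result.FAIL:
                # A FAIL is authoritative: stop here, later methods are not tried.
                return Decision(False, consulted, f"{method}: FAIL (no fallback)")
            # ERROR: this method could not decide, fall through to the next one.
        return Decision(False, consulted, "all methods returned ERROR")


def demo() -> dict:
    """Runs the scenarios discussed in the thread and returns the decisions."""
    acs_users = {"siah88": "correct-horse"}                       # constructed
    secret = "local-enable-pw"                                     # constructed
    up = TacacsGroup({"10.130.209.23": True, "10.130.209.24": True}, acs_users)
    down = TacacsGroup({"10.130.209.23": False, "10.130.209.24": False}, acs_users)
    healthy, isolated = Nas(up, secret), Nas(down, secret)
    return {
        # Unknown user while ACS answers: FAIL at tacacs+, 'enable' is never
        # consulted, so typing the enable secret must NOT get you in.
        "bad_user_acs_up": healthy.login("abcd", secret),
        "good_creds_acs_up": healthy.login("siah88", "correct-horse"),
        # ACS unreachable: ERROR at tacacs+, so IOS falls back to the enable secret.
        "enable_acs_down": isolated.login("abcd", secret),
        "wrong_enable_acs_down": isolated.login("abcd", "guess"),
        # A list consisting of 'none' grants access whatever is typed.
        "none_list": Nas(up, secret, ["none"]).login("anyone", ""),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:22} granted={d.granted!s:5} via={d.consulted} ({d.reason})")
```

The practical check this gives you: in the model the enable secret is only ever accepted after the tacacs+ method returned ERROR. If a real switch accepts the enable secret at a second prompt while the TACACS hosts are supposedly up, the request is not being answered by ACS, which is what the `debug tacacs` output and a `test aaa group tacacs+ ...` run should confirm before anything in the method list is changed.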
06-03-2008 09:53 PM
Hi Farrukh,
Do you have a solution to this?
Below is the aaa command for the switch:
aaa authentication attempts login 4
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
Thanks and regards,
Siah
06-03-2008 10:08 PM
To start off, please remove the following commands (just for testing purposes):
no aaa authentication attempts login 4
no aaa authentication login no_tacacs none
Also please provide all the 'tacacs-server' or aaa-server commands (if any).
And lastly if possible provide the debug output of the following:
debug aaa authentication
debug tacacs
debug tacacs authentication
Regards
Farrukh
06-04-2008 12:35 AM
Hi Farrukh,
Here is the tacacs-server setting:
tacacs-server host 10.130.209.23
tacacs-server host 10.130.209.24
tacacs-server directed-request
tacacs-server key xxx
The result is the same even after I have removed those two commands.
I have attached the debug result obtained from the switch without those two commands.
And below is the login scenario with the debug turned on:
Username: ivan
Password:
Password:
% Authentication failed
User Access Verification
Username: TanCH
Password:
Password:
% Authentication failed
User Access Verification
Username: siah
Password:
Password:
% Authentication failed
=---------------------------------------------------------------=
All Access to this system will be LOGGED.
All UNAUTHORISED access is PROHIBITED and will be dealt with seriously.
=---------------------------------------------------------------=
User Access Verification
Username: ivancheng
Password:
SWB1111>exit
06-04-2008 04:32 AM
What you are seeing is normal; your earlier description was a little different from the output above.
The command you removed was setting the number of authentication attempts to four (the default is three). So basically after three attempts you got the banner prompt.
Irrespective of the user being valid/invalid on ACS, if you put a 'blank' password, the ACS server asks you to re-enter a correct 'non-blank' password. A simple verification of this is: at the 'second' password prompt, try to put your 'enable' password; it will not work. Had the switch fallen back to the 'enable' password, you would be able to log in.
For example I did a similar thing on one of our routers (AAA enabled):
User Access Verification
Username: abcd
Password:
Change password sequence
Password:
So don't worry about this. Hope this helps.
Regards
Farrukh
06-04-2008 05:14 AM
I'm sorry, I should have looked at your debugs more carefully; it seems there is some issue with your AAA server. Can you do the following:
test aaa group tacacs+ validusername validpassword legacy
Also try to restart the AAA server (or, if it is ACS, the TACACS process).
Put any valid username/password in the above and paste the output.
What about other devices on the network?
Regards
Farrukh
06-04-2008 05:28 PM
Hi Farrukh,
I did not manage to see this mail of yours.
Here is the result of this testing, with the debug attached.
SWB11411#test aaa group tacacs+ siahwt88 siahwt88 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
SWB11411#test aaa group tacacs+ TanCH TanCH legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
Hope to hear from you soon.
Thanks for your great help.
Best regards,
Siah
06-04-2008 05:04 PM
Hi Farrukh,
I'm able to get into the switch using the switch local password at the "second" password prompt.
For example:
User Access Verification
Username: abcd (wrong username)
Password: (wrong or no password)
Password: XXXX (local switch password)--2nd password prompt
Sw1111> (It allows me to access the switch using the local switch password.)
Is this normal?
Thanks and regards,
Siah