TACACS login: 1st attempt fails and prompts for local switch password

siahchinchai
Level 1
Level 1

Hi,

The switch prompts us for the local switch password after we key in a wrong username and password when prompted by the switch. We are wondering whether this behaviour is correct or normal?

This is because any hacker can just try the first login, which is prompted by TACACS, and then try hacking into the switch using the switch local password.

Is there any workaround so that each attempt prompts for TACACS login? Only when the TACACS server is down should it prompt for the switch local login.

20 Replies

Collin Clark
VIP Alumni
VIP Alumni

That is not normal behavior. What are your ASA logs saying (lost connectivity to the AAA server)? Anything in your AAA server logs?

Check your connectivity between the NAS device and the ACS.

Also, is it possible to post the aaa method lists? aaa authentication login...

Regards

Farrukh

This is not normal behavior. We need to see if the request is actually hitting ACS. Please get the debug tacacs and debug aaa authentication output after recreating the issue.

It seems that the request is not even reaching ACS.

Also let me know the IOS version running on the switch.

Regards,

~JG

Hi Igambhir,

The Failed Attempts log in ACS did capture the wrong entry; below is the snapshot of the failed attempt and the switch IOS version.

06/04/2008 08:55:27 Authen failed abcd

Switch Ports Model SW Version SW Image

* 1 52 WS-C3560-48PS 12.2(44)SE1 C3560-IPSERVICESK9-M

Thanks and regards,

Siah

Hi Happs,

Here is the aaa configuration from my switch:

aaa authentication attempts login 4

aaa authentication login default group tacacs+ enable

aaa authentication login no_tacacs none

aaa authentication enable default group tacacs+ enable

Thanks and regards,

Siah

Hi Collin,

This is just the login between the switches and TACACS.

Let me explain:

When telnetting to the switch, the first prompt is for the username, followed by the password.

If I key in a username that is not within the TACACS user database, the following prompt asks for the local switch password.

Example 1.

Username: abcd (wrong name)

Password:

Password: (this is the prompt for switch local password)

If I key in a correct username but a wrong password, the next prompt asks for username and password again. This is pretty alright.

Example 2.

Username: siah88 (correct name)

Password:

% Authentication failed

User Access Verification

Username:

Therefore, is Example 1 normal? If not, is there any workaround?

Thanks and regards,

Siah

No, this is not normal; the NAS (switch) should keep querying the AAA server unless and until the TACACS/RADIUS service is unreachable.

In the AAA world there is a difference between FAIL and ERROR: if wrong credentials are entered, that is considered a 'FAIL'. In such a scenario there should be no fallback to the secondary authentication method (at least not in the Cisco implementation).

However, if the AAA server/service is down, i.e. ERROR, then the NAS can go to the backup method configured by the user, for example the 'local' NAS database.

Regards

Farrukh
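To make the FAIL-versus-ERROR distinction above concrete, here is a small model of how an IOS-style login method list is walked, run against the method lists Siah posted. This is an added illustration written for this thread, not Cisco code and not taken from the thread; the config text is copied from the posts above, while the method outcomes (PASS/FAIL/ERROR) are constructed inline, and the rule that FAIL stops the list while ERROR falls through is the assumed semantics the reply describes. The audit helper also flags the `none` method, which grants a login with no credential check at all.

```python
"""Model of AAA login method-list evaluation (illustrative, not IOS code).

Assumed semantics (from the explanation in the thread):
  FAIL  -> bad credentials; the list stops, no fallback
  ERROR -> method unreachable; evaluation moves to the next method
"""
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Config lines as posted in the thread (copied, not constructed).
CONFIG = """
aaa authentication attempts login 4
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
"""

# Only 'aaa authentication login <list-name> <methods...>' lines are parsed.
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_method_lists(config_text):
    """Return {list_name: [method, ...]}; 'group X' becomes 'group:X'."""
    lists = {}
    for line in config_text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group:" + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def evaluate(methods, outcomes):
    """Walk a method list.

    `outcomes` maps a method to PASS/FAIL/ERROR (constructed for the demo);
    a method missing from it is treated as unreachable (ERROR).
    Returns (result, deciding_method). The 'none' method always passes.
    """
    for method in methods:
        if method == "none":
            return PASS, method
        result = outcomes.get(method, ERROR)
        if result == ERROR:
            continue            # server unreachable: try the next method
        return result, method   # PASS or FAIL terminates the list
    return ERROR, None          # every method errored


def audit_method_lists(lists):
    """Flag lists that can grant access without a server-side check."""
    findings = []
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(f"{name}: 'none' grants login with no credential check")
        fallbacks = [m for m in methods if not m.startswith("group:") and m != "none"]
        if fallbacks:
            findings.append(f"{name}: {fallbacks} are used only if the server group errors")
    return findings


if __name__ == "__main__":
    lists = parse_method_lists(CONFIG)
    # Wrong password while ACS is reachable: FAIL, no fallback to 'enable'.
    print(evaluate(lists["default"], {"group:tacacs+": FAIL}))
    # ACS unreachable: ERROR, so the 'enable' secret is consulted.
    print(evaluate(lists["default"], {"group:tacacs+": ERROR, "enable": PASS}))
    for f in audit_method_lists(lists):
        print("audit:", f)
```

The point of the model is the second branch in `evaluate`: only an ERROR moves evaluation to the next method, so a wrong password against a reachable TACACS+ server never reaches `enable`. When checking a device, look for `none` in any applied list and confirm the `no_tacacs` list is bound only to lines where that is intended.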

Hi Farrukh,

Do you have a solution to this?

Below is the aaa configuration for the switch:

aaa authentication attempts login 4

aaa authentication login default group tacacs+ enable

aaa authentication login no_tacacs none

aaa authentication enable default group tacacs+ enable

Thanks and regards,

Siah

To start off, please remove the following commands (just for testing purposes):

no aaa authentication attempts login 4

no aaa authentication login no_tacacs none

Also, please provide all the 'tacacs-server' or aaa-server commands (if any).

And lastly, if possible, provide the debug output of the following:

debug aaa authentication

debug tacacs

debug tacacs authentication

Regards

Farrukh

Hi Farrukh,

Here are the tacacs-server settings:

tacacs-server host 10.130.209.23

tacacs-server host 10.130.209.24

tacacs-server directed-request

tacacs-server key xxx

The result is the same even after I have removed those two commands.

I have attached the debug result obtained from the switch without those two commands.

And below is the login scenario when the debug is turned on:

Username: ivan

Password:

Password:

% Authentication failed

User Access Verification

Username: TanCH

Password:

Password:

% Authentication failed

User Access Verification

Username: siah

Password:

Password:

% Authentication failed

=---------------------------------------------------------------=

All Access to this system will be LOGGED.

All UNAUTHORISED access is PROHIBITED and will be dealt with seriously.

=---------------------------------------------------------------=

User Access Verification

Username: ivancheng

Password:

SWB1111>exit

What you are seeing is normal; your earlier description was a little different from the output above.

The command you removed was setting the number of authentication attempts to four (the default is three). So basically, after three attempts you got the banner prompt.

Irrespective of the user being valid/invalid on ACS, if you put in a 'blank' password, the ACS server asks you to re-enter a correct 'non-blank' password. A simple verification of this is, at the 'second' password prompt, to try your 'enable' password; it will not work. Had the switch fallen back to the 'enable' password, you would be able to log in.

For example I did a similar thing on one of our routers (AAA enabled):

User Access Verification

Username: abcd

Password:

Change password sequence

Password:

So don't worry about this. Hope this helps.

Regards

Farrukh

I'm sorry, I should have looked at your debugs more carefully. It seems there is some issue with your AAA server; can you do the following:

test aaa group tacacs+ validusername validpassword legacy

Also try restarting the AAA server (or, if it is ACS, the TACACS process).

Put any valid username/password in the above command and paste the output.

What about other devices on the network?

Regards

Farrukh

Hi Farrukh,

I did not manage to see this mail of yours.

Here is the result of this testing, with the debug output as attached.

SWB11411#test aaa group tacacs+ siahwt88 siahwt88 legacy

Attempting authentication test to server-group tacacs+ using tacacs+

User was successfully authenticated.

SWB11411#test aaa group tacacs+ TanCH TanCH legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

Hope to hear from you soon.

Thanks for your great help.

Best regards,

Siah

Hi Farrukh,

I'm able to get into the switch using the switch local password at the "second" password prompt.

For example:

User Access Verification

Username: abcd (wrong username)

Password: (wrong or no password)

Password: XXXX (local switch password)--2nd password prompt

Sw1111> (It allowed me to access the switch using the local switch password.)

Is this normal?

Thanks and regards,

Siah
