no %SEC_LOGIN-4-LOGIN_FAILED: message in logs Help PLEES!!!

SludnevTN_2 · ‎01-04-2009

HIM#show version

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(21), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Thu 10-Jul-08 08:30 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

HIM uptime is 1 week, 5 days, 11 hours, 26 minutes

System returned to ROM by power-on

System restarted at 10:17:14 MSK Tue Dec 23 2008

System image file is "flash:c3845-advipservicesk9-mz.124-21.bin"

This is very strange i DO have SEC_LOGIN-5-LOGIN_SUCCESS:

but I do not have a %SEC_LOGIN-4-LOGIN_FAILED, sure w i was given to ios inccorect passords. And I gave her this commans:

login on-failure log

login on-success log

on another 2811 with another IOS everthing works perfectly.

sachinraja · ‎01-06-2009

Hey Tim

did you do a show login and see if the failed logins are enabled ?

Router# show login

A default login delay of 1 seconds is applied.

No Quiet-Mode access list has been configured.

All successful login is logged and generate SNMP traps.

All failed login is logged and generate SNMP traps.

I browsed through the release notes of 12.4(21) but i dont see any bugs related to failed login.. I think you have found a new bug, and in-line with a $1000 reward from Cisco :)

This is straight forward.. once you have the login enabled, to console/syslog server, and your login on for failure attempts, it should report it, unless there is a software bug ! Do you have any other router with the same IOS, where this can be tried ?

Raj

SludnevTN_2 · ‎01-07-2009

Yes I have checked "show login" and everything was ok.

I have solved this problem.

I gave additional commands:

login block-for 300 attempts 3 within 10

login delay 3

And i began to receive %SEC_LOGIN-4-LOGIN_FAILED messages.

SO:

3845 - syslog messages for failed logins are coming only if you gave additional commands (see above)

2811 - failed and successful logins are sysloged just with with commands:

login on-failure log

login on-success log

!!!$1000 reward from Cisco :) - HOW? My salary is to little with this "crisis"

Call me +7 914-0016-914

sachinraja · ‎01-07-2009

ahh . sludnev.. good that you made it working.. no rewards now, since it is not a bug :) am sure if u were working in cisco testing division, and found such intersting bugs, they would give you a month's salary as bonus :) ha ha

Good info anyway.. someone else who has similar problems can refer to this post :) Thanks and have a great new year...

Raj

richardbergen · ‎04-04-2013

same issue here.. I haven't started to troubleshoot it yet but I am receiving failed login messages after successfully logging in.

running 15.1(m4), 15.1(m5) and 15.1(m6).

I can confirm the only command I have enabled in common with SludnevTN is "login on-failure log".

richardbergen · ‎04-04-2013

did some debugs / tests and found the following:

- it is due to the SSH client configured to attempt key authentication first which the router is not set up for, therefore fails and falls back to keyboard interactive authentication.

- tested with Putty on Win7 where "Attempt authentication using Pageant" was checked off, I actually use Pageant for other ssh logins. This generated the following error on the router:

Apr 4 08:25:06.127: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT

Apr 4 08:25:06.139: SSH2 1: SSH2_MSG_KEXDH_INIT received

Apr 4 08:25:06.339: SSH2: kex_derive_keys complete

Apr 4 08:25:06.339: SSH2 1: SSH2_MSG_NEWKEYS sent

Apr 4 08:25:06.339: SSH2 1: waiting for SSH2_MSG_NEWKEYS

Apr 4 08:25:06.367: SSH2 1: SSH2_MSG_NEWKEYS received

Apr 4 08:25:06.611: SSH2 1: Using method = none

Apr 4 08:25:06.643: SSH2 1: Using method = publickey

Apr 4 08:25:06.643: AAA/BIND(000000EB): Bind i/f

Apr 4 08:25:06.643: SSH2 1: Pubkey Authentication failed for user XXXXXXX

Apr 4 08:25:06.643: SSH1: password authentication failed for XXXXXXX

Apr 4 08:25:08.643: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:XXXXXXX] [Source: 10.X.X.X] [localport: 22] [Reason: Login Authentication Failed] at 08:25:08 MDT Thu Apr 4 2013

Apr 4 08:25:08.667: SSH2 1: Using method = keyboard-interactive

Apr 4 08:25:08.667: AAA/AUTHEN/LOGIN (000000EB): Pick method list 'default'

Apr 4 08:25:08.723: SSH2 1: authentication successful for XXXXXXX

- Went back into Putty, unchecked Pageant and logged into the router and this time:

Apr 4 08:25:08.667: SSH2 1: Using method = keyboard-interactive

Apr 4 08:25:08.667: AAA/AUTHEN/LOGIN (000000EB): Pick method list 'default'

Apr 4 08:25:08.723: SSH2 1: authentication successful for XXXXXXX

If using Putty: uncheck use Pageant for all router / switch connections

If using Linux: add the following to your ssh command line parameters:

-o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no

or edit /etc/ssh/ssh_config and add the following lines:

PreferredAuthentications keyboard-interactive

PubkeyAuthentication no

If you choose to edit the /etc/ssh/ssh_config file on linux though, you won't be able to use key authentication to any other hosts (unless you override with command line parameters). Just a heads up.

Rich