
no %SEC_LOGIN-4-LOGIN_FAILED: message in logs Help PLEASE!!!

SludnevTN_2
Level 1

HIM#show version

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(21), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Thu 10-Jul-08 08:30 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

HIM uptime is 1 week, 5 days, 11 hours, 26 minutes

System returned to ROM by power-on

System restarted at 10:17:14 MSK Tue Dec 23 2008

System image file is "flash:c3845-advipservicesk9-mz.124-21.bin"

This is very strange: I DO have SEC_LOGIN-5-LOGIN_SUCCESS,

but I do not have a %SEC_LOGIN-4-LOGIN_FAILED, and for sure I was giving IOS incorrect passwords. And I gave it these commands:

login on-failure log

login on-success log

On another 2811 with another IOS everything works perfectly.


sachinraja
Level 9

Hey Tim

Did you do a show login and see if the failed logins are enabled?

Router# show login

A default login delay of 1 seconds is applied.

No Quiet-Mode access list has been configured.

All successful login is logged and generate SNMP traps.

All failed login is logged and generate SNMP traps.

I browsed through the release notes of 12.4(21) but I don't see any bugs related to failed login.. I think you have found a new bug, and in-line with a $1000 reward from Cisco :)

This is straightforward.. once you have the login enabled, to console/syslog server, and your login on for failure attempts, it should report it, unless there is a software bug! Do you have any other router with the same IOS, where this can be tried?

Raj

Yes I have checked "show login" and everything was ok.

I have solved this problem.

I gave additional commands:

login block-for 300 attempts 3 within 10

login delay 3

And I began to receive %SEC_LOGIN-4-LOGIN_FAILED messages.

SO:

3845 - syslog messages for failed logins are coming only if you give the additional commands (see above)

2811 - failed and successful logins are syslogged with just the commands:

login on-failure log

login on-success log

!!!$1000 reward from Cisco :) - HOW? My salary is too little with this "crisis"

Call me +7 914-0016-914

ahh.. sludnev.. good that you made it working.. no rewards now, since it is not a bug :) am sure if you were working in cisco testing division, and found such interesting bugs, they would give you a month's salary as bonus :) ha ha

Good info anyway.. someone else who has similar problems can refer to this post :) Thanks and have a great new year...

Raj

same issue here.. I haven't started to troubleshoot it yet but I am receiving failed login messages after successfully logging in.

running 15.1(m4), 15.1(m5) and 15.1(m6).

I can confirm the only command I have enabled in common with SludnevTN is "login on-failure log".

did some debugs / tests and found the following:

- it is due to the SSH client configured to attempt key authentication first which the router is not set up for, therefore fails and falls back to keyboard interactive authentication.

- tested with Putty on Win7 where "Attempt authentication using Pageant" was checked off, I actually use Pageant for other ssh logins. This generated the following error on the router:

Apr  4 08:25:06.127: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT

Apr  4 08:25:06.139: SSH2 1: SSH2_MSG_KEXDH_INIT received

Apr  4 08:25:06.339: SSH2: kex_derive_keys complete

Apr  4 08:25:06.339: SSH2 1: SSH2_MSG_NEWKEYS sent

Apr  4 08:25:06.339: SSH2 1: waiting for SSH2_MSG_NEWKEYS

Apr  4 08:25:06.367: SSH2 1: SSH2_MSG_NEWKEYS received

Apr  4 08:25:06.611: SSH2 1: Using method = none

Apr  4 08:25:06.643: SSH2 1: Using method = publickey

Apr  4 08:25:06.643: AAA/BIND(000000EB): Bind i/f

Apr  4 08:25:06.643: SSH2 1: Pubkey Authentication failed for user XXXXXXX

Apr  4 08:25:06.643: SSH1: password authentication failed for XXXXXXX

Apr  4 08:25:08.643: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:XXXXXXX] [Source: 10.X.X.X] [localport: 22] [Reason: Login Authentication Failed] at 08:25:08 MDT Thu Apr 4 2013

Apr  4 08:25:08.667: SSH2 1: Using method = keyboard-interactive

Apr  4 08:25:08.667: AAA/AUTHEN/LOGIN (000000EB): Pick method list 'default'

Apr  4 08:25:08.723: SSH2 1: authentication successful for XXXXXXX

- Went back into Putty, unchecked Pageant and logged into the router and this time:

Apr  4 08:25:08.667: SSH2 1: Using method = keyboard-interactive

Apr  4 08:25:08.667: AAA/AUTHEN/LOGIN (000000EB): Pick method list 'default'

Apr  4 08:25:08.723: SSH2 1: authentication successful for XXXXXXX

If using Putty: uncheck use Pageant for all router / switch connections

If using Linux: add the following to your ssh command line parameters:

-o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no

or edit /etc/ssh/ssh_config and add the following lines:

PreferredAuthentications keyboard-interactive

PubkeyAuthentication no

If you choose to edit the /etc/ssh/ssh_config file on linux though, you won't be able to use key authentication to any other hosts (unless you override with command line parameters). Just a heads up.

Rich
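For anyone triaging these messages on a syslog server, the following added example (not code from any poster in this thread) separates LOGIN_FAILED events that are followed within a few seconds by a success for the same user and source, the pattern the key-authentication fallback above produces, from failures that never resolve. The sample lines are constructed; the LOGIN_FAILED layout follows the line quoted above, while the LOGIN_SUCCESS layout, the `year` parameter and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the thread).
# LOGIN_SUCCESS layout is an assumption; IOS timestamps carry no year.
SAMPLE = """\
Apr  4 08:25:08.643: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:alice] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 08:25:08 MDT Thu Apr 4 2013
Apr  4 08:25:08.723: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.0.0.5] [localport: 22] at 08:25:08 MDT Thu Apr 4 2013
Apr  4 09:10:01.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 09:10:01 MDT Thu Apr 4 2013
Apr  4 09:10:04.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 09:10:04 MDT Thu Apr 4 2013
"""

# Tolerates "[user:x]" and "[user: x]", and any prefix a syslog relay adds.
EVENT = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SEC_LOGIN-\d-LOGIN_(?P<kind>FAILED|SUCCESS):"
    r".*?\[user:\s*(?P<user>[^\]]*)\] \[Source:\s*(?P<src>[^\]]+)\]"
)

def parse(text, year=2013):
    """Return (timestamp, kind, user, source) for every SEC_LOGIN line."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["kind"], m["user"], m["src"]))
    return events

def classify(events, window=timedelta(seconds=5)):
    """Split failures into 'fallback' (same user and source succeed within
    `window`) and 'unresolved' (no matching success follows)."""
    fallback, unresolved = [], []
    for i, (ts, kind, user, src) in enumerate(events):
        if kind != "FAILED":
            continue
        followed = any(
            k == "SUCCESS" and (u, s) == (user, src)
            and timedelta(0) <= t - ts <= window
            for t, k, u, s in events[i + 1:]
        )
        (fallback if followed else unresolved).append((user, src))
    return fallback, unresolved
```

This needs both `login on-failure log` and `login on-success log` enabled on the device. Keep the window short, because a wrong password followed by the right one looks the same to this check as a key-authentication fallback.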
