AAA authentication strange!!

Unanswered Question
Apr 15th, 2009

Hi all, I am facing this very strange issue. I have configured this on my router:

aaa new-model

username cisco password cisco123

I haven't defined any aaa authentication and my line vty config is also empty. Now when I telnet to this router, I am asked for username/password!!! When I enter them I am authenticated!!! Why did this happen? If I haven't configured any authentication method, I know the default list should be applied, but when I haven't created one will it still be applied?

Kindly guide me

Jagdeep Gambhir Wed, 04/15/2009 - 09:44

Do you get authenticated using local account or tacacs account?

Maybe aaa authentication was configured previously. If I have aaa authentication configured on my router and I do "no aaa new-model", aaa would be disabled.

Again after some time if I issue "aaa new-model" all the previous commands will show up.

Please issue the command

#show run | inc aaa

AND you will see

aaa authentication login default group tac local

Let me know if that is not the case.

Regards,

~JG

Do rate helpful posts

illusion_rox Wed, 04/15/2009 - 19:51

Dear Sir, I also had this doubt so I simply reloaded the router to its default config. Now this is the configuration on R1:

R1#sh run | in aaa

aaa new-model

aaa session-id common

R1#

R1#sh run | be line vty 0 4

line vty 0 4

!

!

end

Now from R2 I am doing:

R2#telnet 11...1

Trying 11.0.0.1 ... Open

User Access Verification

Username: cisco

Password:

R1>

On R1 I ran debug aaa authentication, so I get this result:

R1#

*Mar 1 00:03:36.579: AAA/BIND(00000006): Bind i/f

*Mar 1 00:03:36.587: AAA/AUTHEN/LOGIN (00000006): Pick method list 'Permanent Local'

R1#

I am confused since I haven't defined any default method list, so how come it's authenticating?

Kindly guide me

illusion_rox Thu, 04/16/2009 - 00:49

Hi all, I have found this while looking at the command reference of aaa.

aaa authentication login

Defaults

If the default list is not set, only the local user database is checked. This has the same effect as the following command:

aaa authentication login default local

This quite clears my query (though I am still confused about the permanent method lists concept :( ). But further in this explanation a statement confused me:

"If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods."

I think both of the above statements are contradicting!! One says local username/password will be used if no default list is defined, and then it says if I haven't defined any method list on the line then it should deny!! I'm really confused, can someone please guide me.

Richard Burts Thu, 04/16/2009 - 08:23

Ovais

My experience with this is quite clear that as soon as you configure aaa new-model that the default for authentication for the console and the vty is to use the local username/password for authentication.

I agree that the two statements seem contradictory. I wonder if the second statement is describing some particular situation? Can you provide some context for the second statement, or perhaps a link to the second statement?

HTH

Rick

illusion_rox Thu, 04/16/2009 - 10:20

Dear Sir, thanks for taking a look at my issue. Sir, below is the link from where I pasted the statements:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1059426

Actually sir, I am confused about the debug; they refer to something called permanent method lists but I am not able to find anything regarding them anywhere!! If you issue this command

sh aaa method-lists authentication

you will see lists called permanent. What are they? It's this list that I am getting authenticated by!!

Kindly guide me in this please.

Richard Burts Thu, 04/16/2009 - 11:24

Ovais

Thank you for posting the link. I have looked at it but share your question about the second statement. I believe that this statement is incorrect. Perhaps in some older release it might have been accurate. But clearly in current code (and code for quite a while in my experience) there is a default behavior that is to use the local user database for authentication if there is no other method configured.

I do not have a particularly good explanation about the permanent lists. When I look at them they seem to define the basic authentication mechanisms, which are permanently enabled and include Local, Enable, and None. But then I am puzzled that there is not one for Line, which I would expect if they were the basic authentication mechanisms. So I do not have a good explanation for this.

HTH

Rick
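A configuration that makes the implicit default discussed above explicit, added here as an example and not taken from any post in the thread; the TACACS+ server address, group name TACACS-GRP, username and secrets are placeholders/assumptions:

```cisco
! Added example (not from the thread): state the login method lists explicitly
! instead of relying on the implicit 'local' default, and keep a local fallback.
! Server address, group name, username and secrets are placeholders.
aaa new-model
!
username admin secret <strong-password-placeholder>
!
tacacs-server host 192.0.2.10 key <shared-secret-placeholder>
aaa group server tacacs+ TACACS-GRP
 server 192.0.2.10
!
! Without this line IOS still applies 'local' (the 'Permanent Local' list seen in
! the debug above). Writing it down makes the behaviour visible in 'show run'.
aaa authentication login default group TACACS-GRP local
!
! The console gets its own named list so that a TACACS+ outage or a typo in the
! default list can never lock you out of the box.
aaa authentication login CONSOLE local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification: the second command lists the built-in 'Permanent' lists the
! thread asks about next to the configured ones.
! show run | include aaa
! show aaa method-lists authentication
```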

illusion_rox Thu, 04/16/2009 - 19:11

Dear Sir, I am quite a fan of NetCraftsmen and Peter J Wilch and you. It was really an honor that you looked at my issue. There is one thing I want to ask: why does Cisco hide such details? I have felt that most of the very in-depth technical facts come from those who have worked in Cisco. Why is that? Like the example of my query, if Cisco has provided something why don't they document it as well? I hope you are getting my confusion; what is the policy behind this hide n seek game :-)

Richard Burts Fri, 04/17/2009 - 09:29

Ovais

Thank you for the nice things you say about Chesapeake NetCraftsmen. It is an excellent company and I am proud to be part of it.

I do not believe that there is any "policy" at Cisco about hiding such details. I believe that the issue is that the IOS is so full of features that it becomes difficult to document them.

HTH

Rick

illusion_rox Fri, 04/17/2009 - 10:48

Dear Sir, I am not stressing my point, but during my preparation for CCIE, at first I thought that in IGPs distribute lists can't contain extended access-lists, but later on one blog they described how an extended access-list could be used to define the network plus the gateway. This feature is not documented anywhere though it's a very useful feature. Plus you know there are certain commands called hidden commands, so I thought maybe Cisco wants to keep certain technical details only to its own engineers, not leaking them to the public.

Kindly don't mind this off-topic query.
