Local authentication failure

Unanswered Question
Mar 31st, 2010

Hi,

We use ACS for authenticating equipment, but lately, when we lose connectivity with the server, the equipment does not allow us to enter "enable" mode (even at the console), only the first level. Could somebody shed some light on where I am missing something?


Here is the AAA config template:



enable secret 5 XXXXXX!
username XXXX privilege 15 secret 5 XXXXXX


aaa group server tacacs+ AuthenticationTacacs
server xxx.xxx.xxx
server xxx.xxx.xxx
server xxx.xxx.xxx
!
aaa group server tacacs+ AccountingTacacs
server xxx.xxx.xxx
server xxx.xxx.xxx
!
aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "
aaa authentication login default group AuthenticationTacacs local
aaa authentication login username_tacacs group tacacs+ local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs
!
!
!
aaa session-id common


ip tacacs source-interface Vlan2


tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 XXXXXXXX


line con 0
exec-timeout 20 0
logging synchronous
full-help
escape-character 27
line vty 0 4
exec-timeout 20 0
password 7 00071A150754
logging synchronous
length 0
full-help
escape-character 27
line vty 5 15
exec-timeout 20 0
password 7 1511021F0725
logging synchronous
full-help
escape-character 27


Thanks,

Luiz

Rodrigo Gurriti Thu, 04/01/2010 - 12:56

Luiz,


Inside your "line console 0", type aaa authentication "GROUP" or "default".

Do the same on your telnet or ssh vty lines.

One more thing: don't forget that if you put a space at the end of your password, the password will contain that space and has to be typed that way, e.g. "passWord ".



BTW, you have a redundant line for login; I'd do it the following way:


aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "


aaa authentication login default group AuthenticationTacacs local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs



Here is another way. It authenticates only on the console, because a named group is not the device's "default" way of authenticating, so you need to apply it somewhere:


aaa authentication login CONSOLE local

line console 0
 login authentication CONSOLE

Ganesh Hariharan Fri, 04/02/2010 - 09:13

Hi Luiz,


Configuration for authentication needs to be done under line con as suggested; check out the link below for AAA server configuration.


http://www9.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml


Hope this helps!!


Ganesh.H

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Richard Burts Wed, 04/07/2010 - 14:33

The suggestions about configuring authentication on the console might make more sense if the problem were not getting into user mode. But if I understand the original post from Luiz he says that they can get into user mode but can not get into enable mode. If my understanding is not correct then I hope that Luiz will correct me.


I wonder if the problem might be that you are not using the right enable secret when you attempt to get into enable mode. I would suggest that you configure the router with a new, and very simple enable secret. Then the next time that you can not communicate with the server try using the simple enable secret and see if that works.


HTH


Rick

luiz.alexandre.paiva Thu, 04/08/2010 - 11:42

Hi, first of all thanks for the answers. We have two situations:

When we lose connectivity to the AAA servers, at the console we can't get in: it shows the username and password prompts but doesn't authenticate. When we telnet to the equipment we reach the user level, but not the enable level.


We tried enable secret as "cisco" and enable password as the same, but it still doesn't work.

Tried using "username user privilege 15 secret {XXXXXXX}" and it still only gets to user level.


As far as I understood, this is a matter of better configuring the console and vty line ports, but my problem now is with IOS versions, because some equipment doesn't support the exact commands I need.
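The thread turns on two facts about IOS method lists: a method list only falls through to the next method when a method returns ERROR (for example, every TACACS+ server in the group timed out), not when the server answers and rejects the credentials, and a named list such as CONSOLE or username_tacacs does nothing until a line applies it with "login authentication". The script below is an added example written for this post; it is not from the thread, from Cisco, or from ACS. It parses a config in the shape Luiz posted (it assumes the one-space indentation that "show running-config" prints under "line" blocks), flags lists with no local fallback, named lists applied to no line, and line passwords that are dead because the applied list never uses the "line" method, and simulates the method-list walk for the reachable/unreachable cases. The server address, secrets and the extra CONSOLE list in the sample config are constructed.

```python
"""Audit a Cisco IOS AAA configuration for fail-over gaps (added example,
not from this thread and not a Cisco tool). Expects 'show running-config'
indentation: line sub-commands indented by one space."""
import re

# Constructed sample in the shape of the posted config, plus one list
# (CONSOLE) that has no local fallback and is applied to no line.
CONSTRUCTED_CONFIG = """\
aaa group server tacacs+ AuthenticationTacacs
 server 192.0.2.10
!
aaa authentication login default group AuthenticationTacacs local
aaa authentication login username_tacacs group tacacs+ local
aaa authentication login CONSOLE group AuthenticationTacacs
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization commands 15 default group AuthenticationTacacs local
line con 0
 exec-timeout 20 0
line vty 0 4
 password 7 00071A150754
 login authentication username_tacacs
"""

# Methods IOS can satisfy without reaching any server.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}
METHOD_LIST_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$")


def tokenize_methods(rest):
    """'group AuthenticationTacacs local' -> ['group AuthenticationTacacs', 'local']."""
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_method_lists(config):
    """Return {(service, list_name): [methods]} for every aaa method list."""
    lists = {}
    for raw in config.splitlines():
        m = METHOD_LIST_RE.match(raw.strip())
        if m:
            _kind, service, name, rest = m.groups()
            lists[(service, name)] = tokenize_methods(rest)
    return lists


def parse_lines(config):
    """Return {line_name: {'login': applied list, 'password': bool}} per 'line' block.
    A line with no explicit 'login authentication' uses the default list."""
    lines, current = {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("line "):
            current = s[5:]
            lines[current] = {"login": "default", "password": False}
        elif not raw.startswith(" "):
            current = None  # an unindented command leaves line configuration mode
        elif current and s.startswith("login authentication "):
            lines[current]["login"] = s.split()[-1]
        elif current and s.startswith("password "):
            lines[current]["password"] = True
    return lines


def audit(config):
    """Report the gaps a practitioner checks when local fallback does not work."""
    lists, lines, findings = parse_method_lists(config), parse_lines(config), []
    applied = {info["login"] for info in lines.values()} | {"default"}
    for (service, name), methods in lists.items():
        if not any(m in LOCAL_METHODS for m in methods):
            findings.append(f"{service} list '{name}' never falls back to a local "
                            "method: " + " -> ".join(methods))
        if service == "login" and name not in applied:
            findings.append(f"login list '{name}' is defined but applied to no line")
    for lname, info in lines.items():
        methods = lists.get(("login", info["login"]))
        if methods is None and info["login"] != "default":
            findings.append(f"line {lname} references undefined login list '{info['login']}'")
        if info["password"] and "line" not in (methods or []):
            findings.append(f"line {lname}: 'password' is unused, login list "
                            f"'{info['login']}' never uses the 'line' method")
    return findings


def walk_method_list(methods, outcomes):
    """Simulate how IOS walks a method list. `outcomes` maps a method to the result it
    would return: PASS, FAIL (server answered and rejected) or ERROR (method could not
    be consulted, e.g. every TACACS+ server timed out). Only ERROR hands off to the
    next method; PASS and FAIL end the attempt."""
    for method in methods:
        outcome = outcomes.get(method, "ERROR")
        if outcome == "ERROR":
            continue
        return outcome, method
    return "ERROR", None  # every method errored: IOS denies access


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CONFIG):
        print("FINDING:", finding)
    login = parse_method_lists(CONSTRUCTED_CONFIG)[("login", "default")]
    # Servers unreachable: the group ERRORs, so the local database is consulted.
    print(walk_method_list(login, {"group AuthenticationTacacs": "ERROR", "local": "PASS"}))
    # Servers reachable but rejecting: FAIL stops the walk, local is never tried.
    print(walk_method_list(login, {"group AuthenticationTacacs": "FAIL", "local": "PASS"}))
```

Run against a real "show running-config" export, the three findings to look for are a list whose methods end with "group ..." and nothing after it, a named list that no line applies, and a vty "password" that can never be used because the applied list has no "line" method. The walk shows why "group X local" works when the server is down but not when the server is up and rejecting, and why "enable" at the end of the enable list is what answers the original question once the secret on the box is the one being typed.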
