03-26-2007 11:20 AM - edited 03-10-2019 03:03 PM
I have aaa working on a switch in my network.
The problem I have is when a user fails the password authentication with a known LDAP user, it prompts them for the enable password. If that user enters the enable password, they are then logged into the switch.
I would like for the enable password prompt to only come up if the AAA server is unavailable. Oddly enough, if I was to type in a user that doesn't exist in our LDAP tree, and type a bogus password, the enable password prompt never comes up.
User Joe(In ldap tree)
username: joe
password: <mis types password>
enable password: <---they can now enter the enable password here
User Jimmy (not in ldap tree)
username: jimmy
password: <---anything because jimmy isn't in tree
username: <--prompts for username again
Regardless if they are in the tree or not, I want it to prompt for the username and force them to log in through ldap.
Any suggestions? Thanks in advance.
03-26-2007 01:17 PM
Hi,
Looks like there is a failover on "Fail" instead of failover on "Error". Never seen it happen before.
What Radius/Tacacs Server are you using ?
Can you show the aaa config from the device and maybe debugs.
Regards,
Vivek
03-27-2007 06:33 AM
TACACS Server: Cisco Secure ACS 4.1
Config fragment (scrubbed):
aaa new-model
aaa group server tacacs+ siteTACACS
server x.x.x.x
!
aaa authentication banner ^C
Unauthorized use strictly prohibited.
Please login with your LDAP credentials
^C
aaa authentication fail-message ^C
I'm sorry, your login credentials failed. Please try again.
^C
aaa authentication password-prompt Enable-Password:
aaa authentication login default enable
aaa authentication login siteMethodList group tacacs+ enable
aaa accounting exec siteAccountingList start-stop group tacacs+
aaa accounting commands 15 siteAccountingList start-stop group tacacs+
aaa session-id common
line vty 0 4
access-class 50 in
exec-timeout 120 0
password 7 xxxxxxx
accounting commands 15 siteAccountingList
accounting exec siteAccountingList
logging synchronous
login authentication siteMethodList
03-27-2007 08:28 AM
Hi,
Can you tell me what happens if a wrong password is entered after changing :-
aaa authentication login default enable
to
aaa authentication login default none
I don't think ACS would send an error on failed authentication. Looks more like an IOS problem.
Regards,
Vivek
03-27-2007 09:21 AM
Thanks for the reply.
I placed the aaa authen login default none command in, but the behavior is still the same.
03-27-2007 09:28 AM
Along the same sort of thinking I tried:
aaa authentication login siteMethodList group tacacs+ none
When I entered the wrong password, it automatically let me in.
Not exactly the security I'd be looking for. My understanding is that if the first method returns a fail, it won't try the second one. Is there a flag or hook somewhere I have to set to enforce that type of behavior?
04-01-2007 05:41 AM
Hi dbobeldyk,
I am facing a problem logging in through the TACACS LDAP ID, but I am able to log in through local login.
configuration present in my router is:
aaa new-model
!
aaa authentication login Masis group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec Masis group tacacs+ local
aaa authorization commands 10 Masis group tacacs+ local
aaa authorization commands 15 Masis group tacacs+ local
aaa accounting exec Masis start-stop group tacacs+
aaa accounting commands 1 Masis start-stop group tacacs+
aaa accounting commands 15 Masis start-stop group tacacs+
!
!
tacacs-server host 172.*.*.* key ****
!
line vty 0 4
exec-timeout 5 0
authorization commands 15 Masis
authorization commands 1 Masis
authorization exec Masis
accounting connection Masis
accounting commands 1 Masis
accounting commands 15 Masis
accounting exec Masis
login authentication Masis
!
!
line vty 5 15
exec-timeout 5 0
authorization commands 15 Masis
authorization commands 1 Masis
authorization exec Masis
accounting connection Masis
accounting commands 1 Masis
accounting commands 15 Masis
accounting exec Masis
login authentication Masis
What may be the problem and how do I troubleshoot it?
Please give me the solution for my problem.
Thanks in advance.
04-01-2007 11:43 AM
If I am understanding correctly, the authentication through TACACS is not working but the local authentication is working. If authentication through TACACS is not working there are several things that it could be. I suggest that you check on these things:
- verify that the configured address for the tacacs server is correct.
- do you have IP connectivity to the tacacs server? Do an extended ping specifying the server address as the destination and specifying the source of the ping. If you have more than one interface that could be used to get to the tacacs server it is helpful to use ip tacacs source-address to specify which interface address to use (this can be important since the tacacs server can only be configured to recognize one address from this router). You want to be sure that you have a route and a valid path to the server and that the server has a route and a valid path back to you.
- if you do have IP connectivity, then look for the possibility that an access list somewhere is not permitting the tacacs request or response to go through.
- Verify that the key that you configured on the router is the same as the key you configured on the server.
- check the logs on the server. is it seeing the request from the router? if it is seeing the request and not authenticating then look in the failed attempts report and see why the server is not authenticating.
HTH
Rick
04-05-2007 07:43 AM
It seems that the ACS is returning an ERROR. I think it should be returning a FAIL perhaps?
debug log shown here:
MAN-209-TestSwitch#
Apr 5 10:25:33.413: AAA/AUTHEN/CONT (408942267): continue_login (user='bobeldde')
Apr 5 10:25:33.417: AAA/AUTHEN (408942267): status = GETPASS
Apr 5 10:25:33.417: AAA/AUTHEN (408942267): Method=tacacs+ (tacacs+)
Apr 5 10:25:33.417: TAC+: send AUTHEN/CONT packet id=408942267
Apr 5 10:25:33.417: TAC+: periodic timer started
Apr 5 10:25:33.417: TAC+: x.x.x.x req=80BC03B8 Qd id=408942267 ver=192 handle=0x80D7447C (ESTAB) expire=5 AUTHEN/CONT queued
Apr 5 10:25:33.417: TAC+: x.x.x.x (408942267) AUTHEN/CONT queued
Apr 5 10:25:33.517: TAC+: x.x.x.x ESTAB id=408942267 wrote 19 of 19 bytes
MAN-209-TestSwitch#
Apr 5 10:25:33.517: TAC+: x.x.x.x req=80BC03B8 Qd id=408942267 ver=192 handle=0x80D7447C (ESTAB) expire=4 AUTHEN/CONT sent
MAN-209-TestSwitch#
Apr 5 10:25:38.417: TAC+: x.x.x.x (408942267) AUTHEN/CONT -- TIMED OUT
Apr 5 10:25:38.417: TAC+: req=80BC03B8 Tx id=408942267 ver=192 handle=0x80D7447C (ESTAB) expire=0 AUTHEN/CONT processed
Apr 5 10:25:38.417: TAC+: (408942267) AUTHEN/CONT processed
Apr 5 10:25:38.417: TAC+: periodic timer stopped (queue empty)
Apr 5 10:25:38.417: TAC+: Error sending continue packet.
Apr 5 10:25:38.417: TAC+: Closing TCP/IP 0x80D7447C connection to x.x.x.x/49
Apr 5 10:25:38.421: AAA/AUTHEN (408942267): status = ERROR
Apr 5 10:25:38.421: AAA/AUTHEN/START (209030656): port='tty2' list='' action=LOGIN service=LOGIN
04-12-2007 08:55 AM
tacacs-server timeout 30
The above command solved my problem. It appears that there is a default of 5 seconds for the ACS server to respond. The LDAP query (and fail) was taking longer than the default 5 seconds. I upped the timeout to 30 seconds, which allowed enough time to return a FAIL, as opposed to the ERROR it was returning.
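The following is an added example, not part of the thread and not Cisco code: a small Python model of how IOS evaluates a login method list, written to show both the fall-through question raised earlier ("if the first method returns a fail, it won't try the second one") and why raising `tacacs-server timeout` fixed it. The user database, the 8-second LDAP bind time, the enable secret, and the assumption that ACS rejects an unknown user without a slow LDAP bind (matching the "jimmy" observation) are all constructed for illustration.

```python
"""Model of IOS AAA login method-list fall-through (added example, not IOS code).

Each method returns PASS, FAIL or ERROR. PASS and FAIL end the attempt; only
ERROR (server unreachable or timed out) makes IOS try the next method. This is
what turned 'group tacacs+ enable' into an enable-password fallback when the
LDAP lookup took longer than the default 5-second TACACS+ timeout.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # server answered and rejected the credentials
    ERROR = "ERROR"  # no usable answer (server unreachable or timed out)


@dataclass
class TacacsServer:
    """Stand-in for ACS with an LDAP external database (constructed data)."""
    users: dict            # user -> password, standing in for the LDAP tree
    bind_seconds: float    # time a bind for a known user takes, pass or fail
    reachable: bool = True

    def authenticate(self, user, password, timeout):
        if not self.reachable:
            return Status.ERROR
        if user not in self.users:
            # Assumption: an unknown user is rejected before any LDAP bind,
            # so the answer comes back quickly (the thread's "jimmy" case).
            return Status.FAIL
        if self.bind_seconds > timeout:
            # The switch gives up first: "AUTHEN/CONT -- TIMED OUT", status = ERROR
            return Status.ERROR
        return Status.PASS if self.users[user] == password else Status.FAIL


@dataclass
class IosLogin:
    """One vty line's login method list, evaluated with IOS fall-through rules."""
    methods: list               # e.g. ["group tacacs+", "enable"]
    server: TacacsServer
    enable_secret: str
    tacacs_timeout: float = 5.0  # IOS default 'tacacs-server timeout', seconds

    def attempt(self, user, password, enable_attempt=None):
        """Return (admitted, trace); trace lists (method, status) in order tried."""
        trace = []
        for method in self.methods:
            if method == "group tacacs+":
                status = self.server.authenticate(user, password, self.tacacs_timeout)
            elif method == "enable":
                # IOS prompts for the enable password; wrong or absent answer is a FAIL
                status = Status.PASS if enable_attempt == self.enable_secret else Status.FAIL
            elif method == "none":
                status = Status.PASS  # no authentication at all
            else:
                raise ValueError(f"method not modelled here: {method}")
            trace.append((method, status))
            if status is not Status.ERROR:
                return status is Status.PASS, trace  # PASS and FAIL are final
        return False, trace  # every method returned ERROR: login denied


def run(methods, timeout, bind_seconds, user, password,
        enable_attempt=None, reachable=True):
    """Build a constructed server and line, then try one login."""
    server = TacacsServer(users={"joe": "joe-real-pw"},
                          bind_seconds=bind_seconds, reachable=reachable)
    line = IosLogin(methods, server, enable_secret="enable-secret",
                    tacacs_timeout=timeout)
    return line.attempt(user, password, enable_attempt)


if __name__ == "__main__":
    slow = 8.0  # assumed: the failing LDAP bind takes longer than the 5 s default
    # 1. Original config, default timeout: joe mistypes, then supplies the enable
    #    password and is admitted through the 'enable' fallback (the problem).
    print(run(["group tacacs+", "enable"], 5.0, slow, "joe", "wrong", "enable-secret"))
    # 2. After 'tacacs-server timeout 30': ACS answers FAIL in time, the list
    #    stops, and the enable password is never consulted.
    print(run(["group tacacs+", "enable"], 30.0, slow, "joe", "wrong", "enable-secret"))
    # 3. 'group tacacs+ none' with the default timeout: ERROR falls through to none.
    print(run(["group tacacs+", "none"], 5.0, slow, "joe", "wrong"))
    # 4. Unknown user: immediate FAIL, so no enable prompt appears.
    print(run(["group tacacs+", "enable"], 5.0, slow, "jimmy", "x", "enable-secret"))
    # 5. The intended use of the fallback: server down, enable password admits.
    print(run(["group tacacs+", "enable"], 30.0, slow, "joe", "joe-real-pw",
              "enable-secret", reachable=False))
```

The model makes the operational point explicit: any method placed after `group tacacs+` (`enable`, `local`, `none`) is reachable whenever the server returns ERROR, and a timeout is an ERROR, so the TACACS+ timeout must comfortably exceed the slowest legitimate backend lookup, including the failure path, or a failed login silently becomes a fallback login.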