Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AAA authentication login

Hi,

in Cisco IOS Security Command Reference (link here), page 66 it says:

The following example shows how to create an AAA authentication list called MIS-access. This authentication
first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to
use the enable password. If this attempt also returns an error (because no enable password is configured on
the server), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

I tried that on my lab. I disabled TACACS+ server and deleted the "enable password". I found that the process checks the login request against the "enable" method, and when it finds no "enable password" set, the router shows a "Password:" prompt 3 times then disconnects.

Here's an output:

R1#10.0.0.2
Trying 10.0.0.2 ... Open


User Access Verification

Password:

% Authentication failed

Password:

% Authentication failed

Password:

% Authentication failed

[Connection to 10.0.0.2 closed by foreign host]


Is there an error in this Cisco doc or am I missing something?

I've attached the config of the NAS router.

Everyone's tags (1)
5 REPLIES
Cisco Employee

Couple of things:1. How did

Couple of things:

1. How did you disable the TACACS+ server? Moreover after you disabled it what do you see when you issue "whos aaa servers" ? Post the output here

2. Did you delete both "enable password" and "enable secret" ?

3. Check "debug aaa authentication" and post the output here

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
New Member

1. I have downloaded a free

1. I have downloaded a free TACACS+ server from Tacacs.net. And yes it is stopped with "net stop tacacs.net"

2. yes. Neither "enable password" nor "enable secret" exist in the config (please check the attached config file in the original post)

3.Here is the output of "deb aaa authentication" (named method list is TACACS_group)

R2#sh run | i aaa
aaa new-model
aaa group server tacacs+ TACACS_group
aaa group server radius RADIUS_group
aaa authentication login TACACS_group group tacacs+ enable none
aaa authentication login TEST local none
aaa session-id common
R2#
R2#
R2#deb aaa authent
AAA Authentication debugging is on
R2#
R2#
Jul 14 09:03:35.507: AAA/BIND(00000030): Bind i/f
Jul 14 09:03:35.511: AAA/AUTHEN/LOGIN (00000030): Pick method list 'TACACS_group'
R2#
Jul 14 09:03:40.531: AAA/AUTHEN/ENABLE(00000030): Processing request action LOGIN
Jul 14 09:03:40.535: AAA/AUTHEN/ENABLE(00000030): Done status GET_PASSWORD
R2#

 

Here's the output from the client side:

User Access Verification

Password:
% Password:  timeout expired!
[Connection to 10.0.0.2 closed by foreign host]
R1#

 

 

Cisco Employee

Can you post the output of

Can you post the output of "show aaa servers" command after you disable the TACACS+ server?

Thank you for rating helpful posts!
New Member

 R2#sh aaa serversR2#R2# 

 

R2#sh aaa servers
R2#
R2#

 

Cisco Employee

Hmm interesting. I just

Hmm interesting. I just tested this in my lab and it works as expected. I can see two potential cause of the issue:

1. You are running into a bug. What version of code are you running?

2. Even though you are stopping the TACACS+ service on your server, the Cisco device can still talk to it and it is not marking the server as "down." You can try to either disconnecting the network device from the network or remove the TACACS server entry from the device and try again

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
108
Views
0
Helpful
5
Replies