AAA authentication login

Wassim Aouadi
Level 4

Hi,

In the Cisco IOS Security Command Reference (link here), page 66, it says:

The following example shows how to create an AAA authentication list called MIS-access. This authentication
first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to
use the enable password. If this attempt also returns an error (because no enable password is configured on
the server), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

I tried that in my lab. I disabled the TACACS+ server and deleted the "enable password". I found that the process checks the login request against the "enable" method, and when it finds no "enable password" set, the router shows a "Password:" prompt 3 times and then disconnects.

Here's an output:

R1#10.0.0.2
Trying 10.0.0.2 ... Open


User Access Verification

Password:

% Authentication failed

Password:

% Authentication failed

Password:

% Authentication failed

[Connection to 10.0.0.2 closed by foreign host]


Is there an error in this Cisco doc or am I missing something?

I've attached the config of the NAS router.

5 Replies

nspasov
Cisco Employee

Couple of things:

1. How did you disable the TACACS+ server? Moreover, after you disabled it, what do you see when you issue "show aaa servers"? Post the output here.

2. Did you delete both "enable password" and "enable secret"?

3. Check "debug aaa authentication" and post the output here.

 

Thank you for rating helpful posts!

1. I have downloaded a free TACACS+ server from Tacacs.net. And yes, it is stopped with "net stop tacacs.net".

2. Yes. Neither "enable password" nor "enable secret" exists in the config (please check the attached config file in the original post).

3. Here is the output of "deb aaa authentication" (the named method list is TACACS_group):

R2#sh run | i aaa
aaa new-model
aaa group server tacacs+ TACACS_group
aaa group server radius RADIUS_group
aaa authentication login TACACS_group group tacacs+ enable none
aaa authentication login TEST local none
aaa session-id common
R2#
R2#
R2#deb aaa authent
AAA Authentication debugging is on
R2#
R2#
Jul 14 09:03:35.507: AAA/BIND(00000030): Bind i/f
Jul 14 09:03:35.511: AAA/AUTHEN/LOGIN (00000030): Pick method list 'TACACS_group'
R2#
Jul 14 09:03:40.531: AAA/AUTHEN/ENABLE(00000030): Processing request action LOGIN
Jul 14 09:03:40.535: AAA/AUTHEN/ENABLE(00000030): Done status GET_PASSWORD
R2#

 

Here's the output from the client side:

User Access Verification

Password:
% Password:  timeout expired!
[Connection to 10.0.0.2 closed by foreign host]
R1#

 

 

Can you post the output of "show aaa servers" command after you disable the TACACS+ server?

 

R2#sh aaa servers
R2#
R2#

 

Hmm, interesting. I just tested this in my lab and it works as expected. I can see two potential causes of the issue:

1. You are running into a bug. What version of code are you running?

2. Even though you are stopping the TACACS+ service on your server, the Cisco device can still talk to it and is not marking the server as "down." You can try either disconnecting the network device from the network or removing the TACACS+ server entry from the device, and then try again.

 

Thank you for rating helpful posts! 
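The fallback logic the Cisco doc describes (ERROR hands off to the next method, PASS or FAIL ends the walk) is easy to misread, as this thread shows. The Python model below is an added example, not Cisco code or anything posted in the thread; the "reachable" flag, the user table and the method functions are constructed stand-ins for what the router and "show aaa servers" would report. It shows why "group tacacs+ enable none" grants access to anyone once the server is genuinely unreachable and no enable secret exists, and why it still rejects a bad password while the server is reachable (nspasov's second point).

```python
# Added model of IOS AAA method-list evaluation (assumed semantics, not Cisco code).
# ERROR = method could not decide (server unreachable, no enable secret) -> try next.
# PASS / FAIL = method decided -> stop walking the list.
from dataclasses import dataclass
from typing import Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Device:
    tacacs_reachable: bool          # constructed: would the router still reach the server?
    tacacs_users: dict              # constructed TACACS+ user database
    enable_secret: Optional[str]    # None = no enable password/secret configured

def method_tacacs(dev, user, pw):
    if not dev.tacacs_reachable:
        return ERROR                # no server answers: error, fall through
    return PASS if dev.tacacs_users.get(user) == pw else FAIL  # server rejects: stop

def method_enable(dev, user, pw):
    if dev.enable_secret is None:
        return ERROR                # nothing to check against: error, fall through
    return PASS if pw == dev.enable_secret else FAIL

def method_none(dev, user, pw):
    return PASS                     # no authentication at all

METHODS = {"tacacs+": method_tacacs, "enable": method_enable, "none": method_none}

def authenticate(dev, method_list, user, pw):
    """Walk the method list; return (result, name of the method that decided)."""
    for name in method_list:
        result = METHODS[name](dev, user, pw)
        if result != ERROR:
            return result, name
    return FAIL, None               # every method errored and no 'none' was listed

if __name__ == "__main__":
    mis_access = ["tacacs+", "enable", "none"]
    server_down = Device(False, {"admin": "s3cret"}, None)
    print(authenticate(server_down, mis_access, "anyone", "wrong"))  # ('PASS', 'none')
    server_up = Device(True, {"admin": "s3cret"}, None)
    print(authenticate(server_up, mis_access, "admin", "wrong"))      # ('FAIL', 'tacacs+')
```

The first call is the risk the doc's own wording spells out: with the server down and no enable secret, "none" lets anyone in. The second is what a router that still considers the server reachable does, which matches the repeated "% Authentication failed" seen in the original post.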
