09-04-2012 01:01 AM - edited 03-10-2019 07:29 PM
Hi~
I have an authentication problem, my config is as follows:
1. When I use telnet, I get "% Authorization failed."
2. When I use SSH, entering the username without entering a password authenticates successfully.
3. When SSH authentication succeeds, I do not see a passed-authentication record in the ACS log.
Why, with line vty 0 4 configured with "login authentication console", does SSH authenticate successfully when I enter the username without entering a password?
aaa new-model
!
aaa authentication login default group tacacs+ line
aaa authentication login console none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host 172.18.1.247
tacacs-server timeout 60
tacacs-server directed-request
tacacs-server key xxxx
line con 0
authorization exec console
login authentication console
!
line vty 0 4
login authentication console
length 0
line vty 5 15
password 7 xxxx
09-04-2012 01:16 AM
With that line config you apply the authentication list "console" to the VTYs. In the authentication list "console" you specify the method "none". With "none" there is no authentication, and an SSH user can access the router with any username, even if there is no username configured on the router.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-04-2012 01:56 AM
Thanks for your reply!!
But not every username authenticates successfully; only the accounts in the ACS can authenticate successfully.
I think this is very strange.
09-04-2012 02:20 AM
But not every username authenticates successfully; only the accounts in the ACS can authenticate successfully.
As per your config, the authentication (which is done locally) should always succeed. But the authorization is again dependent on the ACS, where it should fail.
09-05-2012 09:31 AM
Hi~
I used the debug command; it seems the authentication uses "console none" but the authorization uses the ACS. Is this normal behavior?
5d14h: AAA/BIND(000000F4): Bind i/f
5d14h: AAA/AUTHEN/LOGIN (000000F4): Pick method list 'console'
5d14h: AAA/AUTHOR (0xF4): Pick method list 'default'
5d14h: AAA/AUTHOR/EXEC(000000F4): Authorization FAILED
5d14h: %Error 9, Failed to open the file Password:
5d14h: %Error 9, Failed to open the file Password:
5d14h: %Error 9, Failed to open the file Password:
09-05-2012 01:53 PM
I used the debug command; it seems the authentication uses "console none" but the authorization uses the ACS. Is this normal behavior?
That's what you have configured:
aaa authentication login console none
aaa authorization exec default group tacacs+ if-authenticated
09-06-2012 12:25 AM
If the authentication uses "aaa authentication login console none", the authorization should correspond to "aaa authorization exec console none".
Why is "aaa authorization exec default group tacacs+ if-authenticated" used??
Thanks for your reply!
09-06-2012 12:57 AM
You have not assigned the "aaa authorization exec console ..." list to the VTY line, and so the default is used. You could put "authorization exec console" on the VTY to disable authorization.
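The point Karsten makes in the replies above is that IOS resolves two separate method lists per line: the one named by "login authentication" and the one named by "authorization exec", and any list not named explicitly falls back to the list called "default". The following audit script is an added example, not code from the thread or from Cisco: it parses a config fragment in the same shape as the original post (with the TACACS+ key replaced by a placeholder), resolves both lists for every "line" block, and flags every line whose list is "none", or whose session is unauthenticated while exec access is left to TACACS+ authorization. The sub-command parsing ignores indentation because forum pastes often lose it; the regular expressions and function names are this example's own.

```python
"""Audit Cisco IOS AAA method-list assignment per line.

Added example, not from the thread: parses a running-config fragment,
resolves which "aaa authentication login" and "aaa authorization exec"
list each "line" block uses (a line with no explicit list falls back to
the list named "default"), and flags lines that resolve to "none".
"""
import re

# Constructed sample: the thread's configuration with the TACACS+ key
# and the vty 5-15 password replaced by placeholders.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login default group tacacs+ line
aaa authentication login console none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
tacacs-server host 172.18.1.247
tacacs-server key PLACEHOLDER_KEY
line con 0
authorization exec console
login authentication console
!
line vty 0 4
login authentication console
length 0
line vty 5 15
password 7 PLACEHOLDER
"""

AUTH_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
LINE_RE = re.compile(r"^line (con|aux|vty|tty) \d+(?: \d+)?$")
LOGIN_SUB_RE = re.compile(r"^login authentication (\S+)$")
AUTHZ_SUB_RE = re.compile(r"^authorization exec (\S+)$")


def parse_config(text):
    """Return (auth_lists, authz_lists, line_blocks).

    auth_lists / authz_lists map list name -> list of method tokens.
    line_blocks maps line name -> {"auth": list name, "authz": list name},
    both starting at "default" and overridden by the line's sub-commands.
    """
    auth_lists, authz_lists, line_blocks = {}, {}, {}
    current = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        m = AUTH_RE.match(cmd)
        if m:
            auth_lists[m.group(1)] = m.group(2).split()
            continue
        m = AUTHZ_RE.match(cmd)
        if m:
            authz_lists[m.group(1)] = m.group(2).split()
            continue
        if LINE_RE.match(cmd):
            current = cmd[len("line "):]
            line_blocks[current] = {"auth": "default", "authz": "default"}
            continue
        if current is None:
            continue  # other global commands (tacacs-server ...) are not needed here
        m = LOGIN_SUB_RE.match(cmd)
        if m:
            line_blocks[current]["auth"] = m.group(1)
            continue
        m = AUTHZ_SUB_RE.match(cmd)
        if m:
            line_blocks[current]["authz"] = m.group(1)
    return auth_lists, authz_lists, line_blocks


def resolve(text):
    """Map each line to the method tokens that apply to it for login
    authentication and exec authorization (None if the referenced list
    is never defined in the config)."""
    auth_lists, authz_lists, line_blocks = parse_config(text)
    return {
        name: {
            "auth_list": refs["auth"],
            "auth": auth_lists.get(refs["auth"]),
            "authz_list": refs["authz"],
            "authz": authz_lists.get(refs["authz"]),
        }
        for name, refs in line_blocks.items()
    }


def audit(text):
    """Return one human-readable finding per risky line/list combination."""
    findings = []
    for name, r in resolve(text).items():
        for kind, label in (("auth", "authentication"), ("authz", "exec authorization")):
            methods, list_name = r[kind], r[kind + "_list"]
            if methods is None:
                findings.append(f"{name}: {label} list '{list_name}' is referenced but not defined")
            elif methods[0] == "none":
                findings.append(f"{name}: {label} list '{list_name}' is 'none' (no check performed)")
        # The thread's exact situation: no authentication at all, then
        # TACACS+ exec authorization is the only thing deciding access.
        if r["auth"] == ["none"] and r["authz"] and "tacacs+" in r["authz"]:
            findings.append(f"{name}: unauthenticated session, exec access decided only by TACACS+ authorization")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports that con 0 has both lists set to "none", and that vty 0 4 has authentication "none" while exec authorization still goes to the default TACACS+ list, which is exactly the mismatch the thread uncovers; vty 5 15 uses the default lists for both and produces no finding.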
09-06-2012 01:36 AM
OK, thanks a lot!!
But why is the SSH login successful??
09-04-2012 02:30 AM
Hi ,
Notes:
-IP Domain-name is missing from the configuration
-Transport input SSH is missing under line vty 0 4
-Crypto key generate rsa is missing as well
Please post "show ssh" after logging into the device via SSH. If there's a client doing SSH, I believe Wireshark traces on the ACS port would be good.
HTH
09-04-2012 02:33 AM
Hi Hussam,
-IP Domain-name is missing from the configuration
-Transport input SSH is missing under line vty 0 4
-Crypto key generate rsa is missing as well
but none of them are needed in this situation. And "crypto key generate" is never included in the running config.
09-04-2012 02:54 AM
Hi Karsten ,
You are right about the key (my fault), but I didn't get why enabling SSH is not necessary!
Even with the "none" keyword, SSH is not enabled by default.
09-04-2012 03:00 AM
Well, if he was using SSH, the router must have SSH enabled. SSH gets enabled the moment the keys are generated, and for generating the keys you don't need a domain name when you generate the keys with a label.