AAA & SSH question

Wei-Hsiang Liao

Hi~

I have an authentication problem, my config is as follows:

1. When I use telnet, "% Authorization failed."

2. When I use ssh, entering the username without entering the password results in successful authentication.

3. When ssh authentication is successful, I do not see the record of the passed authentication in the ACS log.

Why, with line vty 0 4 configured with "login authentication console", can an ssh login with only the username and no password authenticate successfully?

aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authentication login console none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host 172.18.1.247
tacacs-server timeout 60
tacacs-server directed-request
tacacs-server key xxxx
!
line con 0
 authorization exec console
 login authentication console
!
line vty 0 4
 login authentication console
 length 0
line vty 5 15
 password 7 xxxx

12 Replies

With that line-config you apply the authentication list "console" to the VTYs. In the authentication-list "console" you specify the method "none". With "none" there is no authentication and an SSH-user can access the router with any username, even if there is no username configured on the router.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for your reply!!

But it is not the case that any username authenticates successfully; only the accounts in the ACS can authenticate successfully.

I think it is very strange.

But it is not the case that any username authenticates successfully; only the accounts in the ACS can authenticate successfully.

As per your config, the Authentication (which is done locally) should always succeed. But the Authorization is again dependent on the ACS, where it should fail.


Hi~

I used the debug command; it seems authentication uses "console none" but authorization uses the ACS. Is this normal behavior?

5d14h: AAA/BIND(000000F4): Bind i/f
5d14h: AAA/AUTHEN/LOGIN (000000F4): Pick method list 'console'
5d14h: AAA/AUTHOR (0xF4): Pick method list 'default'
5d14h: AAA/AUTHOR/EXEC(000000F4): Authorization FAILED
5d14h: %Error 9, Failed to open the file Password:
5d14h: %Error 9, Failed to open the file Password:
5d14h: %Error 9, Failed to open the file Password:

I used the debug command; it seems authentication uses "console none" but authorization uses the ACS. Is this normal behavior?

That's what you have configured:

aaa authentication login console none

aaa authorization exec default group tacacs+ if-authenticated


If authentication uses "aaa authentication login console none", authorization should correspond to "aaa authorization exec console none".

Why use "aaa authorization exec default group tacacs+ if-authenticated"??

Thanks for your reply!

You have not assigned the "aaa authorization exec console ..." list to the VTY-line, and so the default is used. You could put "authorization exec console" on the VTY to disable authorization.

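As an added illustration (not configuration from the thread or from Cisco documentation), here are the VTY lines as posted, which invoke the "console" login list whose only method is "none", beside a variant that sends remote sessions through the default lists so that ACS handles both authentication and EXEC authorization; the "none" lists stay on the physical console only.

```cisco
! As posted: VTYs use the "console" login list (method "none"), so any
! username is accepted before EXEC authorization is even attempted.
line vty 0 4
 login authentication console
 length 0
!
! Corrected: remote sessions use the default lists, so the ACS is asked
! for the password (tacacs+, then the line password as fallback) and for
! EXEC authorization of the authenticated user.
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
 length 0
!
! The "none" lists remain only on the console port.
line con 0
 login authentication console
 authorization exec console
```

The posted vty 0 4 has no line password, so the "line" fallback of the default login list would not cover those lines if the TACACS+ server is unreachable; set one if that fallback is intended for them.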

OK, thanks a lot!!

But why is the ssh login successful??

hkhrais

Hi,

Notes:

-IP Domain-name is missing from the configuration

-Transport input SSH is missing under line vty 0 4

-Crypto key generate rsa is missing as well

Please post "show ssh" after logging into the device via SSH. If there is a client doing SSH, I believe Wireshark traces on the ACS port would be good.

HTH

Hi Hussam,

-IP Domain-name is missing from the configuration

-Transport input SSH is missing under line vty 0 4

-Crypto key generate rsa is missing as well

but none of them are needed in this situation. And "crypto key generate" is never included in the running config.


Hi Karsten,

You are right about the key (my fault), but I didn't get why enabling SSH is not necessary!

Even with the "none" keyword, SSH is not enabled by default.

Well, if he was using SSH, the router must have SSH enabled. And SSH gets enabled the moment the keys are generated. And for generating the keys you don't need a domain-name when you generate the keys with a label.
