02-20-2003 01:53 AM - edited 03-10-2019 07:09 AM
Hello,
I have seen the following configuration used, but don't see the point of the enable method at the end, since it will never progress beyond the line password. I have tested this by having the TACACS server down, and removing the line password, but it still won't fail over to the enable password. Can you see any reason for the use of the enable password?
aaa authentication login default tacacs+ line enable
Many Thanks
Ian
02-20-2003 01:02 PM
Need to see the debug for "debug aaa authentication" so that we can pinpoint the issue. You will see something like the following debug. Same worked for me. Here it is:
*Mar 14 19:27:39.369: AAA/MEMORY: create_user (0x48FA8C) user='' ruser='' port='tty3' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1
*Mar 14 19:27:39.373: AAA/AUTHEN/START (3803660310): port='tty3' list='' action=LOGIN service=LOGIN
*Mar 14 19:27:39.377: AAA/AUTHEN/START (3803660310): using "default" list
*Mar 14 19:27:39.381: AAA/AUTHEN/START (3803660310): Method=tacacs+ (tacacs+)
*Mar 14 19:27:39.381: TAC+: send AUTHEN/START packet ver=192 id=3803660310
*Mar 14 19:27:44.393: AAA/AUTHEN (3803660310): status = ERROR
*Mar 14 19:27:44.397: AAA/AUTHEN/START (3803660310): Method=LINE
*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): can't find any passwords
*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): status = ERROR
*Mar 14 19:27:44.405: AAA/AUTHEN/START (3803660310): Method=ENABLE
*Mar 14 19:27:44.405: AAA/AUTHEN (3803660310): status = GETPASS
*Mar 14 19:27:51.485: AAA/AUTHEN/CONT (3803660310): continue_login (user='(undef)')
*Mar 14 19:27:51.489: AAA/AUTHEN (3803660310): status = GETPASS
*Mar 14 19:27:51.493: AAA/AUTHEN/CONT (3803660310): Method=ENABLE
*Mar 14 19:27:51.493: AAA/AUTHEN (3803660310): status = PASS
02-21-2003 01:12 AM
Hello,
Thank you for your excellent reply. I am still having trouble, as shown below, my test never tries the enable method. Would you please tell me what software version you used, and please send me your full configuration.
Thanks again.
TEST-3640#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-I-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 03-Jan-03 15:10 by ccai
Image text-base: 0x60008930, data-base: 0x60C1A000
TEST-3640#sh run | incl aaa
aaa new-model
aaa authentication login default group tacacs+ line enable
aaa session-id common
TEST-3640#sh run | be line vty
line vty 0 4
!
!
end
##########CONFIGURE AN ENABLE PASS AND LINE PASS ON VTY AND AAA AUTHEN###########
TEST-3640(config)#enable pass enable
TEST-3640(config)#line vty 0 4
TEST-3640(config-line)#pass line
TEST-3640(config-line)#^Z
TEST-3640#
*Mar 9 21:21:52.543 UTC: %SYS-5-CONFIG_I: Configured from console by console
TEST-3640#conf t
Enter configuration commands, one per line. End with CNTL/Z.
TEST-3640(config)#aaa new-model
TEST-3640(config)#aaa authen login default group tac line enable
TEST-3640(config)#^Z
TEST-3640#debug aaa authen
AAA Authentication debugging is on
#######LOGIN WITH line password and debug shows it worked################
TEST-3640#
*Mar 9 21:22:40.291 UTC: AAA/AUTHEN/LOGIN (00000014): Pick method list 'default'
*Mar 9 21:22:40.291 UTC: AAA/AUTHEN/LINE(00000014): GET_PASSWORD
*Mar 9 21:22:44.119 UTC: AAA/AUTHEN/LINE(00000014): PASS
#########REMOVE LINE PASSWORD AND FAILS#####################
TEST-3640#conf t
Enter configuration commands, one per line. End with CNTL/Z.
TEST-3640(config)#line vty 0 4
TEST-3640(config-line)#no pass line
TEST-3640(config-line)#^Z
TEST-3640#
*Mar 9 21:23:02.695 UTC: %SYS-5-CONFIG_I: Configured from console by console
*Mar 9 21:23:06.907 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'
*Mar 9 21:23:06.911 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD
*Mar 9 21:23:16.683 UTC: AAA/AUTHEN/LINE(00000015): FAIL password incorrect
*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'
*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD
02-21-2003 12:10 PM
My debug was on 12.1(18) with the following config.
aaa new-model
aaa authen login default group tac line enable
I will test it with your version and let you know.
02-21-2003 02:10 PM
You are right. It doesn't work in .T releases. I have just tested it in 12.2(13)T and T1 and it's broken. Authentication stops at "line".
To fix the issue, use mainline versions like 12.2(13). I have tested it in mainline versions and it works. I am filing a bug and will let you know the bug number to follow.
02-21-2003 02:47 PM
I have submitted CSCea26322 for this issue. To fix this issue, use mainline versions.
02-24-2003 12:30 AM
Hello,
Thank you very much for your hard work. You have provided better service than what I get from the TAC!!!
Well done,
Ian
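Added example, not part of the thread and not Cisco code: a small parser that rebuilds the method chain per session from `debug aaa authentication` output in both formats posted above and flags a session that ended on a failed method before the end of the configured list, which is how the 12.2(13)T1 behaviour shows up in the log. The sample lines are condensed from the two debugs in the thread; the function names and the `CONFIGURED` list are assumptions made for the example.

```python
import re

# Condensed from the thread: 12.1 debug (falls through to ENABLE), then the
# 12.2(13)T1 debug taken after the line password was removed.
SAMPLE = """\
*Mar 14 19:27:39.381: AAA/AUTHEN/START (3803660310): Method=tacacs+ (tacacs+)
*Mar 14 19:27:44.393: AAA/AUTHEN (3803660310): status = ERROR
*Mar 14 19:27:44.397: AAA/AUTHEN/START (3803660310): Method=LINE
*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): status = ERROR
*Mar 14 19:27:44.405: AAA/AUTHEN/START (3803660310): Method=ENABLE
*Mar 14 19:27:44.405: AAA/AUTHEN (3803660310): status = GETPASS
*Mar 14 19:27:51.493: AAA/AUTHEN/CONT (3803660310): Method=ENABLE
*Mar 14 19:27:51.493: AAA/AUTHEN (3803660310): status = PASS
*Mar 9 21:23:06.907 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'
*Mar 9 21:23:06.911 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD
*Mar 9 21:23:16.683 UTC: AAA/AUTHEN/LINE(00000015): FAIL password incorrect
"""

# Order of "aaa authentication login default group tacacs+ line enable"
CONFIGURED = ["TACACS+", "LINE", "ENABLE"]

METHOD = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\w+)\): Method=(\S+)")  # 12.1 style
STATUS = re.compile(r"AAA/AUTHEN \((\w+)\): status = (\w+)")               # 12.1 style
NEWFMT = re.compile(r"AAA/AUTHEN/(\w+)\s*\((\w+)\): (PASS|FAIL|ERROR|GET_PASSWORD)")

def trace_sessions(text):
    """Return {session_id: [[method, last_status], ...]} in the order methods ran."""
    sessions = {}
    for line in text.splitlines():
        if m := METHOD.search(line):
            sid, method, status = m.group(1), m.group(2).upper(), None
        elif m := STATUS.search(line):
            sid, method, status = m.group(1), None, m.group(2)
        elif m := NEWFMT.search(line):
            sid, method, status = m.group(2), m.group(1).upper(), m.group(3)
        else:
            continue
        chain = sessions.setdefault(sid, [])
        if method and (not chain or chain[-1][0] != method):
            chain.append([method, None])      # a new method was started
        if status and chain:
            chain[-1][1] = status             # latest status of the current method
    return sessions

def stalled(chain, configured=CONFIGURED):
    """True when the last method tried failed and later configured methods never ran."""
    method, status = chain[-1]
    return status in ("FAIL", "ERROR") and method != configured[-1]

if __name__ == "__main__":
    for sid, chain in trace_sessions(SAMPLE).items():
        print(sid, chain, "STALLED" if stalled(chain) else "ok")
```
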