Unused AAA Configuration

ipotts
Level 1

Hello,

I have seen the following configuration used, but don't see the point of the enable method at the end, since it will never progress beyond the line password. I have tested this by having the TACACS server down, and removing the line password, but it still won't fail over to the enable password. Can you see any reason for the use of the enable password?

aaa authentication login default tacacs+ line enable

Many Thanks

Ian

6 Replies

tepatel
Cisco Employee

Need to see the debug for "debug aaa authentication" so that we can pinpoint the issue. You will see something like the following debug. The same worked for me. Here it is:

*Mar 14 19:27:39.369: AAA/MEMORY: create_user (0x48FA8C) user='' ruser='' port='tty3' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

*Mar 14 19:27:39.373: AAA/AUTHEN/START (3803660310): port='tty3' list='' action=LOGIN service=LOGIN

*Mar 14 19:27:39.377: AAA/AUTHEN/START (3803660310): using "default" list

*Mar 14 19:27:39.381: AAA/AUTHEN/START (3803660310): Method=tacacs+ (tacacs+)

*Mar 14 19:27:39.381: TAC+: send AUTHEN/START packet ver=192 id=3803660310

*Mar 14 19:27:44.393: AAA/AUTHEN (3803660310): status = ERROR

*Mar 14 19:27:44.397: AAA/AUTHEN/START (3803660310): Method=LINE

*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): can't find any passwords

*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): status = ERROR

*Mar 14 19:27:44.405: AAA/AUTHEN/START (3803660310): Method=ENABLE

*Mar 14 19:27:44.405: AAA/AUTHEN (3803660310): status = GETPASS

*Mar 14 19:27:51.485: AAA/AUTHEN/CONT (3803660310): continue_login (user='(undef)')

*Mar 14 19:27:51.489: AAA/AUTHEN (3803660310): status = GETPASS

*Mar 14 19:27:51.493: AAA/AUTHEN/CONT (3803660310): Method=ENABLE

*Mar 14 19:27:51.493: AAA/AUTHEN (3803660310): status = PASS

Hello,

Thank you for your excellent reply. I am still having trouble; as shown below, my test never tries the enable method. Would you please tell me what software version you used, and please send me your full configuration.

Thanks again.

TEST-3640#sh ver

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-I-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2003 by cisco Systems, Inc.

Compiled Fri 03-Jan-03 15:10 by ccai

Image text-base: 0x60008930, data-base: 0x60C1A000

TEST-3640#sh run | incl aaa

aaa new-model

aaa authentication login default group tacacs+ line enable

aaa session-id common

TEST-3640#sh run | be line vty

line vty 0 4

!

!

end

##########CONFIGURE AN ENABLE PASS AND LINE PASS ON VTY AND AAA AUTHEN###########

TEST-3640(config)#enable pass enable

TEST-3640(config)#line vty 0 4

TEST-3640(config-line)#pass line

TEST-3640(config-line)#^Z

TEST-3640#

*Mar 9 21:21:52.543 UTC: %SYS-5-CONFIG_I: Configured from console by console

TEST-3640#conf t

Enter configuration commands, one per line. End with CNTL/Z.

TEST-3640(config)#aaa new-model

TEST-3640(config)#aaa authen login default group tac line enable

TEST-3640(config)#^Z

TEST-3640#debug aaa authen

AAA Authentication debugging is on

#######LOGIN WITH line password and debug shows it worked################

TEST-3640#

*Mar 9 21:22:40.291 UTC: AAA/AUTHEN/LOGIN (00000014): Pick method list 'default'

*Mar 9 21:22:40.291 UTC: AAA/AUTHEN/LINE(00000014): GET_PASSWORD

*Mar 9 21:22:44.119 UTC: AAA/AUTHEN/LINE(00000014): PASS

#########REMOVE LINE PASSWORD AND FAILS#####################

TEST-3640#conf t

Enter configuration commands, one per line. End with CNTL/Z.

TEST-3640(config)#line vty 0 4

TEST-3640(config-line)#no pass line

TEST-3640(config-line)#^Z

TEST-3640#

*Mar 9 21:23:02.695 UTC: %SYS-5-CONFIG_I: Configured from console by console

*Mar 9 21:23:06.907 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'

*Mar 9 21:23:06.911 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD

*Mar 9 21:23:16.683 UTC: AAA/AUTHEN/LINE(00000015): FAIL password incorrect

*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'

*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD

My debug was on 12.1(18) with the following config.

aaa new-model

aaa authen login default group tac line enable

I will test it with your version and let you know.

You are right. It doesn't work in .T releases. I have just tested it in 12.2(13)T and T1 and it's broken. Authentication stops at "line".

To fix the issue, use mainline versions like 12.2(13). I have tested it in mainline versions and it works. I am filing a bug and will let you know the bug number to follow.

I have submitted CSCea26322 for this issue. To fix this issue, use mainline versions.
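The two debug captures above show the rule that decides whether a login method list falls through: a method that returns ERROR (server unreachable, "can't find any passwords") hands control to the next method in the list, while PASS or FAIL ends the attempt. On 12.1(18) the line method returned ERROR with no password configured and the router went on to enable; on 12.2(13)T1 the line method answered "FAIL password incorrect" instead, so the list stopped there. The script below is an added example, not code from this thread or from Cisco. It models that rule, parses "debug aaa authentication" output in both line shapes seen above (the regexes are built only from those shapes), and reports where a session departs from what the rule predicts for the scenario the thread tested (TACACS+ down, no line password, correct enable password; that per-method mapping is an assumption of the example). The sample lines are copied from the thread; a method with no PASS/FAIL/ERROR in the capture is reported as such, without claiming it was or was not attempted, since the 12.2T debug simply shows no TACACS+ step.

```python
"""Audit IOS 'aaa authentication login' fallback from 'debug aaa authentication'.

Method-list rule modelled here:
  ERROR - the method could not be used (server unreachable, no password
          configured): try the next method in the list;
  PASS  - authenticated, stop;
  FAIL  - credentials rejected, stop.  FAIL never falls through, otherwise a
          wrong TACACS+ password could be retried against the line/enable
          passwords.
"""
import re

METHOD_LIST = ["tacacs+", "line", "enable"]   # the thread's 'default' login list
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
TERMINAL = {PASS, FAIL, ERROR}

# Scenario tested in the thread: TACACS+ unreachable, no line password set,
# enable password set and typed correctly.  Assumed per-method mapping.
TACACS_DOWN_NO_LINE_PW = {"tacacs+": ERROR, "line": ERROR, "enable": PASS}


def predicted_sequence(method_list, scenario):
    """Walk the list as the rule says: move on only after an ERROR."""
    trace = []
    for method in method_list:
        result = scenario.get(method, ERROR)   # unmodelled method: treat as unavailable
        trace.append((method, result))
        if result != ERROR:                    # PASS or FAIL ends the attempt
            break
    return trace


# 12.1-style lines:  AAA/AUTHEN/START (3803660310): Method=tacacs+ (tacacs+)
#                    AAA/AUTHEN (3803660310): status = ERROR
OLD_METHOD = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(\S+)")
OLD_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
# 12.2T-style lines: AAA/AUTHEN/LINE(00000015): FAIL password incorrect
# (no space before the parenthesis, unlike 'AAA/AUTHEN/LOGIN (id): Pick ...')
NEW_EVENT = re.compile(r"AAA/AUTHEN/([A-Z+]+)\((\d+)\): (\w+)")


def observed_sequences(debug_lines):
    """Return {session_id: [(method, PASS|FAIL|ERROR), ...]} from debug output."""
    sessions, current = {}, {}
    for line in debug_lines:
        if m := OLD_METHOD.search(line):
            sid, method = m.groups()
            current[sid] = method.lower()
            sessions.setdefault(sid, [])
        elif m := OLD_STATUS.search(line):
            sid, status = m.groups()
            if status in TERMINAL:                 # ignore GETPASS etc.
                sessions.setdefault(sid, []).append((current.get(sid, "unknown"), status))
        elif m := NEW_EVENT.search(line):
            method, sid, status = m.groups()
            if status in TERMINAL:                 # ignore GET_PASSWORD
                sessions.setdefault(sid, []).append((method.lower(), status))
    return sessions


def fallback_problems(method_list, scenario, observed):
    """Ways an observed trace departs from what the rule predicts."""
    logged = dict(observed)                    # last terminal status per method
    problems = []
    for method, result in predicted_sequence(method_list, scenario):
        if method not in logged:
            problems.append(f"no PASS/FAIL/ERROR logged for '{method}'")
        elif logged[method] != result:
            problems.append(f"'{method}' logged {logged[method]}, rule predicts {result}")
    return problems


def audit(method_list, scenario, debug_lines):
    """{session_id: [problems]} for every session found in the debug output."""
    return {sid: fallback_problems(method_list, scenario, trace)
            for sid, trace in observed_sequences(debug_lines).items()}


# Debug lines copied from the thread: the 12.1(18) run, then the 12.2(13)T1
# run after the line password had been removed.
DEBUG_12_1 = """\
*Mar 14 19:27:39.381: AAA/AUTHEN/START (3803660310): Method=tacacs+ (tacacs+)
*Mar 14 19:27:39.381: TAC+: send AUTHEN/START packet ver=192 id=3803660310
*Mar 14 19:27:44.393: AAA/AUTHEN (3803660310): status = ERROR
*Mar 14 19:27:44.397: AAA/AUTHEN/START (3803660310): Method=LINE
*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): can't find any passwords
*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): status = ERROR
*Mar 14 19:27:44.405: AAA/AUTHEN/START (3803660310): Method=ENABLE
*Mar 14 19:27:44.405: AAA/AUTHEN (3803660310): status = GETPASS
*Mar 14 19:27:51.493: AAA/AUTHEN/CONT (3803660310): Method=ENABLE
*Mar 14 19:27:51.493: AAA/AUTHEN (3803660310): status = PASS
""".splitlines()

DEBUG_12_2T = """\
*Mar 9 21:23:06.907 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'
*Mar 9 21:23:06.911 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD
*Mar 9 21:23:16.683 UTC: AAA/AUTHEN/LINE(00000015): FAIL password incorrect
*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'
*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("12.1(18)", DEBUG_12_1), ("12.2(13)T1", DEBUG_12_2T)):
        for sid, problems in audit(METHOD_LIST, TACACS_DOWN_NO_LINE_PW, lines).items():
            print(f"{name} session {sid}: {problems or 'fallback as expected'}")
```

Run against the 12.1(18) capture the audit reports nothing; against the 12.2(13)T1 capture it reports that line logged FAIL where the rule predicts ERROR and that no terminal status was logged for enable, which is the "authentication stops at line" behaviour described above. The same audit can be pointed at a capture from any other release before relying on the enable method as the last-resort fallback.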

Hello,

Thank you very much for your hard work. You have provided better service than what I get from the TAC!!!

Well done,

Ian