Very Simple AAA Question for AAA gurus

ovt
Level 4

Hi!

Does anybody know why authentication always succeeds if I log in to a router as "any_nonexistent_user" with the following config:

aaa new-model
aaa authentication login test local none
line vty 0 4
 login authentication test

and doesn't succeed with the following config:

aaa new-model
aaa authentication login test group tacacs+ none
line vty 0 4
 login authentication test

The user "any_nonexistent_user" really doesn't exist :) in the local database.

Does this behaviour contradict the documentation: "The additional methods of authentication are used only if the previous method returns an error, not if it fails".

Regards,

Oleg Tipisov,

REDCENTER,

Moscow

2 Replies

d.parks
Level 1

I have witnessed this same behavior. It appears that the "local" auth type is an exception to the rule. If the user does not exist in the local list, then the next method is tried. This is not the case with tacacs or radius.

jay.silveus
Level 1

If you look at this web site: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800c6c62.html#1017794

and read this sample info:

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

You will see that using the word 'none' will authenticate a user without requiring authentication.
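The behaviour described in the question and both replies comes down to one rule: AAA moves to the next method in the list only when the current method returns an error (server unreachable, no local entry, no enable secret configured), not when it returns a fail (wrong credentials). The following Python model is an added example, not code from the thread or from Cisco. It models each method as returning PASS, FAIL or ERROR, walks a method list the way the rule says, and reproduces both configs from the question plus the MIS-access list quoted from the documentation. The specific outcome that `local` reports ERROR for an unknown user is taken from d.parks' observation; real IOS versions may differ, and the credentials, server contents and enable secret are constructed values.

```python
from enum import Enum


class Result(Enum):
    """Outcome of a single AAA method: only ERROR lets the list continue."""
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed local username database (hypothetical credentials).
LOCAL_USERS = {"admin": "s3cret"}


def method_local(user, password, ctx):
    # As reported in the thread: a user missing from the local database is
    # treated as an ERROR (fall through), a wrong password as a FAIL (stop).
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def method_tacacs(user, password, ctx):
    # ctx["tacacs"] is a dict of users the (simulated) server knows, or None
    # when no server is reachable. Unreachable -> ERROR; reachable but
    # unknown user or bad password -> FAIL.
    server = ctx.get("tacacs")
    if server is None:
        return Result.ERROR
    return Result.PASS if server.get(user) == password else Result.FAIL


def method_enable(user, password, ctx):
    # No enable secret configured -> ERROR (documentation example); otherwise
    # compare the supplied password against it.
    secret = ctx.get("enable_secret")
    if secret is None:
        return Result.ERROR
    return Result.PASS if password == secret else Result.FAIL


def method_none(user, password, ctx):
    # 'none' performs no authentication and always succeeds.
    return Result.PASS


METHODS = {
    "local": method_local,
    "group tacacs+": method_tacacs,
    "enable": method_enable,
    "none": method_none,
}


def parse_method_list(line):
    """'aaa authentication login NAME m1 m2 ...' -> (NAME, ['m1', 'm2', ...])."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an 'aaa authentication login' line")
    name, rest, methods, i = tokens[3], tokens[4:], [], 0
    while i < len(rest):
        if rest[i] == "group":          # 'group tacacs+' is a two-token method
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def authenticate(methods, user, password, ctx):
    """Walk the list; return (final Result, trace of (method, Result))."""
    trace = []
    for name in methods:
        result = METHODS[name](user, password, ctx)
        trace.append((name, result))
        if result is not Result.ERROR:  # PASS or FAIL ends the list
            return result, trace
    return Result.FAIL, trace           # every method errored: deny


def run_config(line, user, password, ctx):
    _, methods = parse_method_list(line)
    return authenticate(methods, user, password, ctx)


if __name__ == "__main__":
    for cfg, ctx in [
        ("aaa authentication login test local none", {}),
        ("aaa authentication login test group tacacs+ none", {"tacacs": {}}),
        ("aaa authentication login MIS-access group tacacs+ enable none", {}),
    ]:
        print(cfg, "->", run_config(cfg, "any_nonexistent_user", "x", ctx))
```

Running the module prints the trace for each list, which makes the difference visible: `local none` ends at `none` because `local` errored on the unknown user, while `group tacacs+ none` stops at the reachable TACACS+ server's FAIL and never reaches `none`. Take the server away (`ctx = {}`) and the same list admits the user, which is why a trailing `none` is normally replaced by a `local` fallback on production devices.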
