Cisco Support Community

ovt (Bronze)

Very Simple AAA Question for AAA gurus

Hi!

Does anybody know why authentication always succeeds if I login to a router as "any_nonexistent_user" with the following config:

aaa new-model
aaa authentication login test local none
line vty 0 4
 login authentication test

and doesn't succeed with the following config:

aaa new-model
aaa authentication login test group tacacs+ none
line vty 0 4
 login authentication test

The user "any_nonexistent_user" really doesn't exist :) in the local database.

Does this behaviour contradict the documentation: "The additional methods of authentication are used only if the previous method returns an error, not if it fails"?

Regards,

Oleg Tipisov,

REDCENTER,

Moscow

2 REPLIES
Bronze

Re: Very Simple AAA Question for AAA gurus

I have witnessed this same behavior. It appears that the "local" auth type is an exception to the rule. If the user does not exist in the local list, then the next method is tried. This is not the case with tacacs or radius.

New Member

Re: Very Simple AAA Question for AAA gurus

If you look at this web site: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800c6c62.html#1017794

and read this sample info:

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

You will see that using the word 'none' will authenticate a user without requiring authentication.
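The method-list rule that both replies describe (only an error moves AAA on to the next method; a failure stops the list, and "none" passes anyone who reaches it), as an added example that is not part of this thread and is not Cisco code: a small Python model of the `aaa authentication login` fall-through, replaying the two configs from the question, the MIS-access list from the documentation, and a list without `none` for comparison. The usernames, passwords, TACACS+ server states and the `local_users`/`tacacs` context keys are all constructed for the example; the `local` method is modelled as returning ERROR for an unknown username (the behaviour reported in the thread) and FAIL for a wrong password; the choice that a list in which every method errors denies access is the model's assumption, not a statement about every IOS release.

```python
from enum import Enum


class Result(Enum):
    """Outcome of one AAA method: PASS or FAIL decides, ERROR moves to the next method."""
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed local username database (hypothetical credentials, not from the thread).
LOCAL_USERS = {"admin": "s3cret"}


class TacacsServer:
    """Constructed stand-in for a TACACS+ server: reachability plus its own user database."""

    def __init__(self, reachable, users):
        self.reachable = reachable
        self.users = users

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR  # "no server found": ERROR, so the next method is tried
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def method_local(user, password, ctx):
    # Behaviour reported in the thread: an unknown username yields ERROR, not FAIL,
    # so AAA falls through; a wrong password for a known user is a FAIL and stops the list.
    if user not in ctx["local_users"]:
        return Result.ERROR
    return Result.PASS if ctx["local_users"][user] == password else Result.FAIL


def method_tacacs(user, password, ctx):
    return ctx["tacacs"].authenticate(user, password)


def method_enable(user, password, ctx):
    enable = ctx.get("enable_password")
    if enable is None:
        return Result.ERROR  # no enable password configured: ERROR (the MIS-access case)
    return Result.PASS if password == enable else Result.FAIL


def method_none(user, password, ctx):
    return Result.PASS  # "none": no authentication at all


METHODS = {"local": method_local, "group tacacs+": method_tacacs,
           "enable": method_enable, "none": method_none}


def parse_method_list(line):
    """Turn 'aaa authentication login NAME METHOD...' into (NAME, [methods])."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an aaa authentication login line: " + line)
    name, rest = tokens[3], tokens[4:]
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":  # 'group tacacs+' / 'group radius' is one two-word method
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def aaa_login(methods, user, password, ctx):
    """Walk the list: the first PASS or FAIL decides; only ERROR moves on.
    Returns (outcome, deciding method). If every method errors, this model denies
    access; that is an assumption of the model."""
    for m in methods:
        result = METHODS[m](user, password, ctx)
        if result is not Result.ERROR:
            return result, m
    return Result.FAIL, None


def run_thread_scenarios():
    """Replay the question's two configs, the MIS-access list, and a list without 'none'."""
    unknown = "any_nonexistent_user"
    up = TacacsServer(reachable=True, users={"admin": "s3cret"})
    down = TacacsServer(reachable=False, users={})
    base = {"local_users": LOCAL_USERS, "enable_password": None}
    _, local_none = parse_method_list("aaa authentication login test local none")
    _, tac_none = parse_method_list("aaa authentication login test group tacacs+ none")
    _, mis = parse_method_list("aaa authentication login MIS-access group tacacs+ enable none")
    _, no_none = parse_method_list("aaa authentication login test group tacacs+ local")
    return {
        # unknown user: local -> ERROR, so 'none' lets anyone in
        "local none, unknown user": aaa_login(local_none, unknown, "x", {**base, "tacacs": up}),
        # reachable TACACS+ rejects: FAIL stops the list, 'none' is never reached
        "tacacs+ none, server up": aaa_login(tac_none, unknown, "x", {**base, "tacacs": up}),
        # unreachable TACACS+: ERROR, and 'none' lets anyone in
        "tacacs+ none, server down": aaa_login(tac_none, unknown, "x", {**base, "tacacs": down}),
        # no reachable server and no enable password: open access, as the docs warn
        "MIS-access, server down": aaa_login(mis, unknown, "x", {**base, "tacacs": down}),
        # without 'none': server down falls back to local, which still needs real credentials
        "tacacs+ local, server down, bad": aaa_login(no_none, unknown, "x", {**base, "tacacs": down}),
        "tacacs+ local, server down, good": aaa_login(no_none, "admin", "s3cret", {**base, "tacacs": down}),
    }


if __name__ == "__main__":
    for scenario, (outcome, via) in run_thread_scenarios().items():
        print(f"{scenario}: {outcome.value} (decided by {via})")
```

The practical check this model makes explicit: any list that ends in `none` grants access whenever every earlier method errors rather than fails, and with `local` an unknown username is exactly that error case, so `local none` on a vty line is effectively open access for any name not in the local database. Ending the list with `local` instead of `none` keeps a fallback for a dead TACACS+ server while still requiring a real credential.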
