01-20-2004 08:47 AM - edited 03-10-2019 07:38 AM
Hi!
Does anybody know why authentication always succeeds if I login to a router as "any_nonexistent_user" with the following config:
aaa new-model
aaa authentication login test local none
line vty 0 4
login authentication test
and doesn't succeed with the following config:
aaa new-model
aaa authentication login test group tacacs+ none
line vty 0 4
login authentication test
The user "any_nonexistent_user" really doesn't exist :) in the local database.
Does this behaviour contradict the documentation: "The additional methods of authentication are used only if the previous method returns an error, not if it fails"?
Regards,
Oleg Tipisov,
REDCENTER,
Moscow
01-20-2004 09:30 AM
I have witnessed this same behavior. It appears that the "local" auth type is an exception to the rule. If the user does not exist in the local list, then the next method is tried. This is not the case with tacacs or radius.
02-10-2004 11:35 AM
If you look at this web site: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800c6c62.html#1017794
and read this sample info:
The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication login MIS-access group tacacs+ enable none
You will see that using the word 'none' will authenticate a user without requiring authentication.
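An added example, not from the thread or from Cisco: a small Python model of the method-list walk discussed above, reproducing why "local none" admits an unknown user while "group tacacs+ none" does not. The local method's fall-through on an unknown user is taken from the observation in the replies, not from documentation; the user databases, the TACACS+ reachability flag and the ENABLE_PASSWORD value are constructed assumptions.

```python
# Constructed model of an IOS AAA login method list. Each method returns
# PASS, FAIL or ERROR; the list only advances to the next method on ERROR.
# The local-method behaviour (unknown user -> ERROR rather than FAIL) is the
# observation reported in the thread, not a documented guarantee.

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample state: one local user, one TACACS+ user, and an enable
# password that is unset (None models "no enable password configured").
LOCAL_USERS = {"admin": "s3cret"}
TACACS_USERS = {"alice": "pw1"}
ENABLE_PASSWORD = None


def local(user, pw, tacacs_up):
    if user not in LOCAL_USERS:
        return ERROR   # observed in the thread: unknown user falls through
    return PASS if LOCAL_USERS[user] == pw else FAIL  # wrong password stops here


def tacacs(user, pw, tacacs_up):
    if not tacacs_up:
        return ERROR   # doc sample: "no server is found" -> error, try next method
    return PASS if TACACS_USERS.get(user) == pw else FAIL  # server reject -> FAIL


def enable(user, pw, tacacs_up):
    if ENABLE_PASSWORD is None:
        return ERROR   # doc sample: no enable password configured -> error
    return PASS if pw == ENABLE_PASSWORD else FAIL


def none(user, pw, tacacs_up):
    return PASS        # "none": access granted without any authentication


METHODS = {"local": local, "group tacacs+": tacacs, "enable": enable, "none": none}


def authenticate(method_list, user, pw, tacacs_up=True):
    """Walk the method list; return (outcome, name of the method that decided)."""
    for name in method_list:
        result = METHODS[name](user, pw, tacacs_up)
        if result != ERROR:
            return result, name
    return FAIL, None  # every method returned ERROR: no decision, access denied


if __name__ == "__main__":
    for methods in (["local", "none"], ["group tacacs+", "none"]):
        print(methods, "->", authenticate(methods, "any_nonexistent_user", "x"))
```

The first list in the question ends at "none" because local returns ERROR for the unknown user, whereas a reachable TACACS+ server returns FAIL and the walk stops there.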