Annoying 'fake' aaa authentication failure

Hi

Got some new 3750x running c3750e-universalk9-mz.150-2.SE5.bin. They have identical aaa configs to other switches running 15 code (4948e) doing LOCAL device user authentication for VTY SSH access.

Relevant bits are:

username xxx privilege NN secret yyy

aaa new-model
aaa authentication login VTY local
aaa authorization config-commands
aaa authorization exec VTY local
aaa authorization commands 15 VTY local
aaa session-id common

line vty 0 4
 session-timeout 10
 access-class 23 in
 authorization commands 15 VTY
 authorization exec VTY
 login authentication VTY
 transport input ssh

For some reason, on SSH to the device, the login banner comes up but the password: prompt takes a few seconds. At the same time some authfail logs are seen even though I haven't yet had a chance to login/enter the password. Once entering the correct password, authentication is always (correctly) successful.

This does not occur on the older code (12.2) or on the 4948e with 15.0 code.

It is annoying as we collect audit syslogs and every login where local is used generates one or more fails before a success.

Is there something obscure in 15.0+ code that changes LOCAL aaa behaviour?

7 REPLIES

Hi,

If you tried to access the switch with the console, do you have the issue?

Regards.

Hello.

Could you try to enable "transport input telnet" and logon via telnet application. Do you observe the same behavior/issue?

Could you provide any logs for failed attempt?

Telnet works differently anyway in that you login with a username/password. With ssh, I am passing the username.

I did enable telnet anyway and this works without failure

Log I get is a straightforward fail. The issue must be to do with the ssh handshake and passing of username and the behaviour has changed on some code bases. I've noticed the ASR1000 with 15.0 do the same. It is annoying due to filling up audit logs with 'rubbish'

May 13 09:58:52.926: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 09:58:52 UTC Tue May 13 2014

Answered my own question with ssh client verbose mode

Cisco seems to have changed the ssh server functionality in some versions of IOS on some platforms. The failures come from it expecting public/private key RSA/DSA methods which fail and then the last try is keyboard interactive which is what is wanted anyway and that works.

Some code versions allow the turning OFF of methods as below but not the code I have on a 3750X

no ip ssh server authenticate user publickey
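An added example, not from this thread or from Cisco: a Python pass over IOS %SEC_LOGIN syslog lines that separates the short failed-then-succeeded bursts this SSH method negotiation produces from failures that are never resolved by a success, so the audit feed can be de-noised without hiding real password guessing. It assumes the success message is %SEC_LOGIN-5-LOGIN_SUCCESS with the same [user:]/[Source:] fields as the LOGIN_FAILED line quoted earlier; the sample lines, the 30-second window and the 2-failure threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the %SEC_LOGIN messages seen in the thread.
SAMPLE_LOG = """\
May 13 09:58:52.926: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 09:58:52 UTC Tue May 13 2014
May 13 09:58:53.102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 09:58:53 UTC Tue May 13 2014
May 13 09:58:57.410: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 09:58:57 UTC Tue May 13 2014
May 13 10:03:01.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:01 UTC Tue May 13 2014
May 13 10:03:02.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:02 UTC Tue May 13 2014
May 13 10:03:03.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:03 UTC Tue May 13 2014
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %SEC_LOGIN-\d-"
    r"(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_events(text):
    """Yield (timestamp, kind, user, source) for each recognised %SEC_LOGIN line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # IOS timestamp has no year; only time deltas are used below
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("kind"), m.group("user"), m.group("src")

def classify(text, window_s=30, max_noise_fails=2):
    """Per (user, source): failures resolved by a prompt success are 'noise', the rest 'suspect'."""
    pending = defaultdict(list)                      # unresolved failure timestamps
    counts = defaultdict(lambda: {"noise": 0, "suspect": 0})
    for ts, kind, user, src in parse_events(text):
        key = (user, src)
        if kind == "LOGIN_FAILED":
            pending[key].append(ts)
            continue
        fails = pending.pop(key, [])
        recent = [t for t in fails if (ts - t).total_seconds() <= window_s]
        # a small burst right before a success matches the publickey/DSA probing described above
        if 0 < len(recent) <= max_noise_fails:
            counts[key]["noise"] += len(recent)
        else:
            counts[key]["suspect"] += len(recent)
        counts[key]["suspect"] += len(fails) - len(recent)   # stale failures never count as noise
    for key, fails in pending.items():                       # failures never followed by a success
        counts[key]["suspect"] += len(fails)
    return {k: dict(v) for k, v in counts.items()}
if __name__ == "__main__":
    for (user, src), c in classify(SAMPLE_LOG).items():
        print(f"{user}@{src}: noise={c['noise']} suspect={c['suspect']}")
```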

And the workaround is to add more parameters to the ssh client login

ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no username@ip_address

Hello.

I would suspect SSH client you are using. Have you tried any other client (like Cisco built-in CLI or SecureCRT)?

Unfortunately no choice as I have to use a particular Ubuntu jump-off in the environment. But the workaround works for both 'old' code and 'new' code, so I will just upgrade our methods to the workaround way with the extra client parameters.

It's frustrating that Cisco seem to have put the extra 'methods' into the IOS ssh server but no means to disable.
