From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sun Feb 22 2009 - 19:55:52 ARST
Hi there,
Running a debug for a user who is permitted on the router via the
username command:
*************************************************************************************
Rack1R1#
*Feb 22 22:22:51.693: AAA/LOCAL: exec
*Feb 22 22:22:51.693: AAA/BIND(0000000D): Bind i/f
*Feb 22 22:22:51.697: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
*Feb 22 22:22:51.697: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'VTY'
*Feb 22 22:22:51.697: AAA/LOCAL/LOGIN(0000000D): get user
Rack1R1#
*Feb 22 22:23:01.769: AAA/LOCAL/LOGIN(0000000D): get password
Rack1R1#
*Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password
Rack1R1#
*************************************************************************************
For a failed username and entering the line password:
*************************************************************************************
Rack1R1#
*Feb 22 22:23:18.189: AAA/LOCAL: exec
*Feb 22 22:23:18.193: AAA/BIND(0000000E): Bind i/f
*Feb 22 22:23:18.193: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
*Feb 22 22:23:18.193: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
*Feb 22 22:23:18.193: AAA/LOCAL/LOGIN(0000000E): get user
Rack1R1#
*Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): user www not found
*Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): get password
*Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover
*Feb 22 22:23:24.885: AAA/AUTHEN/LINE(0000000E): GET_PASSWORD
Rack1R1#
*Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS
*************************************************************************************
So, there is a message that says "failover": *Feb 22 22:23:24.885:
AAA/LOCAL/LOGIN(0000000E): failover
It seems that this makes the router change from local to line
authentication. I understand that it shouldn't, but as a matter of fact, it
does.
So what does this "failover" message mean? Does it mean switching from
local to line since it does not get the username? I understood, as Mod said,
that this is a fail issue, not an error issue, so it should not switch from
local to line.
Anyone?
Regards
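As an added example (not from this thread), here is a small Python model of how the `local line` method list behaves with the "failover" semantics seen in the debug: the local method returns ERROR when the username does not exist, so the next method is tried, and FAIL when the user exists but the password is wrong, so the login is denied with no fallback. The user database, the passwords and the `fallback_logins` checker, which scans debug output for sessions that only passed via the line method, are assumptions constructed for this example.

```python
import re
from enum import Enum

class Result(Enum):
    PASS = "PASS"    # method accepted the credentials
    FAIL = "FAIL"    # method answered and rejected them: stop, deny
    ERROR = "ERROR"  # method could not answer: try the next method

# Constructed local database and line password, matching the lab config.
LOCAL_USERS = {"cisco": "cisco"}
LINE_PASSWORD = "CCIE"

def method_local(username, password):
    # Unknown user: local cannot decide -> ERROR (the debug's "failover" line).
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL

def method_line(username, password):
    # The line method ignores the username and checks only the line password.
    return Result.PASS if password == LINE_PASSWORD else Result.FAIL

METHODS = {"local": method_local, "line": method_line}

def authenticate(method_list, username, password):
    """Walk the list; only ERROR moves on. Returns (result, methods consulted)."""
    trail = []
    for name in method_list:
        result = METHODS[name](username, password)
        trail.append((name, result))
        if result is not Result.ERROR:
            return result, trail
    return Result.FAIL, trail  # every method errored: treat as denied

# Detection side: sessions that fell through local and then passed on line.
FAILOVER_RE = re.compile(r"AAA/LOCAL/LOGIN\((\w+)\): failover")
LINE_PASS_RE = re.compile(r"AAA/AUTHEN/LINE\((\w+)\): PASS")

def fallback_logins(debug_lines):
    failed_over, logins = set(), []
    for line in debug_lines:
        if (m := FAILOVER_RE.search(line)):
            failed_over.add(m.group(1))
        elif (m := LINE_PASS_RE.search(line)) and m.group(1) in failed_over:
            logins.append(m.group(1))
    return logins

SAMPLE_DEBUG = [  # constructed from the debug output quoted above
    "*Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password",
    "*Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover",
    "*Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS",
]
```

Running `fallback_logins` over a `debug aaa authentication` capture lists the session IDs that reached the router on the line password alone, which is the audit question this method list raises.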
----- Original Message -----
From: "Modular" <modulartx@gmail.com>
To: "Cisco certification" <ccielab@groupstudy.com>
Sent: Friday, February 20, 2009 11:19 PM
Subject: AAA trouble....
> I'm confused about an AAA configuration in the practice lab that I'm
> working on. The requirement is that someone should be able to log in using
> the username of cisco and password. For any other user, they should be able
> to login using the password CCIE.
>
> The proctor guide has the following:
>
> aaa new-model
>
> aaa authentication login VTY local line
>
> line vty 0 4
> login authentication VTY
> password CCIE
>
> So, I thought that the way using multiple "methods" was supposed to work
> was that if the first method listed was tried and an "error" is received
> (not a fail, but an error), then the second method would be used.
>
> I set it up and it does work. If I use the username cisco I can only use the
> password cisco to gain access. But, if I use any other username I can access
> the router using the password of CCIE. How is this working? Is the router
> returning an "error" because the username I use is not set up on the
> router? If you're using RADIUS and the username you try is not configured
> on the RADIUS server, does the RADIUS server return an "error" or a "fail"?
>
> Thanks,
>
> Mod
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST