Re: AAA trouble....

From: Jeff Andiorio (jandiorio@gmail.com)
Date: Sun Feb 22 2009 - 22:18:48 ARST


A failure occurs when an incorrect username / password is provided.
If the user does not exist, it is not an auth failure but an error.

On 2/22/09, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> Hi there,
>
> Performing a debugging for a user allowed inside the router with the
> username command:
>
> *************************************************************************************
> Rack1R1#
> *Feb 22 22:22:51.693: AAA/LOCAL: exec
> *Feb 22 22:22:51.693: AAA/BIND(0000000D): Bind i/f
> *Feb 22 22:22:51.697: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> *Feb 22 22:22:51.697: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'VTY'
> *Feb 22 22:22:51.697: AAA/LOCAL/LOGIN(0000000D): get user
> Rack1R1#
> *Feb 22 22:23:01.769: AAA/LOCAL/LOGIN(0000000D): get password
> Rack1R1#
> *Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password
> Rack1R1#
> *************************************************************************************
>
>
> For a failed username and entering the line password:
>
>
> *************************************************************************************
> Rack1R1#
> *Feb 22 22:23:18.189: AAA/LOCAL: exec
> *Feb 22 22:23:18.193: AAA/BIND(0000000E): Bind i/f
> *Feb 22 22:23:18.193: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> *Feb 22 22:23:18.193: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
> *Feb 22 22:23:18.193: AAA/LOCAL/LOGIN(0000000E): get user
> Rack1R1#
> *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): user www not found
> *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): get password
> *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover
> *Feb 22 22:23:24.885: AAA/AUTHEN/LINE(0000000E): GET_PASSWORD
> Rack1R1#
> *Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS
> *************************************************************************************
>
> So, there is a message that says "failover": *Feb 22 22:23:24.885:
> AAA/LOCAL/LOGIN(0000000E): failover
>
> It seems that that makes the router change from local to line
> authentication. I understand that it shouldn't but as a matter of fact, it
> does.
>
> So what does this "failover" message mean? Does it mean switching from
> local to line since it does not get the username? I understood, as Mod said,
> that this is a failed issue, not an error issue, so it should not switch from
> local to line.
>
> Anyone?
>
> Regards
>
> ----- Original Message -----
> From: "Modular" <modulartx@gmail.com>
> To: "Cisco certification" <ccielab@groupstudy.com>
> Sent: Friday, February 20, 2009 11:19 PM
> Subject: AAA trouble....
>
>
>> I'm confused about an AAA configuration in the practice lab that I'm
>> working on. The requirement is that someone should be able to log in using
>> the username of cisco and password. For any other user, they should be able
>> to log in using the password CCIE.
>>
>> The proctor guide has the following:
>>
>> aaa new-model
>> aaa authentication login VTY local line
>>
>> line vty 0 4
>>  login authentication VTY
>>  password CCIE
>>
>> So, I thought that the way using multiple "methods" was supposed to work
>> was that if the first method listed was tried and an "error" is received
>> (not a fail, but an error), then the second method would be used.
>>
>> I set it up and it does work. If I use the username cisco I can only use
>> the password cisco to gain access. But if I use any other username I can
>> access the router using the password of CCIE. How is this working? Is the
>> router returning an "error" because the username I use is not set up on the
>> router? If you're using RADIUS and the username you try is not configured
>> on the RADIUS server, does the RADIUS server return an "error" or a "fail"??
>>
>> Thanks,
>>
>> Mod
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
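
Added example, not part of the original messages: a Python sketch that groups the AAA debug lines quoted in this thread by session id and reports logins where the local method did not find the user, logged "failover", and the line method then returned PASS. The line format and message strings are assumed to match the output shown above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the two debug sessions quoted in the thread.
SAMPLE = """\
*Feb 22 22:22:51.697: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'VTY'
*Feb 22 22:22:51.697: AAA/LOCAL/LOGIN(0000000D): get user
*Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password
*Feb 22 22:23:18.189: AAA/LOCAL: exec
*Feb 22 22:23:18.193: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
*Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): user www not found
*Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover
*Feb 22 22:23:24.885: AAA/AUTHEN/LINE(0000000E): GET_PASSWORD
Rack1R1#
*Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS
"""

# timestamp, facility, 8-hex-digit session id (optionally preceded by a space), message
LINE_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): (?P<fac>AAA/[A-Z/]+) ?"
                     r"\((?P<sid>[0-9A-F]{8})\): (?P<msg>.*)$")

def parse_sessions(text):
    """Group debug lines by AAA session id, keeping their order."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # prompt lines and lines with no session id are skipped
            sessions[m["sid"]].append((m["ts"], m["fac"], m["msg"].strip()))
    return dict(sessions)

def find_fallthrough(text):
    """Return sessions where LOCAL missed the user, failed over, and LINE passed."""
    findings = []
    for sid, events in parse_sessions(text).items():
        user, failed_over = None, False
        for ts, fac, msg in events:
            miss = re.fullmatch(r"user (\S+) not found", msg)
            if fac.startswith("AAA/LOCAL") and miss:
                user = miss.group(1)
            elif fac.startswith("AAA/LOCAL") and msg == "failover":
                failed_over = user is not None
            elif fac == "AAA/AUTHEN/LINE" and msg == "PASS" and failed_over:
                findings.append({"session": sid, "user": user, "time": ts})
    return findings

if __name__ == "__main__":
    print(find_fallthrough(SAMPLE))
```

Each finding is a login that was admitted by the shared line password after a username the local database did not contain, which is the behaviour both posters describe for the `local line` method list.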



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST