From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Mon Feb 23 2009 - 08:18:41 ARST
Thinking about this closely, would there be any situation when the local
database would be unavailable and a failover would happen?
Seems to be working logically correctly, I would say. By the way, what exactly
does the documentation say?
I know that when you are using a RADIUS group to do something similar, if an
Access-Reject comes back from the RADIUS server, then the authentication just
fails, period. However, when it's not available, then we fail over to the
second method.
Sadiq
On Mon, Feb 23, 2009 at 12:18 AM, Jeff Andiorio <jandiorio@gmail.com> wrote:
> A failure occurs when an incorrect username/password is provided.
> If the user does not exist, it is not an auth failure but an error.
>
> On 2/22/09, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> > Hi there,
> >
> > Performing a debug for a user allowed inside the router with the
> > username command:
> >
> > *************************************************************************************
> > Rack1R1#
> > *Feb 22 22:22:51.693: AAA/LOCAL: exec
> > *Feb 22 22:22:51.693: AAA/BIND(0000000D): Bind i/f
> > *Feb 22 22:22:51.697: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> > *Feb 22 22:22:51.697: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'VTY'
> > *Feb 22 22:22:51.697: AAA/LOCAL/LOGIN(0000000D): get user
> > Rack1R1#
> > *Feb 22 22:23:01.769: AAA/LOCAL/LOGIN(0000000D): get password
> > Rack1R1#
> > *Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password
> > Rack1R1#
> > *************************************************************************************
> >
> > For a failed username and entering the line password:
> >
> > *************************************************************************************
> > Rack1R1#
> > *Feb 22 22:23:18.189: AAA/LOCAL: exec
> > *Feb 22 22:23:18.193: AAA/BIND(0000000E): Bind i/f
> > *Feb 22 22:23:18.193: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> > *Feb 22 22:23:18.193: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
> > *Feb 22 22:23:18.193: AAA/LOCAL/LOGIN(0000000E): get user
> > Rack1R1#
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): user www not found
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): get password
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover
> > *Feb 22 22:23:24.885: AAA/AUTHEN/LINE(0000000E): GET_PASSWORD
> > Rack1R1#
> > *Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS
> >
> > *************************************************************************************
> >
> > So, there is a message that says "failover": *Feb 22 22:23:24.885:
> > AAA/LOCAL/LOGIN(0000000E): failover
> >
> > It seems that that makes the router change from local to line
> > authentication. I understand that it shouldn't, but as a matter of fact,
> > it does.
> >
> > So what does this "failover" message mean? Does it mean switching from
> > local to line since it does not get the username? I understood, as Mod
> > said, that this is a fail issue, not an error issue, so it should not switch
> > from local to line.
> >
> > Anyone?
> >
> > Regards
> >
> > ----- Original Message -----
> > From: "Modular" <modulartx@gmail.com>
> > To: "Cisco certification" <ccielab@groupstudy.com>
> > Sent: Friday, February 20, 2009 11:19 PM
> > Subject: AAA trouble....
> >
> >
> >> I'm confused about an AAA configuration in the practice lab that I'm
> >> working on. The requirement is that someone should be able to log in
> >> using the username of cisco and password. For any other user, they should
> >> be able to log in using the password CCIE.
> >>
> >> The proctor guide has the following:
> >>
> >> aaa new-model
> >> aaa authentication login VTY local line
> >>
> >> line vty 0 4
> >> login authentication VTY
> >> password CCIE
> >>
> >> So, I thought that the way using multiple "methods" was supposed to work
> >> was that if the first method listed was tried and an "error" was received
> >> (not a fail, but an error), then the second method would be used.
> >>
> >> I set it up and it does work. If I use the username cisco, I can only use
> >> the password cisco to gain access. But if I use any other username, I can
> >> access the router using the password of CCIE. How is this working? Is the
> >> router returning an "error" because the username I use is not set up on
> >> the router? If you're using RADIUS and the username you try is not
> >> configured on the RADIUS server, does the RADIUS server return an "error"
> >> or a "fail"?
> >>
> >> Thanks,
> >>
> >> Mod
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
--
CCIE #19963
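The behaviour the thread is puzzling over is easier to see as a small model of how a method list is walked. The following is an added example, not code from any of the posters and not Cisco's implementation: each method returns PASS, FAIL or ERROR; only ERROR (the method could not reach a verdict) moves on to the next method, while FAIL ends the login. The verdicts of the local method follow the debug output quoted above ("user www not found" followed by "failover" is an ERROR; a wrong password for a known user is a FAIL), and the RADIUS method follows Sadiq's description (Access-Reject is a FAIL, an unreachable server is an ERROR). The usernames, passwords and the "reachable" flag are constructed sample data. The model also shows the security consequence of `local line`: for any username that is not in the local database, the line password CCIE is a universal credential, so the `local` method adds no protection for unknown names. Whether a given IOS release behaves this way should be confirmed with `debug aaa authentication`, as Edouard did.

```python
"""Model of IOS AAA login method-list evaluation (added example, not IOS code)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # verdict reached, credentials rejected: stop, deny
    ERROR = "error"  # no verdict possible: fail over to the next method


Method = Callable[[str, str], Result]

# Constructed sample data mirroring the lab in the thread (assumed values).
LOCAL_USERS: Dict[str, str] = {"cisco": "cisco"}    # `username cisco password cisco`
LINE_PASSWORD = "CCIE"                               # `password CCIE` under line vty 0 4
RADIUS_USERS: Dict[str, str] = {"alice": "s3cret"}   # accounts the RADIUS server knows


def local(username: str, password: str) -> Result:
    """`local` method: unknown user -> ERROR (failover); wrong password -> FAIL."""
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL


def line(username: str, password: str) -> Result:
    """`line` method: only the line password is checked; the username is ignored."""
    return Result.PASS if password == LINE_PASSWORD else Result.FAIL


def radius(reachable: bool) -> Method:
    """`group radius` method: Access-Reject -> FAIL; server unreachable -> ERROR."""
    def method(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if RADIUS_USERS.get(username) == password else Result.FAIL
    return method


def authenticate(method_list: List[Tuple[str, Method]], username: str,
                 password: str) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Walk the method list in order; return the final verdict and a per-method trace."""
    trace: List[Tuple[str, Result]] = []
    for name, method in method_list:
        verdict = method(username, password)
        trace.append((name, verdict))
        if verdict is Result.ERROR:
            continue            # failover: try the next method
        return verdict, trace   # PASS or FAIL is final
    return Result.FAIL, trace   # every method errored: the login is denied


# The method list from the proctor guide: `aaa authentication login VTY local line`
VTY: List[Tuple[str, Method]] = [("local", local), ("line", line)]


def vty_outcomes() -> Dict[Tuple[str, str], str]:
    """The cases discussed in the thread, as (username, password) -> verdict."""
    cases = [("cisco", "cisco"), ("cisco", "CCIE"), ("www", "CCIE"), ("www", "guess")]
    return {c: authenticate(VTY, *c)[0].value for c in cases}


if __name__ == "__main__":
    for (user, pw), verdict in vty_outcomes().items():
        _, trace = authenticate(VTY, user, pw)
        steps = " -> ".join(f"{n}:{r.value}" for n, r in trace)
        print(f"{user}/{pw}: {verdict:5s} ({steps})")
    # RADIUS first, local as fallback: a reachable server that rejects the user
    # ends the login; only an unreachable server falls through to `local`.
    for reachable in (True, False):
        ml = [("radius", radius(reachable)), ("local", local)]
        verdict, trace = authenticate(ml, "cisco", "cisco")
        print(f"radius reachable={reachable}: {verdict.value} ({trace})")
```

Running it shows cisco/cisco passing at `local`, cisco/CCIE failing at `local` without `line` ever being consulted, and www/CCIE passing at `line` after `local` errors on the unknown name, which is exactly the pattern Mod observed. The RADIUS cases show the contrast Sadiq describes: with a reachable server the Access-Reject for an unknown user is final, and `local` is only reached when the server does not answer.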
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST