Re: AAA trouble....

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Tue Feb 24 2009 - 07:48:58 ARST


Yeah, it is just with the local database, not RADIUS nor TACACS.

Saludos
  ----- Original Message -----
  From: NET HE
  To: jandiorio@gmail.com ; ezorrilla@tsf.com.pe
  Cc: modulartx@gmail.com ; ccielab@groupstudy.com
  Sent: Monday, February 23, 2009 9:56 PM
  Subject: RE: AAA trouble....

  Maybe it's just the logic between local and line.

  I tried using a RADIUS server today, and it didn't follow this logic. When I
  entered a username which hadn't been set on the RADIUS server, the authentication
  failed and the RADIUS server reported "unknown username, user (abc) authentication
  failed".

  I used WinRadius.

  Best Regards,
  Net (Xin) He

> Date: Sun, 22 Feb 2009 19:18:48 -0500
> Subject: Re: AAA trouble....
> From: jandiorio@gmail.com
> To: ezorrilla@tsf.com.pe
> CC: modulartx@gmail.com; ccielab@groupstudy.com
>
> A failure occurs when an incorrect username / password is provided.
> If the user does not exist it is not an auth failure but an error.
>
>
>
> On 2/22/09, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> > Hi there,
> >
> > Performing a debug for a user allowed into the router with the
> > username command:
> >
> > *****************************************************************************
> > Rack1R1#
> > *Feb 22 22:22:51.693: AAA/LOCAL: exec
> > *Feb 22 22:22:51.693: AAA/BIND(0000000D): Bind i/f
> > *Feb 22 22:22:51.697: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> > *Feb 22 22:22:51.697: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'VTY'
> > *Feb 22 22:22:51.697: AAA/LOCAL/LOGIN(0000000D): get user
> > Rack1R1#
> > *Feb 22 22:23:01.769: AAA/LOCAL/LOGIN(0000000D): get password
> > Rack1R1#
> > *Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password
> > Rack1R1#
> >
> > *****************************************************************************
> >
> >
> > For a failed username and entering the line password:
> >
> > *****************************************************************************
> > Rack1R1#
> > *Feb 22 22:23:18.189: AAA/LOCAL: exec
> > *Feb 22 22:23:18.193: AAA/BIND(0000000E): Bind i/f
> > *Feb 22 22:23:18.193: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> > *Feb 22 22:23:18.193: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
> > *Feb 22 22:23:18.193: AAA/LOCAL/LOGIN(0000000E): get user
> > Rack1R1#
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): user www not found
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): get password
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover
> > *Feb 22 22:23:24.885: AAA/AUTHEN/LINE(0000000E): GET_PASSWORD
> > Rack1R1#
> > *Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS
> > *****************************************************************************
> >
> > So, there is a message that says "failover": *Feb 22 22:23:24.885:
> > AAA/LOCAL/LOGIN(0000000E): failover
> >
> > It seems that that makes the router change from local to line
> > authentication. I understand that it shouldn't, but as a matter of fact,
> > it does.
> >
> > So what does this "failover" message mean? Does it mean switching from
> > local to line since it does not get the username? I understood, as Mod
> > said, that this is a fail issue, not an error issue, so it should not
> > switch from local to line.
> >
> > Anyone?
> >
> > Regards
> >
> > ----- Original Message -----
> > From: "Modular" <modulartx@gmail.com>
> > To: "Cisco certification" <ccielab@groupstudy.com>
> > Sent: Friday, February 20, 2009 11:19 PM
> > Subject: AAA trouble....
> >
> >
> >> I'm confused about an AAA configuration in the practice lab that I'm
> >> working on. The requirement is that someone should be able to log in using
> >> the username of cisco and password. For any other user, they should be able
> >> to login using the password CCIE.
> >>
> >> The proctor guide has the following:
> >>
> >> aaa new-model
> >>
> >> aaa authentication login VTY local line
> >>
> >> line vty 0 4
> >> login authentication VTY
> >> password CCIE
> >>
> >> So, I thought that the way using multiple "methods" was supposed to work
> >> was that if the first method listed was tried and an "error" is received
> >> (not a fail, but an error), then the second method would be used.
> >>
> >> I set it up and it does work. If I use the username cisco I can only use
> >> the password cisco to gain access. But, if I use any other username I can
> >> access the router using the password of CCIE. How is this working? Is the
> >> router returning an "error" because the username I use is not set up on
> >> the router? If you're using RADIUS and the username you try is not
> >> configured on the RADIUS server, does the RADIUS server return an "error"
> >> or a "fail"?
> >>
> >> Thanks,
> >>
> >> Mod
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >>
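To make the fall-through behaviour discussed in this thread concrete, here is an added Python model (not from any of the posts, nor Cisco code) of how a method list such as "aaa authentication login VTY local line" is evaluated. It assumes each method answers PASS, FAIL or ERROR and that only ERROR advances the list, which is what the "user www not found" / "failover" debug lines show; the user names, passwords and the unreachable-RADIUS case are constructed.

```python
from enum import Enum

class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"  # method could not decide (e.g. user not in the local db); list moves on

# Constructed sample credentials, mirroring the lab config quoted in the thread.
LOCAL_USERS = {"cisco": "cisco"}
LINE_PASSWORD = "CCIE"
RADIUS_USERS = {"alice": "s3cret"}  # constructed stand-in for the WinRadius user database

def method_local(username, password):
    """'local': unknown user is ERROR (the 'failover' debug line), wrong password is FAIL."""
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL

def method_line(username, password):
    """'line': the username is ignored, only the line password is checked."""
    return Result.PASS if password == LINE_PASSWORD else Result.FAIL

def make_radius(reachable=True):
    """'radius': a reachable server answers Access-Reject for an unknown user, which is
    a FAIL with no fall-through (as Net He observed); only no reply at all is an ERROR."""
    def method_radius(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if RADIUS_USERS.get(username) == password else Result.FAIL
    return method_radius

def authenticate(method_list, username, password):
    """Walk the method list in order; only ERROR advances to the next method."""
    trace = []
    for name, method in method_list:
        result = method(username, password)
        trace.append(f"{name}:{result.value}")
        if result is not Result.ERROR:
            return result, trace
        trace.append(f"{name}:failover")
    return Result.ERROR, trace  # every method errored; what IOS does then is not modelled

VTY_LOCAL_LINE = [("local", method_local), ("line", method_line)]
VTY_RADIUS_LINE = [("radius", make_radius()), ("line", method_line)]

if __name__ == "__main__":
    for user, pw in [("cisco", "cisco"), ("cisco", "CCIE"), ("www", "CCIE"), ("www", "x")]:
        print(user, pw, *authenticate(VTY_LOCAL_LINE, user, pw))
```

The trace for an unknown username shows why, with "local line", the line password becomes a credential shared by anyone who types a nonexistent user: that is exactly what the lab asked for, and also why this list is weaker than "local" alone.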



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST