RE: AAA misbehavior

From: Fellenbaum, John D <john.d.fellenbaum_at_lmco.com>
Date: Tue, 02 Feb 2010 08:12:20 -0500

Amin,

I concur with Joseph. It looks like the authentication is falling through to none (i.e., the tacacs server returns an error, then the local database returns an error, and then none provides no authentication). Then it allows you in at privilege level 15. To see the behavior, run "debug aaa authentication" and post the results.

HTH,

John

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE
Sent: Tuesday, February 02, 2010 7:00 AM
To: 'Joseph L. Brunner'; 'groupstudy'
Subject: RE: AAA misbehavior

Meaningful explanation, but the ACS is reachable and I can ping it from the router. What other causes could make the ACS not respond?

-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Monday, February 01, 2010 10:04 AM
To: CCIE; 'groupstudy'
Subject: RE: AAA misbehavior

No, that's not misbehavior.

You must have an unreachable tacacs+ server; the second method is local (and you have no local usernames), and then the only option left is NONE. So your fallback method is none.

Why not?

aaa authentication login ACS group tacacs+ local line

and then

username root privilege 15 secret C1sco#$@

line vty 0 4
password s0m3good1

Now, AAA will have a local username and line password to fall back to if the AAA server fails.

:)
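To make the fallthrough concrete, here is an added model (not code from the thread or from Cisco) of how an IOS login method list is walked: a method that returns an error (server unreachable, empty local database, no line password) hands off to the next method, while a reject stops the list. It is run against the original list ending in "none" and against Joseph's replacement; the usernames and secrets are the ones quoted in the thread, and the "ERROR vs FAIL" rule is the assumption the model encodes.

```python
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def make_methods(tacacs_reachable, tacacs_users, local_users, line_password):
    """Build the four login methods from the thread as closures over the router state."""
    def tacacs(user, pw):
        if not tacacs_reachable:
            return ERROR  # no answer from the server: IOS moves to the next method
        return PASS if tacacs_users.get(user) == pw else FAIL  # a reject stops the list

    def local(user, pw):
        if not local_users:
            return ERROR  # empty local database counts as an error, not a reject
        return PASS if local_users.get(user) == pw else FAIL

    def line(user, pw):
        if line_password is None:
            return ERROR  # no "password" under the line: nothing to check against
        return PASS if pw == line_password else FAIL

    def none(user, pw):
        return PASS  # "none" never checks anything

    return {"group tacacs+": tacacs, "local": local, "line": line, "none": none}


def login(method_list, methods, user, pw):
    """Walk the list left to right; stop at the first PASS or FAIL."""
    for name in method_list:
        result = methods[name](user, pw)
        if result != ERROR:
            return result, name
    return FAIL, "list exhausted"  # every method errored: the login is rejected


# Constructed scenario from the original post: ACS not answering, no usernames.
AMIN = make_methods(False, {}, {}, None)
ORIGINAL = ["group tacacs+", "local", "none"]

# Joseph's fix: same unreachable server, but a local user and a line password.
FIXED_METHODS = make_methods(False, {}, {"root": "C1sco#$@"}, "s0m3good1")
FIXED = ["group tacacs+", "local", "line"]

if __name__ == "__main__":
    print(login(ORIGINAL, AMIN, "anything", "whatever"))        # ('PASS', 'none')
    print(login(FIXED, FIXED_METHODS, "anything", "whatever"))  # ('FAIL', 'local')
    print(login(FIXED, FIXED_METHODS, "root", "C1sco#$@"))      # ('PASS', 'local')
```

With the server answering, a bogus username is rejected by tacacs+ itself and "none" is never reached, which is why John asks for "debug aaa authentication" to see which method actually answered.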

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE
Sent: Monday, February 01, 2010 2:55 AM
To: 'groupstudy'
Subject: AAA misbehavior

Hi experts,

Strange AAA behavior: I have the below configuration, and the AAA ACS is running. Whenever I try to access this router it asks for a username; if I enter anything (not a valid username on the AAA) and then press enter, it immediately takes me to privileged access. Please, any advice, because this is making me crazy.

aaa new-model
aaa authentication login ACS group tacacs+ local none
tacacs-server host 10.0.71.18 key Cisco
line vty 0 15
 login authentication ACS
 privilege level 15

Regards,

Amin

Received on Tue Feb 02 2010 - 08:12:20 ART
