topic AAA & SSH question in Network Access Control

AAA & SSH question

Wei-Hsiang Liao — Mon, 11 Mar 2019 02:29:34 GMT

Hi~

I have an authentication problem, my config is as follows:

1. When I use telnet, "% Authorization failed."

2. When I use ssh, enter the username without entering the password can authenticatoin success

3. Use ssh authentication is successful not see the record passed authentication log in ACS

Why line vty 0 4 config "login authentication console" use ssh enter the username without entering the password can authenticatoin success?

aaa new-model

aaa authentication login default group tacacs+ line

aaa authentication login console none

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization exec console none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

tacacs-server host 172.18.1.247

tacacs-server timeout 60

tacacs-server directed-request

tacacs-server key xxxx

line con 0

authorization exec console

line vty 0 4

length 0

line vty 5 15

password 7 xxxx

AAA & SSH question

Karsten Iwen — Tue, 04 Sep 2012 08:16:59 GMT

With that line-config you apply the authentication list "console" to the VTYs. In the autehtication-list "console" you specify the method "none". With "none" there is no authentication and a SSH-user can access the router with any username, even if there is no username configured on the router.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

AAA & SSH question

Wei-Hsiang Liao — Tue, 04 Sep 2012 08:56:15 GMT

Thanks for your reply!!

But not any username authentication is successful, the only account in the acs can be authentication success.

I think very strange.

AAA & SSH question

Karsten Iwen — Tue, 04 Sep 2012 09:20:13 GMT

But not any username authentication is successful, the only account in the acs can be authentication success.

As of your config the Authentication (which is done locally) should always succeed. But the Authorization is again dependent on the ACS where it should fail.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

AAA & SSH question

hkhrais — Tue, 04 Sep 2012 09:30:50 GMT

Hi ,

Notes:

-IP Domain-name is missing from the configuration

-Transport input SSH is missing under line vty 0 4

-Crypto key generate rsa is missing as well

Please post "Show ssh" after logging into the device via SSH, if the there's client doing SSH , i believe Wireshark Traces would be good on the ACS port .

HTH

AAA & SSH question

Karsten Iwen — Tue, 04 Sep 2012 09:33:59 GMT

Hi Hussam,

-IP Domain-name is missing from the configuration

-Transport input SSH is missing under line vty 0 4

-Crypto key generate rsa is missing as well

but they are all not needed in this situation. And the "crypto key generate" is never included in the running config.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

AAA & SSH question

hkhrais — Tue, 04 Sep 2012 09:54:44 GMT

Hi Karsten ,

You are right about the Key (My Faults), But didn't get why enabling SSH is not necessary !

Even with None keyword, SSH is not enabled by default

AAA & SSH question

Karsten Iwen — Tue, 04 Sep 2012 10:00:48 GMT

well, if he was using SSH the router must have SSH enabled. And SSH gets enabled the moment the keys are generated. And for generating the keys you don't need a domain-name when you generate the keys with a label.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

AAA & SSH question

Wei-Hsiang Liao — Wed, 05 Sep 2012 16:31:06 GMT

Hi~

I use the debug command, it seems authentication console none but the authorization to use the ACS.Is normal behavior?

5d14h: AAA/BIND(000000F4): Bind i/f

5d14h: AAA/AUTHEN/LOGIN (000000F4): Pick method list 'console'

5d14h: AAA/AUTHOR (0xF4): Pick method list 'default'

5d14h: AAA/AUTHOR/EXEC(000000F4): Authorization FAILED

5d14h: %Error 9, Failed to open the file Password:

Re: AAA & SSH question

Karsten Iwen — Wed, 05 Sep 2012 20:53:06 GMT

I use the debug command, it seems authentication console none but the authorization to use the ACS.Is normal behavior?

That's what you have configured:

aaa authentication login console none

aaa authorization exec default group tacacs+ if-authenticated

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

AAA & SSH question

Wei-Hsiang Liao — Thu, 06 Sep 2012 07:25:04 GMT

If the authentication using the "aaa authentication login console none", authenorization should correspond to the "aaa authorization exec console none"

Why use "aaa authorization exec default group tacacs+ if-authenticated"??

Thanks for your reply!

AAA & SSH question

Karsten Iwen — Thu, 06 Sep 2012 07:57:09 GMT

You have not assignes the "aaa authorization exec console ..." to the VTY-line. And then the default is used. You could put the "authorization exec console" to the VTY to disable authorization.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

AAA & SSH question

Wei-Hsiang Liao — Thu, 06 Sep 2012 08:36:26 GMT

OK, thanks a lot!!

But,why ssh login is successful??