topic Local authentication failure in Network Access Control

Local authentication failure

luiz.alexandre.paiva — Mon, 11 Mar 2019 00:02:30 GMT

Hi,

We use ACS for authenticating equipments but lately when loose conectivity with server, equipments do not allow us to enter "enable" mode (even at console) only at first level, so could somebody give some light on where am I missing something?

Here is the AAA config template:

enable secret 5 XXXXXX!
username XXXXprivilege 15 secret 5 XXXXXX

aaa group server tacacs+ AuthenticationTacacs
server xxx.xxx.xxx
server xxx.xxx.xxx
server xxx.xxx.xxx
!
aaa group server tacacs+ AccountingTacacs
server xxx.xxx.xxx
server xxx.xxx.xxx
!
aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "
aaa authentication login default group AuthenticationTacacs local
aaa authentication login username_tacacs group tacacs+ local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs
!
!
!
aaa session-id common

ip tacacs source-interface Vlan2

tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 XXXXXXXX

line con 0
exec-timeout 20 0
logging synchronous
full-help
escape-character 27
line vty 0 4
exec-timeout 20 0
password 7 00071A150754
logging synchronous
length 0
full-help
escape-character 27
line vty 5 15
exec-timeout 20 0
password 7 1511021F0725
logging synchronous
full-help
escape-character 27

Thanks,

Luiz

Re: Local authentication failure

Rodrigo Gurriti — Thu, 01 Apr 2010 19:56:46 GMT

Luiz,

Dentro do seu "line console 0" digite aaa authentication "GROUP" ou "default"

Da mesma forma no seu telnet ou ssh vty

Outra coisa, nao esqueca que se voce botar um espaco no final da sua senha ela tera um espaco, ex: "passWord "

Inside your "line console 0" type aaa authentication "GROUP" or"default"

The same way in your telnet or ssht vty

Don't forget that if you put a space on the end of you password it needs to be typed as the ex: "passWord "

BTW you have redundant line for login, i'd do the following way

Voce tem uma linha redudante para o login, eu faria desta forma abaixo

aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "

aaa authentication login default group AuthenticationTacacs local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs

Outra maneira, ela somente ira autenticar no console, pois o grupp nao e maneira "default" de autenticacao do equipamento logo vc precisa aplicar em algum lugar

Here is an other way, its authentication only for the console whitch isnt the default way to authenticate and you need to apply some where

aaa authentication login CONSOLE local

line console 0

aaa authentication CONSOLE

Re: Local authentication failure

Ganesh Hariharan — Fri, 02 Apr 2010 16:13:58 GMT

Hi,

Here is the AAA config template:

enable secret 5 XXXXXX!
username XXXXprivilege 15 secret 5 XXXXXX

ip tacacs source-interface Vlan2

tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 XXXXXXXX

Thanks,

Luiz

Hi Luiz,

Configuration for authentication need to be done under line con as suggested and check out the below link for configuratio on AAA server configuration.

http://www9.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml

Hope to help !!

Ganesh.H

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Re: Local authentication failure

Richard Burts — Wed, 07 Apr 2010 21:33:59 GMT

The suggestions about configuring authentication on the console might make more sense if the problem were not getting into user mode. But if I understand the original post from Luiz he says that they can get into user mode but can not get into enable mode. If my understanding is not correct then I hope that Luiz will correct me.

I wonder if the problem might be that you are not using the right enable secret when you attempt to get into enable mode. I would suggest that you configure the router with a new, and very simple enable secret. Then the next time that you can not communicate with the server try using the simple enable secret and see if that works.

HTH

Rick

Re: Local authentication failure

luiz.alexandre.paiva — Thu, 08 Apr 2010 18:42:33 GMT

Hi, first of all thanks for the answers and wehave two situations

When loose connectivity to AAA servers at console we can't access, shows user and password screen but doesn't authenticate, and when telnet to the equipment reach the user level, but not at enable level.

We tryed enable secret as "cisco", enable password as the same but still doesn't work.

Tryed to use "username user privilege 15 secret {XXXXXXX}" and goes only at user level.

As far as I understood this is a matter of better configuring console and line vty ports, but my problem now is that regarding IOS versions because at some equipments it doesn't support the exact commands as I need.