topic Re: Local Account Authentication - Concern in Network Access Control

Local Account Authentication - Concern

Amin Shaikh — Sun, 10 Mar 2019 23:02:51 GMT

Hi,

I want Routers to be authenticated via ACS Box and if ACS Box is unavailable then only local accounts created on Router should authenticate...

My setup allows Router local account authenticaion even if ACS Box is available...

Please help to resolve this...

My config :

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

username alj password 7 0000111188888

tacacs-server host 192.168.1.100

tacacs-server directed-request

tacacs-server key 7 0000111199999999

ip tacacs source-interface GigabitEthernet0/0

Re: Local Account Authentication - Concern

chaitu_kranthi — Wed, 20 Aug 2008 21:32:29 GMT

Can you cross check that your tacacs-server also having the same tacacs-server key.

May be it is creating the problem

Re: Local Account Authentication - Concern

Amin Shaikh — Thu, 21 Aug 2008 06:46:02 GMT

Its using the same Key.....

I get authenticated via ACS and Local Accounts.. but I want local account should only be authenticated if ACS server is down.

Re: Local Account Authentication - Concern

dhananjoy chowdhury — Thu, 21 Aug 2008 15:19:51 GMT

Can you share the config under "line vty"

Re: Local Account Authentication - Concern

Amin Shaikh — Thu, 21 Aug 2008 19:08:59 GMT

line vty 5 15

transport input telnet ssh

Re: Local Account Authentication - Concern

Premdeep Banga — Thu, 21 Aug 2008 19:23:47 GMT

debug aaa authentication

debug tacacs authentication

term mon

This would let you know if it is even letting you in using Local account, even if Tacacs server is UP.

I doubt that case, and I recommend running these debugs. As you commands are perfect for what you want to achieve, unless there is some bug in the code or unless we are missing something.

Regards,

Prem

Re: Local Account Authentication - Concern

Richard Burts — Thu, 21 Aug 2008 20:05:19 GMT

Amin

I would like to understand better this statement of yours:

I get authenticated via ACS and Local Accounts.

How do you tell that you are authenticated via ACS and Local Accounts. Do you have a user ID that is in ACS but not local and another user ID that is local but not in ACS?

Or if you have a user ID that is in ACS and also locally configured, but has a different password in the local definition from ACS, then do both passwords work?

Understanding this may help us find a solution to your problem.

[edit] and I agree that the output of the debug aaa authentication and debug tacacs authentication would be quite helpful.

HTH

Rick

Re: Local Account Authentication - Concern

Amin Shaikh — Fri, 22 Aug 2008 11:20:53 GMT

Yes,

I have a user ID that is in ACS but not local and another user ID that is local but not in ACS.

And both of them work when ACS BOX is reachable by the router.

===========================================

<< Let me rephrase my question >>

As an Admin Local Account created on Router should only be authenticated when ACS BOx is unreachable.

=============================================

Re: Local Account Authentication - Concern

Premdeep Banga — Fri, 22 Aug 2008 11:26:59 GMT

debugs please 🙂

For the account that is local on device and ACS box should be reachable at that moment.

Regards,

Prem

Re: Local Account Authentication - Concern

Amin Shaikh — Fri, 22 Aug 2008 12:00:10 GMT

329399: *Jun 23 09:28:05.375 PAK: %FAN-3-FAN_FAILED: Fan 1 had a rotation error reported.

329400: *Jun 23 09:28:16.767 PAK: AAA/BIND(00000082): Bind i/f

329401: *Jun 23 09:28:16.767 PAK: AAA/AUTHEN/LOGIN (00000082): Pick method list 'default'

329402: *Jun 23 09:28:16.767 PAK: TPLUS: Queuing AAA Authentication request 130 for processing

329403: *Jun 23 09:28:16.767 PAK: TPLUS: processing authentication start request id 130

329404: *Jun 23 09:28:16.767 PAK: TPLUS: Authentication start packet created for 130(paknt)

329405: *Jun 23 09:28:16.767 PAK: TPLUS: Using server 192.168.1.100

329406: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT/641C1728: Started 5 sec timeout

329407: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT: socket event 2

329408: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT: wrote entire 43 bytes request

329409: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1

329410: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: Would block while reading

329411: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1

329412: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 12 header bytes (expect 16 bytes data)

329413: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1

329414: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 28 bytes response

329415: *Jun 23 09:28:16.771 PAK: TPLUS(00000082)/1/641C1728: Processing the reply packet

329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)

329417: *Jun 23 09:28:26.179 PAK: TPLUS: Queuing AAA Authentication request 130 for processing

329418: *Jun 23 09:28:26.179 PAK: TPLUS: processing authentication continue request id 130

329419: *Jun 23 09:28:26.179 PAK: TPLUS: Authentication continue packet generated for 130

329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout

329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request

329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out

329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up

329424: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/641C166C: Processing the reply packet

329425: *Jun 23 09:28:32.467 PAK: AAA: parse name=tty163 idb type=-1 tty=-1

329426: *Jun 23 09:28:32.467 PAK: AAA: name=tty163 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=163 channel=0

329427: *Jun 23 09:28:32.467 PAK: AAA/MEMORY: create_user (0x6461EB48) user='paknt' ruser='NULL' ds0=0 port='tty163' rem_addr='192.168.1.199' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

329428: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): port='tty163' list='' action=LOGIN service=ENABLE

329429: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): non-console enable - default to enable password

329430: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): Method=ENABLE

329431: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN(238219777): Status=GETPASS

329432: *Jun 23 09:28:35.375 PAK: %FAN-3-FAN_FAILED: Fan 1 had a rotation error reported.

329433: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN/CONT (238219777): continue_login (user='(undef)')

329434: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN(238219777): Status=GETPASS

329435: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN/CONT (238219777): Method=ENABLE

329436: *Jun 23 09:28:40.399 PAK: AAA/AUTHEN(238219777): Status=PASS

329437: *Jun 23 09:28:40.399 PAK: AAA/MEMORY: free_user (0x6461EB48) user='NULL' ruser='NULL' port='tty163' rem_addr='192.168.1.199' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Re: Local Account Authentication - Concern

Premdeep Banga — Fri, 22 Aug 2008 12:13:50 GMT

Is 'paknt' a local user or a user on Tacacs server ?

Regards,

Prem

Re: Local Account Authentication - Concern

Amin Shaikh — Fri, 22 Aug 2008 14:35:53 GMT

Its a local user created on Router, no such user exists on ACS Box.

Re: Local Account Authentication - Concern

Premdeep Banga — Fri, 22 Aug 2008 15:56:52 GMT

Either something is not right the way your Tacacs is responding or something not right on the code, check this,

329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout

329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request

329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out

329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up

329424: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/641C166C: Processing the reply packet

After device sent the credentials to the TACACS server @ 09:28:26.179, The device started the 5sec timeout. And could not get a reply back from the authentication server in 5 sec i.e. (09:28:26.179 + 5 = 09:28:31.179), so device timed out on the Tacacs reply @ 09:28:31.179.

This triggered the fallback method, though IOS has not ozzed the fallback related debugs as I expected. But one thing is for sure, the device is timing out on the Tacacs reply.

Here are my suggestions.

- Increase the tacacs server timeout,

tacacs-server timeout (default is 5sec)

- Or try some other code.

To take a look at good debugs with your/similar configuration check the attachment.

Regards,

Prem

Please rate if it helps!

Re: Local Account Authentication - Concern

Richard Burts — Fri, 22 Aug 2008 16:20:23 GMT

It looks to me like there is some issue on the TACACS server. The server is there and is at least somewhat active in the beginning of the transaction. The router sends the beginning of the transaction to the server and the router gets some resonse from the server as shown in:

329415: *Jun 23 09:28:16.771 PAK: TPLUS(00000082)/1/641C1728: Processing the reply packet

329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)

but then the router sends the password, waits for a response, and gets no response. So it times out and falls back to local authentication.

HTH

Rick

Re: Local Account Authentication - Concern

pranuv.pandit — Fri, 05 Sep 2008 14:47:22 GMT

As you have already told "paknt" is a local user account and no such user exists on Tacacs. So what I feel, if no such user is available on TAcacs, it will look for same user credentials on local database. You try to make one more user with same user name i.e. "paknt" and set different password for it....then try again. Then it should login with Tacacs username/password pair not with local user/password pair.