topic Unused AAA Configuration in Network Access Control

Unused AAA Configuration

ipotts — Sun, 10 Mar 2019 14:09:30 GMT

Hello,

I have seen the following configuration used, but don't see the point of the enable method at the end, since it will never progress beyond the line password. I have tested this by having the TACACS server down, and removing the line password, but it still won't fail over to the enable password. Can you see any reason for the use of the enable password?

aaa authentication login default tacacs+ line enable

Many Thanks

Ian

Re: Unused AAA Configuration

tepatel — Thu, 20 Feb 2003 21:02:52 GMT

Need to see the debug for "debug aaa authentication" so that we can pin-point the issue. You will see somthing like following debug. Same worked for me. Here it is

*Mar 14 19:27:39.369: AAA/MEMORY: create_user (0x48FA8C) user='' ruser='' port='tty3' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

*Mar 14 19:27:39.373: AAA/AUTHEN/START (3803660310): port='tty3' list='' action=LOGIN service=LOGIN

*Mar 14 19:27:39.377: AAA/AUTHEN/START (3803660310): using "default" list

*Mar 14 19:27:39.381: AAA/AUTHEN/START (3803660310): Method=tacacs+ (tacacs+)

*Mar 14 19:27:39.381: TAC+: send AUTHEN/START packet ver=192 id=3803660310

*Mar 14 19:27:44.393: AAA/AUTHEN (3803660310): status = ERROR

*Mar 14 19:27:44.397: AAA/AUTHEN/START (3803660310): Method=LINE

*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): can't find any passwords

*Mar 14 19:27:44.401: AAA/AUTHEN (3803660310): status = ERROR

*Mar 14 19:27:44.405: AAA/AUTHEN/START (3803660310): Method=ENABLE

*Mar 14 19:27:44.405: AAA/AUTHEN (3803660310): status = GETPASS

*Mar 14 19:27:51.485: AAA/AUTHEN/CONT (3803660310): continue_login (user='(undef)')

*Mar 14 19:27:51.489: AAA/AUTHEN (3803660310): status = GETPASS

*Mar 14 19:27:51.493: AAA/AUTHEN/CONT (3803660310): Method=ENABLE

*Mar 14 19:27:51.493: AAA/AUTHEN (3803660310): status = PASS

Re: Unused AAA Configuration

ipotts — Fri, 21 Feb 2003 09:12:01 GMT

Hello,

Thank you for your excellent reply. I am still having trouble, as shown below, my test never tries the enable method. Would you please tell me what software version you used, and please send me your full configuration.

Thanks again.

TEST-3640#sh ver

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-I-M), Version 12.2(13)T1, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/tac

Compiled Fri 03-Jan-03 15:10 by ccai

Image text-base: 0x60008930, data-base: 0x60C1A000

TEST-3640#sh run | incl aaa

aaa new-model

aaa authentication login default group tacacs+ line enable

aaa session-id common

TEST-3640#sh run | be line vty

line vty 0 4

end

##########CONFIGURE AN ENABLE PASS AND LINE PASS ON VTY AND AAA AUTHEN###########

TEST-3640(config)#enable pass enable

TEST-3640(config)#line vty 0 4

TEST-3640(config-line)#pass line

TEST-3640(config-line)#^Z

TEST-3640#

*Mar 9 21:21:52.543 UTC: %SYS-5-CONFIG_I: Configured from console by console

TEST-3640#conf t

Enter configuration commands, one per line. End with CNTL/Z.

TEST-3640(config)#aaa new-model

TEST-3640(config)#aaa authen login default group tac line enable

TEST-3640(config)#^Z

TEST-3640#debug aaa authen

AAA Authentication debugging is on

#######LOGIN WITH line password and debug shows it worked################

TEST-3640#

*Mar 9 21:22:40.291 UTC: AAA/AUTHEN/LOGIN (00000014): Pick method list 'default'

*Mar 9 21:22:40.291 UTC: AAA/AUTHEN/LINE(00000014): GET_PASSWORD

*Mar 9 21:22:44.119 UTC: AAA/AUTHEN/LINE(00000014): PASS

#########REMOVE LINE PASSWORD AND FAILS#####################

TEST-3640#conf t

Enter configuration commands, one per line. End with CNTL/Z.

TEST-3640(config)#line vty 0 4

TEST-3640(config-line)#no pass line

TEST-3640(config-line)#^Z

TEST-3640#

*Mar 9 21:23:02.695 UTC: %SYS-5-CONFIG_I: Configured from console by console

*Mar 9 21:23:06.907 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'

*Mar 9 21:23:06.911 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD

*Mar 9 21:23:16.683 UTC: AAA/AUTHEN/LINE(00000015): FAIL password incorrect

*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'

*Mar 9 21:23:18.683 UTC: AAA/AUTHEN/LINE(00000015): GET_PASSWORD

Re: Unused AAA Configuration

tepatel — Fri, 21 Feb 2003 20:10:39 GMT

My debug was on 12.1(18) with following config.

aaa new-model

aaa authen login default group tac line enable

I will test it with your version and let you know.

Re: Unused AAA Configuration

tepatel — Fri, 21 Feb 2003 22:10:08 GMT

You are right..It doesen't work in .T releases. I have just tested it in 12.2(13)T and T1 and its broken. Authentication stops at "line"

To fix the issue use mainline versions like 12.2(13). I have tested it in mainline versions and it works. I am filing a bug and will let you know the bug number to follow.

Re: Unused AAA Configuration

tepatel — Fri, 21 Feb 2003 22:47:41 GMT

I have submitted CSCea26322 for this issue. To fix this issue, use mainline versions

Re: Unused AAA Configuration

ipotts — Mon, 24 Feb 2003 08:30:12 GMT

Hello,

Thank you very much for your hard work. You have provided better service than what I get from the TAC!!!

Well done,

Ian