topic Re: ISE2.3 username with blank password in Network Access Control

why do I get this prompt even though the user does not exist.(ISE2.3)

hatman — Fri, 21 Feb 2020 18:43:43 GMT

Hi,

I have Cisco ISE 2.3 and the router has IOS . I am using TACACS+ function on ISE
Am try put unknown users in ISE(Network Access Users) with blank password(by enter)

we found the return message is "Enter Old Password:" on the router.

what I doing wrong?

router configuration

aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 3 default local group tacacs+ if-authenticated
aaa authorization commands 5 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 3 default
action-type start-stop
group tacacs+
!
aaa accounting commands 5 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!

Re: ISE2.3 username with blank password

Octavian Szolga — Tue, 23 Jan 2018 22:57:39 GMT

Hi,

When you enter a TACACS+ username a blank password is a 'change password' action.

I think the question would be "why do I get this prompt even though the user does not exist".

In this case you can easily see that in a capture done on ISE. Unfortunately, now I don't have any ISE or ACS to test, but it would be nice if someone can confirm that ACS is behaving the same way or not.

Thanks,

Octavian

Re: ISE2.3 username with blank password

hatman — Thu, 25 Jan 2018 02:10:07 GMT

Thank you for your advice i have changed the subject.
and i experimented on ACS version 5.8 i found the same thing.
I wonder if this is normal process.

Re: ISE2.3 username with blank password

Octavian Szolga — Wed, 24 Jan 2018 22:07:25 GMT

If ACS behaves the same exact way, I would say it's a feature :).

I'm just imagining that the whole authentication process (even though this is interactive/message by message) is done only after one has succesfully sent both his username and password.

I mean, give me user (X) and password (Y) in a total of 4 messages (request/response) and after that and only after that I'll tell you if you're authenticated or not (doesn't matter if the user exists or not; I must have user's password to check)

If the above logic is correct, then the password change functionality would behave the same way.

Enter any user and press enter. AAA system will initiate the password change functionality and request your old password + your new password. Only after you've provided all this info, the AAA server is able to tell you that it can't do anything about it because actually the first authentication phase was not succesful (because there's no such username)

Regards,

Octavian

Re: ISE2.3 username with blank password

Jakapan — Mon, 05 Feb 2018 10:55:20 GMT

I was the one tested on version 2.3. i found same the return message is "Enter Old Password:" and i try put known users in ISE with blank password. i found return message is "% Authentication failed. "
I think that is a vulnerability for those who do not hope to find a real user.