Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6152
Views
0
Helpful
3
Replies

AAA login authentication methods

Go to solution
Oscar Falcon Ortiz
Level 1
Level 1

‎07-05-2012 05:44 AM - edited ‎03-10-2019 07:16 PM

Hello guys,

I've noticed a strange behaviour with AAA authentication login.

My AAA configuration for login authentication is: aaa authentication login default group tacacs+ local

No tacacs server exists, but username and password in local database does. Indeed everything works fine when I log in: aaa authentication login default group tacacs+ local line none

The problem comes up when I add to the method list line and none authentication methods.

In this case, when I log into the switch (via console for example), and I'm asked for username, there is no validation of the username, I mean to say, I can put whatever username and been granted access.

Conclusion: According to my aaa authentication list, method line or none should not be used unless tacacs and local are not available. In this case, local method is available and should fail so login should be rejected, but it jumps to the next method, finally giving access.

Is this a bug in AAA? or am I misunderstanding something.

Thanks a lot.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎07-05-2012 11:25 AM

It's not a bug, it works as designed.

Your confusion is caused by the way the method "local" works. "local" does not give an error if the username doesn't exist as a typical RADIUS- or TACACS-server would do. Instead the next available method is picked.

What happens in your case:

- You log in with "anyname"

- TACACS-server is not available, so fall back to next method (local)

- "anyname" is not in the local userdatabase, so fall back to the next method (line)

- a line password is not configured, so fall back to the next method (none)

- you're in!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎07-05-2012 07:25 AM

What is the config you have under the line you are logging from (console, vty ... Etc.)?

What happens when you remove the "none" keyword from the config?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Oscar Falcon Ortiz
Level 1
Level 1
In response to Amjad Abdullah

‎07-05-2012 09:21 AM

Only exec-timeout command, so it applies the default list defined by aaa.

When I remove the none, authentication fails. I've debugged AAA authentication and shows:

User Access Verification

Username:
Jul  5 18:16:48.329 METDST: AAA/BIND(00000035): Bind i/f 
Jul  5 18:16:49.493 METDST: AAA/AUTHEN/LOGIN (00000035): Pick method list 'default' adsf

Jul  5 18:16:56.382 METDST: AAA/AUTHEN/LINE(00000035): FAIL - Line password not found
% Authentication failed

Username:

Local authentication method is being bypassed.

If I configure a password under line con 0, I've access regardless of the username, so no local authentication is being enforced as well.

Thanks.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎07-05-2012 11:25 AM

It's not a bug, it works as designed.

Your confusion is caused by the way the method "local" works. "local" does not give an error if the username doesn't exist as a typical RADIUS- or TACACS-server would do. Instead the next available method is picked.

What happens in your case:

- You log in with "anyname"

- TACACS-server is not available, so fall back to next method (local)

- "anyname" is not in the local userdatabase, so fall back to the next method (line)

- a line password is not configured, so fall back to the next method (none)

- you're in!

0 Helpful
Customers Also Viewed These Support Documents