11-05-2009 09:35 AM - edited 03-10-2019 04:46 PM
Hi All,
I'm currently studying for my CCNA Security and have been toying around with AAA. I have an 851w with advsecurity 12.4 IOS.
What I have noticed, and find interesting is that I seem to have one user configured locally, but it appears to have two passwords.
For instance, if I log in with SSH or telnet, I enter my username with password 'ABC' and I'm in. This account is privilege level 15. However, if I access the SDM, I must enter the same username with a different password, e.g. '1234'. If I enter the password 'ABC' which works for SSH and telnet, I am not granted access.
I was wondering if anyone can explain this? I have tried using the show aaa commands to see what is going on, but it doesn't seem to help. As I said, aaa is using the local database for its user database. Below is some config.
Any help greatly appreciated.
Cheers,
Conor
aaa new-model
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authorization exec default local
aaa session-id common
username conor privilege 15 secret 5 blahblah
line con 0
 exec-timeout 300 0
 privilege level 15
 password 7 blahblah
 logging synchronous
 login authentication NO_LOGIN
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 300 0
 privilege level 15
 password 7 blahblah
 logging synchronous
11-05-2009 12:32 PM
Hi conor,
You may go through it:
https://supportforums.cisco.com/docs/DOC-4643;jsessionid=0C19A82CCA5D05A3AF75ED6BBDC1530A.node0
HTH
JK
Plz rate helpful posts-
11-05-2009 10:32 AM
Please get the debugs for both instances, telnet and SDM
debug aaa authentication
debug aaa authorization
Regards,
~JG
11-05-2009 11:25 AM
Hi JG,
Below is the output from the three different methods of logging in.
SSH
===
002578: Nov 5 19:37:14.744 PCTime: AAA/BIND(00000305): Bind i/f
002579: Nov 5 19:37:14.744 PCTime: AAA/AUTHEN/LOGIN (00000305): Pick method list 'default'
EDGE#
002580: Nov 5 19:37:17.652 PCTime: AAA/AUTHOR (0x305): Pick method list 'default'
002581: Nov 5 19:37:17.652 PCTime: AAA/AUTHOR/EXEC(00000305): processing AV cmd=
002582: Nov 5 19:37:17.652 PCTime: AAA/AUTHOR/EXEC(00000305): processing AV priv-lvl=15
002583: Nov 5 19:37:17.652 PCTime: AAA/AUTHOR/EXEC(00000305): Authorization successful
Telnet
======
002638: Nov 5 19:44:04.116 PCTime: AAA/BIND(0000033A): Bind i/f
002639: Nov 5 19:44:04.116 PCTime: AAA/AUTHEN/LOGIN (0000033A): Pick method list 'default'
EDGE#
002640: Nov 5 19:44:07.548 PCTime: AAA/AUTHOR (0x33A): Pick method list 'default'
002641: Nov 5 19:44:07.548 PCTime: AAA/AUTHOR/EXEC(0000033A): processing AV cmd=
002642: Nov 5 19:44:07.548 PCTime: AAA/AUTHOR/EXEC(0000033A): processing AV priv-lvl=15
002643: Nov 5 19:44:07.548 PCTime: AAA/AUTHOR/EXEC(0000033A): Authorization successful
SDM via HTTPS
=============
002647: Nov 5 19:46:22.368 PCTime: AAA/BIND(0000033E): Bind i/f
002648: Nov 5 19:46:23.092 PCTime: AAA/BIND(0000033F): Bind i/f
These messages regarding SDM were repeated around 25 times.
Both Authorisation and Authentication debugging modes were on.
Thanks for the help. Much appreciated.
Conor
11-05-2009 12:10 PM
All,
I have worked out that the SDM is using my enable secret for authentication as opposed to AAA.
I assume this is the default behaviour. Thanks JG for getting me thinking along these lines by looking at the debug aaa authentication and authorisation.
If you know whether it is possible to configure SDM to authenticate against SDM, I would be more than happy to know how to perform such a configuration. I'm searching for such a config on google but not having much luck.
Again, thanks for pointing me in the right direction.
Cheers,
Conor
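A configuration pair, added here as an illustration and not taken from the thread, that shows why the HTTPS/SDM login takes the enable secret while SSH/telnet take the AAA local user, and how to point the HTTP server at the same AAA lists. It assumes the `ip http authentication` command and its `aaa` keyword are available on the poster's 12.4 image; the username and method-list names follow the thread's config.

```cisco
! --- As posted (implied default): the IOS HTTP server authenticates
! with the enable secret, so SDM never consults the AAA 'default'
! method list or the local username database. Leaving the line out
! is the same as configuring:
ip http secure-server
ip http authentication enable

! --- Corrected: make HTTPS/SDM use the same AAA login and exec lists
! as the vty lines, so the local privilege-15 account is the only
! management credential and AAA/AUTHEN debug shows the SDM session too.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username conor privilege 15 secret 5 blahblah   ! hash placeholder
no ip http server                               ! no cleartext HTTP
ip http secure-server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default

! --- Alternative on images without the 'aaa' keyword: authenticate
! the HTTP server directly against the local username database.
! ip http authentication local
```

After the change, `debug aaa authentication` on an SDM login should show an AAA/AUTHEN/LOGIN line picking method list 'default', matching the SSH and telnet traces above.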