
Remove user-account in n9k from AAA remote auth

eddychristian10
Level 1

I have configured AAA authentication using RADIUS in N9k.

It works fine for the first login but after that it fails. I suspect it is because the user-account in the N9k cached it as network-operator.

After the first login, I configured the RADIUS server to reply using the network-admin role.

show user-account

user:testuser
roles:network-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user
account
Local login not possible

Is there a way to remove this user-account or set up a timeout?

4 Replies

Eddy,

Can you please enable debugs for aaa authentication and radius on the Nexus, then log in twice (i.e., a successful and a failed attempt) and show us the output?

Javier Henderson

Cisco Systems

Below the output for failed attempt.

I need to get the user to try again using other username.

2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create
temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist
r/home/admin/.ssh/admin': File exists (100663296) - login[807]
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenti
cation failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 06:57:28 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create
temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist
(100663296) - login[807]
2016 Mar 1 06:57:28 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenti
cation failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 06:57:59 TWR5_SVR_RM_9300_1 %AUTHPRIV-2-SYSTEM_MSG: pam_unix(login:s
ession): close_session - error recovering username - login[807]
2016 Mar 1 06:58:32 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create
temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist
(100663296) - login[820]
2016 Mar 1 06:58:32 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenti
cation failed for user testuser from 172.16.74.23 - login[820]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create
temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist
(100663296) - login[1128]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenti
cation failed for user testuser from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:36 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenti
cation failed for user exit from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:41 TWR5_SVR_RM_9300_1 %AUTHPRIV-2-SYSTEM_MSG: pam_unix(login:s
ession): close_session - error recovering username - login[1128]

It was cleared by rebooting the switch and I managed to log in successfully using the network-admin role now. Before, I tried to add the same username locally but it was rejected because it was created by remote auth. "no username <user>" also didn't clear the user-account.

There should be a way to clear it out or set a timeout value. Anyone facing the same issue in n9k?
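Taken on their own, the pam_aaa failures in the log above look like repeated bad credentials for testuser, when the real cause is the "Unable to create temporary user" error logged by the same login process. The following Python is an added example (not from this thread or from Cisco) that correlates the two messages by their login[pid] so a SIEM rule can label the stale cached account as the cause instead of a credential failure; the sample log is constructed from the posted lines with the wrapped lines re-joined.

```python
import re

# Constructed sample modelled on the NX-OS syslog lines posted above (wrapped lines re-joined).
SAMPLE_LOG = """\
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[807]
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[1128]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:36 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user exit from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:41 TWR5_SVR_RM_9300_1 %AUTHPRIV-2-SYSTEM_MSG: pam_unix(login:session): close_session - error recovering username - login[1128]
"""

# NX-OS syslog shape: "<year> <mon> <day> <time> <host> %FACILITY-SEV-MNEMONIC: <msg> - <proc>[<pid>]"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<msg>.*?)"
    r"(?: - (?P<proc>\w+)\[(?P<pid>\d+)\])?$"
)
CREATE_FAIL_RE = re.compile(r"Unable to create temporary user (?P<user>\S+)\.")
AUTH_FAIL_RE = re.compile(r"pam_aaa:Authentication failed for user (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Return the syslog fields as a dict, or None if the line is not NX-OS syslog."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify_failures(log_text):
    """Attribute each pam_aaa failure to a preceding account-creation error from the same login[pid]."""
    create_failed = {}  # pid -> user whose temporary (remote-auth) account could not be created
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = CREATE_FAIL_RE.search(rec["msg"])
        if m:
            create_failed[rec["pid"]] = m.group("user")
            continue
        m = AUTH_FAIL_RE.search(rec["msg"])
        if m:
            user, src = m.group("user"), m.group("src")
            # Consume the pending creation error so a later failure in the same process is judged on its own.
            stale = create_failed.pop(rec["pid"], None) == user
            findings.append({"ts": rec["ts"], "user": user, "src": src, "pid": rec["pid"],
                             "cause": "stale_remote_account" if stale else "credential_or_other"})
    return findings


if __name__ == "__main__":
    for f in classify_failures(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} src={f['src']} login[{f['pid']}] cause={f['cause']}")
```

The third finding (user "exit", the operator typing exit at the username prompt) stays "credential_or_other" because its login[1128] creation error was already consumed by the testuser failure.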

Just for anyone who is having the same problem: it's caused by a bug.

https://supportforums.cisco.com/discussion/12763251/how-could-remove-cache-user-account-nexus-9k

YES. Yes I'm facing the same issue now and rebooting the switch fixed it for me. I tried this out in my lab switches to verify that reloading fixes the issue. But I can't possibly do this to hundreds of production switches. So...I may have to open a TAC case for this.