03-01-2016 01:39 AM - edited 03-10-2019 11:32 PM
I have configured AAA authentication using RADIUS on the N9k.
It works fine for the first login, but after that it fails. I suspect it's because the user account on the N9k was cached as network-operator.
After the first login, I configured the RADIUS server to reply with the network-admin role.
show user-account
user:testuser
roles:network-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
Is there a way to remove this user-account or setup a timeout?
03-01-2016 04:30 AM
Eddy,
Can you please enable debugs for aaa authentication and radius on the Nexus, then log in twice (i.e., a successful and a failed attempt) and show us the output?
Javier Henderson
Cisco Systems
03-02-2016 01:46 AM
Below is the output for a failed attempt.
I need to get the user to try again using another username.
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist
r/home/admin/.ssh/admin': File exists (100663296) - login[807]
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 06:57:28 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[807]
2016 Mar 1 06:57:28 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 06:57:59 TWR5_SVR_RM_9300_1 %AUTHPRIV-2-SYSTEM_MSG: pam_unix(login:session): close_session - error recovering username - login[807]
2016 Mar 1 06:58:32 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[820]
2016 Mar 1 06:58:32 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[820]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[1128]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:36 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user exit from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:41 TWR5_SVR_RM_9300_1 %AUTHPRIV-2-SYSTEM_MSG: pam_unix(login:session): close_session - error recovering username - login[1128]
It was cleared by rebooting the switch, and I managed to log in successfully using the network-admin role now. Before that, I tried to add the same username locally, but it was rejected because it was created by remote auth. "no username <user>" also didn't clear the user account.
There should be a way to clear it out or set a timeout value. Anyone facing the same issue on the N9k?
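The failure signature in the output above is distinctive: each rejected login is preceded, within the same second, by an "Unable to create temporary user" error for the same username, which is what separates this stale cached remote account from an ordinary wrong-password failure. The following script is an added example for this thread (not Cisco code and not the poster's): it parses NX-OS AUTHPRIV syslog lines in the layout shown above and pairs each pam_aaa failure with a preceding create-failure for the same host and user. The sample lines are constructed from the thread's output with the terminal-wrapped lines joined, plus one constructed "bob" line to show a plain credential failure that the pairing correctly does not flag.

```python
"""Classify NX-OS AUTHPRIV login failures: stale cached remote user vs plain auth failure.

Added example for this thread, not Cisco's code. Assumes the syslog layout seen in
the post above: "<year> <Mon> <day> <HH:MM:SS> <host> %FACILITY-SEV-MNEMONIC: <text>".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Sample lines constructed from the thread's output (wrapped lines joined);
# the final "bob" line is constructed to represent an ordinary bad-credential failure.
SAMPLE_LOG = """\
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[807]
2016 Mar 1 06:57:19 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 06:57:28 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[807]
2016 Mar 1 06:57:28 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[807]
2016 Mar 1 06:57:59 TWR5_SVR_RM_9300_1 %AUTHPRIV-2-SYSTEM_MSG: pam_unix(login:session): close_session - error recovering username - login[807]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user testuser. Error 0x404a000a usermod: group 'testuser' does not exist (100663296) - login[1128]
2016 Mar 1 07:08:27 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user testuser from 172.16.74.23 - login[1128]
2016 Mar 1 07:08:36 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user exit from 172.16.74.23 - login[1128]
2016 Mar 1 07:10:02 TWR5_SVR_RM_9300_1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user bob from 10.0.0.5 - login[1200]
"""

# Outer syslog envelope, then the two message bodies we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
CREATE_FAIL_RE = re.compile(
    r"Unable to create temporary user (?P<user>\S+)\. Error (?P<code>0x[0-9a-fA-F]+) "
    r"(?P<detail>.*?) \(\d+\) - (?P<proc>\S+)$"
)
AUTH_FAIL_RE = re.compile(
    r"pam_aaa:\s*Authentication failed for user (?P<user>\S+) from (?P<src>\S+) - (?P<proc>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str              # "create_fail", "auth_fail" or "other"
    user: Optional[str]
    src: Optional[str]
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed NX-OS syslog line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the padded day ("Mar  1") so strptime accepts it.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    cf = CREATE_FAIL_RE.search(msg)
    if cf:
        return Event(ts, m["host"], "create_fail", cf["user"], None, cf["detail"])
    af = AUTH_FAIL_RE.search(msg)
    if af:
        return Event(ts, m["host"], "auth_fail", af["user"], af["src"], msg)
    return Event(ts, m["host"], "other", None, None, msg)


def classify(text: str, window: timedelta = timedelta(seconds=5)) -> Dict[str, List[dict]]:
    """Split auth failures into those preceded (within `window`) by a temporary-user
    creation failure for the same host/user (the stale cached account symptom) and
    everything else (plain credential failures)."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    stale: List[dict] = []
    plain: List[dict] = []
    last_create_fail: Dict[tuple, datetime] = {}   # (host, user) -> timestamp
    for e in events:
        if e.kind == "create_fail":
            last_create_fail[(e.host, e.user)] = e.ts
        elif e.kind == "auth_fail":
            rec = {"ts": e.ts.isoformat(), "host": e.host, "user": e.user, "src": e.src}
            t = last_create_fail.get((e.host, e.user))
            if t is not None and timedelta(0) <= e.ts - t <= window:
                stale.append(rec)
            else:
                plain.append(rec)
    return {"stale_cached_user": stale, "plain_auth_failure": plain}


def affected_users(result: Dict[str, List[dict]]) -> Dict[str, int]:
    """Count stale-cached-user failures per username, for a quick per-switch report."""
    counts: Dict[str, int] = {}
    for rec in result["stale_cached_user"]:
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    res = classify(SAMPLE_LOG)
    print("stale cached remote users:", affected_users(res))
    print("plain auth failures:", [(r["user"], r["src"]) for r in res["plain_auth_failure"]])
```

Pointed at a real syslog collector's output, the "stale_cached_user" bucket tells you which switches still have the cached account problem described in this thread (and would need the reload mentioned later in the thread), while the "plain_auth_failure" bucket is the normal brute-force / typo noise you would route to your usual login-failure alerting.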
03-14-2016 09:23 PM
Just for anyone who is having the same problem: it's caused by a bug.
https://supportforums.cisco.com/discussion/12763251/how-could-remove-cache-user-account-nexus-9k
05-21-2019 01:36 PM
YES. Yes I'm facing the same issue now and rebooting the switch fixed it for me. I tried this out in my lab switches to verify that reloading fixes the issue. But I can't possibly do this to hundreds of production switches. So...I may have to open a TAC case for this.