TACACS allows any username to authenticate

cybrsage
Level 1

I am not even sure where to begin looking for the error. I recently discovered that my tacacs server (ACS 5.8.1) is allowing ANY username to authenticate, including ones that do not appear in TACACS. If you use a legitimate username and an incorrect password, it denies you access to the devices. Yet if you were to use BillGates as your username (which is not a valid username) and MelindaGates as the password (which is in violation of the password rules), you get logged into the devices in Enable Mode.

 

Anyone have any idea where to look to fix this? I am sure it is just a setting that says something like "continue" instead of "deny"...

 

Thanks!

Accepted Solution

Damien Miller
VIP Alumni
Bear with me as I'm doing this from memory; I do not have an ACS VM spun up right now. You are looking for the main policy menu on the left where all of this would be configured, "Access Policies".

First look at "Access Policies > Service Selection Rules" and at the bottom you should see the default; ensure it is set to deny access, and not permit.

You're then going to have to navigate through each of your authentication policies' "Identity" configuration advanced settings, e.g. "Access Policies > Default Device Admin > Identity" (then click advanced options to display the continue/drop/reject). You will have to follow your authentication flow to determine if there should be a reject, drop or continue in the options. Like you, I suspect this is due to the continue action on the "user not found" setting.

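Two quick checks that follow from the advice above, as an added example that is not part of the thread or of Cisco ACS itself: an audit over authentication records that flags successful logins for usernames the identity store does not contain (the symptom the original poster tripped over), and a review of the identity-policy failure actions that reports every option set to Continue so it can be checked against the intended flow. The CSV-like log layout, the user list and the policy dictionary are constructed for the example and are assumptions, not the product's real export or configuration format.

```python
from dataclasses import dataclass

# Constructed sample of ACS-style TACACS+ authentication records. The field layout
# (timestamp, status, username, device IP, identity-store result) is an assumption
# made for this example, not the product's real report format.
SAMPLE_LOG = """\
2016-03-01 09:12:04,Passed,jsmith,10.0.0.5,Internal Users
2016-03-01 09:13:30,Failed,jsmith,10.0.0.5,Wrong password
2016-03-01 09:15:11,Passed,BillGates,10.0.0.7,User not found
2016-03-01 09:16:02,Passed,asmith,10.0.0.5,Internal Users
2016-03-01 09:18:45,Passed,ghost,10.0.0.9,User not found
"""

# Constructed authoritative user list (what the identity store actually contains).
KNOWN_USERS = {"jsmith", "asmith"}

# Constructed view of the identity-policy advanced options per access service,
# mirroring the Continue / Drop / Reject choices the reply describes.
SERVICES = {
    "Default Device Admin": {
        "If authentication failed": "Reject",
        "If user not found": "Continue",   # the misconfiguration in this thread
        "If process failed": "Drop",
    },
    "Default Network Access": {
        "If authentication failed": "Reject",
        "If user not found": "Reject",
        "If process failed": "Drop",
    },
}


@dataclass(frozen=True)
class AuthRecord:
    timestamp: str
    status: str
    username: str
    device: str
    detail: str


def parse_log(text):
    """Parse the constructed CSV-like records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",", 4)
        if len(parts) == 5:
            records.append(AuthRecord(*parts))
    return records


def unknown_user_successes(records, known_users):
    """Passed authentications whose username is absent from the authoritative list.

    Any hit is the symptom the original poster found: the device granted a
    session even though no identity store ever matched the user."""
    return [r for r in records
            if r.status == "Passed" and r.username not in known_users]


def identity_policy_findings(services):
    """Return (service, condition) pairs whose action is Continue.

    Continue lets the request fall through to authorization instead of stopping
    it; each hit should be checked against the intended authentication flow."""
    return [(service, condition)
            for service, options in services.items()
            for condition, action in options.items()
            if action == "Continue"]


if __name__ == "__main__":
    for rec in unknown_user_successes(parse_log(SAMPLE_LOG), KNOWN_USERS):
        print(f"{rec.timestamp} passed auth for unknown user {rec.username!r} "
              f"from {rec.device} ({rec.detail})")
    for service, condition in identity_policy_findings(SERVICES):
        print(f"review: {service}: '{condition}' is set to Continue")
```

Run against the constructed data it reports the two bogus logins and the single Continue action on Default Device Admin. The policy check flags every Continue rather than only "user not found", because, as the reply says, whether Continue is legitimate depends on the authentication flow; the list is a review queue, not a verdict.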

2 Replies


Somehow the Default Device Admin Identity settings had "If user not found" set to Continue. It should have been Reject. Now that I changed it, everything is back to normal.

 

Thanks!  Great memory, by the way!