01-18-2018 04:14 AM - edited 02-21-2020 10:43 AM
Hi,
I have Cisco ISE 2.3 and the router has IOS. I am using the TACACS+ function on ISE.
I tried entering unknown users in ISE (Network Access Users) with a blank password (by pressing Enter).
We found that the return message on the router is "Enter Old Password:".
What am I doing wrong?
Router configuration:
aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 3 default local group tacacs+ if-authenticated
aaa authorization commands 5 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 3 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 5 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
01-23-2018 02:57 PM
Hi,
When you enter a TACACS+ username, a blank password is a 'change password' action.
I think the question would be "why do I get this prompt even though the user does not exist?".
In this case you can easily see that in a capture done on ISE. Unfortunately, right now I don't have any ISE or ACS to test, but it would be nice if someone could confirm whether ACS behaves the same way or not.
Thanks,
Octavian
01-24-2018 12:30 AM - edited 01-24-2018 06:10 PM
Thank you for your advice; I have changed the subject.
I also experimented on ACS version 5.8 and found the same thing.
I wonder if this is the normal process.
01-24-2018 02:07 PM
If ACS behaves the same exact way, I would say it's a feature :).
I'm just imagining that the whole authentication process (even though this is interactive, message by message) is done only after one has successfully sent both his username and password.
I mean, give me user (X) and password (Y) in a total of 4 messages (request/response), and after that, and only after that, I'll tell you if you're authenticated or not (it doesn't matter if the user exists or not; I must have the user's password to check).
If the above logic is correct, then the password change functionality would behave the same way.
Enter any user and press Enter. The AAA system will initiate the password change functionality and request your old password + your new password. Only after you've provided all this info is the AAA server able to tell you that it can't do anything about it, because actually the first authentication phase was not successful (because there's no such username).
Regards,
Octavian
02-05-2018 02:55 AM
I was the one who tested on version 2.3. I found the same return message, "Enter Old Password:", and when I tried known users in ISE with a blank password, I found the return message was "% Authentication failed."
I think that is a vulnerability for those who do not hope to find a real user.
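To make the exchange Octavian describes and the two outcomes reported in this thread concrete, here is an added toy model of the TACACS+ ASCII login dialogue (my example, not ISE's or Cisco's code). It uses the real REPLY status codes from RFC 8907 but encodes only the prompts observed in the thread; the user table and the `ToyTacacsServer`/`simulate_login` names are constructed for illustration.

```python
# Toy model of the TACACS+ ASCII login exchange reported in this thread.
# Assumption: the server only reaches a verdict after the full dialogue,
# and a blank password for an unknown user starts the change-password flow.
from dataclasses import dataclass

# TACACS+ authentication REPLY status codes (RFC 8907, section 5.2)
PASS, FAIL, GETDATA, GETUSER, GETPASS = 0x01, 0x02, 0x03, 0x04, 0x05

@dataclass
class ToyTacacsServer:
    users: dict  # username -> password; constructed sample data, not a real store

    def start(self):
        """Server side of the START packet: ask for the username."""
        self.state, self.user = "user", None
        return GETUSER, "Username: "

    def cont(self, msg):
        """Server side of a CONTINUE packet carrying the client's reply."""
        if self.state == "user":
            self.user, self.state = msg, "pass"
            return GETPASS, "Password: "
        if self.state == "pass":
            if msg == "" and self.user not in self.users:
                # Blank password, unknown user: change-password flow, as observed
                self.state = "old"
                return GETDATA, "Enter Old Password:"
            return self._verdict(msg)
        if self.state == "old":
            self.state = "new"
            return GETDATA, "Enter New Password:"
        # state "new": the whole dialogue is done, only now does the server fail it
        return FAIL, "% Authentication failed."

    def _verdict(self, password):
        ok = self.users.get(self.user) == password
        return (PASS, "") if ok else (FAIL, "% Authentication failed.")

def simulate_login(server, replies):
    """Drive the dialogue as the router would; return (prompts, final status)."""
    status, prompt = server.start()
    prompts = [prompt]
    for reply in replies:
        if status in (PASS, FAIL):
            break
        status, prompt = server.cont(reply)
        prompts.append(prompt)
    return prompts, status

if __name__ == "__main__":
    srv = ToyTacacsServer({"admin": "s3cret"})  # constructed sample account
    print(simulate_login(srv, ["ghost", "", "x", "y"]))  # unknown user, blank password
    print(simulate_login(srv, ["admin", ""]))            # known user, blank password
```

Running it shows the unknown user walking through both change-password prompts before the failure, while the known user with a blank password fails immediately, which is exactly the difference the thread points out.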