cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5012
Views
0
Helpful
4
Replies

why do I get this prompt even though the user does not exist.(ISE2.3)

hatman
Level 1
Level 1

Hi,

I have Cisco ISE 2.3 and the router has IOS . I am using TACACS+ function on ISE 
Am try put unknown users in ISE(
Network Access Users) with blank password(by enter)

we found the return message is "Enter Old Password:" on the router.

what  I doing wrong? 

 

router configuration

 

aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 3 default local group tacacs+ if-authenticated
aaa authorization commands 5 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 3 default
action-type start-stop
group tacacs+
!
aaa accounting commands 5 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!

 

 

pb-1.pngpb-2.pngpb-3.png

4 Replies 4

Octavian Szolga
Level 4
Level 4

Hi,

 

When you enter a TACACS+ username a blank password is a 'change password' action.

I think the question would be "why do I get this prompt even though the user does not exist".

In this case you can easily see that in a capture done on ISE. Unfortunately, now I don't have any ISE or ACS to test, but it would be nice if someone can confirm that ACS is behaving the same way or not.

 

Thanks,

Octavian

Thank you for your advice i have changed the subject.
and i experimented on ACS version 5.8 i found the same thing.
I wonder if this is normal process.

If ACS behaves the same exact way, I would say it's a feature :).

I'm just imagining that the whole authentication process (even though this is interactive/message by message) is done only after one has succesfully sent both his username and password.

 

I mean, give me user (X) and password (Y) in a total of  4 messages (request/response) and after that and only after that I'll tell you if you're authenticated or not (doesn't matter if the user exists or not; I must have user's password to check)

 

If the above logic is correct, then the password change functionality would behave the same way.

Enter any user and press enter. AAA system will initiate the password change functionality and request your old password + your new password. Only after you've provided all this info, the AAA server is able to tell you that it can't do anything about it because actually the first authentication phase was not succesful (because there's no such username)

 

Regards,

Octavian

I was the one tested on version 2.3. i found same the return message is "Enter Old Password:" and i try put known users in ISE with blank password. i found return message is "% Authentication failed. "
I think that is a vulnerability for those who do not hope to find a real user.