Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4461
Views
0
Helpful
4
Replies

why do I get this prompt even though the user does not exist.(ISE2.3)

hatman
Level 1
Level 1

‎01-18-2018 04:14 AM - edited ‎02-21-2020 10:43 AM

Hi,

I have Cisco ISE 2.3 and the router has IOS . I am using TACACS+ function on ISE 
Am try put unknown users in ISE(Network Access Users) with blank password(by enter)

we found the return message is "Enter Old Password:" on the router.

what  I doing wrong? 

 

router configuration

 

aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 3 default local group tacacs+ if-authenticated
aaa authorization commands 5 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 3 default
action-type start-stop
group tacacs+
!
aaa accounting commands 5 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!

 

 

pb-1.pngpb-2.pngpb-3.png

Labels:
0 Helpful
4 Replies 4

Octavian Szolga
Level 4
Level 4

‎01-23-2018 02:57 PM

Hi,

 

When you enter a TACACS+ username a blank password is a 'change password' action.

I think the question would be "why do I get this prompt even though the user does not exist".

In this case you can easily see that in a capture done on ISE. Unfortunately, now I don't have any ISE or ACS to test, but it would be nice if someone can confirm that ACS is behaving the same way or not.

 

Thanks,

Octavian

0 Helpful

hatman
Level 1
Level 1
In response to Octavian Szolga

‎01-24-2018 12:30 AM - edited ‎01-24-2018 06:10 PM

Thank you for your advice i have changed the subject.
and i experimented on ACS version 5.8 i found the same thing.
I wonder if this is normal process.

0 Helpful

Octavian Szolga
Level 4
Level 4
In response to hatman

‎01-24-2018 02:07 PM

If ACS behaves the same exact way, I would say it's a feature :).

I'm just imagining that the whole authentication process (even though this is interactive/message by message) is done only after one has succesfully sent both his username and password.

 

I mean, give me user (X) and password (Y) in a total of  4 messages (request/response) and after that and only after that I'll tell you if you're authenticated or not (doesn't matter if the user exists or not; I must have user's password to check)

 

If the above logic is correct, then the password change functionality would behave the same way.

Enter any user and press enter. AAA system will initiate the password change functionality and request your old password + your new password. Only after you've provided all this info, the AAA server is able to tell you that it can't do anything about it because actually the first authentication phase was not succesful (because there's no such username)

 

Regards,

Octavian

0 Helpful

Jakapan
Level 1
Level 1
In response to Octavian Szolga

‎02-05-2018 02:55 AM

I was the one tested on version 2.3. i found same the return message is "Enter Old Password:" and i try put known users in ISE with blank password. i found return message is "% Authentication failed. "
I think that is a vulnerability for those who do not hope to find a real user.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents