11-22-2016 07:11 AM - edited 03-08-2019 08:15 AM
Hi
I have a strange issue with authentication on n5k
aaa config
aaa authentication login default group radius local
aaa authentication login console local
aaa accounting default group radius
aaa authentication login error-enable
radius-server timeout 2
radius-server retransmit 2
radius-server host <SERVER-IP1> key 7 "XXXYYY" authentication accounting
radius-server host <SERVER-IP2> key 7 "XXXYYY" authentication accounting
aaa group server radius auth
server <SERVER-IP1>
server <SERVER-IP2>
source-interface VlanZZ
The following messages are in the log:
2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\username. Error 0x404a0031 (0) - sshd[7141]
2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from <IP> - sshd[7141]
Testing the AAA server from the CLI is successful:
switch# test aaa server radius <SERVER-IP1> domain\username password
user has been authenticated
Switch (5672UP) is running 7.1(4)N1(1)
Any idea? Thanks in advance
Alfred
01-17-2017 12:36 AM
It seems the reason for this problem is that the account contains _ in its username.
02-06-2017 07:17 AM
Hello,
Since we have the exact same issue, you mean to say it's because the name is like xxx_yyy? As this seems to work well on other Nexus platforms and other NX-OS versions. Also, if we use xxx_yyy without domain extension it also works - or an xxx_yyy user with another domain extension.
We also get the:
%DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.aaaaa-services.cd\xxx_yyy. Error 0x404a0031 (0) - sshd[31666]
It seems, for us:
aaaaa-bbb.intra\xxx_yyy works fine, but
ad.aaaaa-services.cd\xxx_yyy fails (we also tried uppercase, same thing)
We are using ISE as AAA Server.
Did you mean to say it worked for you with users without "_" in the userid?
02-07-2017 12:39 AM
Hi
Some more info regarding "my problem setup" ;)
Windows Radius Server
login is like domain\us_er_name
This combination works on n3k, n5k but not on n56xx
I first tried to change the password to a simple one, didn't work. With a username without _ in its name it works here on all Nexus platforms.
Hope this helps! Cheers
Alfred
02-07-2017 06:48 AM
Hello,
we could verify that in our case it was (is) a length restriction. Domain+User have to be less than 30 characters.
Appears on 5548 in 7.0(7)N1(1)
Isn't there on 5548 in 7.0(6)N1(1)
02-07-2017 10:37 PM
Seems there are different conditions hitting this bug. My domain\us_er_name combination is less than 30 chars.
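Added example, not posted by anyone in this thread: a Python script that pulls the login name out of the "Unable to create temporary user" syslog lines quoted above, pairs each with the pam_aaa failure line from the same sshd PID, and marks the two conditions participants reported (an underscore in the user part, and domain+user of 30 characters or more). The sample log lines, names and address are constructed, and counting the backslash toward the length is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format quoted in the thread (names and IP are made up).
SAMPLE_LOG = [
    r"2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user corp\us_er_name. Error 0x404a0031 (0) - sshd[7141]",
    r"2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.0.2.10 - sshd[7141]",
    r"2017 Feb 06 10:02:11 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.example-services.test\firstname_lastname. Error 0x404a0031 (0) - sshd[31666]",
    r"2017 Feb 06 10:05:40 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user corp\jdoe. Error 0x404a0031 (0) - sshd[31702]",
]

TEMP_USER_RE = re.compile(r"Unable to create temporary user (?P<login>\S+)\. "
                          r"Error (?P<code>0x[0-9a-fA-F]+).* - sshd\[(?P<pid>\d+)\]")
PAM_FAIL_RE = re.compile(r"pam_aaa:Authentication failed from (?P<src>\S+) - sshd\[(?P<pid>\d+)\]")
LENGTH_LIMIT = 30  # one poster's report: domain+user must be less than 30 characters


@dataclass(frozen=True)
class Finding:
    login: str
    error: str
    source: str               # client address from the matching pam_aaa line, "" if none
    length: int               # assumption: the backslash separator counts toward the length
    too_long: bool
    underscore_in_user: bool


def triage(lines):
    """Return one Finding per 'Unable to create temporary user' line."""
    # sshd PIDs repeat over time; on long logs also compare timestamps before pairing.
    sources = {}
    for line in lines:
        m = PAM_FAIL_RE.search(line)
        if m:
            sources[m.group("pid")] = m.group("src")
    findings = []
    for line in lines:
        m = TEMP_USER_RE.search(line)
        if not m:
            continue
        login = m.group("login")
        user = login.rpartition("\\")[2]  # part after the last backslash; whole login if none
        findings.append(Finding(login, m.group("code"), sources.get(m.group("pid"), ""),
                                len(login), len(login) >= LENGTH_LIMIT, "_" in user))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A login that trips neither flag but still logs the error, like the third constructed entry, fits the last poster's remark that more than one condition seems to hit this bug.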