Nexus 5k - Unable to create temporary user

alfred.thyri
Level 1

Hi

I have a strange issue with authentication on n5k

aaa config

aaa authentication login default group radius local
aaa authentication login console local
aaa accounting default group radius
aaa authentication login error-enable

radius-server timeout 2
radius-server retransmit 2
radius-server host <SERVER-IP1> key 7 "XXXYYY" authentication accounting
radius-server host <SERVER-IP2> key 7 "XXXYYY" authentication accounting
aaa group server radius auth
  server <SERVER-IP1>
  server <SERVER-IP2>
  source-interface VlanZZ

The following messages are in the log:

2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\username. Error 0x404a0031 (0) - sshd[7141]
2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from <IP> - sshd[7141]

Testing the AAA server from the CLI is successful:

switch# test aaa server radius <SERVER-IP1> domain\username password
user has been authenticated

Switch (5672UP) is running 7.1(4)N1(1)

Any idea? Thanks in advance

Alfred

Accepted Solution

Hi

Some more info regarding "my problem setup" ;)

Windows Radius Server

login is like domain\us_er_name

This combination works on n3k, n5k but not on n56xx

I first tried to change the password to a simple one, didn't work. With a username without _ in its name it works here on all Nexus platforms.

Hope this helps! Cheers

Alfred


5 Replies

alfred.thyri
Level 1

It seems the reason for this problem is that the account contains _ in its username.

Hello,

Since we have the exact same issue, you mean to say it's because the name is like xxx_yyy? As this seems to work well on other Nexus platforms and other NX-OS versions. Also, if we use xxx_yyy without domain extension it also works - or an xxx_yyy user with another domain extension.

We also get the:

%DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.aaaaa-services.cd\xxx_yyy. Error 0x404a0031 (0) - sshd[31666]

It seems, for us:

aaaaa-bbb.intra\xxx_yyy works fine, but

ad.aaaaa-services.cd\xxx_yyy fails (we also tried uppercase, same thing)

We are using ISE as AAA Server.

Did you mean to say it worked for you with users without "_" in the userid?

Hello,

we could verify that in our case it was (is) a length restriction. Domain+User have to be less than 30 characters.

Appears on 5548 in 7.0(7)N1(1)

Isn't there on 5548 in 7.0(6)N1(1)

Seems there are different conditions hitting this bug. My domain\us_er_name combination is less than 30 chars.
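
Added example, not part of the thread and not Cisco code: a small log triage script that pairs each "Unable to create temporary user" message with the pam_aaa failure from the same sshd PID and marks which of the two conditions reported above (underscore in the username, domain+user of 30 characters or more) the login name meets. The sample lines, the function names and the choice to count the length without the backslash are assumptions.

```python
import re

# Constructed sample lines, in the format of the messages quoted in the thread.
SAMPLE_LOG = r"""
2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user corp\us_er_name. Error 0x404a0031 (0) - sshd[7141]
2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.0.2.10 - sshd[7141]
2016 Nov 22 16:02:11 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.longdomain-services.example\operator. Error 0x404a0031 (0) - sshd[7203]
2016 Nov 22 16:02:11 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.0.2.11 - sshd[7203]
2016 Nov 22 16:05:40 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.0.2.12 - sshd[7230]
"""
TEMP_USER = re.compile(
    r"Unable to create temporary user (?P<login>\S+)\. "
    r"Error (?P<code>0x[0-9a-fA-F]+) \(\d+\) - sshd\[(?P<pid>\d+)\]")
PAM_FAIL = re.compile(
    r"pam_aaa:Authentication failed from (?P<src>\S+) - sshd\[(?P<pid>\d+)\]")
MAX_LEN = 30  # limit reported in the thread; counting without the "\" is an assumption


def conditions(login, max_len=MAX_LEN):
    """Return which of the thread's two reported conditions a login name meets."""
    domain, _, user = login.rpartition("\\")
    hits = []
    if "_" in user:
        hits.append("underscore")
    if len(domain) + len(user) >= max_len:
        hits.append("length")
    return hits


def triage(log_text):
    """Pair each temporary-user error with the pam_aaa failure of the same sshd PID."""
    findings, open_by_pid = [], {}
    for line in log_text.splitlines():
        m = TEMP_USER.search(line)
        if m:
            f = {"login": m["login"], "code": m["code"], "pid": m["pid"],
                 "src": None, "conditions": conditions(m["login"])}
            findings.append(f)
            open_by_pid[m["pid"]] = f
            continue
        m = PAM_FAIL.search(line)
        # A pam_aaa failure with no temporary-user error before it is an ordinary rejected login.
        if m and m["pid"] in open_by_pid:
            open_by_pid.pop(m["pid"])["src"] = m["src"]
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["login"], f["src"], f["code"], ", ".join(f["conditions"]) or "none")
```

A finding with an empty conditions list matches neither report in this thread and needs a separate look.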
