
Nexus 5k - Unable to create temporary user

alfred.thyri
Level 1

Hi

I have a strange issue with authentication on n5k

aaa config

aaa authentication login default group radius local
aaa authentication login console local
aaa accounting default group radius
aaa authentication login error-enable

radius-server timeout 2
radius-server retransmit 2
radius-server host <SERVER-IP1> key 7 "XXXYYY" authentication accounting
radius-server host <SERVER-IP2> key 7 "XXXYYY" authentication accounting
aaa group server radius auth
  server <SERVER-IP1>
  server <SERVER-IP2>
  source-interface VlanZZ

The following messages are in the log

2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\username. Error 0x404a0031 (0) - sshd[7141]
2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from <IP> - sshd[7141]

Testing the AAA server from the CLI is successful

switch# test aaa server radius <SERVER-IP1> domain\username password
user has been authenticated

Switch (5672UP) is running 7.1(4)N1(1)

Any idea? Thanks in advance

Alfred


alfred.thyri
Level 1

It seems the reason for this problem is that the account contains _ in its username.

Hello,

Since we have the exact same issue, you mean to say it's because the name is like xxx_yyy? As this seems to work well on other Nexus platforms and other NX-OS versions. Also, if we use xxx_yyy without a domain extension it also works - or an xxx_yyy user with another domain extension.

We also get the:

%DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.aaaaa-services.cd\xxx_yyy. Error 0x404a0031 (0) - sshd[31666]

It seems, for us:

aaaaa-bbb.intra\xxx_yyy works fine, but

ad.aaaaa-services.cd\xxx_yyy fails (we also tried uppercase, same thing)

We are using ISE as AAA Server.

Did you mean to say it worked for you with users without "_" in the userid?

Hi

Some more info regarding "my problem setup" ;)

Windows Radius Server

login is like domain\us_er_name

This combination works on n3k, n5k but not on n56xx

I first tried to change the password to a simple one, didn't work. With a username without _ in its name it works here on all Nexus platforms.

Hope this helps! Cheers

Alfred

Hello,

we could verify that in our case it was (is) a length restriction. Domain+User have to be less than 30 characters.

Appears on 5548 in 7.0(7)N1(1)

Isn't there on 5548 in 7.0(6)N1(1)

Seems there are different conditions hitting this bug. My domain\us_er_name combination is less than 30 chars.
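
A log triage example for the failure discussed in this thread, added here and not taken from any poster or from Cisco: it extracts the login from the "Unable to create temporary user" message and flags the two conditions participants reported (an underscore in a domain\user login, and domain plus user of 30 characters or more). The function names, the sample log lines and the choice not to count the backslash toward the length are assumptions.

```python
import re

# Field layout taken from the sshd message quoted in the thread.
TEMP_USER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d+ [\d:]+) (?P<host>\S+) %DAEMON-3-SYSTEM_MSG: "
    r"Unable to create temporary user (?P<login>\S+)\. "
    r"Error (?P<code>0x[0-9a-fA-F]+) \(\d+\) - sshd\[\d+\]"
)
LENGTH_LIMIT = 30  # thread report: domain + user must be under 30 characters


def triage(line):
    """Return login details plus thread-reported conditions, or None if no match."""
    m = TEMP_USER_RE.match(line)
    if m is None:
        return None
    login = m.group("login")
    domain, _, user = login.rpartition("\\")
    hints = []
    # Reported for domain\user logins only; a bare xxx_yyy was said to work.
    if domain and "_" in user:
        hints.append("underscore")
    # Assumption: the backslash separator is not counted toward the limit.
    if len(domain) + len(user) >= LENGTH_LIMIT:
        hints.append("length")
    return {"host": m.group("host"), "login": login,
            "code": m.group("code"), "hints": hints}


def scan(lines):
    """Triage every line and keep only the temporary-user failures."""
    return [r for r in map(triage, lines) if r is not None]


# Constructed sample lines modelled on the messages in the thread.
SAMPLE_LOG = [
    r"2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create "
    r"temporary user domain\us_er_name. Error 0x404a0031 (0) - sshd[7141]",
    r"2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:"
    r"Authentication failed from 192.0.2.10 - sshd[7141]",
    r"2016 Nov 22 16:02:10 switch %DAEMON-3-SYSTEM_MSG: Unable to create "
    r"temporary user corp.example-services.test\networkadmin. "
    r"Error 0x404a0031 (0) - sshd[7210]",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["host"], r["login"], r["code"], ",".join(r["hints"]) or "none")
```

A failure with no hint set means neither reported condition applies to that login, which matches the last poster's remark that different conditions seem to trigger the error.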
