11-22-2016 07:11 AM - edited 03-08-2019 08:15 AM
Hi
I have a strange issue with authentication on n5k
AAA config:
aaa authentication login default group radius local
aaa authentication login console local
aaa accounting default group radius
aaa authentication login error-enable
radius-server timeout 2
radius-server retransmit 2
radius-server host <SERVER-IP1> key 7 "XXXYYY" authentication accounting
radius-server host <SERVER-IP2> key 7 "XXXYYY" authentication accounting
aaa group server radius auth
  server <SERVER-IP1>
  server <SERVER-IP2>
  source-interface VlanZZ
The following messages are in the log:
2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\username. Error 0x404a0031 (0) - sshd[7141]
2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from <IP> - sshd[7141]
Testing the AAA server from the CLI is successful:
switch# test aaa server radius <SERVER-IP1> domain\username password
user has been authenticated
Switch (5672UP) is running 7.1(4)N1(1)
Any idea? Thanks in advance
Alfred
01-17-2017 12:36 AM
It seems the reason for this problem is that the account contains _ in its username.
02-06-2017 07:17 AM
Hello,
Since we have the exact same issue, you mean to say it's because the name is like xxx_yyy? As this seems to work well on other Nexus platforms and other NX-OS versions. Also, if we use xxx_yyy without domain extension it also works - or an xxx_yyy user with another domain extension.
We also get the:
%DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.aaaaa-services.cd\xxx_yyy. Error 0x404a0031 (0) - sshd[31666]
It seems, for us:
aaaaa-bbb.intra\xxx_yyy works fine, but
ad.aaaaa-services.cd\xxx_yyy fails (we also tried uppercase, same thing)
We are using ISE as AAA Server.
Did you mean to say it worked for you with users without "_" in the userid?
02-07-2017 12:39 AM
Hi
Some more info regarding "my problem setup" ;)
Windows Radius Server
login is like domain\us_er_name
This combination works on n3k, n5k but not on n56xx
I first tried to change the password to a simple one, didn't work. With a username without _ in its name it works here on all Nexus platforms.
Hope this helps! Cheers
Alfred
02-07-2017 06:48 AM
Hello,
We could verify that in our case it was (is) a length restriction. Domain+User have to be less than 30 characters.
Appears on 5548 in 7.0(7)N1(1)
Isn't there on 5548 in 7.0(6)N1(1)
02-07-2017 10:37 PM
Seems there are different conditions hitting this bug. My domain\us_er_name combination is less than 30 chars.
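A triage sketch for the symptom discussed in this thread, added here as an example and not posted by any participant or taken from Cisco: it pairs the two sshd log messages by PID and flags the two conditions reported above (an underscore in the username, domain+user of 30 characters or more). The log lines are constructed, the function name `triage` is hypothetical, and counting the backslash toward the length is an assumption.

```python
import re

# Constructed sample in the log format quoted in the thread; users, domains
# and addresses are made up for this example.
SAMPLE_LOG = r"""
2016 Nov 22 15:57:25 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user corp\us_er_name. Error 0x404a0031 (0) - sshd[7141]
2016 Nov 22 15:57:25 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.0.2.10 - sshd[7141]
2016 Nov 22 16:02:01 switch %DAEMON-3-SYSTEM_MSG: Unable to create temporary user ad.example-services.test\xxxyyy. Error 0x404a0031 (0) - sshd[7202]
2016 Nov 22 16:05:40 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.0.2.77 - sshd[7310]
"""

CREATE_RE = re.compile(
    r"Unable to create temporary user (?P<user>\S+)\. Error 0x404a0031 "
    r"\(\d+\) - sshd\[(?P<pid>\d+)\]")
FAIL_RE = re.compile(
    r"pam_aaa:Authentication failed from (?P<src>\S+) - sshd\[(?P<pid>\d+)\]")


def triage(log_text, max_len=30):
    """Pair both messages by sshd PID and flag the conditions reported in the thread."""
    created, failed = {}, {}
    for line in log_text.splitlines():
        # Keyed by PID only: fine for a short excerpt, PIDs repeat in long logs.
        if m := CREATE_RE.search(line):
            created[m["pid"]] = m["user"]
        elif m := FAIL_RE.search(line):
            failed[m["pid"]] = m["src"]
    findings = []
    for pid, user in created.items():
        account = user.rsplit("\\", 1)[-1]  # part after DOMAIN\
        findings.append({
            "pid": pid,
            "user": user,
            "source": failed.get(pid),      # None if no pam_aaa line was seen
            "underscore": "_" in account,   # condition reported in the thread
            # Assumption: the backslash counts toward the 30-character limit.
            "too_long": len(user) >= max_len,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A pam_aaa failure with no matching "temporary user" line (sshd[7310] in the sample) is left out, since it is an ordinary authentication failure rather than this symptom.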