Username not being logged when aaa new-model is configured on Switches

I have an interesting issue on various models of switches that are operating with the 12.2(35)SE5 strain of IOS. When we configure the following commands, the username is not logged upon a successful login:

aaa new-model
aaa authentication login PHY_ACCESS local
aaa authentication login REMOTE local
aaa authorization console
aaa authorization exec PHY_ACCESS local 
aaa authorization exec REMOTE local 

login on-success

line vty 0 4
 access-class CONN_IN in
 exec-timeout 15 0
 privilege level 5
 authorization exec REMOTE
 logging synchronous
 login authentication REMOTE

%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: a.b.c.d]  [localport: 23] at 11:08:30

 

On a switch that has 12.2(55)SE3, the username is logged upon a successful login with the exact same configuration applied.

 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: a.b.c.d] [localport: 23] at 11:37:40

 

If we remove the AAA configuration on the switches running 12.2(35)SE5, the username is logged correctly.

 

Any ideas???
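
A check for the symptom described in the post above, as an added example that is not part of the original thread: it parses %SEC_LOGIN-5-LOGIN_SUCCESS messages in the layout quoted in the post and counts, per device, the successful logins whose username field is empty and therefore cannot be attributed to an account. The device names, addresses and sample messages are constructed, and pairing each message with a device name is an assumption about how the log collector stores them.

```python
import re
from collections import Counter

# Field layout taken from the two LOGIN_SUCCESS lines quoted in the post.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user:\s*(?P<user>[^\]]*?)\s*\]\s*"
    r"\[Source:\s*(?P<source>[^\]]*?)\s*\]\s*"
    r"\[localport:\s*(?P<port>\d+)\s*\]"
)

def parse_login_success(message):
    """Return the fields of a LOGIN_SUCCESS message, or None for any other message."""
    m = LOGIN_RE.search(message)
    if m is None:
        return None
    return {"user": m.group("user"),
            "source": m.group("source"),
            "port": int(m.group("port"))}

def unattributed_logins(events):
    """events: iterable of (device, message) pairs (assumed collector format).
    Returns (device, source) for each successful login with a blank username."""
    hits = []
    for device, message in events:
        fields = parse_login_success(message)
        if fields is not None and fields["user"] == "":
            hits.append((device, fields["source"]))
    return hits

def devices_missing_usernames(events):
    """Count blank-username logins per device, to find switches needing follow-up."""
    return Counter(device for device, _ in unattributed_logins(events))

# Constructed sample input: device names and 192.0.2.x addresses are placeholders.
SAMPLE = [
    ("sw-old-01", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] "
                  "[Source: 192.0.2.10]  [localport: 23] at 11:08:30"),
    ("sw-new-01", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] "
                  "[Source: 192.0.2.10] [localport: 23] at 11:37:40"),
    ("sw-old-01", "%SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)"),
    ("sw-old-02", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] "
                  "[Source: 192.0.2.22]  [localport: 23] at 11:09:02"),
]

if __name__ == "__main__":
    for device, count in sorted(devices_missing_usernames(SAMPLE).items()):
        print(f"{device}: {count} successful login(s) with no username")
```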

2 Replies

John Blakley
VIP Alumni

It seems like an IOS issue at first glance. You could search the bug database to see if this applies to your version:

https://tools.cisco.com/bugsearch/

HTH,

John


glen.grant
VIP Alumni

How do you have your logging levels set up for console, buffer, etc.? Compare them and make sure the ones that don't work match the ones that do work for your logging statements.