RE: AAA trouble....

From: NET HE (he_net@hotmail.com)
Date: Tue Feb 24 2009 - 00:56:27 ARST


Maybe it's just the logic between local and line.

I tried using a RADIUS server today, and it didn't follow this logic. When I
entered a username which hadn't been set on the RADIUS server, the authentication
failed and the RADIUS server reported "unknown username, user (abc) authentication
failed".

I used WinRadius.

Best Regards,
Net (Xin) He

> Date: Sun, 22 Feb 2009 19:18:48 -0500
> Subject: Re: AAA trouble....
> From: jandiorio@gmail.com
> To: ezorrilla@tsf.com.pe
> CC: modulartx@gmail.com; ccielab@groupstudy.com
>
> A failure occurs when an incorrect username / password is provided.
> If the user does not exist, it is not an auth failure but an error.
>
>
>
> On 2/22/09, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> > Hi there,
> >
> > Performing a debugging for a user allowed inside the router with the
> > username command:
> >
> >
> > ***************************************************************************
> > Rack1R1#
> > *Feb 22 22:22:51.693: AAA/LOCAL: exec
> > *Feb 22 22:22:51.693: AAA/BIND(0000000D): Bind i/f
> > *Feb 22 22:22:51.697: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> > *Feb 22 22:22:51.697: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'VTY'
> > *Feb 22 22:22:51.697: AAA/LOCAL/LOGIN(0000000D): get user
> > Rack1R1#
> > *Feb 22 22:23:01.769: AAA/LOCAL/LOGIN(0000000D): get password
> > Rack1R1#
> > *Feb 22 22:23:08.609: AAA/LOCAL/LOGIN(0000000D): check username/password
> > Rack1R1#
> >
> > ***************************************************************************
> >
> >
> > For a failed username and entering the line password:
> >
> >
> >
> > ***************************************************************************
> > Rack1R1#
> > *Feb 22 22:23:18.189: AAA/LOCAL: exec
> > *Feb 22 22:23:18.193: AAA/BIND(0000000E): Bind i/f
> > *Feb 22 22:23:18.193: AAA/LOCAL: new_ascii_login: tty 46A99DE8 idb 0
> > *Feb 22 22:23:18.193: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
> > *Feb 22 22:23:18.193: AAA/LOCAL/LOGIN(0000000E): get user
> > Rack1R1#
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): user www not found
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): get password
> > *Feb 22 22:23:24.885: AAA/LOCAL/LOGIN(0000000E): failover
> > *Feb 22 22:23:24.885: AAA/AUTHEN/LINE(0000000E): GET_PASSWORD
> > Rack1R1#
> > *Feb 22 22:23:31.765: AAA/AUTHEN/LINE(0000000E): PASS
> >
> > ***************************************************************************
> >
> > So, there is a message that says "failover": *Feb 22 22:23:24.885:
> > AAA/LOCAL/LOGIN(0000000E): failover
> >
> > It seems that this makes the router change from local to line
> > authentication. I understand that it shouldn't, but as a matter of fact, it
> > does.
> >
> > So what does this "failover" message mean? Does it mean switching from
> > local to line since it does not get the username? I understood, as Mod said,
> > that this is a fail issue, not an error issue, so it should not switch from
> > local to line.
> >
> > Any one ?
> >
> > Regards
> >
> > ----- Original Message -----
> > From: "Modular" <modulartx@gmail.com>
> > To: "Cisco certification" <ccielab@groupstudy.com>
> > Sent: Friday, February 20, 2009 11:19 PM
> > Subject: AAA trouble....
> >
> >
> >> I'm confused about an AAA configuration in the practice lab that I'm
> >> working on. The requirement is that someone should be able to log in using
> >> the username of cisco and password. For any other user, they should be able
> >> to log in using the password CCIE.
> >>
> >>
> >>
> >> The proctor guide has the following:
> >>
> >>
> >>
> >> aaa new-model
> >>
> >>
> >>
> >> aaa authentication login VTY local line
> >>
> >>
> >>
> >> line vty 0 4
> >>
> >> login authentication VTY
> >>
> >> password CCIE
> >>
> >>
> >>
> >>
> >>
> >> So, I thought that the way using multiple "methods" was supposed to work
> >> was that if the first method listed was tried and an "error" is received
> >> (not a fail, but an error), then the second method would be used.
> >>
> >>
> >>
> >> I set it up and it does work. If I use the username cisco I can only use the
> >> password cisco to gain access. But, if I use any other username I can access
> >> the router using the password of CCIE. How is this working? Is the router
> >> returning an "error" because the username I use is not set up on the
> >> router?
> >> If you're using RADIUS and the username you try is not configured on the
> >> RADIUS server, does the RADIUS server return an "error" or a "fail"?
> >>
> >>
> >>
> >> Thanks,
> >>
> >> Mod
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
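The behaviour the whole thread circles around can be modelled in a few dozen lines. The following Python is an added example written for this archive page; it is not code from any of the posters or from Cisco. It walks an `aaa authentication login` method list the way the debug output shows IOS doing it: a method that returns ERROR hands over to the next method in the list, a method that returns FAIL ends the attempt. For `local`, a username missing from the local database is the ERROR case (the "failover" line in Edouard's trace), while a known username with a wrong password is a FAIL. For RADIUS, a reachable server answers for unknown users too (Net He's "unknown username" reject), so that is a FAIL and no failover occurs; only an unreachable server is an ERROR. The usernames, passwords and trace strings are constructed sample data modelled on the lab config quoted above, and the treatment of a vty with no `password` configured is an assumption of this model, not something the thread shows.

```python
"""Model of how Cisco IOS walks an 'aaa authentication login' method list.

Added example for this thread, not code from the posters or from Cisco.
IOS tries the methods in order and advances only on ERROR; a FAIL stops the
attempt. local: unknown user -> ERROR ("failover"), bad password -> FAIL.
radius: Access-Reject (including for an unknown user) -> FAIL, no response
from the server -> ERROR. Sample users and passwords are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    local_users: Dict[str, str] = field(default_factory=dict)  # 'username X password Y'
    line_password: Optional[str] = None                        # 'password CCIE' on the vty
    radius_users: Optional[Dict[str, str]] = None              # None = server unreachable

    def method_local(self, user: str, pw: str, trace: List[str]) -> str:
        if user not in self.local_users:
            trace.append(f"AAA/LOCAL/LOGIN: user {user} not found")
            trace.append("AAA/LOCAL/LOGIN: failover")   # unknown user is an ERROR
            return ERROR
        trace.append("AAA/LOCAL/LOGIN: check username/password")
        return PASS if self.local_users[user] == pw else FAIL  # bad password is a FAIL

    def method_line(self, user: str, pw: str, trace: List[str]) -> str:
        trace.append("AAA/AUTHEN/LINE: GET_PASSWORD")
        if self.line_password is None:
            # Assumption of this model: with no line password the method cannot run.
            trace.append("AAA/AUTHEN/LINE: no password configured")
            return ERROR
        ok = pw == self.line_password
        trace.append(f"AAA/AUTHEN/LINE: {PASS if ok else FAIL}")
        return PASS if ok else FAIL

    def method_radius(self, user: str, pw: str, trace: List[str]) -> str:
        if self.radius_users is None:
            trace.append("RADIUS: no response from server")   # unreachable is an ERROR
            return ERROR
        if self.radius_users.get(user) == pw:
            trace.append("RADIUS: Access-Accept")
            return PASS
        # The server answers for unknown users too, so this is a FAIL, not an ERROR.
        trace.append(f"RADIUS: Access-Reject for user {user}")
        return FAIL

    def login(self, method_list: Sequence[str], user: str, pw: str) -> Tuple[str, List[str]]:
        """Walk the method list as IOS does; only ERROR advances to the next method."""
        methods = {"local": self.method_local, "line": self.method_line,
                   "radius": self.method_radius}
        trace = [f"AAA/AUTHEN/LOGIN: Pick method list {' '.join(method_list)!r}"]
        for name in method_list:
            status = methods[name](user, pw, trace)
            if status != ERROR:
                return status, trace          # PASS or FAIL: evaluation stops here
        trace.append("AAA: every method returned ERROR")
        return ERROR, trace                    # no method could decide; login is denied


def lab_router() -> Router:
    """The lab box from the thread: 'username cisco password cisco' plus 'password CCIE' on the vty."""
    return Router(local_users={"cisco": "cisco"}, line_password="CCIE")


LAB_VTY = ("local", "line")        # 'aaa authentication login VTY local line'


def describe(method_list: Sequence[str], user: str, pw: str,
             router: Optional[Router] = None) -> str:
    """Return the trace plus the final result as one printable string."""
    router = router or lab_router()
    status, trace = router.login(method_list, user, pw)
    return "\n".join(trace + [f"RESULT: {status}"])


if __name__ == "__main__":
    print(describe(LAB_VTY, "cisco", "cisco"))   # PASS from local; line never consulted
    print(describe(LAB_VTY, "cisco", "CCIE"))    # FAIL: known user, wrong password, no failover
    print(describe(LAB_VTY, "www", "CCIE"))      # PASS: unknown user -> failover -> line password
    radius_box = Router(line_password="CCIE", radius_users={"cisco": "cisco"})
    print(describe(("radius", "line"), "www", "CCIE", radius_box))  # FAIL: server rejects
```

Running it shows why the lab config satisfies the task and why Net He's RADIUS test behaved differently: with `local line`, any username that is not in the local database reaches the line password, which is exactly what "any other user logs in with CCIE" asks for, but it also means the local database only restricts the accounts it actually contains. On a production box that is rarely intended; if only local users should get a shell, the method list should stop at `local`, and `line` should be kept only as a deliberate fallback for the case where the first method cannot answer at all, such as an unreachable RADIUS server.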



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST