aaa issue with none method
Hi,
I am doing some tests with aaa, and I found a gotcha I cant quite explain.
If i configure aaa in the following way for logins:
aaa authentication login MYTEST local none
What i expect to happen is that the user will be authenticated with the local user database, and only in case of error querying this or timeout will the none option be used. However, the result i see when applying this list to a vty line (login authentication MYTEST), is that if i enter in an incorrect username, it will allow me into the router... Not what I had expected. Debug aaa authentication doesnt give any reason as to why this action was taken.
Anyone able to clarify this?
Studying for CCNP (All done)
Comments
Not that I can see:
Gives me this:
R1#telnet 192.168.12.2
Trying 192.168.12.2 ... Open
User Access Verification
Username: baduser
R2>
and the debug output on R2 (thanks to your help with the debug aaa protocol local):
*Mar 1 00:04:47.903: AAA/LOCAL: exec
*Mar 1 00:04:47.915: AAA/LOCAL: new_ascii_login: tty 64CB46C4 idb 0
*Mar 1 00:04:47.931: AAA/LOCAL/LOGIN(00000006): get user
R2#
*Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): user baduser not found
*Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): get password
*Mar 1 00:04:52.419: AAA/LOCAL/LOGIN(00000006): failover
Strange...
I guess the bad user name is considered an error and not a "fail".
Did this happen with or without a username/password configured on the switch?
networker050184 - in your config you have the line
username user password 0 cisco
kpjungle - do you have any usernames configured for your local database?
My assumption would be that you do not, hence the fail instead of an invalid.
Yes, but when I tried to log in with a username not defined it let me in.
With a username that is defined and bad password it will not let you in.
Yeah, I had a username defined in the local database (defined through "username something password something").
The behavior I would expect would be to only receive a failure if the local database wasn't working or timed out.
First of all, let me tell you: what you have seen is a special functionality of the "local" method.
The AAA authentication will fall back to the next method if the username is not correct, even if you have a local username configured in the router. If you give an incorrect username and an incorrect password, you will be authenticated, or even an incorrect username and a correct password. And to add to this topic...
It is authenticated into > mode if none is after local.
If there is a config such as "line local radius", there is no line password, and a local username and password and RADIUS are configured, then if you give raduser/raduser, or any username and password in the RADIUS user database, you would expect an authentication failure, as the user is present locally and with a wrong username and password fallback to RADIUS doesn't take place; but to your surprise fallback to RADIUS will take place and you will be authenticated.
Only if local is your first method, such as "local radius", failover doesn't take place... try this!
I am actually not sure why this feature exists, and will find out and reply in a couple of days!
This is exactly what you would expect.
Remember that when you specify multiple methods in an aaa command, and when the first method is unavailable, then and only then a second method might be used if configured. That is, if the first method returns an "authentication failed" (for example, you've typed in a wrong username or password), then the second method is NOT consulted. Only if the router fails to communicate via the first method (for instance, is not able to communicate with a RADIUS server) is the second method consulted. Fallback does not happen for failed authentication.
HTH,
Pavel
That is what I thought as well, but if you type the wrong user name it will go to the next method with the above configuration. If you use a wrong password it will not go to the next method though which is what I found strange.
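To make the difference between a "fail" and an "error" visible, here is an added simulation of how a login method list is walked. It is my own illustration, not code from the original posts and not IOS code: the local user, the RADIUS user and the `radius_up` flag are constructed, the `local` method is modelled on the "user baduser not found" / "failover" debug lines above (unknown username is an error, known username with a wrong password is a fail), and the "every method errored, deny" ending is an assumption of the model. It reproduces the cases discussed in the thread: `local none` with an unknown username, `local none` with a known username and wrong password, the `local radius` case, and RADIUS timing out in front of `local`.

```python
"""Model of IOS AAA login method-list evaluation (added illustration, not IOS code).

Each method answers PASS, FAIL or ERROR. The list is walked in order: FAIL ends
the list with a deny, ERROR (method unavailable) moves on to the next method.
The 'local' method follows the debug output in this thread: an unknown username
logs "user ... not found" and then "failover" (ERROR), while a known username
with a wrong password is a FAIL, so no fallback happens.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed local user database, as if configured with
#   username user password 0 cisco
LOCAL_USERS = {"user": "cisco"}

# Constructed RADIUS user database; ctx["radius_up"] = False models an
# unreachable server (timeout), which is the ERROR case the poster expected.
RADIUS_USERS = {"raduser": "raduser"}


def method_local(username, password, ctx):
    if username not in LOCAL_USERS:
        return Result.ERROR  # "user X not found" -> "failover" in the debug
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL


def method_none(username, password, ctx):
    return Result.PASS  # 'none' never checks anything


def method_radius(username, password, ctx):
    if not ctx.get("radius_up", True):
        return Result.ERROR  # no reply from the server: try the next method
    if RADIUS_USERS.get(username) == password:
        return Result.PASS  # Access-Accept
    return Result.FAIL  # Access-Reject, also for unknown users


METHODS = {"local": method_local, "none": method_none, "radius": method_radius}

# Method lists under discussion (the first is the weak one from the question).
WEAK_LIST = ["local", "none"]       # aaa authentication login MYTEST local none
SAFER_LIST = ["local"]              # aaa authentication login MYTEST local
LOCAL_RADIUS = ["local", "radius"]
RADIUS_LOCAL = ["radius", "local"]


def authenticate(method_list, username, password, ctx=None):
    """Walk the list; return (granted, trace) where trace is [(method, result)]."""
    ctx = ctx or {}
    trace = []
    for name in method_list:
        result = METHODS[name](username, password, ctx)
        trace.append((name, result.value))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace  # FAIL is final: no fallback
        # ERROR: fall through to the next method
    return False, trace  # every method errored: deny (modelling assumption)


if __name__ == "__main__":
    cases = [
        (WEAK_LIST, "baduser", "anything"),    # unknown user -> let in by 'none'
        (WEAK_LIST, "user", "wrong"),          # known user, bad password -> denied
        (SAFER_LIST, "baduser", "anything"),   # no 'none' to fall to -> denied
        (LOCAL_RADIUS, "raduser", "raduser"),  # unknown locally -> RADIUS decides
        (RADIUS_LOCAL, "user", "cisco", {"radius_up": False}),  # server down
    ]
    for case in cases:
        granted, trace = authenticate(*case)
        print(case[0], case[1], "->", "ACCESS" if granted else "DENY", trace)
```

Running it prints the trace for each case. The practical point is the first line of output: with `local none` any username that is not in the local database reaches `none` and is let straight in, so `none` should not sit behind `local` on a vty list; keep it, if at all, on a separate list bound only to the console.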