aaa issue with none method

kpjungle Member Posts: 426
Hi,

I am doing some tests with aaa, and I found a gotcha I can't quite explain.

If I configure aaa in the following way for logins:

aaa authentication login MYTEST local none

What I expect to happen is that the user will be authenticated with the local user database, and only in case of an error querying this or a timeout will the none option be used. However, the result I see when applying this list to a vty line (login authentication MYTEST) is that if I enter an incorrect username, it will allow me into the router... Not what I had expected. Debug aaa authentication doesn't give any reason as to why this action was taken.

Anyone able to clarify this?
Studying for CCNP (All done)

Comments

  • networker050184 Mod Posts: 11,962
    That's odd. I just labbed it up myself and, just as I thought, it doesn't allow me to get through using your exact config after failed attempts. Are you sure you do not have anything extra on there?
    aaa new-model
    !
    !
    aaa authentication login MYTEST local none
    !
    !
    username user password 0 cisco
    !
    line vty 0 4
     login authentication MYTEST
    line vty 5 15
     login authentication MYTEST
    !
    !
    R1#debug aaa authen
    AAA Authentication debugging is on
    R1#debug aaa pro local
    AAA Local debugs debugging is on
    R1#
    *Mar  1 00:11:06.847: AAA/LOCAL: exec
    *Mar  1 00:11:06.855: AAA/BIND(00000005): Bind i/f
    *Mar  1 00:11:06.863: AAA/LOCAL: new_ascii_login: tty 64CC1D34 idb 0
    *Mar  1 00:11:06.867: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
    *Mar  1 00:11:06.879: AAA/LOCAL/LOGIN(00000005): get user
    R1#
    *Mar  1 00:11:09.619: AAA/LOCAL/LOGIN(00000005): get password
    R1#
    *Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): check username/password
    *Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): invalid username/password
    R1#
    *Mar  1 00:11:14.763: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
    *Mar  1 00:11:14.771: AAA/LOCAL/LOGIN(00000005): get user
    R1#
    *Mar  1 00:11:20.779: AAA/LOCAL/LOGIN(00000005): get password
    *Mar  1 00:11:21.771: AAA/LOCAL/LOGIN(00000005): check username/password
    *Mar  1 00:11:21.771: AAA/LOCAL/LOGIN(00000005): invalid username/password
    R1#
    *Mar  1 00:11:23.783: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
    *Mar  1 00:11:23.791: AAA/LOCAL/LOGIN(00000005): get user
    R1#
    *Mar  1 00:11:28.139: AAA/LOCAL/LOGIN(00000005): get password
    *Mar  1 00:11:28.943: AAA/LOCAL/LOGIN(00000005): check username/password
    *Mar  1 00:11:28.947: AAA/LOCAL/LOGIN(00000005): invalid username/password
    
    
    
    R2#telnet 10.0.0.1
    Trying 10.0.0.1 ... Open
    
    
    User Access Verification
    
    Username: user
    Password:
    
    % Authentication failed
    
    Username: user
    Password:
    
    % Authentication failed
    
    Username: user
    Password:
    
    % Authentication failed
    
    [Connection to 10.0.0.1 closed by foreign host]
    R2#
    
    An expert is a man who has made all the mistakes which can be made.
  • kpjungle Member Posts: 426
    Not that I can see:
    aaa new-model
    !
    !
    aaa authentication login MYTEST local none
    !
    line vty 0 4
     login authentication MYTEST
    

    Gives me this:

    R1#telnet 192.168.12.2
    Trying 192.168.12.2 ... Open


    User Access Verification

    Username: baduser
    R2>

    and the debug output on R2 (thanks to your help with the debug aaa protocol local):
    *Mar 1 00:04:47.903: AAA/LOCAL: exec
    *Mar 1 00:04:47.915: AAA/LOCAL: new_ascii_login: tty 64CB46C4 idb 0
    *Mar 1 00:04:47.931: AAA/LOCAL/LOGIN(00000006): get user
    R2#
    *Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): user baduser not found
    *Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): get password
    *Mar 1 00:04:52.419: AAA/LOCAL/LOGIN(00000006): failover


    Strange...
    Studying for CCNP (All done)
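The two debug captures above differ in one line: the rejected login ends in `invalid username/password`, while the unknown username ends in `failover`, after which the next method in the list (here `none`) decides. The following added example, which is not code from any poster in this thread, groups `AAA/LOCAL/LOGIN` debug lines by session id and reports the sessions that failed over; the function names are assumptions made for illustration.

```python
import re

# Debug lines copied from the two posts above (output of "debug aaa
# authentication" and "debug aaa protocol local"), trimmed to the local method.
SAMPLE_DEBUG = """\
*Mar 1 00:04:47.931: AAA/LOCAL/LOGIN(00000006): get user
*Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): user baduser not found
*Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): get password
*Mar 1 00:04:52.419: AAA/LOCAL/LOGIN(00000006): failover
*Mar  1 00:11:06.879: AAA/LOCAL/LOGIN(00000005): get user
*Mar  1 00:11:09.619: AAA/LOCAL/LOGIN(00000005): get password
*Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): invalid username/password
"""

LINE = re.compile(r"AAA/LOCAL/LOGIN\s*\((?P<sid>[0-9A-Fa-f]+)\):\s*(?P<msg>.+?)\s*$")
NOT_FOUND = re.compile(r"user (?P<user>\S+) not found")


def classify_sessions(debug_text):
    """Group AAA/LOCAL/LOGIN lines by session id and record how each ended."""
    sessions = {}
    for raw in debug_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a local-method login line
        state = sessions.setdefault(m["sid"], {"user": None, "outcome": "incomplete"})
        msg = m["msg"]
        unknown = NOT_FOUND.fullmatch(msg)
        if unknown:
            state["user"] = unknown["user"]
        elif msg == "failover":
            # local gave up without a verdict; the next method in the list decides
            state["outcome"] = "failover"
        elif msg == "invalid username/password" and state["outcome"] != "failover":
            state["outcome"] = "rejected"
    return sessions


def failover_alerts(debug_text):
    """Return (session id, unknown username) for every session that failed over."""
    return [(sid, s["user"]) for sid, s in classify_sessions(debug_text).items()
            if s["outcome"] == "failover"]


if __name__ == "__main__":
    for sid, user in failover_alerts(SAMPLE_DEBUG):
        print(f"session {sid}: unknown user {user!r} was passed to the next method")
```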
  • networker050184 Mod Posts: 11,962
    Hmmm it let me in when I used a user name that is not defined. Not sure why that is though....
    Cisco wrote:
    The list-name is a character string used to name the list you are creating. The method argument refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

    I guess the bad user name is considered an error and not a "fail".
    An expert is a man who has made all the mistakes which can be made.
  • fonque Member Posts: 92
    networker050184 wrote: »
    Hmmm it let me in when I used a user name that is not defined. Not sure why that is though....

    I guess the bad user name is considered an error and not a "fail".

    Did this happen with or without a username/password configured on the switch?

    networker050184 - in your config you have the line
    username user password 0 cisco

    kpjungle - do you have any usernames configured for your local database?
    My assumption would be that you do not, hence the fail instead of an invalid.
    I program my heart to beat breakbeats and hum basslines in exhalation.... matter, verse, spirit
  • networker050184 Mod Posts: 11,962
    fonque wrote: »
    networker050184 - in your config you have the line
    username user password 0 cisco

    Yes, but when I tried to log in with a username not defined it let me in.


    With a username that is defined and bad password it will not let you in.
    An expert is a man who has made all the mistakes which can be made.
  • kpjungle Member Posts: 426
    fonque wrote: »
    Did this happen with or without a username/password configured on the switch?

    networker050184 - in your config you have the line
    username user password 0 cisco

    kpjungle - do you have any usernames configured for your local database?
    My assumption would be that you do not, hence the fail instead of an invalid.

    Yeah, I had a username defined in the local database (defined through username something pass something).

    The behavior I would expect would be to only receive a failure if the local database wasn't working or timed out.
    Studying for CCNP (All done)
  • prem.annuniv@gmail.com Member Posts: 1
    Hi,
    First of all, let me tell you... what you have seen is a special functionality of the "local" method.
    The aaa authentication will fall back to the next method if the username is not correct. Even if you have a local username configured in the router, if you give an incorrect username and an incorrect password you'll be authenticated, or even with an incorrect username and a correct password... and to add to this topic...

    It is authenticated into > mode if none is after local.

    If there is a config such as "line local radius"... and if there is no line password, and a local username and password and RADIUS are configured, if you give raduser and raduser, or any username and password in radusr... you'll expect an authentication failure, as a user is present locally and with a wrong username and password fallback to RADIUS doesn't take place, but to your surprise fallback to RADIUS will take place and you will be authenticated.


    Only if local is your first method, such as "local radius", failover doesn't take place.... try this!

    I am actually not sure why this feature exists... and I'll find out and reply in a couple of days...!
  • PStefanov Member Posts: 79
    kpjungle wrote: »
    Hi,

    I am doing some tests with aaa, and I found a gotcha I can't quite explain.

    If I configure aaa in the following way for logins:

    aaa authentication login MYTEST local none

    What I expect to happen is that the user will be authenticated with the local user database, and only in case of an error querying this or a timeout will the none option be used. However, the result I see when applying this list to a vty line (login authentication MYTEST) is that if I enter an incorrect username, it will allow me into the router... Not what I had expected. Debug aaa authentication doesn't give any reason as to why this action was taken.

    Anyone able to clarify this?

    This is exactly what you would expect.

    Remember that when you specify multiple methods in a aaa command, and when the first method is unavailable, then and only then a second method might be used if configured. That is, if the first method returns an "authentication failed" (for example, you've typed in wrong username or password), then the second method is NOT consulted. Only if the router fails to communicate via the first method (for instance, is not able to communicate with a RADIUS server), then the second method is consulted. Fallback does not happen for failed authentication.

    HTH,
    Pavel
  • networker050184 Mod Posts: 11,962
    PStefanov wrote: »
    This is exactly what you would expect.

    Remember that when you specify multiple methods in a aaa command, and when the first method is unavailable, then and only then a second method might be used if configured. That is, if the first method returns an "authentication failed" (for example, you've typed in wrong username or password), then the second method is NOT consulted. Only if the router fails to communicate via the first method (for instance, is not able to communicate with a RADIUS server), then the second method is consulted. Fallback does not happen for failed authentication.

    HTH,
    Pavel

    That is what I thought as well, but if you type the wrong user name it will go to the next method with the above configuration. If you use a wrong password it will not go to the next method though which is what I found strange.
    An expert is a man who has made all the mistakes which can be made.
  • PStefanov Member Posts: 79
    Yes, you are correct. I just labbed this up and you are absolutely right. Thanks for pointing this out.
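The thread shows that a login method list ending in `none` lets an unknown username straight in, so it is worth checking which lines a configuration exposes this way. The following added example (not code from anyone in this thread) parses IOS-style configuration text and reports every `line` stanza whose login method list contains `none`; the SAFE list and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the MYTEST configuration from this thread, plus a
# hypothetical list named SAFE (local only) on the console for contrast.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login MYTEST local none
aaa authentication login SAFE local
username user password 0 cisco
line con 0
 login authentication SAFE
line vty 0 4
 login authentication MYTEST
line vty 5 15
 login authentication MYTEST
"""


def parse_method_lists(config):
    """Return {list name: [methods]} for every 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def lines_using(config):
    """Map each 'line ...' stanza to the login method list it references."""
    usage, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line.strip()
            usage[current] = "default"  # with aaa new-model, no explicit list means 'default'
        elif current and line.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", line)
            if m:
                usage[current] = m.group(1)
        else:
            current = None  # left the line stanza
    return usage


def audit(config):
    """Return (line, list name, methods) for lines whose login list contains 'none'."""
    lists = parse_method_lists(config)
    return [(line, name, lists[name]) for line, name in lines_using(config).items()
            if "none" in lists.get(name, [])]
```

Run `audit()` over a saved running configuration; an empty result means no line's login list falls through to `none`.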