aaa issue with none method

Hi,

I am doing some tests with aaa, and I found a gotcha I cant quite explain.

If i configure aaa in the following way for logins:

aaa authentication login MYTEST local none

What i expect to happen is that the user will be authenticated with the local user database, and only in case of error querying this or timeout will the none option be used. However, the result i see when applying this list to a vty line (login authentication MYTEST), is that if i enter in an incorrect username, it will allow me into the router... Not what I had expected. Debug aaa authentication doesnt give any reason as to why this action was taken.

Anyone able to clarify this?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

networker050184

That's odd. I just labed it up myself and just as I though it doesn't allow me to get through using your exact config after failed attempts. Are you sure you do not have anything extra on there?

aaa new-model
!
!
aaa authentication login MYTEST local none
!
!
username user password 0 cisco
!
line vty 0 4
 login authentication MYTEST
line vty 5 15
 login authentication MYTEST
!
!
R1#debug aaa authen
AAA Authentication debugging is on
R1#debug aaa pro local
AAA Local debugs debugging is on
R1#
*Mar  1 00:11:06.847: AAA/LOCAL: exec
*Mar  1 00:11:06.855: AAA/BIND(00000005): Bind i/f
*Mar  1 00:11:06.863: AAA/LOCAL: new_ascii_login: tty 64CC1D34 idb 0
*Mar  1 00:11:06.867: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
*Mar  1 00:11:06.879: AAA/LOCAL/LOGIN(00000005): get user
R1#
*Mar  1 00:11:09.619: AAA/LOCAL/LOGIN(00000005): get password
R1#
*Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): invalid username/password
R1#
*Mar  1 00:11:14.763: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
*Mar  1 00:11:14.771: AAA/LOCAL/LOGIN(00000005): get user
R1#
*Mar  1 00:11:20.779: AAA/LOCAL/LOGIN(00000005): get password
*Mar  1 00:11:21.771: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:21.771: AAA/LOCAL/LOGIN(00000005): invalid username/password
R1#
*Mar  1 00:11:23.783: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
*Mar  1 00:11:23.791: AAA/LOCAL/LOGIN(00000005): get user
R1#
*Mar  1 00:11:28.139: AAA/LOCAL/LOGIN(00000005): get password
*Mar  1 00:11:28.943: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:28.947: AAA/LOCAL/LOGIN(00000005): invalid username/password



R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: user
Password:

% Authentication failed

Username: user
Password:

% Authentication failed

Username: user
Password:

% Authentication failed

[Connection to 10.0.0.1 closed by foreign host]
R2#

kpjungle

networker050184 wrote:

That's odd. I just labed it up myself and just as I though it doesn't allow me to get through using your exact config after failed attempts. Are you sure you do not have anything extra on there?

aaa new-model
!
!
aaa authentication login MYTEST local none
!
!
username user password 0 cisco
!
line vty 0 4
 login authentication MYTEST
line vty 5 15
 login authentication MYTEST
!
!
R1#debug aaa authen
AAA Authentication debugging is on
R1#debug aaa pro local
AAA Local debugs debugging is on
R1#
*Mar  1 00:11:06.847: AAA/LOCAL: exec
*Mar  1 00:11:06.855: AAA/BIND(00000005): Bind i/f
*Mar  1 00:11:06.863: AAA/LOCAL: new_ascii_login: tty 64CC1D34 idb 0
*Mar  1 00:11:06.867: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
*Mar  1 00:11:06.879: AAA/LOCAL/LOGIN(00000005): get user
R1#
*Mar  1 00:11:09.619: AAA/LOCAL/LOGIN(00000005): get password
R1#
*Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:12.751: AAA/LOCAL/LOGIN(00000005): invalid username/password
R1#
*Mar  1 00:11:14.763: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
*Mar  1 00:11:14.771: AAA/LOCAL/LOGIN(00000005): get user
R1#
*Mar  1 00:11:20.779: AAA/LOCAL/LOGIN(00000005): get password
*Mar  1 00:11:21.771: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:21.771: AAA/LOCAL/LOGIN(00000005): invalid username/password
R1#
*Mar  1 00:11:23.783: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MYTEST'
*Mar  1 00:11:23.791: AAA/LOCAL/LOGIN(00000005): get user
R1#
*Mar  1 00:11:28.139: AAA/LOCAL/LOGIN(00000005): get password
*Mar  1 00:11:28.943: AAA/LOCAL/LOGIN(00000005): check username/password
*Mar  1 00:11:28.947: AAA/LOCAL/LOGIN(00000005): invalid username/password



R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: user
Password:

% Authentication failed

Username: user
Password:

% Authentication failed

Username: user
Password:

% Authentication failed

[Connection to 10.0.0.1 closed by foreign host]
R2#

Not that I can see:

aaa new-model
!
!
aaa authentication login MYTEST local none
!
line vty 0 4
 login authentication MYTEST

Gives me this:

R1#telnet 192.168.12.2
Trying 192.168.12.2 ... Open

User Access Verification

Username: baduser
R2>

and the debug output on R2 (thanks to your help with the debug aaa protocol local):
*Mar 1 00:04:47.903: AAA/LOCAL: exec
*Mar 1 00:04:47.915: AAA/LOCAL: new_ascii_login: tty 64CB46C4 idb 0
*Mar 1 00:04:47.931: AAA/LOCAL/LOGIN(00000006): get user
R2#
*Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): user baduser not found
*Mar 1 00:04:52.415: AAA/LOCAL/LOGIN(00000006): get password
*Mar 1 00:04:52.419: AAA/LOCAL/LOGIN(00000006): failover

Strange...

networker050184

Hmmm it let me in when I used a user name that is not defined. Not sure why that is though....

Cisco wrote:

The list-name is a character string used to name the list you are creating. The method argument refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

I guess the bad user name is considered an error and not a "fail".

fonque

networker050184 wrote: »

Hmmm it let me in when I used a user name that is not defined. Not sure why that is though....

I guess the bad user name is considered an error and not a "fail".

did this happen with or without a username/password configured on the switch?

networker050184 - in your config you have the line
username user password 0 cisco

kpjungle - do you have any usernames configured for your local database?
my assumption would be that you do not, hence the fail instead of a invalid

networker050184

fonque wrote: »

networker050184 - in your config you have the line
username user password 0 cisco

Yes, but when I tried to log in with a username not defined it let me in.

With a username that is defined and bad password it will not let you in.

kpjungle

fonque wrote: »

did this happen with or without a username/password configured on the switch?

networker050184 - in your config you have the line
username user password 0 cisco

kpjungle - do you have any usernames configured for your local database?
my assumption would be that you do not, hence the fail instead of a invalid

Yeah, I had a username defined in the local database (defined through. username something pass something).

The behavior I would expect would be to only receive a failure if the local database wasnt working or timeout.

prem.annuniv@gmail.com

hi ,
First of all lemme tell....what u have seen is a special functionality of "local" method .
the aaa authentication will fallback to the next method if username is not correct ,even if tou have a local username configured in router and if you give incorrect username and a incorrect password u ll be authenticated or even if incorrect username n correct password...n to add to this topic...

it is authenticated into > mode if none is after local

if there is a config such that "line local radius"...and if there is no line pass and local usrname n pass n radius is configured , if u give raduser n raduser or any username n passwrd in radusr...u ll expect an authentication failure as user is present locally and with wrong username n pass fallback 2 radius doesnt take place but to ur suprise fallback to radius will take place and u will be authenticated.

only if local is your first mehtod such as"local radius" failover doesnt take place....try this!!!!!!!!!

i am actually not sure y this feature is existing...n ll find and reply in a couple of days...!!!!!

PStefanov

kpjungle wrote: »

Hi,

I am doing some tests with aaa, and I found a gotcha I cant quite explain.

If i configure aaa in the following way for logins:

aaa authentication login MYTEST local none

What i expect to happen is that the user will be authenticated with the local user database, and only in case of error querying this or timeout will the none option be used. However, the result i see when applying this list to a vty line (login authentication MYTEST), is that if i enter in an incorrect username, it will allow me into the router... Not what I had expected. Debug aaa authentication doesnt give any reason as to why this action was taken.

Anyone able to clarify this?

This is exactly what you would expect.

Remember that when you specify multiple methods in a aaa command, and when the first method is unavailable, then and only then a second method might be used if configured. That is, if the first method returns an "authentication failed" (for example, you've typed in wrong username or password), then the second method is NOT consulted. Only if the router fails to communicate via the first method (for instance, is not able to communicate with a RADIUS server), then the second method is consulted. Fallback does not happen for failed authentication.

HTH,
Pavel

networker050184

PStefanov wrote: »

This is exactly what you would expect.

Remember that when you specify multiple methods in a aaa command, and when the first method is unavailable, then and only then a second method might be used if configured. That is, if the first method returns an "authentication failed" (for example, you've typed in wrong username or password), then the second method is NOT consulted. Only if the router fails to communicate via the first method (for instance, is not able to communicate with a RADIUS server), then the second method is consulted. Fallback does not happen for failed authentication.

HTH,
Pavel

That is what I thought as well, but if you type the wrong user name it will go to the next method with the above configuration. If you use a wrong password it will not go to the next method though which is what I found strange.

PStefanov

Yes, you are correct. I just labbed this up and you are absolutely right. Thanks for point this out.