AAA mystery.

krishnarkrishnar
in CCIE Routing & Switching Technical

Hi Experts,

R2#sh run | sec aaa
aaa new-model
aaa authentication login default local
aaa authorization exec default if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

I have configured R2 to authorize any user who has authenticated successfully.

But when I try access from a remote router R1, the connection is not working as expected.

R2#tel 12.1.1.2
Trying 12.1.1.2 ... Open


User Access Verification

Username: krishna
Password:

R2>en
% Error in authentication.

Why is it not taking the user to enable mode since he has authenticated successfully.


Debug from R2:

R2#
*Mar  1 19:34:22.915: AAA/BIND(0000001A): Bind i/f
R2#
*Mar  1 19:34:27.899: AAA/AUTHOR (0000001A): Method=If-authen for method list id=00000000.Skip author
R2#
*Mar  1 19:34:29.155: AAA: parse name=tty227 idb type=-1 tty=-1
*Mar  1 19:34:29.155: AAA: name=tty227 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=227 channel=0
*Mar  1 19:34:29.159: AAA/MEMORY: create_user (0x654212E0) user='krishna' ruser='NULL' ds0=0 port='tty227' rem_addr='12.1.1.2' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 19:34:29.159: AAA/MEMORY: free_user (0x654212E0) user='krishna' ruser='NULL' port='tty227' rem_addr='12.1.1.2' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

 

 

· Share on FacebookShare on Twitter

Comments

  • Hari.sapkotaHari.sapkota ✭✭

    Hi Krishna,

    The "if-authenticated" method list allows us to execute the commands even if the TACACS+ server is not reachable. I think your authentication is not successful because of not having enable pasword. 

    HTH

    · Share on FacebookShare on Twitter
  • nickoneillnickoneill

    Krishna

     

    Exec = > prompt which you have so it is "working", however you get priv 1 if either the line is set to priv 1 or the user is set to priv 1.  

     

    If you want level 15 without prompt then you need to configure the user as a level 15 user and then it will bypass this.

     

    Nick

    · Share on FacebookShare on Twitter
  • somniferoussomniferous

     

    Add the command

    aaa authentication enable default enable

    enable secret yadiyada

    !!!!!

    To get straight to # prompt like mentioned earlier either

    line vy 0 4

    privilege level 15

    or

    username test privilege level 15 secret test (Doesnt work with my 3700 GNS 3-still priivilege 1)

    · Share on FacebookShare on Twitter
Sign In or Register to comment.