Debugging Authentication on IOS
I’ve set up a very basic lab to test the AAA output for the CCNA Security exam.
Both routers have direct connectivity, with R2 having AAA configured as follows:
R2#show run | I aaa
aaa new-model
aaa authentication login default group tacacs+ group radius local
aaa authentication enable default enable
Note that the enable mode has been set to use the
R2#show run | i enable
aaa authentication enable default enable
R2#show run | i secret
R2#show run | I user
username test password 0 test
Connecting from R1 lets me authenticate against the local database on R2, since tacacs+ and radius are unreachable, but I am denied access to enable mode because no enable secret has been configured for the enable method.
I receive the following debug output from R2 with debug aaa authentication enabled.
*Mar 1 00:11:33.927: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:11:33.927: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:11:33.927: AAA/MEMORY: create_user (0x673E89B8) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): using "default" list
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): Method=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): can't find any passwords
R2(config)#
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): no methods left to try
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): failed to authenticate
*Mar 1 00:11:33.927: AAA/MEMORY: free_user (0x673E89B8) user='test' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Requesting access to enable mode on R2 shows the following output:
*Mar 1 00:12:44.543: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:12:44.543: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:12:44.543: AAA/MEMORY: create_user (0x673E89B8) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:12:44.543: AAA/AUTHEN/START (2304815847): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:12:44.543: AAA/AUTHEN/START (2304815847): using "default" list
*Mar 1 00:12:44.543: AAA/AUTHEN/START (2304815847): Method=ENABLE
*Mar 1 00:12:44.543: AAA/AUTHEN(2304815847): Status=GETPASS
If the user enters an incorrect password, the following is seen:
*Mar 1 00:13:25.795: AAA/AUTHEN/CONT (3571181896): continue_login (user='(undef)')
*Mar 1 00:13:25.795: AAA/AUTHEN(3571181896): Status=GETPASS
*Mar 1 00:13:25.795: AAA/AUTHEN/CONT (3571181896): Method=ENABLE
*Mar 1 00:13:25.803: AAA/AUTHEN(3571181896): password incorrect
*Mar 1 00:13:25.803: AAA/AUTHEN(3571181896): Status=FAIL
*Mar 1 00:13:25.803: AAA/MEMORY: free_user (0x673E89B8) user='NULL' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
With the correct enable secret password:
R2(config)#
*Mar 1 00:14:03.923: AAA/AUTHEN/CONT (2016241765): continue_login (user='(undef)')
*Mar 1 00:14:03.923: AAA/AUTHEN(2016241765): Status=GETPASS
*Mar 1 00:14:03.923: AAA/AUTHEN/CONT (2016241765): Method=ENABLE
*Mar 1 00:14:03.927: AAA/AUTHEN(2016241765): Status=PASS
*Mar 1 00:14:03.927: AAA/MEMORY: free_user (0x673E89B8) user='NULL' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Changing the enable method list to use radius and then tacacs+ instead of the enable password shows the following when trying to enter enable mode on R2 from R1:
R2>en
% Error in authentication.
R2>
The debug output on R2 shows:
*Mar 1 00:19:09.155: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:19:09.155: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:19:09.155: AAA/MEMORY: create_user (0x673E89B8) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): using "default" list
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=radius (radius)
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
R2(config)#
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=tacacs+ (tacacs+)
*Mar 1 00:19:09.155: TAC+: send AUTHEN/START packet ver=192 id=1099401461
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): no methods left to try
*Mar 1 00:19:09.159: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.159: AAA/AUTHEN/START (1099401461): failed to authenticate
*Mar 1 00:19:09.159: AAA/MEMORY: free_user (0x673E89B8) user='test' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
R1 isn't able to enter enable mode because the radius and tacacs+ servers aren't reachable: each method returns ERROR rather than FAIL, so AAA moves on to the next method until none are left.
Setting R2 to 'aaa authentication login default local enable' and then logging in successfully from R1 looks like this:
*Mar 1 00:35:13.083: AAA/BIND(0000000D): Bind i/f
*Mar 1 00:35:13.087: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'default'
R2(config)#
*Mar 1 00:35:15.347: AAA/AUTHOR (0000000D): Method list id=0 not configured. Skip author
R2(config)#
*Mar 1 00:35:19.119: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:35:19.119: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:35:19.119: AAA/MEMORY: create_user (0x65066540) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): non-console enable - default to enable password
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): Method=ENABLE
R2(config)#
*Mar 1 00:35:19.119: AAA/AUTHEN(1903991603): Status=GETPASS
*Mar 1 00:35:19.915: AAA/AUTHEN/CONT (1903991603): continue_login (user='(undef)')
*Mar 1 00:35:19.915: AAA/AUTHEN(1903991603): Status=GETPASS
*Mar 1 00:35:19.915: AAA/AUTHEN/CONT (1903991603): Method=ENABLE
*Mar 1 00:35:19.923: AAA/AUTHEN(1903991603): Status=PASS
*Mar 1 00:35:19.923: AAA/MEMORY: free_user (0x65066540) user='NULL' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
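Reading these traces by hand works for a lab, but on a busy router the same questions (which methods were tried, in what order, and why the session ended) are easier to answer by grouping lines per AAA session id. The following Python script is an added example, not part of the original post and not a Cisco tool; it parses a constructed sample in the same debug aaa authentication format as the output above and reports, per session, the methods tried, the final Status and the reason text.

```python
import re

# Constructed sample of 'debug aaa authentication' lines in the format shown on
# this page: no enable secret, unreachable radius/tacacs+, and a successful enable.
SAMPLE_LOG = """\
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): Method=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): can't find any passwords
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): no methods left to try
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=radius (radius)
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=tacacs+ (tacacs+)
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): no methods left to try
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): Method=ENABLE
*Mar 1 00:35:19.119: AAA/AUTHEN(1903991603): Status=GETPASS
*Mar 1 00:35:19.915: AAA/AUTHEN/CONT (1903991603): Method=ENABLE
*Mar 1 00:35:19.923: AAA/AUTHEN(1903991603): Status=PASS
"""

# Matches AAA/AUTHEN/START (id), AAA/AUTHEN/CONT (id) and AAA/AUTHEN(id) lines.
LINE_RE = re.compile(r"AAA/AUTHEN(/START|/CONT)? ?\((\d+)\): (.*)$")
REASONS = {"can't find any passwords", "password incorrect", "no methods left to try"}

def summarize_sessions(log_text):
    # Group lines by session id; only START lines name a newly tried method,
    # CONT lines repeat the method that is already in progress.
    sessions = {}
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        kind, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"methods": [], "status": None, "reasons": []})
        if kind == "/START" and msg.startswith("Method="):
            s["methods"].append(msg[7:].split(" ")[0])
        elif msg.startswith("Status="):
            s["status"] = msg[7:]
        elif msg in REASONS:
            s["reasons"].append(msg)
    return sessions

def diagnose(s):
    # ERROR means a method could not be consulted (AAA falls through to the
    # next one); FAIL means a method answered and rejected the credentials.
    if s["status"] == "PASS":
        return "authenticated via " + "/".join(s["methods"])
    if "can't find any passwords" in s["reasons"]:
        return "no enable secret/password set for Method=ENABLE"
    if s["status"] == "FAIL":
        return "credentials rejected (FAIL stops the method list)"
    if "no methods left to try" in s["reasons"]:
        return "all methods returned ERROR (server unreachable), tried: " + ", ".join(s["methods"])
    return "incomplete, last status " + str(s["status"])

for sid, s in summarize_sessions(SAMPLE_LOG).items():
    print(sid, diagnose(s))
```

Feed it the output of `terminal monitor` or a syslog capture of the same debug and each session id comes out with one line explaining how it ended.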