I’ve set up a very basic lab to test the AAA output for the CCNA Security exam.

Both routers have direct connectivity, with R2 having AAA configured as follows:

R2#show run | I aaa
aaa new-model
aaa authentication login default group tacacs+ group radius local
aaa authentication enable default enable

Note that the enable mode has been set to use the

R2#show run | i enable
aaa authentication enable default enable
R2#show run | i secret
R2#show run | I user
username test password 0 test

Connecting from R1, I am authenticated against the local database on R2, since the tacacs+ and radius servers are unreachable; however, I am denied access to enable mode, because no enable secret is configured for the enable method.

I receive the following debugging output from R2 with debug aaa authentication enabled.

*Mar 1 00:11:33.927: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:11:33.927: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:11:33.927: AAA/MEMORY: create_user (0x673E89B8) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): using "default" list
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): Method=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): can't find any passwords
R2(config)#
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): no methods left to try
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): failed to authenticate
*Mar 1 00:11:33.927: AAA/MEMORY: free_user (0x673E89B8) user='test' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Requesting access to enable mode on R2 shows the following output:

*Mar 1 00:12:44.543: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:12:44.543: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:12:44.543: AAA/MEMORY: create_user (0x673E89B8) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:12:44.543: AAA/AUTHEN/START (2304815847): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:12:44.543: AAA/AUTHEN/START (2304815847): using "default" list
*Mar 1 00:12:44.543: AAA/AUTHEN/START (2304815847): Method=ENABLE
*Mar 1 00:12:44.543: AAA/AUTHEN(2304815847): Status=GETPASS

If the user enters an incorrect password, the following is seen:

*Mar 1 00:13:25.795: AAA/AUTHEN/CONT (3571181896): continue_login (user='(undef)')
*Mar 1 00:13:25.795: AAA/AUTHEN(3571181896): Status=GETPASS
*Mar 1 00:13:25.795: AAA/AUTHEN/CONT (3571181896): Method=ENABLE
*Mar 1 00:13:25.803: AAA/AUTHEN(3571181896): password incorrect
*Mar 1 00:13:25.803: AAA/AUTHEN(3571181896): Status=FAIL
*Mar 1 00:13:25.803: AAA/MEMORY: free_user (0x673E89B8) user='NULL' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

With the correct enable secret password:

R2(config)#
*Mar 1 00:14:03.923: AAA/AUTHEN/CONT (2016241765): continue_login (user='(undef)')
*Mar 1 00:14:03.923: AAA/AUTHEN(2016241765): Status=GETPASS
*Mar 1 00:14:03.923: AAA/AUTHEN/CONT (2016241765): Method=ENABLE
*Mar 1 00:14:03.927: AAA/AUTHEN(2016241765): Status=PASS
*Mar 1 00:14:03.927: AAA/MEMORY: free_user (0x673E89B8) user='NULL' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Changing the enable method list to use radius and then tacacs+ instead of the enable password shows the following when trying to enter enable mode on R2 from R1:

R2>en
% Error in authentication.
R2>

The corresponding debug output on R2:

*Mar 1 00:19:09.155: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:19:09.155: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:19:09.155: AAA/MEMORY: create_user (0x673E89B8) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): using "default" list
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=radius (radius)
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
R2(config)#
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=tacacs+ (tacacs+)
*Mar 1 00:19:09.155: TAC+: send AUTHEN/START packet ver=192 id=1099401461
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): no methods left to try
*Mar 1 00:19:09.159: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.159: AAA/AUTHEN/START (1099401461): failed to authenticate
*Mar 1 00:19:09.159: AAA/MEMORY: free_user (0x673E89B8) user='test' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

R1 isn't able to enter enable mode, as the radius and tacacs+ servers aren't reachable and no further method remains in the list.

Setting R2 to 'aaa authentication login default local enable' and then logging in successfully from R1 looks like this:

*Mar 1 00:35:13.083: AAA/BIND(0000000D): Bind i/f
*Mar 1 00:35:13.087: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'default'
R2(config)#
*Mar 1 00:35:15.347: AAA/AUTHOR (0000000D): Method list id=0 not configured. Skip author
R2(config)#
*Mar 1 00:35:19.119: AAA: parse name=tty98 idb type=-1 tty=-1
*Mar 1 00:35:19.119: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
*Mar 1 00:35:19.119: AAA/MEMORY: create_user (0x65066540) user='test' ruser='NULL' ds0=0 port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): non-console enable - default to enable password
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): Method=ENABLE
R2(config)#
*Mar 1 00:35:19.119: AAA/AUTHEN(1903991603): Status=GETPASS
*Mar 1 00:35:19.915: AAA/AUTHEN/CONT (1903991603): continue_login (user='(undef)')
*Mar 1 00:35:19.915: AAA/AUTHEN(1903991603): Status=GETPASS
*Mar 1 00:35:19.915: AAA/AUTHEN/CONT (1903991603): Method=ENABLE
*Mar 1 00:35:19.923: AAA/AUTHEN(1903991603): Status=PASS
*Mar 1 00:35:19.923: AAA/MEMORY: free_user (0x65066540) user='NULL' ruser='NULL' port='tty98' rem_addr='1.1.1.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
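The debug excerpts above all illustrate one rule of IOS method lists: a method that answers ERROR (the enable method with no enable password configured, or a radius/tacacs+ server that cannot be reached) lets AAA move on to the next method, while a method that answers FAIL (a wrong password) ends the attempt. The following Python script is an added example, not part of the original post: it parses lines in the format of the debug aaa authentication output shown on this page, groups them by AAA session id, and reports which methods each session tried and how it ended. The sample input is a constructed, shortened copy of the debug lines above; the function names and the summary wording are this example's own.

```python
import re

# Constructed sample: a shortened copy of the debug output shown on this page.
# Session 4089221605: enable method with no enable password configured.
# Session 3571181896: wrong enable password.
# Session 1099401461: enable list set to radius then tacacs+, both unreachable.
# Session 1903991603: correct enable password.
SAMPLE_DEBUG = """\
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): port='tty98' list='' action=LOGIN service=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): using "default" list
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): Method=ENABLE
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): can't find any passwords
R2(config)#
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): no methods left to try
*Mar 1 00:11:33.927: AAA/AUTHEN(4089221605): Status=ERROR
*Mar 1 00:11:33.927: AAA/AUTHEN/START (4089221605): failed to authenticate
*Mar 1 00:13:25.795: AAA/AUTHEN/CONT (3571181896): Method=ENABLE
*Mar 1 00:13:25.803: AAA/AUTHEN(3571181896): password incorrect
*Mar 1 00:13:25.803: AAA/AUTHEN(3571181896): Status=FAIL
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=radius (radius)
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): Method=tacacs+ (tacacs+)
*Mar 1 00:19:09.155: TAC+: send AUTHEN/START packet ver=192 id=1099401461
*Mar 1 00:19:09.155: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.155: AAA/AUTHEN/START (1099401461): no methods left to try
*Mar 1 00:19:09.159: AAA/AUTHEN(1099401461): Status=ERROR
*Mar 1 00:19:09.159: AAA/AUTHEN/START (1099401461): failed to authenticate
*Mar 1 00:35:19.119: AAA/AUTHEN/START (1903991603): Method=ENABLE
*Mar 1 00:35:19.119: AAA/AUTHEN(1903991603): Status=GETPASS
*Mar 1 00:35:19.915: AAA/AUTHEN/CONT (1903991603): Method=ENABLE
*Mar 1 00:35:19.923: AAA/AUTHEN(1903991603): Status=PASS
"""

# Matches both "AAA/AUTHEN/START (id): msg" and "AAA/AUTHEN(id): msg" lines.
# Prompts, AAA/MEMORY and TAC+ lines do not match and are skipped.
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ +\d\d:\d\d:\d\d\.\d+): "
    r"AAA/AUTHEN(?:/(?P<phase>START|CONT))? ?\((?P<sid>\d+)\): (?P<msg>.*)$"
)

# Free-text reasons the debug output gives for a method's verdict.
REASONS = ("can't find any passwords", "password incorrect")


def summarize_sessions(debug_text):
    """Group AAA/AUTHEN lines by session id and record methods, final status and reason."""
    sessions = {}
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.group("sid"), m.group("msg")
        s = sessions.setdefault(
            sid, {"methods": [], "status": None, "reason": None, "exhausted": False}
        )
        if msg.startswith("Method="):
            # "Method=radius (radius)" -> "radius"; a CONT line repeats the method in use
            method = msg.split("=", 1)[1].split()[0]
            if not s["methods"] or s["methods"][-1] != method:
                s["methods"].append(method)
        elif msg.startswith("Status="):
            s["status"] = msg.split("=", 1)[1]  # last Status seen is the final verdict
        elif msg == "no methods left to try":
            s["exhausted"] = True
        elif msg in REASONS:
            s["reason"] = msg
    return sessions


def classify(session):
    """Describe the outcome of one session in terms of the method list behaviour."""
    methods = ", ".join(session["methods"]) or "none"
    if session["status"] == "PASS":
        return "authenticated via %s" % session["methods"][-1]
    if session["status"] == "FAIL":
        # FAIL is a definite rejection: AAA does not try the next method
        return "rejected by %s: %s" % (session["methods"][-1], session["reason"])
    if session["exhausted"]:
        # ERROR on every method: each one was unusable, so the list fell through
        text = "no usable method (tried %s)" % methods
        return text + ("; " + session["reason"] if session["reason"] else "")
    return "incomplete (last status %s)" % session["status"]


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_DEBUG).items():
        print(sid, "->", classify(s))
```

The distinction the script encodes is the one that matters when reading these logs on a production device: a run of Status=ERROR ending in "no methods left to try" means every configured method was unavailable (a lockout risk if the last method is a remote server with no local or enable fallback), whereas a single Status=FAIL after "password incorrect" is a genuine bad credential and should be counted as an authentication failure rather than a server outage.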


About The Author

Timothy

Timothy started his networking career in 2014, working for one of the largest telecommunication operators in Australia. When he's not working, he's obsessing over German Shepherd Dogs.
