[tac_plus] Console login issue???

Andy Saykao asaykao at gmail.com
Mon Dec 14 03:29:15 UTC 2009


Hi All,

I've noticed that with all the AAA commands applied, when I log into a
router/switch via the console, I get two username prompts before I
successfully authenticate. It seems that on the first try, it detects
an "abort reason=Carrier dropped" when waiting for the username (See
debugs below). On the second try, it's able to receive the username.
All of our devices are plugged into a term server (cisco 2511).

Example:

> telnet ts1-cr 2001
Trying 203.10.110.x...
Connected to ts1-cr.
Escape character is '^]'.

User Access Verification

Username: testuser
Password:

User Access Verification

Username: testuser
Password:

myrouter>


Debug - first try:

Dec 14 14:22:20.303 AEDT: AAA: parse name=tty2 idb type=-1 tty=-1
Dec 14 14:22:20.303 AEDT: AAA: name=tty2 flags=0x11 type=5 shelf=0
slot=0 adapter=0 port=2 channel=0
Dec 14 14:22:20.303 AEDT: AAA/MEMORY: create_user (0x315B210)
user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='210.15.210.x'
authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf=
(id=0)
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): port='tty2'
list='' action=LOGIN service=LOGIN
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): using "default" list
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403):
Method=tacacs+ (tacacs+)
Dec 14 14:22:20.303 AEDT: TAC+: send AUTHEN/START packet ver=192 id=1220359403
Dec 14 14:22:20.504 AEDT: TAC+: ver=192 id=1220359403 received AUTHEN
status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN (1220359403): status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN/ABORT: (1220359403) because
Carrier dropped.
Dec 14 14:22:20.504 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:20.605 AEDT: AAA/AUTHEN/ABORT: (1220359403) because
Carrier dropped.
Dec 14 14:22:20.605 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:20.706 AEDT: AAA/MEMORY: free_user (0x315B210)
user='NULL' ruser='NULL' port='tty2' rem_addr='210.15.210.x'
authen_type=ASCII service=LOGIN priv=1

Debug continued - second try:

Dec 14 14:22:43.380 AEDT: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 14 14:22:43.380 AEDT: AAA: name=tty0 flags=0x11 type=4 shelf=0
slot=0 adapter=0 port=0 channel=0
Dec 14 14:22:43.380 AEDT: AAA/MEMORY: create_user (0x43C6B80)
user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async'
authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf=
(id=0)
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): port='tty0'
list='' action=LOGIN service=LOGIN
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): using "default" list
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905):
Method=tacacs+ (tacacs+)
Dec 14 14:22:43.380 AEDT: TAC+: send AUTHEN/START packet ver=192 id=1183523905
Dec 14 14:22:43.581 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN
status = GETUSER
Dec 14 14:22:43.581 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login
(user='(undef)')
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN (1183523905): Method=tacacs+ (tacacs+)
Dec 14 14:22:52.515 AEDT: TAC+: send AUTHEN/CONT packet id=1183523905
Dec 14 14:22:52.717 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN
status = GETPASS
Dec 14 14:22:52.717 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login
(user='asaykao')
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN (1183523905): Method=tacacs+ (tacacs+)
Dec 14 14:22:58.874 AEDT: TAC+: send AUTHEN/CONT packet id=1183523905
Dec 14 14:22:59.075 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN
status = PASS
Dec 14 14:22:59.075 AEDT: AAA/AUTHEN (1183523905): status = PASS

AAA config:

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 3 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Why is this happening that it is unable to receive the username on the
first try? Is there a way to fix this?

Thanks.

Andy
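
Added example, not part of the original message: one way to correlate the AAA debug lines above by session id and list the sessions that were aborted while the server was still waiting for a username. The sample lines are taken from the debug output in the post, with mail-wrapped lines rejoined and trimmed to the relevant events; the function names are hypothetical.

```python
import re

# Sample input: lines from the debug output in the post, rejoined onto
# single lines and trimmed to the events that matter for correlation.
SAMPLE = """\
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): port='tty2' list='' action=LOGIN service=LOGIN
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN (1220359403): status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN/ABORT: (1220359403) because Carrier dropped.
Dec 14 14:22:20.605 AEDT: AAA/AUTHEN/ABORT: (1220359403) because Carrier dropped.
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): port='tty0' list='' action=LOGIN service=LOGIN
Dec 14 14:22:43.581 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.717 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:59.075 AEDT: AAA/AUTHEN (1183523905): status = PASS
"""

# Patterns match the IOS "debug aaa authentication" line shapes shown in the post.
START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
ABORT = re.compile(r"AAA/AUTHEN/ABORT: \((\d+)\) because (.+?)\.?$")


def summarize(text):
    """Group AAA debug lines by session id and record how each session ended."""
    sessions = {}
    for line in text.splitlines():
        if m := START.search(line):
            sessions.setdefault(
                m.group(1), {"port": m.group(2), "last_status": None, "abort": None}
            )
        elif m := STATUS.search(line):
            if m.group(1) in sessions:
                sessions[m.group(1)]["last_status"] = m.group(2)
        elif m := ABORT.search(line):
            if m.group(1) in sessions:
                sessions[m.group(1)]["abort"] = m.group(2)
    return sessions


def aborted_before_username(sessions):
    """Sessions aborted while the server was still waiting for a username."""
    return [
        (sid, s["port"], s["abort"])
        for sid, s in sessions.items()
        if s["abort"] and s["last_status"] == "GETUSER"
    ]


if __name__ == "__main__":
    for sid, port, reason in aborted_before_username(summarize(SAMPLE)):
        print(f"session {sid} on {port}: aborted at GETUSER ({reason})")
```

Listing the port next to each session id makes it visible that the aborted session and the successful one were opened on different tty lines.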

