[tac_plus] Re: Console login issue???

Schmidt, Daniel dan.schmidt at uplinkdata.com
Mon Dec 14 16:21:51 UTC 2009


You aren't, perchance, using single-connection are you?  You omitted the
one line I wanted to see. 

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
Sent: Sunday, December 13, 2009 8:29 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Console login issue???

Hi All,

I've noticed that with all the AAA commands applied, when I log into a
router/switch via the console, I get two username prompts before I
successfully authenticate. It seems that on the first try, it detects
an "abort reason=Carrier dropped" when waiting for the username (see
debugs below). On the second try, it's able to receive the username.
All of our devices are plugged into a term server (cisco 2511).

Example:

> telnet ts1-cr 2001
Trying 203.10.110.x...
Connected to ts1-cr.
Escape character is '^]'.

User Access Verification

Username: testuser
Password:

User Access Verification

Username: testuser
Password:

myrouter>


Debug - first try:

Dec 14 14:22:20.303 AEDT: AAA: parse name=tty2 idb type=-1 tty=-1
Dec 14 14:22:20.303 AEDT: AAA: name=tty2 flags=0x11 type=5 shelf=0
slot=0 adapter=0 port=2 channel=0
Dec 14 14:22:20.303 AEDT: AAA/MEMORY: create_user (0x315B210)
user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='210.15.210.x'
authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf=
(id=0)
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): port='tty2'
list='' action=LOGIN service=LOGIN
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403): using "default"
list
Dec 14 14:22:20.303 AEDT: AAA/AUTHEN/START (1220359403):
Method=tacacs+ (tacacs+)
Dec 14 14:22:20.303 AEDT: TAC+: send AUTHEN/START packet ver=192
id=1220359403
Dec 14 14:22:20.504 AEDT: TAC+: ver=192 id=1220359403 received AUTHEN
status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN (1220359403): status = GETUSER
Dec 14 14:22:20.504 AEDT: AAA/AUTHEN/ABORT: (1220359403) because
Carrier dropped.
Dec 14 14:22:20.504 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:20.605 AEDT: AAA/AUTHEN/ABORT: (1220359403) because
Carrier dropped.
Dec 14 14:22:20.605 AEDT: TAC+: send abort reason=Carrier dropped
Dec 14 14:22:20.706 AEDT: AAA/MEMORY: free_user (0x315B210)
user='NULL' ruser='NULL' port='tty2' rem_addr='210.15.210.x'
authen_type=ASCII service=LOGIN priv=1

Debug continued - second try:

Dec 14 14:22:43.380 AEDT: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 14 14:22:43.380 AEDT: AAA: name=tty0 flags=0x11 type=4 shelf=0
slot=0 adapter=0 port=0 channel=0
Dec 14 14:22:43.380 AEDT: AAA/MEMORY: create_user (0x43C6B80)
user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async'
authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf=
(id=0)
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): port='tty0'
list='' action=LOGIN service=LOGIN
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905): using "default"
list
Dec 14 14:22:43.380 AEDT: AAA/AUTHEN/START (1183523905):
Method=tacacs+ (tacacs+)
Dec 14 14:22:43.380 AEDT: TAC+: send AUTHEN/START packet ver=192
id=1183523905
Dec 14 14:22:43.581 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN
status = GETUSER
Dec 14 14:22:43.581 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login
(user='(undef)')
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN (1183523905): status = GETUSER
Dec 14 14:22:52.515 AEDT: AAA/AUTHEN (1183523905): Method=tacacs+
(tacacs+)
Dec 14 14:22:52.515 AEDT: TAC+: send AUTHEN/CONT packet id=1183523905
Dec 14 14:22:52.717 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN
status = GETPASS
Dec 14 14:22:52.717 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN/CONT (1183523905): continue_login
(user='asaykao')
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN (1183523905): status = GETPASS
Dec 14 14:22:58.874 AEDT: AAA/AUTHEN (1183523905): Method=tacacs+
(tacacs+)
Dec 14 14:22:58.874 AEDT: TAC+: send AUTHEN/CONT packet id=1183523905
Dec 14 14:22:59.075 AEDT: TAC+: ver=192 id=1183523905 received AUTHEN
status = PASS
Dec 14 14:22:59.075 AEDT: AAA/AUTHEN (1183523905): status = PASS

AAA config:

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 3 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Why is this happening that it is unable to receive the username on the
first try? Is there a way to fix this?

Thanks.

Andy
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

