AAA allowing local authentication with TACACS+ configured.

Discussion in 'Cisco' started by Mike, Jun 26, 2006.

  1. Mike

    Mike Guest

    I was under the impression:

    aaa authentication login default group tacacs+ local

    Means TACACS+ is up and happy, use that. If TACACS+ returns ERROR, use
    local credentials. This is good.

    However, I figures this also meant deny local authentication if TACACS+
    is up and functioning. But I can still login using local credentials
    even when TACACS+ is up and functioning. Is there a way I can disable


    Mike, Jun 26, 2006
    1. Advertisements

  2. Mike

    Merv Guest

    If authentication fails against the TACACS database no futher AAA
    method should be used. If it is being used then it is a bug.

    "A FAIL response is significantly different from an ERROR. A FAIL means
    that the user has not met the criteria contained in the applicable
    authentication database to be successfully authenticated.
    Authentication ends with a FAIL response. An ERROR means that the
    security server has not responded to an authentication query. Because
    of this, no authentication has been attempted. Only when an ERROR is
    detected will AAA select the next authentication method defined in the
    authentication method list."
    Merv, Jun 26, 2006
    1. Advertisements

  3. Mike

    Mike Guest

    Turns out for some reason, although it succesfully logging in users,
    FAILs were timing when communicating with ACS. I noticed this by
    turning tacacs debugging on.

    Bumping the time-out value to 10 seconds took care of it. Our ACS
    servers may need a good kick.

    However, couldn't this be used for a timing attack to harvest accounts?
    Mike, Jun 26, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.