[c-nsp] workaround for CSCsw51727 bug if local username authentication is not in use

Martin T m4rtntns at gmail.com
Tue May 29 04:17:45 EDT 2018


Hi!

When one connects to a console port of a non-master stacked Cisco 3750
series switch, the switch will use the VTY lines' authorization
configuration. This is described in CSCsw51727. Let's say that
authorization is done by a TACACS+ server. There is a workaround
possible when local username authentication is in use for the console
line. For example, let's say that an authentication list named "console"
is used for "line con 0", i.e. "login authentication console" is
configured under "line con 0". In addition, local username
authentication is used for this authentication list, i.e. "aaa
authentication login console local" is configured. Now, when one
connects to a console port of a non-master stacked Cisco 3750 series
switch, the switch uses the provided local username in the authorization
request to the TACACS+ server, and if the TACACS+ server has this local user
properly configured, then authorization succeeds. However, what if,
instead of local username authentication, enable password
authentication is used? In other words, instead of "aaa authentication
login console local", "aaa authentication login console enable" is
configured. With "aaa authentication login console enable" there is no
username. As far as I have tried, an empty username is used in the
authorization request sent to the TACACS+ server, and such requests are
denied by the TACACS+ server. Is there a workaround for the CSCsw51727 bug if
local username authentication is not in use? Has CSCsw51727 been fixed
in the latest IOS releases?


thanks,
Martin
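The configuration below is an added example reconstructing the scenario the post describes; it is not configuration taken from the original message or from Cisco. The TACACS+ server address and key, the list names, the local username and all secrets are assumed placeholders. It shows the console list in the working (local username) form next to the enable-password form that the post reports as failing, and the VTY authorization list that, per CSCsw51727 as described above, also governs console sessions on a non-master stack member.

```cisco
! Added example reconstructing the scenario in the post; not the poster's
! own configuration. Server address, key, list names, username and
! secrets are assumed placeholders.
aaa new-model
!
! TACACS+ server used by the VTY lines (assumed address and key)
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
!
! Console authentication list, workaround variant: authenticating against
! the local user database yields a username, which the switch then places
! in the EXEC authorization request sent to the TACACS+ server.
aaa authentication login console local
!
! Variant reported as failing in the post (left commented out): enable
! password authentication provides no username, so the authorization
! request carries an empty username and the TACACS+ server denies it.
! aaa authentication login console enable
!
! VTY lines authenticate and authorize against TACACS+, with local fallback
! so the device stays reachable if the server is unavailable.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Local account used on the console; for the workaround the same username
! must also be defined on the TACACS+ server, since the authorization
! request is evaluated there.
username consoleadmin privilege 15 secret EXAMPLE-LOCAL-SECRET
enable secret EXAMPLE-ENABLE-SECRET
!
line con 0
 login authentication console
!
line vty 0 4
 login authentication default
 authorization exec default
```

To confirm what the switch actually sends, compare the username field in the TACACS+ server's authorization log for a console login on a non-master member with one on the master; on the switch side, `debug aaa authorization` shows the request being built. Keeping `local` as the fallback method in the authorization list limits the blast radius of a server outage or of a denied request, but it does not by itself change which username the request carries.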

