15 Replies, latest reply: Feb 9, 2014 6:44 AM by AAM

    enable view   "% authentication failure"

    Abhishek

      Hi all,

       

      I am facing a strange problem while configuring view command in my 3725 router.

       

      I am using Cisco ACS 4.2 and TACACS+ for AAA. I have already configured the AAA new-model commands and AAA is working properly, as I am able to log in with my defined username and password in the ACS user setup.

       

      I have enabled the secret password. But still, when I enter the "enable view" command I get a "%authentication failure" error.

       

       

      I am ready to share more details of the configuration if someone is interested. So if anyone can troubleshoot it, that will be very helpful.

       

       

      Thanks in Advance.

      Abhishek B

        • 1. Re: enable view   "% authentication failure"
          Vim

          Hi Abhishek,

           

          Would you be able to post your running config so that we can have a look?

           

          Best wishes,

          Vim

          • 2. Re: enable view   "% authentication failure"
            Paul Stewart  -  CCIE Security

            Here is a sample of creating a view.  I had already enabled AAA, but didn't set any authentication or authorization methods.

             

            R1(config)#enable secret cisco
            *Mar  1 00:04:51.119: %SYS-5-CONFIG_I: Configured from console by console
            R1#enable view
            Password:
            *Mar  1 00:04:55.459: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
            R1#conf t
            Enter configuration commands, one per line.  End with CNTL/Z.
            R1(config)#parser view CISCO
            R1(config-view)#
            *Mar  1 00:05:16.711: %PARSER-6-VIEW_CREATED: view 'CISCO' successfully created.
            R1(config-view)#secret cisco
            R1(config-view)#end
            *Mar  1 00:05:32.307: %SYS-5-CONFIG_I: Configured from console by console
            R1#enable view CISCO
            Password:
            R1#
            *Mar  1 00:05:43.423: %PARSER-6-VIEW_SWITCH: successfully set to view 'CISCO'.
            R1#

            • 3. Re: enable view   "% authentication failure"
              Abhishek

              Hi all,

               

              Here is my running config. Hope this helps you guys to troubleshoot.

               

              Router#show run
              Building configuration...

              Current configuration : 2728 bytes
              !
              version 12.4
              service timestamps debug datetime msec
              service timestamps log datetime msec
              service password-encryption
              !
              hostname Router
              !
              boot-start-marker
              boot-end-marker
              !
              enable secret 5 $1$rCd/$Fk5q07OWn1ez.DdvphoOz1
              !
              aaa new-model
              !
              !
              aaa authentication login default group tacacs+ local
              !
              aaa session-id common
              memory-size iomem 5
              ip cef
              !
              !
              !
              !
              no ip domain lookup
              login on-failure log
              login on-success log
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              crypto pki trustpoint TP-self-signed-4279256517
              enrollment selfsigned
              subject-name cn=IOS-Self-Signed-Certificate-4279256517
              revocation-check none
              rsakeypair TP-self-signed-4279256517
              !
              !
              crypto pki certificate chain TP-self-signed-4279256517
              certificate self-signed 01
                3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
                31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
                69666963 6174652D 34323739 32353635 3137301E 170D3032 30333031 30303030
                33305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
                4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32373932
                35363531 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
                8100A04D 795F0354 6030AFDB D7AE1450 BE5F0056 1FCEBBC0 2A150D0D 26ABB56A
                4B73EB25 814BE31C 863D23D1 CF020569 A26CE15B 6FBA5869 51EE3379 C4AE156E
                FEA70951 1448EA43 D691F093 BD98510A 286A3B54 A47B7B27 A463ACE2 69791930
                0E73393D 233E7EC5 BA716937 A9351084 1A18D399 296D7F00 326BBAC2 FDF56B6F
                0D9F0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
                551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 17AD1BE4
                9452CC35 EAE13CB9 369035A8 358C781C 301D0603 551D0E04 16041417 AD1BE494
                52CC35EA E13CB936 9035A835 8C781C30 0D06092A 864886F7 0D010104 05000381
                81007664 84C62284 459B178B B5AA4F62 B24CADEF C12072D8 F4FF4BA9 37C5C325
                752258BF B6010B7F A8E7EF3F 59541199 8767AC06 28BB71C0 DA6F0D4B 34059C4B
                5E0660D6 9A30A595 1EC954A6 24D6DDA1 7942D87F 8E4B8793 1EFCF750 9339D877
                933E32CA FFBF3DD8 5D2771BA 85254DF0 241F412A C5B4662F 95153E04 EFDD3F91 AC2F
                quit
              username Abhishek privilege 15 password 7 045802150C2E
              !
              !
              !
              !
              !
              !
              !
              interface FastEthernet0/0
              ip address 192.168.0.1 255.255.255.0
              duplex auto
              speed auto
              !
              interface FastEthernet0/1
              ip address 192.168.206.3 255.255.255.0
              duplex auto
              speed auto
              !
              ip forward-protocol nd
              !
              !
              ip http server
              ip http authentication local
              ip http secure-server
              !
              logging trap debugging
              logging 192.168.206.128
              !
              !
              !
              tacacs-server host 192.168.206.128
              tacacs-server key 7 1511021F0725
              !
              control-plane
              !
              !
              !
              !
              !
              !
              !
              !
              !
              banner motd ^C**************--- ACCSESS RESTRICTED ---****************^C
              !
              line con 0
              logging synchronous
              line aux 0
              line vty 5 903
              !
              !
              end

               

               

              And here is the error that is coming.

              Router#enabl
              Router#enable view
              Router#enable view
              Password:
              % Authentication failed

              • 4. Re: enable view   "% authentication failure"
                Abhishek

                When the TACACS server is not reachable my router is taking the secret password that is already set. But if the router is connected with the TACACS server then it is showing the error. That means it is working correctly from the local router database. Not sure why it is not working the other way.

                • 5. Re: enable view   "% authentication failure"
                  Vim

                  Hi Abhishek,

                   

                  Can you also run R#debug aaa authentication and paste any output you're getting.

                   

                  Now, as you're trying to use TACACS for login purposes, login from a terminal window separate to your console window - as you may not be able to see the debug messages from your terminal window because you're not logged in yet, but you will on your console window - if you get what I mean.

                   

                  Also, check

                  a) connectivity between your PC running ACS and router - ping!

                  b) check TCP port 49 is open for connections on your PC - perhaps a firewall is blocking this. In fact, see if disabling your firewall fixes this. I'm assuming you haven't changed default port numbers.

                   

                  Get back with updates and we'll take it from there.

                  Best wishes,

                  Vim

                  • 6. Re: enable view   "% authentication failure"
                    Abhishek

                    After I enabled debug aaa authentication and entered the command enable view, an error is coming saying "AAA/AUTHEN/VIEW (00000003): Pick method list 'default'".

                    So what is this error?

                     

                    And connectivity & firewall issues are all good.

                     

                     

                    Regards,

                    Abhishek

                    • 7. Re: enable view   "% authentication failure"
                      Vim

                      Let me make sure I understand your setup and exactly what you're trying to do.

                      - you want to enter root view

                      - you have set an enable secret password

                      - you want to have ACS authenticate your login credentials to enter the root view as your first choice and the local database as your second

                      Is this correct?

                      • 8. Re: enable view   "% authentication failure"
                        Brian McGahan - 4 x CCIE, CCDE

                        When you say enable view you're trying to login to the router with the username "root".  You need to configure the username "root" on your AAA server with whatever password you want. 

                        • 9. Re: enable view   "% authentication failure"
                          Brian McGahan - 4 x CCIE, CCDE

                          The other option would be to issue the aaa authorization exec default group tacacs and aaa authorization console commands, and then configure the ACS server to assign the parser view.

                           

                          This is accomplished with the variable "cli-view-name=[name]" under custom TACACS+ attributes.  For the enable view this would be set to "root", as seen below:

                           

                          acs.parser.view.png

                          • 10. Re: enable view   "% authentication failure"
                            Vim

                            The enable view command uses the enable secret password by default. If you want to do this using ACS I believe you'd need to use

                            R(config)#aaa authentication enable default group tacacs+ enable and not the

                            R(config)#aaa authentication login default group tacacs+ local command.

                             

                            Note that the first method list is for enable and the second is for login. I've not had the luxury of trying this out, but perhaps this may be your issue.

                            Also, as Brian has pointed out you'd need the "root" username on your AAA server.

                             

                            Let us know how it goes.

                            Best wishes,

                            Vim.

                            • 11. Re: enable view   "% authentication failure"
                              Brian McGahan - 4 x CCIE, CCDE

                              If you are doing local authentication, then yes, the router uses the enable password/secret.  However if you are doing remote login authentication, which is what Abhishek is doing here, then it looks for the username "root".

                               

                              Also the enable command is treated differently than the enable view command.  The former being part of enable authentication, and the second being part of login authentication and exec authorization.

                               

                              AAA can be very confusing to say the least
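To make the two resolution paths discussed above concrete, here is an added example that is not from the thread or from Cisco: a small Python audit that reads the AAA-relevant lines of an IOS running-config and reports how `enable view` will be authenticated, following Brian's explanation (remote login authentication means the router asks the TACACS+ server for the user "root"; exec authorization via TACACS+ is what lets the server assign a view with `cli-view-name`). The sample configs are constructed from the lines Abhishek posted; the function and key names are this example's own.

```python
import re

# Constructed sample: the AAA-relevant lines from the running config posted
# earlier in this thread (trimmed to what the audit needs).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
username Abhishek privilege 15 password 7 045802150C2E
tacacs-server host 192.168.206.128
tacacs-server key 7 1511021F0725
"""

# Constructed sample: the same config after adding Brian's second option
# (exec authorization through TACACS+, plus console authorization).
FIXED_CONFIG = SAMPLE_CONFIG + """\
aaa authorization exec default group tacacs+ local
aaa authorization console
"""


def parse_methods(text):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens = text.split()
    methods = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config_text):
    """Collect the AAA state that decides how 'enable view' is authenticated."""
    state = {
        "new_model": False,
        "login_lists": {},        # method-list name -> ordered methods
        "enable_lists": {},
        "exec_authz_lists": {},
        "authz_console": False,
        "tacacs_hosts": [],
        "local_users": [],
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            state["new_model"] = True
            continue
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", line)
        if m:
            kind, name, methods = m.groups()
            key = "login_lists" if kind == "login" else "enable_lists"
            state[key][name] = parse_methods(methods)
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            state["exec_authz_lists"][m.group(1)] = parse_methods(m.group(2))
            continue
        if line == "aaa authorization console":
            state["authz_console"] = True
            continue
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            state["tacacs_hosts"].append(m.group(1))
            continue
        m = re.match(r"username (\S+)", line)
        if m:
            state["local_users"].append(m.group(1))
    return state


def assess_enable_view(state):
    """Apply the thread's findings to the parsed state (default lists only)."""
    login = state["login_lists"].get("default", [])
    exec_authz = state["exec_authz_lists"].get("default", [])
    remote_login = any(m.startswith("group") for m in login)
    return {
        # With a remote login method first, 'enable view' is sent to TACACS+
        # as a login for user "root", so that account must exist on the server.
        "enable_view_asks_tacacs_for_root": remote_login,
        # Only with exec authorization through TACACS+ can the server push a
        # view via the cli-view-name attribute instead of needing "root".
        "view_assignable_via_exec_authz": any(m.startswith("group") for m in exec_authz),
        # 'local' after the group method explains the observed fallback to the
        # enable secret when the TACACS+ server is unreachable.
        "local_fallback": "local" in login,
    }


def report(config_text):
    """Human-readable summary for a config; returns the list of lines."""
    a = assess_enable_view(parse_aaa(config_text))
    lines = []
    if a["enable_view_asks_tacacs_for_root"]:
        lines.append("enable view -> TACACS+ login as 'root': define 'root' on the AAA server")
    if a["view_assignable_via_exec_authz"]:
        lines.append("exec authorization via TACACS+: server can set cli-view-name=<view>")
    else:
        lines.append("no exec authorization via TACACS+: cli-view-name from the server is not applied")
    if a["local_fallback"]:
        lines.append("local fallback present: enable secret used when TACACS+ is unreachable")
    return lines


if __name__ == "__main__":
    for name, cfg in (("posted config", SAMPLE_CONFIG), ("with exec authz", FIXED_CONFIG)):
        print(f"== {name}")
        for line in report(cfg):
            print("  " + line)
```

Running it on the posted config prints the "define 'root' on the AAA server" line and the "no exec authorization" line, which is exactly the state Abhishek was in; on the second sample it reports that the server can assign the view through cli-view-name. The audit only looks at the `default` method lists, since that is the list the debug output showed being picked.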

                              • 12. Re: enable view   "% authentication failure"
                                Vim

                                Makes perfect sense Brian!

                                 

                                Confusing, possibly. But then that's why we have the luxury of experts such as yourselves to demystify confusing topics! Thank you.

                                • 13. Re: enable view   "% authentication failure"
                                  Abhishek

                                  Hi all,

                                   

                                  Thanks for your extensive support. The issue is finally resolved. Actually I tried both ways:

                                  a) configuring a username 'root'

                                  b) with the variable "cli-view-name=[name]"

                                  And it worked magically. Again many, many thanks for your valuable comments. I had a hard time with it.

                                   

                                   

                                  Regards,

                                  Abhishek B
