local authorization failure

Created: Sep 29, 2018 11:28:57    Latest reply: Oct 12, 2018 16:00:07
[Problem Description]
The customer has an issue with SSH user rights (privilege level).

Whenever a user connects to the switch over SSH with certificate authentication, he gets his privilege level from the VTY configuration, not from the local AAA settings.

[Problem Analysis]

Ask the customer to provide diagnostic information.

Check that the SSH configuration is correct:

ssh user v_lutyi
ssh user v_lutyi authentication-type rsa
ssh user v_lutyi assign rsa-key v_lutyi_rsa_key
ssh user v_lutyi service-type all
ssh user vit_lutyi
ssh user vit_lutyi authentication-type rsa

Check that the RSA public key assigned to the user is correct:

rsa peer-public-key v_lutyi_rsa_key
 public-key-code begin
  30820109
    02820100

Check the AAA configuration and find that the user's local privilege level is configured as 0:

aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 local-aaa-user password policy administrator
  password history record number 0
  password expire 0
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$^k~:)_a5D~$}LmtLIOF$=Zr1B!w,w3Qg"nzPrFim$hm9"DL6&H=$
 local-user admin privilege level 15
 local-user admin service-type terminal http
 local-user v_lutyi password irreversible-cipher $1a$$IoD%bQG;N$h-N>'X.7(DSta68<E@JGsR2"VC*O2GgWr|Q0kyC,$
 local-user v_lutyi privilege level 0
 local-user v_lutyi service-type terminal ssh http

Found that the local-user privilege level is 0 and tried changing it to 15. The VTY user-interface configuration is as follows (no user privilege level is set under the VTY lines):

user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 authentication-mode aaa
 protocol inbound all

If the account uses RSA authentication, the user level can only be obtained from the VTY, so the command user privilege level 3 must be added under the VTY user interface.

[Root Cause]
If the account uses RSA authentication, the user level can only be obtained from the VTY.
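As an added illustration, not part of the original post and not a vendor tool, the following Python script parses the configuration fragments quoted above (reconstructed here as a constructed sample) and reports the condition the root cause describes: an RSA-authenticated SSH user on a VTY range that uses AAA authentication but has no user privilege level, so the local-user level is not the one the session ends up with. The function names parse_config and audit are this example's own; the parser recognises only the commands that appear in the post.

```python
import re

# Constructed sample: the configuration fragments quoted in the post,
# reduced to the lines this check needs (the RSA key body is left out).
SAMPLE_CONFIG = """\
ssh user v_lutyi
ssh user v_lutyi authentication-type rsa
ssh user v_lutyi assign rsa-key v_lutyi_rsa_key
ssh user v_lutyi service-type all
ssh user vit_lutyi
ssh user vit_lutyi authentication-type rsa
aaa
 local-user admin privilege level 15
 local-user admin service-type terminal http
 local-user v_lutyi privilege level 0
 local-user v_lutyi service-type terminal ssh http
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 authentication-mode aaa
 protocol inbound all
"""

# The same sample with the fix from the post applied under every VTY range.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " protocol inbound all\n", " protocol inbound all\n user privilege level 3\n")


def parse_config(text):
    """Pull out the three facts the check needs from a VRP-style config dump:
    SSH users with RSA authentication, local-user privilege levels, and the
    authentication mode / privilege level of each VTY range."""
    rsa_users = set()
    local_levels = {}
    vty_blocks = {}          # "vty 0 4" -> {"auth": str|None, "level": int|None}
    current_vty = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            current_vty = None           # an unindented line starts a new view
        m = re.match(r"ssh user (\S+) authentication-type rsa$", line)
        if m:
            rsa_users.add(m.group(1))
            continue
        m = re.match(r"local-user (\S+) privilege level (\d+)$", line)
        if m:
            local_levels[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"user-interface (vty \d+ \d+)$", line)
        if m:
            current_vty = m.group(1)
            vty_blocks[current_vty] = {"auth": None, "level": None}
            continue
        if current_vty is not None:      # lines indented under a VTY range
            m = re.match(r"authentication-mode (\S+)$", line)
            if m:
                vty_blocks[current_vty]["auth"] = m.group(1)
            m = re.match(r"user privilege level (\d+)$", line)
            if m:
                vty_blocks[current_vty]["level"] = int(m.group(1))
    return rsa_users, local_levels, vty_blocks


def audit(text):
    """Return one finding per (VTY range, RSA user) where the VTY uses AAA but
    sets no 'user privilege level': per the post, such users take their level
    from the VTY, so the local-user level is not what they end up with."""
    rsa_users, local_levels, vty_blocks = parse_config(text)
    findings = []
    for vty, info in sorted(vty_blocks.items()):
        if info["auth"] != "aaa" or info["level"] is not None:
            continue
        for user in sorted(rsa_users):
            local = local_levels.get(user)
            shown = "unset" if local is None else str(local)
            findings.append(
                f"{user}: RSA-authenticated SSH user; '{vty}' has no "
                f"'user privilege level', so local-user level {shown} will not apply")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    print("after fix:", audit(FIXED_CONFIG) or "no findings")
```

Run against the sample it reports both RSA users on both VTY ranges; against the fixed copy it reports nothing, which is the check to repeat after adding user privilege level under the VTY lines on a real device.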

No.9527  Enthusiast Technician   Created Sep 29, 2018 13:52:49

I am very interested in this post, which is very helpful for our daily troubleshooting. I always have similar problems in my daily work, but I did not know how to deal with them. Now I have a clear idea. Thank you very much for sharing. I hope you can continue to update like this.

Skay  Enthusiast Technician   Created Sep 29, 2018 14:19:58

I am very interested in this post, which is very helpful for our daily troubleshooting. Is there a number of commands for the user authorization method? If all or none of the configurations are configured, the commands in that view take precedence. Or what is the default user privilege level? Can you help explain it?

SupperRobin  Visitor   Created Sep 29, 2018 14:38:50

Routers support the multi-route mode, which allows you to configure multiple routes with the same destination and preference. If the destinations and costs of multiple routes discovered by the same routing protocol are the same, load balancing can be performed among the routes.

During load balancing, a router forwards packets based on the packets' 5-tuple (source IP address, destination IP address, source port, destination port, and transport protocol). When the 5-tuple information is the same, the router always chooses the next-hop address that is the same as the last one to send packets. When the 5-tuple information is different, the router forwards packets over idle paths.

This post was last edited by SupperRobin at 2018-10-31 15:08.

wissal  Visitor   Created Sep 30, 2018 01:34:07

Helpful information, thanks

criss_tee_an  Enthusiast Technician   Created Oct 12, 2018 16:00:07

I had a similar case but the user was from RADIUS. Helpful! :)
