Cisco AAA authorized backdoor Test

Recently, a customer's AAA was not correctly configured, causing him to be locked out of the device. Because it is a multi-switch stack unit in the production environment, it is not allowed to restart and ignore the configuration, remote operations are required to solve the problem, which undoubtedly increases the difficulty of solving the problem.

After several attempts, we found that some settings on Cisco ACS can bypass the authorization to access the device. We will share with you the situation that this scenario is similar to the local ing mechanism of juniper SRX firewall, however, Cisco should not have documented similar situations.

The device configuration is as follows:

AAA authentication login noauth local none

AAA authorization Console

AAA authorization exec default group radius

 

Line con 0

Login authentication noauth

Line aux 0

Logging synchronous

Line vty 0 4

Login authentication noauth

End

The above configuration authenticates the use of the local database, authorizes the use of RADIUS server, and does not configure an escape channel for authorization (potholes)

Telnet fails to log on. The system prompts "reject": Enter the local user and password, and the system prompts "REJECTED ".

An error message is displayed, indicating that authorization failed: Authorization failed.

Enter the correct user (local) Incorrect password to display authentication failure: authentication failed

First, add the authentication server in ACS, select the label network configuration, and add the server

Add a server and click Add entry.

Note that the IP address must be the address of the local Nic, and must be consistent with the RADIUS server address configured on the switch. You can enter the key as needed.

 

Next, we add a vswitch as the radius client.

Shared Secret must be used to add a key that matches the actual configuration on the switch.

Then select Add User in user setup

Note that the user name must be the same as that added locally on your vswitch. Enter Cisco in the password field and submit

 

Now, the Cisco ACS settings are complete.

The telnet logon test result is as follows:

Username:

Password:

R3> enable

Password

R3 #

Note that the username and password used to log on here are both local enable and local enable. Now, the user can access the local system normally.

This article is from the "121212" blog, please be sure to keep this source http://359922.blog.51cto.com/349922/1535212