Cisco AAA authorization backdoor test

Source: Internet
Author: User
Tags: juniper srx

Recently, a customer's AAA was misconfigured and locked him out of the device. Because the device is a multi-switch stack in a production environment, it could not simply be rebooted to bypass the configuration; the problem had to be solved remotely, which made it considerably harder.

After several attempts, we found that certain settings on Cisco ACS can be used to bypass the authorization and regain access to the device. We share the scenario here. It resembles the local mechanism of the Juniper SRX firewall; however, Cisco does not appear to have documented anything similar.

The device configuration is as follows:

aaa authentication login noauth local none
aaa authorization console
aaa authorization exec default group radius

line con 0
 login authentication noauth
line aux 0
 logging synchronous
line vty 0 4
 login authentication noauth
end

The above configuration authenticates against the local database, authorizes through the RADIUS server, and configures no fallback method for authorization (this is the pitfall): if the RADIUS server is unreachable or rejects the user, exec authorization fails and nobody gets a shell.
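As an added illustration (not from the original article), the following Python check parses IOS "aaa authentication login" and "aaa authorization exec" method lists and flags the two things the configuration above shows: an authorization list that relies solely on a remote server group with no local fallback, and an authentication list that ends in "none". Both sample configurations are constructed here; the corrected variant, which appends "local" as a fallback, is an assumed fix and not something the article configures.

```python
import re
from typing import List

# Constructed sample: the AAA method lists from the locked-out switch in this article.
LOCKED_OUT_CONFIG = """\
aaa authentication login noauth local none
aaa authorization console
aaa authorization exec default group radius
"""

# Constructed sample (assumed fix): the same lists with a local fallback and no 'none'.
CORRECTED_CONFIG = """\
aaa authentication login noauth local
aaa authorization console
aaa authorization exec default group radius local
"""

# Methods the device can evaluate on its own when no AAA server answers.
LOCAL_METHODS = {"local", "local-case", "if-authenticated", "enable", "line", "none"}

# Matches 'aaa authentication login <list> <methods...>' and
# 'aaa authorization exec|commands N <list> <methods...>'.
METHOD_LIST = re.compile(
    r"^aaa\s+(authentication\s+login|authorization\s+(?:exec|commands\s+\d+))\s+(\S+)\s+(.+)$"
)


def audit_aaa(config: str) -> List[str]:
    """Return one finding per AAA method list that could lock admins out or let anyone in."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = METHOD_LIST.match(line)
        if not m:
            continue  # e.g. 'aaa authorization console' carries no method list
        kind, name, methods = m.group(1), m.group(2), m.group(3).split()
        # 'group radius' / 'group tacacs+' / 'group NAME' all need a reachable server;
        # without a local method the list has no way to succeed when the server is down.
        if not any(meth in LOCAL_METHODS for meth in methods):
            findings.append(f"{kind} list '{name}' has no local fallback: {line}")
        # 'none' is a method that always succeeds, i.e. no check at all once reached.
        if "none" in methods:
            findings.append(f"{kind} list '{name}' ends in 'none' and grants access without a check: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(LOCKED_OUT_CONFIG):
        print("FINDING:", finding)
    print("corrected config findings:", audit_aaa(CORRECTED_CONFIG))
```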

Telnet login fails: after entering the local username and password, the system responds with "REJECTED".

The error message indicates that authorization failed: Authorization failed.

Entering the correct (local) username with a wrong password instead shows an authentication failure: Authentication failed.


First, add the authentication server in ACS: select the Network Configuration tab and add the server.

Add an AAA server and click Add Entry.


Note that the IP address must be the address of the local NIC and must match the RADIUS server address configured on the switch. Enter the key as needed.

 

Next, add the switch as a RADIUS client.

The Shared Secret must match the key actually configured on the switch.


Then select Add User under User Setup.

Note that the username must be the same as the one added locally on the switch. Enter Cisco in the password field and submit.

 

Now, the Cisco ACS settings are complete.

The telnet login test result is as follows:

Username:
Password:

R3>enable
Password:
R3#

Note that the username and password used to log in here are the local ones, and so is the enable password. The user can now access the device normally.


This article is from the "121212" blog; please keep this source: http://359922.blog.51cto.com/349922/1535212
