How does Cisco perform authentication server reachability on aaa

aaa

Let's suppose we have a line like this:

aaa authentication login default group radius group tacacs+ local

According to the IOS 12.2 documentation:

If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, then the network access server processes that as an ERROR and queries R2 for authentication information

It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list.

My question is: How does a Cisco device exactly perform the check on an authentication server? Is it possible to modify/extend this method?

The motivation behind this question is to ensure that the reachability creteria meet some specific L7 methods rather than L3/L4.

Best Answer

The router sends the initial request, and simply waits for a well-formed answer from the Radius/TACACS server. There are no active "keepalive" style health checks; the router doesn't ping the server and look at response-times or anything like that.

What the router does next, depends on your configured criteria. In general, once the timeout expires (default is 5 seconds), or if a malformed response is received, the router will try the secondary server or fail down to the next configured authentication method.

Radius, unlike TACACS, can also mark a server as "dead" and cease to try authentications against it for a preconfigured amount of time.

See the following settings to tweak this behavior:

Timeout Configuration:

TEST-1861(config)#tacacs-server timeout ?
  <1-1000>  Wait time (default 5 seconds)

TEST-1861(config)#radius-server timeout ?
  <1-1000>  Wait time (default 5 seconds)

Radius Dead-timer configuration:

TEST-1861(config)#radius-server deadtime ?
  <1-1440>  time in minutes

TEST-1861(config)#radius-server dead-criteria ?
  time   The time during which no properly formed 
         response must be recieved from the RADIUS server
  tries  The number of times the router must fail 
         to receive a response from the radius server
         to mark it as dead

TEST-1861(config)#radius-server dead-criteria time ?
  <1-120>  Time in seconds during which no response must
  be received from the RADIUS server in order to consider it dead

TEST-1861(config)#radius-server dead-criteria tries ?
  <1-100>  Number of transmits to radius server without 
  responses before marking server as dead

Related Solutions

Cisco – AAA/TACACS+ password on Cisco switch always fails at second password prompt

I would do a debug on your TACACS+ server while you are trying this.

I'll assume that you only want to use TACACS authentication and only fall-back to local logins if it can't access the server?

Try using this:
aaa authentication login default group tacacs+ line aaa authentication enable default group tacacs+ enable

Also see this site: It has some good examples and explanations

http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i13896_heada_4_2#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTA1OTY1MjcyMjUlMkZpNTAzNjNfX2hlYWRhX180XzEmcXVlcnk9

My guess is that since you have the "local" keyword in:
aaa authentication login default group tacacs+ local line

The TACACS+ authentication returns a fail, so the router tries doing local authentication. I guess you should provide us with the line vty sanitized configuration. If you have
line vty 0 15 login local

Then it would do a username/password authentication otherwise its doing password

Cisco ASA 5585 SSH LDAP Authentication

EDIT: Oops, I just re-read your question and I believe you are hoping to limit who can SSH to your ASA using the "ldap-attribute-map". As far as I know, the LDAP Attribute Map feature is only used for modifying VPN access, not management access to the ASA itself. I'll leave my original answer below in case you (or anyone else) finds it helpful)

The LDAP attribute map allows you to 'override' policies that are inherited from the "default-group-policy" command in the tunnel group for this particular VPN. So in essence, what you need to do is have it so the default-group-policy allows no access, but group-policy 6 allows full access (or whatever access you desire).

Without seeing the rest of your configuration, its hard to give you exact configurations you will need, but here is an effective summary:

tunnel-group TG-SVC-VPN type remote-access
tunnel-group TG-SVC-VPN general-attributes
  authentication-server-group LDAP_mybusinessda
  default-group-policy GP-SVC-NO-ACCESS
tunnel-group TG-SVC-VPN webvpn-attributes
  group-alias Default enable

group-policy GP-SVC-NO-ACCESS internal
group-policy GP-SVC-NO-ACCESS attributes
  vpn-simultaneous-logins 0

group-policy 6 internal
group-policy 6 attributes
  vpn-simultaneous-logins 1
  [vpn-filter ...]
  [ip pool ...]
  [etc]

This will make it so that anyone that authenticates against your tunnel group is not allowed to connect... EXCEPT if they match your LDAP attribute map which overrides the "simultaneous logins" setting from 0 to 1.

Best Answer

Related Solutions

Cisco – AAA/TACACS+ password on Cisco switch always fails at second password prompt

Cisco ASA 5585 SSH LDAP Authentication

Related Topic