CPM RADIUS authentication failure

Article ID: 168096

Products

XOS

Issue/Introduction

CPM RADIUS authentication failure. When CPM authentication is configured with RADIUS servers and the RADIUS server is not reachable, the system might prompt twice for the password.

If the CPM is configured to use RADIUS servers and those servers suddenly become unavailable (this can happen if the box might NOT have access to the production RADIUS servers), the login sequence prompts a second time, for the local UNIX password, after the first attempt times out:

Unauthorized use is prohibited.
test_x40 login: admin
Password: <enter password, a pause occurs as RADIUS times out>
Password: <enter password again>

Last login: Thu Feb 16 05:43:55 on ttyS0
test_x40#

Cause

Eliminate the second authentication prompt so that clients won't fail to authenticate.

Resolution

This is inconvenient at best and, at worst, can cause SCP activities to time out before re-login if the client cannot handle a second PASSWORD call that arrives without an error. PAM can be set to try RADIUS first and then, if that fails, try the local UNIX password next without a secondary prompt.

  • Find the file /etc/pam.d/system-auth.

In that file, find this line:

auth sufficient /lib/security/pam_unix.so likeauth nullok

  • Change the line to this:

auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok

This alters PAM's behavior so that pam_unix uses the password already entered for a previous module in the stack first, instead of initiating a new password prompt.
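
The edit above as an added shell example (not vendor code) that applies the change idempotently, keeps a backup, and refuses to proceed unless a password-collecting module precedes pam_unix. The function names, the sample stack and the module name pam_radius_auth.so are assumptions; the article does not show the RADIUS line.

```shell
#!/bin/sh
# Added example (not vendor code). Run it on a copy of system-auth first.

# Constructed sample stack; the pam_radius_auth.so line is an assumption.
make_sample() {
    cat > "$1" <<'EOF'
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_radius_auth.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
EOF
}

# 0 if the pam_unix auth line in file $1 already has use_first_pass.
has_first_pass() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]use_first_pass([[:space:]]|$)' "$1"
}

# 0 if an auth line naming module $1 comes before pam_unix in file $2.
# use_first_pass makes pam_unix never prompt, so an earlier module must
# have collected the password or local logins are denied.
prompter_precedes() {
    awk -v mod="$1" '
        $1 != "auth"   { next }
        index($0, mod) { seen = 1 }
        /pam_unix\.so/ { found = seen ? 1 : 2; exit }
        END            { exit (found == 1 ? 0 : 1) }' "$2"
}

# Insert use_first_pass after pam_unix.so in file $1, keeping $1.bak.
add_use_first_pass() {
    file=$1 mod=$2
    has_first_pass "$file" && return 0      # already applied
    if ! prompter_precedes "$mod" "$file"; then
        echo "refusing: no $mod auth line before pam_unix in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    sed -E 's/^([[:space:]]*auth[[:space:]].*pam_unix\.so)([[:space:]]|$)/\1 use_first_pass\2/' \
        "$file.bak" > "$file" || return 1
    has_first_pass "$file"
}

# Demo on the constructed sample, never the live file.
tmp=$(mktemp -d)
make_sample "$tmp/system-auth"
add_use_first_pass "$tmp/system-auth" pam_radius_auth.so
grep pam_unix "$tmp/system-auth"
```

Keep an already authenticated session open while testing the edited file so that `system-auth.bak` can be restored if a login fails.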