Unable to log into an X-series after Radius has been configured


Article ID: 168118

Products

XOS

Issue/Introduction

PAM error when authenticating via Radius due to missing local account.

Unable to log into an X-series chassis after Radius is set up.

via ssh

Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: check pass; user unknown
Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.28.56.5

via telnet

Sep 6 15:38:34 EUDC1F002 login(pam_unix)[12067]: could not identify user (from getpwnam(testuser))
Sep 6 15:38:34 EUDC1F002 login[12067]: User not known to the underlying authentication module


At the same time, the Cisco ACS is reporting successful authentication.

Resolution

The username must be defined on the Crossbeam platform itself. If "testuser" is not fully defined and qualified on the Crossbeam (account, permissions, uid, etc.), then it cannot authenticate correctly via Radius: the Radius server accepts the credentials, but the local PAM stack cannot map the name to an account (the getpwnam failure in the log above).

A local user must be configured because different user levels with different permissions can be configured on Crossbeam. The user access permissions not only specify whether objects can be modified or not; they also affect things like Unix-level file permissions and audit logging.

Some network devices allow Radius-authenticated users without a local account configured, but these are often devices which have a simple set of access permissions and are not based on an operating system like XOS (Linux).
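A small triage script for these messages, added here as an illustration and not part of the article or of XOS itself: it parses pam_unix syslog lines like the ones above, flags PIDs whose failure is a missing local account (getpwnam / "user unknown") rather than an ordinary credential failure, and pulls out the username and rhost. The sample log is constructed from the lines quoted above plus one ordinary password failure for contrast.

```python
import re

# Constructed sample: the article's pam_unix lines plus one plain credential failure.
SAMPLE_LOG = """\
Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: check pass; user unknown
Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.28.56.5
Sep 6 15:38:34 EUDC1F002 login(pam_unix)[12067]: could not identify user (from getpwnam(testuser))
Sep 6 15:38:34 EUDC1F002 login[12067]: User not known to the underlying authentication module
Sep 6 15:50:01 EUDC1F002 sshd(pam_unix)[12101]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.0.0.9 user=admin
"""

# "Mon D HH:MM:SS host service(pam_unix)[pid]: message"; the (pam_unix) tag is optional.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<svc>[\w-]+)(\(pam_unix\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
GETPWNAM = re.compile(r"could not identify user \(from getpwnam\((?P<user>[^)]*)\)\)")
KV = re.compile(r"(\w+)=(\S*)")  # logname=, uid=, rhost=, user= ... (values may be empty)

def classify(line):
    """Return (pid, category, details) or None for lines that are not PAM events.
    category: 'missing_local_account' for getpwnam / unknown-user messages,
    'auth_failure' for a generic pam_unix failure line, otherwise 'other'."""
    m = HEADER.match(line)
    if not m:
        return None
    msg = m.group("msg")
    details = {"host": m.group("host"), "service": m.group("svc")}
    g = GETPWNAM.search(msg)
    if g:
        details["user"] = g.group("user")
        return m.group("pid"), "missing_local_account", details
    if "user unknown" in msg or "User not known" in msg:
        return m.group("pid"), "missing_local_account", details
    if msg.startswith("authentication failure"):
        details.update(KV.findall(msg))
        return m.group("pid"), "auth_failure", details
    return m.group("pid"), "other", details

def triage(log_text):
    """Group events per PID and return only the PIDs that failed because the
    account does not exist locally, the condition this article describes."""
    sessions = {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        pid, cat, details = rec
        s = sessions.setdefault(pid, {"missing_local_account": False,
                                      "service": details["service"]})
        if cat == "missing_local_account":
            s["missing_local_account"] = True
        if details.get("user"):
            s["user"] = details["user"]
        if details.get("rhost"):
            s["rhost"] = details["rhost"]
    return {pid: s for pid, s in sessions.items() if s["missing_local_account"]}
```

Running `triage(SAMPLE_LOG)` reports PIDs 12092 (ssh, rhost 172.28.56.5) and 12067 (telnet login, user testuser) and leaves out 12101, whose failure is a wrong password for an account that does exist.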

Workaround

N/A