Modify common-auth-sonic to take care of case where no RADIUS servers are configured. (#14514)

#### Why I did it
Fixes #14277.

Fixes the inconsistent fallback behaviour for RADIUS authentication when AAA authentication is configured as "radius, local".

#### How I did it

Modified the common-auth-sonic.j2 template to make sure that when no RADIUS servers are configured (with the AAA authentication login method set to radius, local), the system falls back to local authentication successfully.

#### How to verify it

1. Configure authentication based on RADIUS and local:
   `config aaa authentication login radius local`

2. Configure an unreachable RADIUS server:
   `config radius add 6.6.6.6`

3. Try to log in to the switch with existing admin user credentials. This is successful.

4. Remove the RADIUS server configuration:
   `config radius delete 6.6.6.6`

5. Try to log in to the switch with admin user credentials. This is successful.
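As an added example (not SONiC code and not part of this PR), the following Python model of Linux-PAM `auth` stack control flow checks where the module order produced by the changed template fragment in the diff below lands for root and non-root users, with and without RADIUS servers configured. `render_fragment()` is a hand-written stand-in for the Jinja2 fragment, not the template itself; the `pam_unix.so` / `pam_deny.so` / `pam_exec.so` tail is an assumed stand-in for the local-authentication lines that follow the fragment in the real file (not shown on this page), sized so the fragment's jump counts land where its comments say; the server addresses are constructed sample values.

```python
"""Added example, not SONiC code: a small model of Linux-PAM 'auth' stack
control flow (ignore / ok / done / bad / die / N-jump), used to check where
the module order produced by the changed common-auth-sonic.j2 fragment lands
for root and non-root users, with and without RADIUS servers configured."""
import re

CONTROL_RE = re.compile(r"^auth\s+\[([^\]]+)\]\s+(\S+)\s*(.*)$")


def render_fragment(servers, failthrough=True):
    """Hand-written stand-in for the Jinja2 fragment in the diff (not the
    template). The pam_unix/pam_deny/pam_exec tail is an ASSUMED stand-in
    for the local-authentication lines that follow the fragment."""
    n = len(servers)
    lines = [
        # root skips all RADIUS lines; with none configured there is nothing
        # to skip, so the fix emits 'ok' instead of a zero jump count
        f"auth [success={n if n else 'ok'} default=ignore] pam_succeed_if.so user = root",
    ]
    for idx, ip in enumerate(servers):
        die = "" if failthrough else " auth_err=die"
        lines.append(
            f"auth [success={n + 1 - idx} new_authtok_reqd=done default=ignore{die}] "
            f"pam_radius_auth.so conf=/etc/pam_radius_auth.d/{ip}_1812.conf try_first_pass"
        )
    lines += [
        "auth [success=2 default=ignore] pam_unix.so try_first_pass",  # assumed local auth
        "auth [default=die] pam_deny.so",                              # assumed
        "auth [default=ignore] pam_exec.so /usr/sbin/cache_radius",    # assumed RADIUS-only step
    ]
    return lines


def parse_stack(lines):
    """Return (module, args, controls) tuples for bracket-style 'auth' lines."""
    mods = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTROL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported pam line: {line}")
        controls = dict(kv.split("=", 1) for kv in m.group(1).split())
        mods.append((m.group(2), m.group(3).split(), controls))
    return mods


def simulate(lines, outcome):
    """Walk the stack. outcome(module, args) returns the module's PAM return
    value name ('success', 'auth_err', 'authinfo_unavail', ...). Returns the
    stack result and the modules that actually ran. Non-'success' returns
    count as failures for 'ok'/'done', enough for the auth cases modelled."""
    mods = parse_stack(lines)
    result, i, executed = None, 0, []
    while i < len(mods):
        name, args, controls = mods[i]
        rc = outcome(name, args)
        executed.append(name)
        action = controls.get(rc, controls.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():              # N: behaves like 'ok' and skips N modules
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):
            if result != "failure":       # 'ok' never overrides an earlier failure
                result = "success" if rc == "success" else "failure"
            if action == "done":
                break
        elif action in ("bad", "die"):
            result = "failure"
            if action == "die":
                break
        else:
            raise ValueError(f"unknown control action: {action}")
    return result or "failure", executed


def scenario(user, servers, radius_rc, failthrough=True):
    """Render the fragment for `servers` and run it for `user`, with every
    RADIUS module returning `radius_rc` and local credentials assumed valid."""
    def outcome(name, args):
        if name == "pam_succeed_if.so":
            return "success" if user == "root" else "auth_err"
        if name == "pam_radius_auth.so":
            return radius_rc
        if name == "pam_deny.so":
            return "auth_err"
        return "success"                  # pam_unix (valid local password), pam_exec
    return simulate(render_fragment(servers, failthrough), outcome)


if __name__ == "__main__":
    servers = ["192.0.2.10", "192.0.2.11"]             # constructed sample addresses
    for label, args in [
        ("root, servers unreachable", ("root", servers, "authinfo_unavail")),
        ("admin, servers unreachable", ("admin", servers, "authinfo_unavail")),
        ("admin, no servers (the fix)", ("admin", [], "authinfo_unavail")),
        ("admin, RADIUS rejects, failthrough off", ("admin", servers, "auth_err", False)),
    ]:
        print(f"{label:40} -> {scenario(*args)}")
```

The interesting case is the empty server list: the root line renders with `success=ok`, the `for` loop emits nothing, and both root and non-root users continue straight into the local modules, which is the fallback the PR description asks for. With servers present, the same model shows root skipping every RADIUS line, an unreachable server falling through on `default=ignore`, and `auth_err=die` stopping the stack before local authentication when failthrough is off.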
shdasari 2023-04-07 00:44:01 +05:30 committed by GitHub
parent 63cee3ff3c
commit dd6659ae07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -40,7 +40,11 @@ auth [success=1 default=ignore] pam_exec.so /usr/sbin/cache_radius
{% elif auth['login'] == 'radius,local' %}
# root user can only be authenticated locally. Jump to local.
{% if servers | count %}
auth [success={{ (servers | count) }} default=ignore] pam_succeed_if.so user = root
{% else %}
auth [success=ok default=ignore] pam_succeed_if.so user = root
{% endif %}
# For the RADIUS servers, on success jump to the cache the MPL(Privilege)
{% for server in servers %}
auth [success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass
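Review bot: the two `pam_succeed_if.so` lines for root differ only in the `success=` control, so a single line with Jinja2's inline conditional, `auth [success={{ (servers | count) if servers | count else 'ok' }} default=ignore] pam_succeed_if.so user = root`, would avoid two copies that can drift apart. The existing comment `# root user can only be authenticated locally. Jump to local.` also no longer describes the `{% else %}` branch, where there is nothing to jump over and `ok` simply lets the stack continue into the local modules; a one-line template comment saying the branch exists to avoid emitting `success=0` when the server list is empty would record the intent of this fix for the next reader.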