Symptom
After upgrading a Nexus 9000 (N9k) from 6.1(2)I3(5) to 7.0(3)I2(2c), a logon that uses either the down-level (DOMAIN\USER) format or the User Principal Name (USER@DOMAIN) format fails. Other versions of code may be affected.
LINUX01a$ ssh 10.201.175.25 -l "aaa\nadmin"
User Access Verification
aaa\nadmin@10.201.175.25's password:
Permission denied, please try again.
From the log messages:
2016 Apr 20 19:48:44 513E.C.12-N9K-9 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user aaa\nadmin. Error 0x404a000a useradd: invalid user name 'aaa\nadmin' (50331648) - sshd[10113]
2016 Apr 20 19:48:44 513E.C.12-N9K-9 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user aaa\nadmin from 172.18.254.97 - sshd[10113]
This logon works prior to the upgrade.
Conditions
*After upgrading to 7.0(3)I2(2c), the down-level logon no longer works.
*TACACS+ or RADIUS configured.
*Seen when attempting a down-level logon or UPN logon.
Workaround
*Specifying only the user name works as expected.
*Note: the "nadmin" account is a Windows Active Directory (AD) domain account and not a local account on the switch.
LINUX01$ ssh 10.201.175.25 -l "nadmin"
User Access Verification
nadmin@10.201.175.25's password:
N9K#
*N9k also supports direct LDAP authentication:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0110.html
Neither of these workarounds is sufficient in every scenario.
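The log line in the Symptom section shows where the logon actually fails: after the AAA server accepts the credentials, the switch calls useradd to create a temporary local account under the raw AAA username, and useradd rejects any name containing a backslash or an at-sign. The script below is an added example, not part of this Cisco page and not NX-OS code; it reproduces that check and the bare-username workaround. It assumes the temporary-user step applies the portable username rule documented in useradd(8) for shadow-utils (a name must match [a-z_][a-z0-9_-]*[$]? and be at most 32 characters); the exact character set NX-OS accepts may differ, but a backslash or "@" fails under any such rule. The function names and the sample logon strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Cisco page, not NX-OS code).
# Models the "useradd: invalid user name" failure seen after the upgrade and the
# down-level/UPN -> bare-name reduction the workaround relies on.
# Assumption: the temporary-user step enforces the shadow-utils useradd(8) rule
#   ^[a-z_][a-z0-9_-]*[$]?$  and a 32-character maximum.

# Return 0 if NAME would be accepted by a strict useradd, 1 otherwise.
valid_unix_username() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 32 ] || return 1
    # printf %s does not interpret backslashes, so DOMAIN\user reaches grep intact.
    printf '%s\n' "$name" | grep -Eq '^[a-z_][a-z0-9_-]*\$?$'
}

# Reduce a down-level (DOMAIN\user) or UPN (user@domain) logon to the bare
# account name used in the workaround; a plain name is returned unchanged.
bare_username() {
    name=$1
    case "$name" in
        *\\*) name=${name##*\\} ;;   # DOMAIN\user  -> user
        *@*)  name=${name%%@*}  ;;   # user@domain  -> user
    esac
    printf '%s\n' "$name"
}

# Classify one logon string the way the upgraded switch would, and print the
# bare name to retry with when the string is rejected.
check_logon() {
    if valid_unix_username "$1"; then
        printf 'OK: %s\n' "$1"
        return 0
    fi
    printf 'REJECT: useradd: invalid user name %s (retry as: %s)\n' \
        "$1" "$(bare_username "$1")"
    return 1
}

# Constructed sample logons: plain name, down-level, UPN.
for n in nadmin 'aaa\nadmin' 'nadmin@ad.example.com'; do
    check_logon "$n" || true   # keep going after a rejected name
done
```

Run it with sh; the first name is accepted and the other two are rejected with "nadmin" suggested as the retry, which is exactly the workaround above. Note that sending the bare name only helps when the TACACS+ or RADIUS server can still map "nadmin" to the intended directory account (for example through a default domain); if the server needs the domain qualifier to disambiguate accounts, this workaround does not apply.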
Further Problem Description
*See following document for a description of these logon formats:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
*Other platforms (for example, Nexus 7000) are not affected by this.
*Write erase reload does not resolve issue.
*Deleting temporary user files from BASH does not resolve issue.