From: Keith Barker (kbarker@ccbootcamp.com)
Date: Mon Mar 09 2009 - 13:04:40 ARST
Edouard-
When you set the command authorization to use the local database with the command:
aaa authorization commands 2 default local
All the commands assigned to priv level 2 will cause the router to check the local database for authorization (looking for the user in the local database) before allowing the command to be run. Earlier in your config you assigned the show command to level 2. That would be consistent with the output.
Best wishes-
Keith Barker
CCIE #6783 (R&S / Security)
CCSI #21763
Instructor
CCBOOTCAMP - Cisco Learning Partner (CLP)
702.968.5100 Office
877.654.2243 Toll Free
702.446.0357 Fax
KBarker@ccbootcamp.com
www.ccbootcamp.com (Cisco Training and Advanced Technology Rental Racks)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Edouard Zorrilla
Sent: Saturday, March 07, 2009 4:34 PM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: AAA Authorization question !!!
Hi there,
I hope some of you can help me with this.
I have set up my router so that it can authenticate against TACACS and
authorize exec with TACACS also. So far so good:
Rack1R4#sh run | sec aaa
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CON0 none
aaa authorization exec default group tacacs+
aaa session-id common
Rack1R4#
Rack1R4(config)#do sh run | sec privilege
privilege exec level 2 show running-config
privilege exec level 2 show
privilege level 15
Rack1R4(config)#
From R5:
Rack1R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open
Username: ezorrilla-2
Password:
Rack1R4#sh privilege
Current privilege level is 2
Rack1R4#
Now, as soon as I enter the command "Rack1R4(config)#aaa authorization
commands 2 default local", I get the following error:
Rack1R4#sh ip int brief
% Authorization failed.
% Incomplete command.
Rack1R4#sh run
% Authorization failed.
% Incomplete command.
Rack1R4#
Rack1R4(config)#
Mar 7 19:26:23.069: AAA: parse name=tty322 idb type=-1 tty=-1
Mar 7 19:26:23.069: AAA: name=tty322 flags=0x11 type=5 shelf=0 slot=0
adapter=0 port=322 channel=0
Mar 7 19:26:23.069: AAA/MEMORY: create_user (0x473AD3B4) user='ezorrilla-2'
ruser='Rack1R4' ds0=0 port='tty322' rem_addr='132.1.45.5' authen_type=ASCII
service=NONE priv=2 initial_task_id='0', vrf= (id=0)
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): Port='tty322' list=''
service=CMD
Mar 7 19:26:23.069: AAA/AUTHOR/CMD: tty322(1930842668) user='ezorrilla-2'
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV service=shell
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd=show
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV
cmd-arg=running-config
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd-arg=<cr>
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): found list "default"
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): Metho
Rack1R4(configd=LOCAL
Mar 7 19:26:23.069: AAA/AUTHOR/LOCAL: no entry for ezorrilla-2
Mar 7 19:26:23.073: AAA/AUTHOR (1930842668): Post authorization status =
ERROR
Mar 7 19:26:23.073: tty322 AAA/AUTHOR/CMD(1930842668): Method=NOT_SET
Mar 7 19:26:23.073: tty322 AAA/AUTHOR/CMD(1930842668): no methods left to
try
Mar 7 19:26:23.073: AAA/AUTHOR (1930842668): Post authorization status =
ERROR
Mar 7 19:26:23.073: AAA/MEMORY: free_user (0x473AD3B4) user='ezorrilla-2'
ruser='Rack1R4' port='tty322' rem_addr='132.1.45.5' authen_type=ASCII
service=NONE priv=2 vrf= (id=0))#
Rack1R4(config)#
Debugs show me that ezorrilla-2 is not there, so as soon as I enter the
username it works:
Rack1R4(config)#username ezorrilla-2
Rack1R4(config)#
Telnet from R5:
Rack1R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open
Username: ezorrilla-2
Password:
Rack1R4#sh privilege
Current privilege level is 2
Rack1R4#
Rack1R4#sh run
Building configuration...
Current configuration : 173 bytes
<output-omitted>
Rack1R4#
Question: do I need to enter the username in global config so that "aaa
authorization commands 2 default local" can work? Is it not just about the
command? I guess it has nothing to do with the username.
I could be wrong. -:(
Any help would be appreciated,
Regards
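The configuration below applies Keith's explanation to the setup in this thread; it is an added example, not configuration posted by either author. The TACACS+-then-local fallback on the command method list and the placeholder secret are assumptions.

```cisco
! Added example (not from the thread). Local command authorization
! ("local" method) only succeeds if the user exists in the local
! database, so the level-2 user must be defined on the router itself.
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CON0 none
aaa authorization exec default group tacacs+
!
! Assumption: ask TACACS+ first for level-2 commands and fall back to
! the local database, rather than using "local" alone as in the thread.
aaa authorization commands 2 default group tacacs+ local
!
! Without this entry the debug shows "AAA/AUTHOR/LOCAL: no entry for
! ezorrilla-2" and every level-2 command returns "% Authorization failed."
! Replace <PLACEHOLDER-SECRET> with a real secret.
username ezorrilla-2 privilege 2 secret <PLACEHOLDER-SECRET>
!
! The show commands that were moved to privilege level 2 in the thread.
privilege exec level 2 show running-config
privilege exec level 2 show
!
! Verification from a telnet session as ezorrilla-2:
!   show privilege          -> Current privilege level is 2
!   debug aaa authorization -> the AAA/AUTHOR/CMD trace should no longer
!                              end in "no methods left to try"
```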
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART