Command Authorization Problem

From: Mohammad Eslami <mohamadeslami_at_gmail.com>
Date: Fri, 10 Apr 2009 20:07:37 +0330

Hi Group,

I'm trying to configure command authorization using ACS for the "copy
startup tftp:" exec command, but the IOS sends the <cr> as the argument
instead of tftp: to the ACS Server:

debug aaa authorization turned on

R8#copy startup tftp:
Command authorization failed.
 
*Apr 5 00:02:36.067: AAA: parse name=tty3 idb type=-1 tty=-1
*Apr 5 00:02:36.067: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0
adapter=0 port=3 channel=0
*Apr 5 00:02:36.067: AAA/MEMORY: create_user (0x83B37358) user='user1'
ruser='R8' ds0=0 port='tty3' rem_addr='192.168.0.10' authen_type=ASCII
service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): Port='tty3'
list='TAC' service=CMD
*Apr 5 00:02:36.067: AAA/AUTHOR/CMD: tty3(2859225967) user='user1'
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV service=shell
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV
cmd-arg=startup-config
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd-arg=<cr>
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): found list "TAC"
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): Method=tacacs+
(tacacs+)
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): user=user1
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV service=shell
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV
cmd-arg=startup-config
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd-arg=<cr>
*Apr 5 00:02:36.271: AAA/AUTHOR (2859225967): Post authorization status =
FAIL
*Apr 5 00:02:36.271: AAA/MEMORY: free_user (0x83B37358) user='user1'
ruser='R8' port='tty3' rem_addr='192.168.0.10' authen_type=ASCII
service=NONE priv=15 vrf= (id=0)

On the router, AAA has been configured as follows:

!
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
tacacs-server host 192.168.0.12 key cisco
!

Any help will be greatly appreciated,

Regards

Mohammad
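Added example, not part of the post and not Cisco or ACS code: a small Python parser over the debug output quoted above that rejoins records the mail client wrapped across lines, groups the AV pairs by AAA session id, and rebuilds the command string the TACACS+ server was actually asked to authorize together with the final status. The sample log is the post's own AAA/AUTHOR/CMD output; the TAC+ layer lines are left out because they repeat the same pairs.

```python
import re
from collections import defaultdict

# Sample taken from the post's debug output, kept with the mail-client
# line wraps so the unwrapping step is exercised.
DEBUG_LOG = """\
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): Port='tty3'
list='TAC' service=CMD
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV service=shell
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV
cmd-arg=startup-config
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd-arg=<cr>
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): Method=tacacs+
(tacacs+)
*Apr 5 00:02:36.271: AAA/AUTHOR (2859225967): Post authorization status =
FAIL
"""

TIMESTAMP = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+:")
SESSION = re.compile(r"\((\d+)\)")
AV_PAIR = re.compile(r"send AV (\S+?)=(.+)$")
STATUS = re.compile(r"Post authorization status = (\w+)")

def unwrap(text):
    # A line with no IOS timestamp is the tail of the previous record.
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_author_requests(text):
    # Group AV pairs and the final status by the numeric AAA session id.
    sessions = defaultdict(lambda: {"avpairs": [], "status": None})
    for rec in unwrap(text):
        sid = SESSION.search(rec)
        if not sid:
            continue
        av, st = AV_PAIR.search(rec), STATUS.search(rec)
        if av:
            sessions[sid.group(1)]["avpairs"].append((av.group(1), av.group(2)))
        if st:
            sessions[sid.group(1)]["status"] = st.group(1)
    return dict(sessions)

def command_as_sent(avpairs):
    # Rebuild the command line the server saw, in order; the trailing <cr>
    # is the argument IOS appends to mark the end of the command.
    return " ".join(v for a, v in avpairs if a in ("cmd", "cmd-arg"))
```

Comparing the rebuilt string with what was typed shows which tokens reached the server (here "startup-config" and the terminating "<cr>", but not "tftp:"), which is what has to match the command set on the ACS side.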

Blogs and organic groups at http://www.ccie.net
Received on Fri Apr 10 2009 - 20:07:37 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART