I enter the command "copy start tftp://1.2.3.4/name" and hit enter, and the
IOS sends: command "copy", first argument "startup-config", second argument
"<cr>".
From: Pavel Bykov [mailto:slidersv_at_gmail.com]
Sent: Thursday, April 16, 2009 12:44 AM
To: Mohammad Eslami
Cc: ccielab_at_groupstudy.com
Subject: Re: Command Authorization Problem
Well, how are you entering your command?
<CR> is a carriage return, or enter on keyboards.
You need to enter your command like this:
"copy start tftp://1.2.3.4/name"
and NOT like this:
"
copy start tftp:
1.2.3.4
name
"
On Fri, Apr 10, 2009 at 6:37 PM, Mohammad Eslami <mohamadeslami_at_gmail.com>
wrote:
Hi Group,
I'm trying to configure command authorization using ACS for the "copy
startup tftp:" exec command, but the IOS sends the <cr> as the argument
instead of tftp: to the ACS Server:
debug aaa authorization turned on
R8#copy startup tftp:
Command authorization failed.
*Apr 5 00:02:36.067: AAA: parse name=tty3 idb type=-1 tty=-1
*Apr 5 00:02:36.067: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
*Apr 5 00:02:36.067: AAA/MEMORY: create_user (0x83B37358) user='user1' ruser='R8' ds0=0 port='tty3' rem_addr='192.168.0.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): Port='tty3' list='TAC' service=CMD
*Apr 5 00:02:36.067: AAA/AUTHOR/CMD: tty3(2859225967) user='user1'
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV service=shell
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd-arg=startup-config
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd-arg=<cr>
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): found list "TAC"
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): Method=tacacs+ (tacacs+)
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): user=user1
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV service=shell
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd-arg=startup-config
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd-arg=<cr>
*Apr 5 00:02:36.271: AAA/AUTHOR (2859225967): Post authorization status = FAIL
*Apr 5 00:02:36.271: AAA/MEMORY: free_user (0x83B37358) user='user1' ruser='R8' port='tty3' rem_addr='192.168.0.10' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
On the router the aaa has been configured as follows:
!
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
tacacs-server host 192.168.0.12 key cisco
!
Any help will be greatly appreciated,
Regards
Mohammad
Received on Fri Apr 17 2009 - 18:10:07 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:12 ART
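One way to pull the command and arguments that IOS actually sent out of `debug aaa authorization` output like that quoted in this thread, so the server-side rule can be compared against them. This is an added example, not part of the original messages; the function names are made up for illustration, and the sample lines are taken from the thread's debug output, including the mail line wrap.

```python
import re

# Sample input: lines in the format of the debug output quoted in the thread,
# including the mail line wrap that splits "send AV" from its attribute.
SAMPLE = """\
*Apr 5 00:02:36.067: tty3 AAA/AUTHOR/CMD(2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): user=user1
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV service=shell
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd=copy
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV
cmd-arg=startup-config
*Apr 5 00:02:36.067: AAA/AUTHOR/TAC+: (2859225967): send AV cmd-arg=<cr>
*Apr 5 00:02:36.271: AAA/AUTHOR (2859225967): Post authorization status =
FAIL
"""

TAC_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): (?:user=(\S+)|send AV ([\w-]+)=(.*))$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

def unwrap(text):
    """Rejoin wrapped continuation lines onto the timestamped line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("*") or not lines:
            lines.append(raw.strip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def parse_requests(text):
    """Return {request_id: {user, cmd, args, status}} from the TAC+ lines only.
    The AAA/AUTHOR/CMD lines repeat the same AV pairs and are skipped."""
    reqs = {}
    for line in unwrap(text):
        tac, status = TAC_RE.search(line), STATUS_RE.search(line)
        if tac:
            req = reqs.setdefault(tac.group(1), {"user": None, "cmd": None, "args": [], "status": None})
            if tac.group(2):
                req["user"] = tac.group(2)
            elif tac.group(3) == "cmd":
                req["cmd"] = tac.group(4)
            elif tac.group(3) == "cmd-arg":
                req["args"].append(tac.group(4))
        elif status and status.group(1) in reqs:
            reqs[status.group(1)]["status"] = status.group(2)
    return reqs

def command_line(req):
    """The command and arguments as the TACACS+ server receives them."""
    return " ".join([req["cmd"] or ""] + req["args"])
```

For the sample, `command_line` gives `copy startup-config <cr>`: the abbreviation `startup` arrives expanded and `tftp:` is not among the arguments, which is the string a rule on the server has to be checked against.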