Hi,
Have any of you seen this issue before? Let me tell you, I have set up the ACS
fine and also the router so that it gets authenticated so far. The issue
appears when I enable authorization exec on the router; I have also enabled it
on the ACS within the "TACACS+ Settings", making sure that "privilege level" is
checked and with a value of 15. So far so good. The issue appears there: as
soon as I enable authorization exec I receive a message when I try to login:
login as: ez
Using keyboard-interactive authentication.
Password:
% Authorization failed
When I got that message I saw that I successfully passed the authentication on
the ACS: "03/11/2010 09:55:44 Authen OK ez", but I am unable to access the
router because of an "authorization failed" message. Performing some debugs on
the IOS, I got the following when I enabled "debug aaa authorization":
CA0272#
Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' - FAIL
Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
CA0272#
And when I enable "debug tacacs authorization", I get this message:
CA0272#
Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for processing
Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220 from group tacacs+
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate connect on new 0
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec timeout
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes request
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the reply packet
CA0272#
The current device that I am using is :
0272#sh version | i IOS
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
0272#sh inventory
NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
0272#
Also I have realized that sometimes it works and sometimes it does not; it
seems to be a bug with the ACS, but I do not see on the web site any issue
related to my problem. I am using ACS Release 4.1(1) Build 23 Patch 4.
I have tested these devices without any configuration and it works fine, so I
could think that the problem is the config on the routers, but I get dropped by
the ACS, not by the router. I am not sure if the problem could be the ACS or
the routers themselves. Currently they already have DMVPN, CBAC and urlfilter
with WebSense Server enabled.
Let me know your thoughts.
Regards
Blogs and organic groups at http://www.ccie.net
Received on Thu Mar 11 2010 - 10:08:05 ART
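An added example, not code from the original post: a small Python triage script that parses the two IOS debug captures quoted above (a constructed sample reproduced inline, with the archive's wrapped lines re-joined) and pulls out the facts that matter for this kind of failure: which method list was picked and its result, the exec authorization verdict, the AV pairs sent (service=shell, cmd*), the user and the TACACS+ server. The regex patterns are assumptions derived from the line formats shown, not an official IOS log grammar.

```python
import re

# Constructed sample: the "debug aaa authorization" and "debug tacacs
# authorization" lines from the post, trimmed to what the parser uses.
SAMPLE = """\
Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' - FAIL
Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220 from group tacacs+
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes request
"""

# Timestamp prefix shared by every debug line (assumed format, as seen above).
TS = r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d \w+): "
PATTERNS = {
    "method_list": re.compile(TS + r"AAA/AUTHOR \((?P<sid>0x[0-9a-f]+)\): "
                              r"Pick method list '(?P<name>[^']+)' - (?P<result>\w+)"),
    "exec_result": re.compile(TS + r"AAA/AUTHOR/EXEC\((?P<sid>\d+)\): "
                              r"Authorization (?P<result>\w+)"),
    # "cmd*": the asterisk marks an optional TACACS+ attribute-value pair.
    "av": re.compile(TS + r"TPLUS: Sending AV (?P<av>.+)$"),
    "user": re.compile(TS + r"TPLUS: Authorization request created for "
                       r"(?P<req>\d+)\((?P<user>[^)]+)\)"),
    "server": re.compile(TS + r"TPLUS: using previously set server (?P<server>[\d.]+)"),
}

def triage(text):
    """Summarise one exec-authorization attempt from IOS debug output."""
    summary = {"avs": [], "exec_result": None, "method_list": None,
               "user": None, "server": None}
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if kind == "av":
                summary["avs"].append(m.group("av"))
            elif kind == "method_list":
                summary["method_list"] = (m.group("name"), m.group("result"))
            elif kind == "exec_result":
                summary["exec_result"] = m.group("result")
            else:  # "user" and "server" store their own named group
                summary[kind] = m.group(kind)
            break
    # Exec authorization (service=shell) is a separate request from
    # authentication: "Authen OK" on the server does not imply it succeeds.
    summary["exec_denied"] = (summary["exec_result"] == "FAILED"
                              and "service=shell" in summary["avs"])
    return summary
```

Running `triage(SAMPLE)` separates the authorization verdict from the authentication result, which is the distinction the post's "Authen OK" versus "% Authorization failed" hinges on.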