Re: Problem with TACACS Authorization (Router - Cisco ACS)

From: Edouard Zorrilla <ezorrilla_at_tsf.com.pe>
Date: Thu, 11 Mar 2010 10:26:50 -0800

Thanks for getting back to me.

That is right Sadiq, I have enabled not only "Privilege level" with a 15
value, but also the "Shell (exec)". You know that if I had enabled it,
it would go to the next one on the list. My config is:

CA0272(config)#do sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common
CA0272(config)#

If I add the username on the router it works:

0272(config)#username ez privilege 15 secret xxxxx
0272(config)#

Then:

CA0272#debug aaa authorization
AAA Authorization debugging is on
CA0272#debug tacacs authorization
TACACS+ authorization debugging is on
CA0272#
Mar 11 2010 10:23:24 PST: AAA/AUTHOR: auth_need : user= 'ez' ruser= 'CA0272'rem_addr= '10.128.2.90' priv= 15 list= '' AUTHOR-TYPE= 'command'
Mar 11 2010 10:23:29 PST: AAA/BIND(00000024): Bind i/f
Mar 11 2010 10:23:32 PST: AAA/AUTHOR (0x24): Pick method list 'default'
Mar 11 2010 10:23:32 PST: TPLUS: Queuing AAA Authorization request 36 for processing
Mar 11 2010 10:23:32 PST: TPLUS: processing authorization request id 36
Mar 11 2010 10:23:32 PST: TPLUS: Protocol set to None .....Skipping
Mar 11 2010 10:23:32 PST: TPLUS: Sending AV service=shell
Mar 11 2010 10:23:32 PST: TPLUS: Sending AV cmd*
Mar 11 2010 10:23:32 PST: TPLUS: Authorization request created for 36(ez)
Mar 11 2010 10:23:32 PST: TPLUS: using previously set server 10.128.0.220 from group tacacs+
Mar 11 2010 10:23:32 PST: TPLUS(00000024)/0/IDLE/845E37BC: got immediate connect on new 0
Mar 11 2010 10:23:32 PST: TPLUS(00000024)/0/WRITE/845E37BC: Started 5 sec timeout
Mar 11 2010 10:23:32 PST: TPLUS(00000024)/0/WRITE: wrote entire 56 bytes request
Mar 11 2010 10:23:32 PST: TPLUS(00000024)/0/845E37BC: Processing the reply packet
Mar 11 2010 10:23:32 PST: AAA/AUTHOR/EXEC(00000024): processing AV cmd=
Mar 11 2010 10:23:32 PST: AAA/AUTHOR/EXEC(00000024): processing AV priv-lvl=15
Mar 11 2010 10:23:32 PST: AAA/AUTHOR/EXEC(00000024): Authorization successful
CA0272#

So, it seems that the router receives an answer from the ACS that makes the
router go to the next one on the list.

Something that I have not seen before in the debugs is "got immediate
connect on new 0" when a router is getting authorization from the ACS. Have
any of you seen it when performing authorization?

Regards

  ----- Original Message -----
  From: Sadiq Yakasai
  To: Edouard Zorrilla
  Cc: Cisco certification ; security_at_groupstudy.com
  Sent: Thursday, March 11, 2010 10:16 AM
  Subject: Re: Problem with TACACS Authorization (Router - Cisco ACS)

  Hi Ed,

  I know this is a basic question (so excuse me) but starting from basics to
  cover the ground well here :-)

  I take it you have also enabled "Shell (exec)" option after the "Priv lvl"
  as well on the User/Group profile, right?

  Thanks,

  On Thu, Mar 11, 2010 at 6:08 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe>
wrote:

    Hi,

    Have any of you seen this issue before? Let me tell you: I have set up
    the ACS and also the router fine, so that it gets authenticated so far.
    The issue appears when I enable authorization exec on the router. I have
    also enabled it on the ACS within the "TACACS+ Settings", making sure
    that "privilege level" is checked and with a value of 15. So far so good.
    The issue appears there: as soon as I enable authorization exec I receive
    a message when I try to log in:

    login as: ez
    Using keyboard-interactive authentication.
    Password:
    % Authorization failed

    When I got that message I saw that I successfully passed the
    authentication on the ACS: "03/11/2010 09:55:44 Authen OK ez ", but I am
    unable to access the router because of an "authorization failed" message.
    Performing some debugs on the IOS, I got the following when I enable
    "debug aaa authorization":

    CA0272#
    Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
    Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' - FAIL
    Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
    CA0272#

    And when I enable "debug tacacs authorization", I got the message:

    CA0272#
    Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for processing
    Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
    Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
    Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
    Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
    Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
    Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220 from group tacacs+
    Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate connect on new 0
    Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec timeout
    Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes request
    Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the reply packet
    CA0272#

    The current device that I am using is:

    0272#sh version | i IOS
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)

    0272#sh inventory
    NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
    PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
    0272#

    Also I have realized that sometimes it works and sometimes it does not;
    it seems to be a bug with the ACS, but I do not see any issue related to
    my problem on the web site. I am using ACS Release 4.1(1) Build 23 Patch 4.

    I have tested these devices without any configuration and it works fine,
    so I could think that the problem is the config on the routers, but I get
    dropped by the ACS, not by the router. I am not sure if the problem could
    be the ACS or the routers themselves. Currently they already have DMVPN,
    CBAC and urlfilter with WebSense Server enabled.

    Let me know your thoughts.

    Regards

    Blogs and organic groups at http://www.ccie.net

    _______________________________________________________________________
    Subscription information may be found at:
    http://www.groupstudy.com/list/CCIELab.html

  --
  CCIE #19963
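The two `debug aaa authorization` captures in this thread (the failing exec authorization in the original post and the successful one after the local username was added) can be triaged mechanically. The following is an added example and not code from the thread or from Cisco: it groups the AAA/AUTHOR/EXEC lines by session id, records the attribute-value pairs the router processed from the reply, and reports each session's verdict. The sample lines are copied from the captures above; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: AAA/AUTHOR lines copied from the two debug captures in the
# thread, one failing exec authorization (session 0x15) and one succeeding
# after the local username was added (session 0x24).
SAMPLE_DEBUG = """\
Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' - FAIL
Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
Mar 11 2010 10:23:29 PST: AAA/BIND(00000024): Bind i/f
Mar 11 2010 10:23:32 PST: AAA/AUTHOR (0x24): Pick method list 'default'
Mar 11 2010 10:23:32 PST: AAA/AUTHOR/EXEC(00000024): processing AV cmd=
Mar 11 2010 10:23:32 PST: AAA/AUTHOR/EXEC(00000024): processing AV priv-lvl=15
Mar 11 2010 10:23:32 PST: AAA/AUTHOR/EXEC(00000024): Authorization successful
"""

# AAA/AUTHOR/EXEC(<8 hex digit session id>): <message>
EXEC_RE = re.compile(r"AAA/AUTHOR/EXEC\((?P<sid>[0-9A-Fa-f]{8})\): (?P<msg>.*)")
# "processing AV attr=value" lines show what the router accepted from the reply
AV_RE = re.compile(r"processing AV (?P<attr>[\w-]+)=(?P<val>.*)")


def summarize_exec_authorization(debug_text):
    """Map each AAA session id to the AV pairs it processed and its outcome."""
    sessions = defaultdict(lambda: {"avs": {}, "result": None})
    for line in debug_text.splitlines():
        m = EXEC_RE.search(line)
        if not m:
            continue  # BIND, TPLUS and method-list lines carry no verdict
        sess, msg = sessions[m.group("sid")], m.group("msg")
        av = AV_RE.match(msg)
        if av:
            sess["avs"][av.group("attr")] = av.group("val")
        elif msg.startswith("Authorization successful"):
            sess["result"] = "success"
        elif msg.startswith("Authorization FAILED"):
            sess["result"] = "failed"
    return dict(sessions)


def exec_priv_level(session):
    """Privilege level granted to the session, or None if no priv-lvl AV was processed."""
    lvl = session["avs"].get("priv-lvl")
    return int(lvl) if lvl is not None else None


def failed_sessions(summary):
    """Session ids denied an exec shell (in the thread, these also processed no AVs)."""
    return sorted(sid for sid, s in summary.items() if s["result"] == "failed")
```

Feeding a full `debug aaa authorization` capture to `summarize_exec_authorization` separates sessions where the router processed a `priv-lvl` from sessions that failed without ever receiving one, which is the distinction the two captures above illustrate.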

Received on Thu Mar 11 2010 - 10:26:50 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART