RE: Problem with TACACS Authorization (Router - Cisco ACS)

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Thu, 11 Mar 2010 13:36:11 -0500

Edouard,

This really looks like you haven't checked exec shell in ACS for
authentication. Are you sure of it? Because it is upon the shell request that it
is failing.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, March 11, 2010 1:08 PM
To: Cisco certification; security_at_groupstudy.com
Subject: Problem with TACACS Authorization (Router - Cisco ACS)

Hi,

Have any of you seen this issue before? Let me tell you: I have set up the ACS
and also the router fine, so that it gets authenticated so far. The issue
appears when I enable authorization exec on the router. I have also enabled it
on the ACS within the "TACACS+ Settings", making sure that "privilege level" is
checked and with a value of 15. So far so good. The issue appears there: as soon
as I enable authorization exec I receive a message when I try to login:

login as: ez
Using keyboard-interactive authentication.
Password:
% Authorization failed

When I got that message I saw that I successfully passed the authentication on
the ACS: "03/11/2010 09:55:44 Authen OK ez", but I am unable to access the
router because of an "authorization failed" message. Performing some debugs on
the IOS, I got the following when I enabled "debug aaa authorization":

CA0272#
Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' - FAIL
Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
CA0272#

And when I enable "debug tacacs authorization", I get these messages:

CA0272#
Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for processing
Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220 from group tacacs+
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate connect on new 0
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec timeout
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes request
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the reply packet
CA0272#

The current device that I am using is:

0272#sh version | i IOS
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)

0272#sh inventory
NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
0272#

Also, I have realized that sometimes it works and sometimes it does not; it
seems to be a bug with the ACS, but I do not see on the web site any issue
related to my problem. I am using ACS Release 4.1(1) Build 23 Patch 4.

I have tested these devices without any configuration and it works fine, so I
could think that the problem is the config on the routers, but I get dropped by
the ACS, not by the router. I am not sure if the problem could be the ACS or
the routers themselves. Currently they already have DMVPN, CBAC and urlfilter
with WebSense Server enabled.

Let me know your thoughts.

Regards
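The exchange behind the "Sending AV service=shell" and "Sending AV cmd*" debug lines above, as an added example that is not part of the thread and is not IOS or ACS code: a toy TACACS+ (RFC 8907) authorization REQUEST/REPLY round trip in Python. The SERVER_POLICY dictionary is a constructed stand-in for the per-user "Shell (exec)" setting Tyson points at, not real ACS data, and the shared key, usernames, port, remote address and session id are made up.

```python
import hashlib
import struct

VERSION = 0xC0                      # major version 0xC, minor 0
TYPE_AUTHOR, METH_TACACSPLUS = 0x02, 0x06   # authorization packet; user was authenticated by TACACS+
AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01
STATUS_PASS_ADD = 0x01              # granted; server adds attributes such as priv-lvl
STATUS_FAIL = 0x10                  # shows up on the router as "Authorization FAILED"
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

# Constructed stand-in for the ACS user profile (the "Shell (exec)" checkbox
# and its privilege level); not ACS data.
SERVER_POLICY = {
    "ez": {"shell": False},
    "admin": {"shell": True, "priv_lvl": 15},
}

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5, XORed over the packet body."""
    sid = struct.pack("!I", session_id)
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        out += prev
    return out[:length]

def obfuscate(body, session_id, key, seq_no):
    # plain XOR, so applying it twice restores the clear body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def packet(body, session_id, key, seq_no):
    hdr = HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def unpack(pkt, key):
    _, _, seq_no, _, session_id, length = HEADER.unpack(pkt[:12])
    return session_id, seq_no, obfuscate(pkt[12:12 + length], session_id, key, seq_no)

def take(body, pos, lens):
    # read consecutive fields of the given lengths; returns (fields, new pos)
    fields = []
    for n in lens:
        fields.append(body[pos:pos + n].decode())
        pos += n
    return fields, pos

def build_author_request(user, args, session_id, key, port=b"tty1", rem_addr=b"10.0.0.1"):
    """Router -> server, RFC 8907 section 6.1; seq_no 1 opens the session."""
    u, a = user.encode(), [x.encode() for x in args]
    body = bytes([METH_TACACSPLUS, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                  len(u), len(port), len(rem_addr), len(a)])
    body += bytes(len(x) for x in a) + u + port + rem_addr + b"".join(a)
    return packet(body, session_id, key, 1)

def parse_author_request(pkt, key):
    session_id, seq_no, body = unpack(pkt, key)
    ulen, plen, rlen, argc = body[4:8]
    (user, _, _), pos = take(body, 8 + argc, (ulen, plen, rlen))
    args, _ = take(body, pos, body[8:8 + argc])
    return session_id, seq_no, user, args

def parse_av(arg):
    """Split an AV pair at its first '=' or '*' (the '*' form marks it optional)."""
    idx = min(i for i in (arg.find("="), arg.find("*")) if i >= 0)
    return arg[:idx], arg[idx + 1:]

def server_decide(user, args, policy=SERVER_POLICY):
    """Only the exec-start request (service=shell plus an empty cmd*) is modelled."""
    av = dict(map(parse_av, args))
    prof = policy.get(user, {})
    if av.get("service") == "shell" and av.get("cmd") == "" and prof.get("shell"):
        return STATUS_PASS_ADD, ["priv-lvl=%d" % prof["priv_lvl"]]
    return STATUS_FAIL, []

def build_author_reply(status, args, session_id, key, seq_no):
    """Server -> router, RFC 8907 section 6.2, with empty server_msg and data."""
    a = [x.encode() for x in args]
    body = bytes([status, len(a)]) + struct.pack("!HH", 0, 0)
    return packet(body + bytes(len(x) for x in a) + b"".join(a), session_id, key, seq_no)

def parse_author_reply(pkt, key):
    _, _, body = unpack(pkt, key)
    status, argc = body[0], body[1]
    msg_len, data_len = struct.unpack("!HH", body[2:6])
    args, _ = take(body, 6 + argc + msg_len + data_len, body[6:6 + argc])
    return status, args

def exec_authorization(user, key=b"s3cret-shared-key", session_id=0x1234ABCD):
    """One login with aaa authorization exec; key and session id are made up."""
    req = build_author_request(user, ["service=shell", "cmd*"], session_id, key)
    sid, seq, who, args = parse_author_request(req, key)      # server side
    status, reply_args = server_decide(who, args)
    rep = build_author_reply(status, reply_args, sid, key, seq + 1)
    status, reply_args = parse_author_reply(rep, key)         # back on the router
    if status == STATUS_PASS_ADD:
        return "exec granted", reply_args
    return "% Authorization failed", reply_args

if __name__ == "__main__":
    print(exec_authorization("ez"), exec_authorization("admin"))
```

Running it, user ez (no shell service in the profile) gets STATUS_FAIL back, which is the case the thread shows: authentication has already passed on the ACS, and it is this separate authorization reply that the router turns into "% Authorization failed". User admin gets PASS_ADD with priv-lvl=15, the value Edouard set. Because the router sends the same service=shell request on every login once authorization exec points at the tacacs+ group, a server that never grants the shell service locks every user out of exec, so keeping a local or if-authenticated fallback method on that list while changing ACS settings is the practical safeguard.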

Blogs and organic groups at http://www.ccie.net
Received on Thu Mar 11 2010 - 13:36:11 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART