Re: Problem with TACACS Authorization (Router - Cisco ACS) from Edouard Zorrilla on 2010-03-12 (Ccielab archives 03/2010)

From: Edouard Zorrilla <ezorrilla_at_tsf.com.pe>
Date: Fri, 12 Mar 2010 10:20:32 -0800

For all you, the problem that I got was this bug :

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsf25057

Just FYI, then the problem was solved,

Regards

----- Original Message -----
From: "Sadiq Yakasai" <sadiqtanko_at_gmail.com>
To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
Cc: "Cisco certification" <ccielab_at_groupstudy.com>;
<security_at_groupstudy.com>
Sent: Thursday, March 11, 2010 10:16 AM
Subject: Re: Problem with TACACS Authorization (Router - Cisco ACS)

> Hi Ed,
>
> I know this is a basic question (so excuse me) but starting from basics to
> cover the ground well here :-)
>
> I take it you have also enabled "Shell (exec)" option after the "Priv lvl"
> as well on the User/Group profile, right?
>
> Thanks,
>
> On Thu, Mar 11, 2010 at 6:08 PM, Edouard Zorrilla
> <ezorrilla_at_tsf.com.pe>wrote:
>
>> Hi,
>>
>> Have any of you have seen this issue before ?. Let me tell you, I have
>> set
>> up
>> fine the ACS and also the router so that it get authenticated so far. The
>> issue appears when I enable authorization exec on the router, I have also
>> enabled it on the ACS within the "TACACS+ Settings", making sure that
>> "privilege level" is checked and with a value of 15. So far so good. The
>> issue
>> appears there, as soon as I enable authorization exec I receive a message
>> when
>> I try to login :
>>
>> login as: ez
>> Using keyboard-interactive authentication.
>> Password:
>> % Authorization failed
>>
>> When I got that message I saw that I successfully pass the authentication
>> on
>> the ACS : "03/11/2010 09:55:44 Authen OK ez ", but I am unable to access
>> the
>> router because a "authorization failed" message. Performing some debugs
>> on
>> the
>> IOS, I got the next when I enable "debug aaa authorization" :
>>
>>
>> CA0272#
>> Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
>> Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' -
>> FAIL
>> Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
>> CA0272#
>>
>> And when I enable "debug tacacs authorization", I got the message :
>>
>> CA0272#
>> Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for
>> processing
>> Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
>> Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
>> Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
>> Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
>> Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
>> Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220
>> from
>> group tacacs+
>> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate
>> connect on new 0
>> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec
>> timeout
>> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes
>> request
>> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the
>> reply
>> packet
>> CA0272#
>>
>> The current device that I am using is :
>>
>> 0272#sh version | i IOS
>> Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version
>> 12.4(24)T2, RELEASE SOFTWARE (fc2)
>>
>> 0272#sh inventory
>> NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
>> PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
>> 0272#
>>
>> Also I have realized that sometimes it works and sometimes it does not,
>> it
>> seems to be a bug with the ACS but I do not see on the web site any issue
>> related to my problem. I am using ACS Release 4.1(1) Build 23 Patch 4.
>>
>> I have tested this deveices with out any configuration and it works fine,
>> so I
>> could think that the problem is the config on the routers but I get
>> droped
>> by
>> the ACS not by the router. I am not sure if the problem could be the ACS
>> or
>> the routers theyself. Currently they have already enabled DMVPN , CBAC
>> and
>> urlfilter with WebSense Server.
>>
>> Let me know your thought.,
>>
>> Regards
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> CCIE #19963

Blogs and organic groups at http://www.ccie.net
Received on Fri Mar 12 2010 - 10:20:32 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART