The problem with the TACACS authorization has been solved. I have just made
this change:
From:
tacacs-server host 10.128.0.220 single-connection key 7 055C515E731D1A5048544347
To:
tacacs-server host 10.128.0.220 key 7 055C515E731D1A5048544347
And now the exec authorization works with Test-stores: 10.118.105.1 and
10.118.108.1. It seems that multiplexing all packets over a single TCP
connection does not like the ACS Server. Let me know if we can deploy now the
"exec authorization" for devices on NMM (I guess Dwayne must approve the
change), with it comes many advantages that we already know.
Then we are talking regarding a bug issue I have already sent you.
Regards
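In Sadiq's trace further down, the router reads 12 header bytes, expects 17 bytes of data and ends up with a 29-byte reply carrying priv-lvl=2; that is exactly the size of an RFC 8907 authorization REPLY with one attribute-value pair. The Python below is an added example, not code from any poster or from Cisco: it builds and parses such a reply with the RFC's MD5 body obfuscation and exposes the header flag bit that the single-connection keyword toggles. The session id and shared key are constructed values.

```python
import hashlib
import struct

HEADER_FMT = "!BBBBII"  # RFC 8907 header: version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # the bit that "single-connection" sets
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    # MD5 keystream from RFC 8907 section 4.5; each block chains the previous one
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    # XOR the body with the pad; calling it again de-obfuscates
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_reply(session_id, key, seq_no, status, args, single_connect=False):
    # REPLY body: status, arg_cnt, server_msg_len, data_len, one length byte per
    # arg, then server_msg, data and the args themselves (RFC 8907 section 6.2)
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), 0, 0)
    body += bytes(len(a) for a in arg_bytes) + b"".join(arg_bytes)
    version = 0xC0  # major version 0xC, minor version 0
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_author_reply(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a complete TACACS+ authorization packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos, args = 6 + arg_cnt + msg_len + data_len, []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode(errors="replace"))
        pos += n
    if pos != len(body):  # wrong key or truncated body
        raise ValueError("body length mismatch")
    return {"status": status, "body_len": length, "args": args, "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG)}
```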
----- Original Message -----
From: Sadiq Yakasai
To: Tyson Scott
Cc: Edouard Zorrilla ; Cisco certification ; security_at_groupstudy.com
Sent: Friday, March 12, 2010 4:16 AM
Subject: Re: Problem with TACACS Authorization (Router - Cisco ACS)
Hi Ed,
I just ran a quick test for you on my setup (although ACS version is 4.2)
and IOS is below:
R3#
R3#sh ver | i IOS
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(20)T, RELEASE SOFTWARE (fc3)
R3#
*Mar 12 12:07:30.802: AAA/BIND(00000006): Bind i/f
*Mar 12 12:07:35.466: AAA/AUTHOR (0x6): Pick method list 'default'
*Mar 12 12:07:35.470: TPLUS: Queuing AAA Authorization request 6 for
processing
*Mar 12 12:07:35.470: TPLUS: processing authorization request id 6
*Mar 12 12:07:35.470: TPLUS: Protocol set to None .....Skipping
*Mar 12 12:07:35.470: TPLUS: Sending AV service=shell
*Mar 12 12:07:35.470: TPLUS: Sending AV cmd*
*Mar 12 12:07:35.470: TPLUS: Authorization request created for 6(USER2)
*Mar 12 12:07:35.470: TPLUS: using previously set server 10.0.0.100 from
group tacacs+
*Mar 12 12:07:35.474: TPLUS(00000006)/0/NB_WAIT/488DCC54: Started 5 sec
timeout
*Mar 12 12:07:35.490: TPLUS(00000006)/0/NB_WAIT: socket event 2
*Mar 12 12:07:35.490: TPLUS(00000006)/0/NB_WAIT: wrote entire 59 bytes
request
*Mar 12 12:07:35.490: TPLUS(00000006)/0/READ: socket event 1
*Mar 12 12:07:35.490: TPLUS(00000006)/0/READ: Would block while reading
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: socket event 1
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: read entire 12 header bytes
(expect 17 bytes data)
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: socket event 1
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: read entire 29 bytes response
*Mar 12 12:07:35.522: TPLUS(00000006)/0/488DCC54: Processing the reply
packet
*Mar 12 12:07:35.522: TPLUS: Processed AV priv-lvl=2
*Mar 12 12:07:35.522: TPLUS: received authorization response for 6: PASS
*Mar 12 12:07:35.526: AAA/AUTHOR/EXEC(00000006): processing AV cmd=
*Mar 12 12:07:35.526: AAA/AUTHOR/EXEC(00000006): processing AV priv-lvl=2
*Mar 12 12:07:35.526: AAA/AUTHOR/EXEC(00000006): Authorization successful
R3#
Looks strange, the only difference is that debug line you have highlighted.
Just another check, could it be that command authorization has been turned
on for the User/Group profile on ACS and something is getting sent down and
interfering with what's going on on the console? - just a thought!
Let us know please.
Sadiq
On Thu, Mar 11, 2010 at 6:36 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
Edouard,
This really looks to be that you haven't checked exec shell in ACS for
authentication. Are you sure of it because it is upon shell request that it
is failing.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, March 11, 2010 1:08 PM
To: Cisco certification; security_at_groupstudy.com
Subject: Problem with TACACS Authorization (Router - Cisco ACS)
Hi,
Have any of you seen this issue before? Let me tell you, I have set up
fine the ACS and also the router so that it gets authenticated so far. The
issue appears when I enable authorization exec on the router; I have also
enabled it on the ACS within the "TACACS+ Settings", making sure that
"privilege level" is checked and with a value of 15. So far so good. The
issue appears there: as soon as I enable authorization exec I receive a message
when I try to login:
login as: ez
Using keyboard-interactive authentication.
Password:
% Authorization failed
When I got that message I saw that I successfully passed the authentication
on the ACS: "03/11/2010 09:55:44 Authen OK ez", but I am unable to access the
router because of an "authorization failed" message. Performing some debugs
on the IOS, I got the following when I enable "debug aaa authorization":
CA0272#
Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' -
FAIL
Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
CA0272#
And when I enable "debug tacacs authorization", I got the message :
CA0272#
Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for
processing
Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220
from
group tacacs+
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate
connect on new 0
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec
timeout
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes
request
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the
reply
packet
CA0272#
The current device that I am using is :
0272#sh version | i IOS
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version
12.4(24)T2, RELEASE SOFTWARE (fc2)
0272#sh inventory
NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
0272#
Also I have realized that sometimes it works and sometimes it does not; it
seems to be a bug with the ACS but I do not see on the web site any issue
related to my problem. I am using ACS Release 4.1(1) Build 23 Patch 4.
I have tested these devices without any configuration and it works fine, so I
could think that the problem is the config on the routers, but I get dropped
by the ACS, not by the router. I am not sure if the problem could be the ACS
or the routers themselves. Currently they have already enabled DMVPN, CBAC
and urlfilter with WebSense Server.
Let me know your thoughts.
Regards
Blogs and organic groups at http://www.ccie.net
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
--
CCIE #19963
Received on Fri Mar 12 2010 - 10:23:13 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART