[c-nsp] Very Strange AAA behaviour in a 3750 stack

luismi asturluismi at gmail.com
Thu Aug 7 06:55:47 EDT 2008


Hi all,

I have a strange behaviour here with two 3750 stacks.

My AAA config is...

aaa group server tacacs+ tac-plus
 server 10.10.10.10
!
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local-case
aaa authentication login console group tacacs+ local-case
aaa authorization exec default group tacacs+ local 
aaa authorization network default group tacacs+ local 
aaa accounting send stop-record authentication failure vrf default
aaa accounting suppress null-username
aaa accounting update newinfo jitter maximum 0
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host 10.10.10.10 single-connection
tacacs-server timeout 10
no tacacs-server directed-request
tacacs-server key 7 xxxx
!
line con 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh

The TACACs software is "tac-plus F4.0.4.alpha-12" running on a Linux
box.

The configuration is quite simple:

$ cat /etc/tac-plus/tacacs.conf
accounting file = /var/log/tac-plus/account
# default authorization = permit

key = xxxx

user = DEFAULT {
default service = permit
}

user = myuser {
 name = "Uh"
 member = oper3
 login = des blablablabla
 service = exec {}
 service = shell {}
}


That configuration is working perfectly on 2950 and 2960 switches but
not on 3750 stacks.
I am only able to get access by ssh.
Telnet reports "authorization failed"; I did a debug but I didn't find
the reason.
But that is not the end of the story: if I am logged in to the 3750 stack
with an ssh session, I am able to telnet to it and use my TACACs
credentials without problems.

I have the same behaviour in two 3750 stacks; one of them is running
c3750-advipservicesk9-mz.122-44.SE2 and the other stack is running
c3750-ipservicesk9-mz.122-44.SE1.

I haven't yet reviewed the open and resolved caveats for the next releases
of that IOS (if there is a new release), nor can I remember seeing
any issue with AAA when I checked both "release notes".

Any comment will be appreciated.

Thanks.
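One thing worth checking before digging into caveats is which AAA method list each line actually uses. The following Python is an added example, not code from the post or from tac-plus: it parses a constructed excerpt of the IOS config above and reports named lists that are defined globally but never bound to any line (a line without an explicit `login authentication` / `authorization exec` command falls back to the `default` list).

```python
import re

# Constructed excerpt of the AAA and line sections from the post above.
RUNNING_CONFIG = """\
aaa authentication login default group tacacs+ local-case
aaa authentication login console group tacacs+ local-case
aaa authorization exec default group tacacs+ local
line con 0
 exec-timeout 15 0
line vty 0 4
 access-class 1 in
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 transport input telnet ssh
"""

AAA_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) ")
LINE_RE = re.compile(r"^line (\S.*)$")


def audit_aaa_lists(config):
    """Return (lists, bindings): named method lists defined globally, and
    for every 'line' block which list the line really uses."""
    lists = {"authentication login": set(), "authorization exec": set()}
    bindings = {}
    current = None
    for raw in config.splitlines():
        m = AAA_RE.match(raw)
        if m:
            lists[m.group(1)].add(m.group(2))
            continue
        m = LINE_RE.match(raw)
        if m:
            current = m.group(1)
            # No explicit binding yet: IOS uses the 'default' list.
            bindings[current] = {"authentication login": "default",
                                 "authorization exec": "default"}
            continue
        if current and raw.startswith(" "):
            w = raw.split()
            if len(w) == 3 and w[:2] == ["login", "authentication"]:
                bindings[current]["authentication login"] = w[2]
            elif len(w) == 3 and w[:2] == ["authorization", "exec"]:
                bindings[current]["authorization exec"] = w[2]
    return lists, bindings


def unbound_lists(config):
    """Named lists (other than 'default') that no line references."""
    lists, bindings = audit_aaa_lists(config)
    used = {(k, v) for b in bindings.values() for k, v in b.items()}
    return sorted((k, n) for k, names in lists.items() for n in names
                  if n != "default" and (k, n) not in used)
```

On the posted config this reports the `console` login list as unbound: `line con 0` carries no `login authentication console`, so the console, like the vty lines, is authenticating against `default`.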
