[c-nsp] "aaa session-id [ common | unique ]" command in IOS

Martin T m4rtntns at gmail.com
Wed Jun 1 04:37:24 EDT 2016


Hi,

I have a Cisco ISR family router with IOS version 15.1 which has AAA
enabled. One of the "aaa" configuration commands is "aaa session-id
common", which according to Cisco documentation "ensures that all
session identification (ID) information that is sent out for a given
call will be made identical". However, when I check the debug output
of the TACACS+ server (pro-bono TACACS+ version 201603291913), the
session IDs change frequently. For example, here I telnet into the
router and provide the TACACS+ username and password:

4509: 10:53:08.264 0/e488579d: session id: 9d5788e4 data length: 24
4509: 10:53:08.264 0/e488579d: AUTHEN/START, priv_lvl=1
4509: 10:53:14.201 0/e488579d: session id: 9d5788e4 data length: 10
4509: 10:53:14.201 0/e488579d: AUTHEN/CONT user_msg_len=5, user_data_len=0
4509: 10:53:19.929 0/e488579d: session id: 9d5788e4 data length: 10
4509: 10:53:19.929 0/e488579d: AUTHEN/CONT user_msg_len=5, user_data_len=0
4509: 10:53:19.937 1/3fdc5a70: session id: 705adc3f data length: 48
4509: 10:53:19.937 1/3fdc5a70: AUTHOR priv_lvl=1 authen=1 method=tacacs+ (6) svc=1
4509: 10:53:19.950 2/69d08d1f: session id: 1f8dd069 data length: 69
4509: 10:53:19.950 2/69d08d1f: ACCT flags=0x2 method=6 priv_lvl=15 type=1 svc=1

As seen above, the authentication, authorization and accounting parts of
the process did not share the same session ID. The behavior is exactly
the same as in the case of "aaa session-id unique". In addition, if I
execute for example "sh run" three times, then again the accounting
session IDs change three times, both in the case of "aaa session-id
common" and "aaa session-id unique". In a nutshell, I'm not able to see
any difference between "aaa session-id common" and "aaa session-id
unique".

What exactly should this "aaa session-id common" do? I thought that it
keeps the same session ID throughout authentication, authorization and
accounting in order to associate sessions in TACACS+ log files easily.
Or at least keeps the same session ID per authentication,
authorization and accounting service.


thanks,
Martin
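As an added example (not part of Martin's post, and not code from pro-bono TACACS+ or Cisco), here is a small Python script that parses the debug lines quoted above and reports which TACACS+ packet types (AUTHEN, AUTHOR, ACCT) appeared under each session ID. Run on the posted output it yields three session IDs, each carrying exactly one phase, which is the "no shared ID" result the post describes; a daemon log where "aaa session-id common" behaved as the documentation suggests would instead show one ID carrying all three. It also checks an observation about the posted lines: the value after "session id:" in each header line is the ID from the N/xxxxxxxx prefix with its four bytes reversed (9d5788e4 versus e488579d), so both forms name the same session and a correlation tool must normalize one to the other. The regexes assume the exact line layout shown in the post; whether other pro-bono TACACS+ builds print the same layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines from the post above, copied verbatim
# (the wrapped AUTHOR line joined back into one line).
SAMPLE_DEBUG = """\
4509: 10:53:08.264 0/e488579d: session id: 9d5788e4 data length: 24
4509: 10:53:08.264 0/e488579d: AUTHEN/START, priv_lvl=1
4509: 10:53:14.201 0/e488579d: session id: 9d5788e4 data length: 10
4509: 10:53:14.201 0/e488579d: AUTHEN/CONT user_msg_len=5, user_data_len=0
4509: 10:53:19.929 0/e488579d: session id: 9d5788e4 data length: 10
4509: 10:53:19.929 0/e488579d: AUTHEN/CONT user_msg_len=5, user_data_len=0
4509: 10:53:19.937 1/3fdc5a70: session id: 705adc3f data length: 48
4509: 10:53:19.937 1/3fdc5a70: AUTHOR priv_lvl=1 authen=1 method=tacacs+ (6) svc=1
4509: 10:53:19.950 2/69d08d1f: session id: 1f8dd069 data length: 69
4509: 10:53:19.950 2/69d08d1f: ACCT flags=0x2 method=6 priv_lvl=15 type=1 svc=1
"""

# "<pid>: <hh:mm:ss.mmm> <conn>/<sessionid>: <body>" -- layout assumed from the post.
LINE_RE = re.compile(
    r"^(?P<pid>\d+): (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<conn>\d+)/(?P<sid>[0-9a-f]{8}): (?P<body>.*)$"
)
HDR_RE = re.compile(r"^session id: (?P<sid>[0-9a-f]{8}) data length: (?P<len>\d+)$")
PKT_RE = re.compile(r"^(?P<type>AUTHEN|AUTHOR|ACCT)\b")


def byteswap32(hex8):
    """Return an 8-hex-digit value with its four bytes in reverse order."""
    return bytes.fromhex(hex8)[::-1].hex()


def parse_debug(text):
    """Turn the daemon's per-packet debug lines into a list of records.

    Each record carries the session id from the line prefix; header lines
    ("session id: ... data length: ...") add body_sid/length, packet lines
    add ptype (AUTHEN, AUTHOR or ACCT). Lines that match neither are skipped.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"time": m["time"], "conn": int(m["conn"]), "sid": m["sid"]}
        h = HDR_RE.match(m["body"])
        if h:
            rec.update(kind="header", body_sid=h["sid"], length=int(h["len"]))
        else:
            p = PKT_RE.match(m["body"])
            if not p:
                continue
            rec.update(kind="packet", ptype=p["type"])
        records.append(rec)
    return records


def phases_by_session(records):
    """Map each prefix session id to the set of packet types seen under it."""
    phases = defaultdict(set)
    for r in records:
        if r["kind"] == "packet":
            phases[r["sid"]].add(r["ptype"])
    return dict(phases)


def session_id_is_common(records):
    """True if a single session id carries AUTHEN, AUTHOR and ACCT together;
    False if every phase ran under its own id, as in the posted output."""
    return any({"AUTHEN", "AUTHOR", "ACCT"} <= p
               for p in phases_by_session(records).values())


def header_ids_are_byteswapped(records):
    """Check that every header line's 'session id:' value is the prefix id
    with its bytes reversed (the relationship visible in the post)."""
    return all(r["body_sid"] == byteswap32(r["sid"])
               for r in records if r["kind"] == "header")


if __name__ == "__main__":
    recs = parse_debug(SAMPLE_DEBUG)
    for sid, phases in phases_by_session(recs).items():
        print(f"session {sid} ({byteswap32(sid)} in header): {sorted(phases)}")
    print("one id across AAA phases:", session_id_is_common(recs))
    print("header ids are byte-reversed prefix ids:", header_ids_are_byteswapped(recs))
```

To apply it to a live capture, feed the daemon's debug output to `parse_debug` instead of `SAMPLE_DEBUG`; `session_id_is_common` is the check to compare before and after toggling between "aaa session-id common" and "aaa session-id unique".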


More information about the cisco-nsp mailing list