[c-nsp] Very Strange AAA behaviour in a 3750 stack

Nic Tjirkalli nic.tjirkalli at za.verizonbusiness.com
Thu Aug 7 07:52:30 EDT 2008


howdy ho,

> Hi all,
>
> I have a strange behaviour here with two 3750 stacks.
>
> My AAA config is...
>
> aaa group server tacacs+ tac-plus
> server 10.10.10.10
> !
> aaa authentication attempts login 2
> aaa authentication login default group tacacs+ local-case
> aaa authentication login console group tacacs+ local-case
> aaa authorization exec default group tacacs+ local
> aaa authorization network default group tacacs+ local
> aaa accounting send stop-record authentication failure vrf default
> aaa accounting suppress null-username
> aaa accounting update newinfo jitter maximum 0
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> !
> tacacs-server host 10.10.10.10 single-connection
> tacacs-server timeout 10
> no tacacs-server directed-request
> tacacs-server key 7 xxxx
> !
> line con 0
> exec-timeout 15 0
> logging synchronous
> line vty 0 4
> access-class 1 in
> exec-timeout 15 0
> logging synchronous
> transport input telnet ssh
> line vty 5 15
> access-class 1 in
> exec-timeout 15 0
> logging synchronous
> transport input telnet ssh
>
> The TACACS software is "tac-plus F4.0.4.alpha-12" running on a Linux
> box.
>
> The configuration is quite simple:
>
> $ cat /etc/tac-plus/tacacs.conf
> accounting file = /var/log/tac-plus/account
> # default authorization = permit
>
> key = xxxx
>
> user = DEFAULT {
> default service = permit
> }
>
> user = myuser {
> name = "Uh"
> member = oper3
> login = des blablablabla
> service = exec {}
> service = shell {}
maybe add
   default service = permit
here
> }
>
>

If that fails, maybe try adding to the AAA config of the box:
aaa authorization commands 1 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated

good luck

> That configuration is working perfectly in 2950 and 2960 switches but
> not in 3750 stacks.
> I am only able to get access by SSH.
> Telnet reports "authorization failed"; I did a debug but I didn't find
> the reason.
> But that is not the end of the story: if I am logged in to the 3750 stack
> with an SSH session I am able to telnet to it and use my TACACS
> credentials without problems.
>
> I have the same behaviour in two 3750 stacks: one of them is running
> c3750-advipservicesk9-mz.122-44.SE2 and the other stack is running
> c3750-ipservicesk9-mz.122-44.SE1.
>
> I haven't yet reviewed the open and resolved caveats for the next releases
> of that IOS (if there is a new release), nor can I remember seeing any
> issue with AAA when I checked both release notes.
>
> Any comment will be appreciated.
>
> Thanks.
>
>
>


---------------------------------------------------------------------
It is easier to fight for one's principles than to live up to them

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team
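The reply's suggestion applied to the poster's tacacs.conf, as an added example that is not from either poster. The oper3 group stanza and its priv-lvl attribute are assumptions, since the thread never shows that group; the key stays the thread's placeholder.

```conf
# /etc/tac-plus/tacacs.conf (added example, not the poster's file)
accounting file = /var/log/tac-plus/account

key = xxxx                      # placeholder, as in the thread

# Users with no stanza of their own fall back to this entry (from the thread).
user = DEFAULT {
    default service = permit
}

# Group referenced by "member = oper3" but not shown in the thread; assumed here.
group = oper3 {
    # Permit services the NAS requests that are not explicitly configured
    # for members of this group. Without it, a service the server does not
    # list is denied, which IOS reports to the user as "authorization failed".
    default service = permit
    service = exec {
        priv-lvl = 15           # assumed: drop straight to enable level
    }
}

user = myuser {
    name = "Uh"
    member = oper3
    login = des blablablabla
    # Per-user fallback as suggested in the reply; the group-level line
    # above already covers this user, so keep whichever matches how
    # tightly you want authorization scoped.
    default service = permit
    service = exec {}
    service = shell {}
}
```

Note that "default service = permit" on the DEFAULT user hands every authenticated account whatever it asks for, so the accounting file is the only record of what they did; scoping it to a group keeps the exec policy explicit.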
