[c-nsp] TACACS+ exec authorisation not working on Cisco 2960CG

Sam Stickland sam at spacething.org
Wed Jul 30 08:39:46 EDT 2014


Hi,

I have a very simple TACACS+ configuration that is still using the local
enable secret and not the TACACS server:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common

tacacs-server host x.x.x.x key 7 XXXXX
tacacs-server directed-request

With this configuration I can login using the username and password
database of the TACACS server, but to enable I have to use the local secret.

Checking "show tacacs" from a concurrent session shows the total packets
sent incrementing for a login, but not for "enable". Checking via Wireshark
on the TACACS server confirms this.

I'm really stumped. Why does it not talk to the TACACS server for
exec/enable?

This is a debug for a failed "enable" attempt:

pub#show debug
General OS:
  TACACS access control debugging is on
  TACACS+ events debugging is on
  TACACS+ authorization debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
#

002046: *Mar  1 01:21:22.951 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
002047: *Mar  1 01:21:22.951 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
slot=0 adapter=0 port=6 channel=0
002048: *Mar  1 01:21:22.951 UTC: AAA/MEMORY: create_user (0x3D24224)
user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
002049: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
port='tty6' list='' action=LOGIN service=ENABLE
002050: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
non-console enable - default to enable password
pub#
002051: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
Method=ENABLE
002052: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN (2841968976): status = GETPASS
pub#
002053: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
continue_login (user='(undef)')
002054: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN (2841968976): status = GETPASS
002055: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
Method=ENABLE
002056: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): password
incorrect
002057: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): status = FAIL
002058: *Mar  1 01:21:26.159 UTC: AAA/MEMORY: free_user (0x3D24224)
user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE

And this is a debug for a successful attempt (using the local enable secret):

002059: *Mar  1 01:22:16.202 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
002060: *Mar  1 01:22:16.202 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
slot=0 adapter=0 port=6 channel=0
002061: *Mar  1 01:22:16.202 UTC: AAA/MEMORY: create_user (0x3D24224)
user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
002062: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
port='tty6' list='' action=LOGIN service=ENABLE
002063: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
non-console enable - default to enable password
pub#
002064: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
Method=ENABLE
002065: *Mar  1 01:22:16.208 UTC: AAA/AUTHEN (3792887694): status = GETPASS
pub#
002066: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
continue_login (user='(undef)')
002067: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN (3792887694): status = GETPASS
002068: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
Method=ENABLE
002069: *Mar  1 01:22:19.306 UTC: AAA/AUTHEN (3792887694): status = PASS
002070: *Mar  1 01:22:19.306 UTC: AAA/MEMORY: free_user (0x3D24224)
user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE priv=15

Neither of these appears to be trying the TACACS server, but the line:

aaa authorization exec default group tacacs+ local

is configured!

Confuzzled.

Regards,

Sam
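An added example, not from the post or from Cisco: a small Python audit of AAA lines like the ones above. It assumes the IOS behaviour that the `enable` prompt is governed only by `aaa authentication enable` (exec authorisation runs when the shell starts, not at `enable`), and the extra method-list line in the fixed config is an assumption, not something the post shows.

```python
import re

# Constructed sample: the post's AAA lines, host/key replaced by placeholders.
# Exec authorisation goes to TACACS+; there is no method list for 'enable'.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common
tacacs-server host 192.0.2.10 key 7 PLACEHOLDER
tacacs-server directed-request
"""

# Assumed fix (not from the post): try TACACS+ for 'enable', then the local secret.
FIXED_CONFIG = POSTED_CONFIG + "aaa authentication enable default group tacacs+ enable\n"

AAA_LINE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$")

def split_methods(text):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out

def parse_aaa(config):
    """Map (function, service, list-name) -> ordered method list."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            func, service, name, methods = m.groups()
            lists[(func, service, name)] = split_methods(methods)
    return lists

def enable_auth_methods(config):
    """Methods IOS consults when a non-console user types 'enable'. Assumed IOS
    behaviour: only 'aaa authentication enable' governs that prompt (exec
    authorisation runs at shell start); with no such list IOS falls back to the
    local enable secret ('default to enable password' in the debug)."""
    return parse_aaa(config).get(("authentication", "enable", "default"), ["enable"])

def enable_reaches_server(config):
    """True when 'enable' is checked against at least one AAA server group."""
    return any(m.startswith("group ") for m in enable_auth_methods(config))
```

Run against the posted config the audit reports that `enable` is checked only by the local secret, which matches the debug output in the post.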
