[c-nsp] TACACS+ exec authorisation not working on Cisco 2960CG

Painting, Stuart Stuart.Painting at TheAA.com
Wed Jul 30 09:32:16 EDT 2014


Consider using the "aaa authentication enable ..." configuration command.

As an aside, only 4 "aaa" lines? Our standard configs have at least 11
"aaa" lines, and I thought ours were pretty cut-down...



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sam Stickland
Sent: 30 July 2014 13:40
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] TACACS+ exec authorisation not working on Cisco 2960CG

Hi,

I have a very simple TACACS+ configuration that is still using the local
enable secret and not the TACACS server:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common

tacacs-server host x.x.x.x key 7 XXXXX
tacacs-server directed-request

With this configuration I can login using the username and password
database of the TACACS server, but to enable I have to use the local secret.

Checking "show tacacs" from a concurrent session shows the total packets
sent incrementing for a login, but not for "enable". Checking via Wireshark
on the TACACS server confirms this.

I'm really stumped. Why does it not talk to the TACACS server for
exec/enable?

This is a debug for a failed "enable" attempt:

pub#show debug
General OS:
  TACACS access control debugging is on
  TACACS+ events debugging is on
  TACACS+ authorization debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
#

002046: *Mar  1 01:21:22.951 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
002047: *Mar  1 01:21:22.951 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
slot=0 adapter=0 port=6 channel=0
002048: *Mar  1 01:21:22.951 UTC: AAA/MEMORY: create_user (0x3D24224)
user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
002049: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
port='tty6' list='' action=LOGIN service=ENABLE
002050: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
non-console enable - default to enable password
pub#
002051: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
Method=ENABLE
002052: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN (2841968976): status = GETPASS
pub#
002053: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
continue_login (user='(undef)')
002054: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN (2841968976): status = GETPASS
002055: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
Method=ENABLE
002056: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): password
incorrect
002057: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): status = FAIL
002058: *Mar  1 01:21:26.159 UTC: AAA/MEMORY: free_user (0x3D24224)
user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE

And this is a debug for a success attempt (using the local enable secret):

002059: *Mar  1 01:22:16.202 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
002060: *Mar  1 01:22:16.202 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
slot=0 adapter=0 port=6 channel=0
002061: *Mar  1 01:22:16.202 UTC: AAA/MEMORY: create_user (0x3D24224)
user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
002062: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
port='tty6' list='' action=LOGIN service=ENABLE
002063: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
non-console enable - default to enable password
pub#
002064: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
Method=ENABLE
002065: *Mar  1 01:22:16.208 UTC: AAA/AUTHEN (3792887694): status = GETPASS
pub#
002066: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
continue_login (user='(undef)')
002067: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN (3792887694): status = GETPASS
002068: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
Method=ENABLE
002069: *Mar  1 01:22:19.306 UTC: AAA/AUTHEN (3792887694): status = PASS
002070: *Mar  1 01:22:19.306 UTC: AAA/MEMORY: free_user (0x3D24224)
user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
authen_type=ASCII service=ENABLE priv=15

Neither of these appears to be trying the TACACS server, but the line:

aaa authorization exec default group tacacs+ local

is configured!

Confuzzled.

Regards,

Sam
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
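The point of the reply above is that "enable" is authenticated by its own method list, `aaa authentication enable default ...`, and that `aaa authorization exec` governs the EXEC session (for example its privilege level), not the enable password check. With no enable list configured, IOS does exactly what the posted debug shows ("non-console enable - default to enable password") and never sends the request to TACACS+. The usual fix is `aaa authentication enable default group tacacs+ enable`, where the trailing `enable` keeps the local enable secret as a fallback that is consulted only when no TACACS+ server answers, not when a server rejects the password; the TACACS+ server must also be set up to answer an enable authentication (tac_plus, for instance, uses a per-user `enable` password or the `$enab15$` account). The following Python script is an added example, not code from the thread: it parses the default AAA method lists of an IOS configuration and reports this gap. The sample configurations are constructed (the first reproduces the posted one) and the finding codes and messages are this example's own.

```python
"""Audit the AAA section of a Cisco IOS running-config for the "enable" gap.

Added example, not from the mailing-list thread. It parses the default
method lists and reports whether privileged-EXEC ("enable") authentication
will be sent to a server group or will silently fall back to the local
enable password, which is what the posted debug output shows
("non-console enable - default to enable password").
"""
import re
from dataclasses import dataclass, field

# Matches e.g. "aaa authentication login default group tacacs+ local"
AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")


@dataclass
class AaaAudit:
    new_model: bool = False
    login_methods: list = field(default_factory=list)
    enable_methods: list = field(default_factory=list)
    exec_authz_methods: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # (code, message) pairs; codes are this example's own

    @property
    def codes(self) -> list:
        return [code for code, _ in self.findings]


def parse_methods(rest: str) -> list:
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    tokens = rest.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def uses_server_group(methods: list) -> bool:
    return any(m.startswith("group ") for m in methods)


def audit_aaa(config: str) -> AaaAudit:
    """Walk the config once, collect the default method lists, then judge them."""
    a = AaaAudit()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            a.new_model = True
            continue
        m = AAA_RE.match(line)
        if not m:
            continue
        kind, what, listname, rest = m.groups()
        if listname != "default":
            continue  # named lists must be bound to a line; out of scope for this check
        methods = parse_methods(rest)
        if (kind, what) == ("authentication", "login"):
            a.login_methods = methods
        elif (kind, what) == ("authentication", "enable"):
            a.enable_methods = methods
        elif (kind, what) == ("authorization", "exec"):
            a.exec_authz_methods = methods

    if not a.new_model and (a.login_methods or a.enable_methods):
        a.findings.append(("NO_NEW_MODEL",
                           "aaa method lists present but 'aaa new-model' is missing; they are ignored"))
    if uses_server_group(a.login_methods) and not a.enable_methods:
        a.findings.append(("ENABLE_NO_LIST",
                           "login goes to a server group but there is no 'aaa authentication enable' "
                           "list: IOS checks 'enable' against the local enable password only. "
                           "'aaa authorization exec' does not change this; it governs the EXEC "
                           "session, not the enable password check."))
    elif a.enable_methods and not uses_server_group(a.enable_methods):
        a.findings.append(("ENABLE_NO_GROUP",
                           "'aaa authentication enable' uses only local methods; the server is never asked"))
    elif uses_server_group(a.enable_methods) and a.enable_methods[-1] != "enable":
        a.findings.append(("ENABLE_NO_FALLBACK",
                           "no local 'enable' fallback: if every server is unreachable, enable fails "
                           "(later methods are tried only on server ERROR, not on a reject)"))
    return a


# Constructed samples: the first reproduces the configuration posted in the thread.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common
tacacs-server host x.x.x.x key 7 XXXXX
tacacs-server directed-request
"""
FIXED_CONFIG = POSTED_CONFIG + "aaa authentication enable default group tacacs+ enable\n"
NO_FALLBACK_CONFIG = POSTED_CONFIG + "aaa authentication enable default group tacacs+\n"

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG),
                      ("no-fallback", NO_FALLBACK_CONFIG)]:
        result = audit_aaa(cfg)
        print(f"{name}: {result.codes or 'OK'}")
        for code, msg in result.findings:
            print(f"  {code}: {msg}")
```

Run against the posted configuration the audit reports only `ENABLE_NO_LIST`; with the suggested `aaa authentication enable default group tacacs+ enable` line added it reports nothing, and with the line but without the trailing `enable` it warns that a server outage locks you out of privileged mode. Only the default lists are inspected, since that is all the posted configuration uses.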
