[c-nsp] TACACS+ exec authorisation no working on Cisco 2960CG

Javier Henderson (javier) javier at cisco.com
Wed Jul 30 12:30:53 EDT 2014 

You already got some good advice on this, I’d like to add a couple of comments.

Since you have “aaa authorization exec …” in your config, the privilege level for the users could be assigned by the TACACS+ server, then the users would get that upon log-in rather than having to type enable and enter a password.

You may want to add command accounting, to keep an audit trail of commands executed on your IOS devices:

aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Javier Henderson
javier at cisco.com

> On Jul 30, 2014, at 8:39 AM, Sam Stickland <sam at spacething.org> wrote:
> 
> Hi,
> 
> I have a very simple TACACS+ configuration that is still using the local
> enable secret and not the the TACACS server:
> 
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa session-id common
> 
> tacacs-server host x.x.x.x key 7 XXXXX
> tacacs-server directed-request
> 
> With this configuration I can login using the username and password
> database of the TACACS server, but to enable I have to use the local secret.
> 
> Checking "show tacacs" from a concurrent session shows the total packets
> sent incrementing for a login, but not for "enable". Checking via Wireshark
> on the TACACS server confirms this.
> 
> I'm really stumped. Why does it not talk to the TACACS server for
> exec/enable?
> 
> This is a debug for a failed "enable" attempt:
> 
> pub#show debug
> General OS:
>  TACACS access control debugging is on
>  TACACS+ events debugging is on
>  TACACS+ authorization debugging is on
>  AAA Authentication debugging is on
>  AAA Authorization debugging is on
> #
> 
> 002046: *Mar  1 01:21:22.951 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
> 002047: *Mar  1 01:21:22.951 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
> slot=0 adapter=0 port=6 channel=0
> 002048: *Mar  1 01:21:22.951 UTC: AAA/MEMORY: create_user (0x3D24224)
> user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
> authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> 002049: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
> port='tty6' list='' action=LOGIN service=ENABLE
> 002050: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
> non-console enable - default to enable password
> pub#
> 002051: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
> Method=ENABLE
> 002052: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN (2841968976): status = GETPASS
> pub#
> 002053: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
> continue_login (user='(undef)')
> 002054: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN (2841968976): status = GETPASS
> 002055: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
> Method=ENABLE
> 002056: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): password
> incorrect
> 002057: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): status = FAIL
> 002058: *Mar  1 01:21:26.159 UTC: AAA/MEMORY: free_user (0x3D24224)
> user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
> authen_type=ASCII service=ENABLE
> 
> And this is a debug for a success attempt (using the local enable secret):
> 
> 002059: *Mar  1 01:22:16.202 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
> 002060: *Mar  1 01:22:16.202 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
> slot=0 adapter=0 port=6 channel=0
> 002061: *Mar  1 01:22:16.202 UTC: AAA/MEMORY: create_user (0x3D24224)
> user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
> authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> 002062: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
> port='tty6' list='' action=LOGIN service=ENABLE
> 002063: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
> non-console enable - default to enable password
> pub#
> 002064: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
> Method=ENABLE
> 002065: *Mar  1 01:22:16.208 UTC: AAA/AUTHEN (3792887694): status = GETPASS
> pub#
> 002066: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
> continue_login (user='(undef)')
> 002067: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN (3792887694): status = GETPASS
> 002068: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
> Method=ENABLE
> 002069: *Mar  1 01:22:19.306 UTC: AAA/AUTHEN (3792887694): status = PASS
> 002070: *Mar  1 01:22:19.306 UTC: AAA/MEMORY: free_user (0x3D24224)
> user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
> authen_type=ASCII service=ENABLE priv=15
> 
> Neither of these appears to be trying the TACACS server, but the line:
> 
> aaa authorization exec default group tacacs+ local
> 
> is configured!
> 
> Confuzzled.
> 
> Regards,

More information about the cisco-nsp mailing list