[c-nsp] TACACS+ exec authorisation not working on Cisco 2960CG

Sam Stickland sam at spacething.org
Wed Jul 30 12:40:15 EDT 2014


Thanks all. I think I had a bit of a brain freeze there. It's been a while
since I've been configuring devices from scratch without a pre-existing
template.

With regard to the accounting, I'm using the syslog features to log the
commands that way rather than the TACACS server. I prefer being able to see
the commands via "sh log" rather than have to go digging around a TACACS
server :)

Sam


On Wed, Jul 30, 2014 at 4:30 PM, Javier Henderson (javier) <javier at cisco.com> wrote:

> You already got some good advice on this, I’d like to add a couple of
> comments.
>
> Since you have “aaa authorization exec …” in your config, the privilege
> level for the users could be assigned by the TACACS+ server, then the users
> would get that upon log-in rather than having to type enable and enter a
> password.
>
> You may want to add command accounting, to keep an audit trail of commands
> executed on your IOS devices:
>
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
>
> Javier Henderson
> javier at cisco.com
>
> > On Jul 30, 2014, at 8:39 AM, Sam Stickland <sam at spacething.org> wrote:
> >
> > Hi,
> >
> > I have a very simple TACACS+ configuration that is still using the local
> > enable secret and not the TACACS server:
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ local
> > aaa authorization exec default group tacacs+ local
> > aaa session-id common
> >
> > tacacs-server host x.x.x.x key 7 XXXXX
> > tacacs-server directed-request
> >
> > With this configuration I can login using the username and password
> > database of the TACACS server, but to enable I have to use the local
> > secret.
> >
> > Checking "show tacacs" from a concurrent session shows the total packets
> > sent incrementing for a login, but not for "enable". Checking via Wireshark
> > on the TACACS server confirms this.
> >
> > I'm really stumped. Why does it not talk to the TACACS server for
> > exec/enable?
> >
> > This is a debug for a failed "enable" attempt:
> >
> > pub#show debug
> > General OS:
> >  TACACS access control debugging is on
> >  TACACS+ events debugging is on
> >  TACACS+ authorization debugging is on
> >  AAA Authentication debugging is on
> >  AAA Authorization debugging is on
> > #
> >
> > 002046: *Mar  1 01:21:22.951 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
> > 002047: *Mar  1 01:21:22.951 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
> > slot=0 adapter=0 port=6 channel=0
> > 002048: *Mar  1 01:21:22.951 UTC: AAA/MEMORY: create_user (0x3D24224)
> > user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
> > authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> > 002049: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
> > port='tty6' list='' action=LOGIN service=ENABLE
> > 002050: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
> > non-console enable - default to enable password
> > pub#
> > 002051: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976):
> > Method=ENABLE
> > 002052: *Mar  1 01:21:22.951 UTC: AAA/AUTHEN (2841968976): status = GETPASS
> > pub#
> > 002053: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
> > continue_login (user='(undef)')
> > 002054: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN (2841968976): status = GETPASS
> > 002055: *Mar  1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976):
> > Method=ENABLE
> > 002056: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): password
> > incorrect
> > 002057: *Mar  1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): status = FAIL
> > 002058: *Mar  1 01:21:26.159 UTC: AAA/MEMORY: free_user (0x3D24224)
> > user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
> > authen_type=ASCII service=ENABLE
> >
> > And this is a debug for a success attempt (using the local enable secret):
> >
> > 002059: *Mar  1 01:22:16.202 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
> > 002060: *Mar  1 01:22:16.202 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0
> > slot=0 adapter=0 port=6 channel=0
> > 002061: *Mar  1 01:22:16.202 UTC: AAA/MEMORY: create_user (0x3D24224)
> > user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65'
> > authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> > 002062: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
> > port='tty6' list='' action=LOGIN service=ENABLE
> > 002063: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
> > non-console enable - default to enable password
> > pub#
> > 002064: *Mar  1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694):
> > Method=ENABLE
> > 002065: *Mar  1 01:22:16.208 UTC: AAA/AUTHEN (3792887694): status = GETPASS
> > pub#
> > 002066: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
> > continue_login (user='(undef)')
> > 002067: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN (3792887694): status = GETPASS
> > 002068: *Mar  1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694):
> > Method=ENABLE
> > 002069: *Mar  1 01:22:19.306 UTC: AAA/AUTHEN (3792887694): status = PASS
> > 002070: *Mar  1 01:22:19.306 UTC: AAA/MEMORY: free_user (0x3D24224)
> > user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65'
> > authen_type=ASCII service=ENABLE priv=15
> >
> > Neither of these appears to be trying the TACACS server, but the line:
> >
> > aaa authorization exec default group tacacs+ local
> >
> > is configured!
> >
> > Confuzzled.
> >
> > Regards,
>
>
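The debug line "non-console enable - default to enable password" in Sam's output is IOS reporting that no "aaa authentication enable" method list is defined, so the enable prompt never consults TACACS+ regardless of the "aaa authorization exec" line. The audit below is an added example, not code from the thread: it checks an IOS config text for that line, for the login/exec lines Sam already has, and for the command-accounting lines Javier suggests, using a sample config constructed from the quoted post (key redacted as there).

```python
import re

# Each check: (what the line provides, pattern it must match, expected fallback
# method).  The fallback method keeps you out of a lock-out when every TACACS+
# server is unreachable; "enable" falls back to the local enable secret.
AAA_CHECKS = [
    ("aaa new-model", r"^aaa new-model$", None),
    ("login authentication via TACACS+",
     r"^aaa authentication login default group tacacs\+(?: (\S+))?$", "local"),
    ("enable authentication via TACACS+",
     r"^aaa authentication enable default group tacacs\+(?: (\S+))?$", "enable"),
    ("exec authorization via TACACS+",
     r"^aaa authorization exec default group tacacs\+(?: (\S+))?$", "local"),
    ("level-1 command accounting",
     r"^aaa accounting commands 1 default start-stop group tacacs\+$", None),
    ("level-15 command accounting",
     r"^aaa accounting commands 15 default start-stop group tacacs\+$", None),
]

# Constructed from the config quoted in the thread (key redacted as in the post).
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common
tacacs-server host x.x.x.x key 7 XXXXX
tacacs-server directed-request
"""

def audit_aaa(config):
    """Return {'missing': [...], 'no_fallback': [...]} for an IOS config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    missing, no_fallback = [], []
    for name, pattern, fallback in AAA_CHECKS:
        match = None
        for ln in lines:
            match = re.match(pattern, ln)
            if match:
                break
        if match is None:
            missing.append(name)
        elif fallback and match.group(1) != fallback:
            no_fallback.append(name)
    return {"missing": missing, "no_fallback": no_fallback}

def enable_fell_back(debug_output):
    """True when 'debug aaa authentication' output shows IOS skipping TACACS+ for enable."""
    return "default to enable password" in debug_output
```

Running audit_aaa on the sample reports the enable method list and both command-accounting lines as missing, which matches what the debug output and Javier's reply point at.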

