AAA authorization not working
Hi,
Configured the switch for AAA authentication; it's getting authenticated, but it's failing for authentication.
When connected to the console it worked: authenticated, and then supplied the enable password.
When telnetted: it says "access approved" and "authorization failed".
Relevant switch configuration is as follows, along with the debug of aaa authorization.
+++++++++++++++++++++++++++++
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
username cisco privilege 15 password 7 05080F1C224233
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
no ip address
spanning-tree portfast
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/2
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan120
ip address 10.12.8.70 255.255.255.240
ip default-gateway 10.12.8.65
ip classless
ip http server
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
password 7 grrfcb7swe
transport input telnet
line vty 5 15
end
Debug output:
Switch#
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------# authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#
Do we need to change anything on the Radius server, or can we change the authorization preference to local and then to radius?
Please share your experience.
Thanks in advance,
Subodh
Hi Subodh,
I understand that you are trying to use command authorization using RADIUS.
aaa authorization commands 15 default group radius if-authenticated local
Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
Please refer to the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
Regards,
Karthik Chandran
*kindly rate helpful post*
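As an added example (mine, not from the thread or from Cisco), here is a small Python triage helper for IOS debug aaa authentication/authorization output: it groups lines by request id and states the outcome per request, separating a FAIL (the server answered and denied, which ends the method list, so "if-authenticated local" is never reached) from an ERROR (the method could not complete, so IOS moves on to the next method). The sample lines are constructed from the two debug layouts quoted on this page, and the regexes assume those layouts.

```python
import re

# Optional sequence number and timestamp prefix, in both layouts quoted on this page:
#   '21:45:07: ...'   and   '002363: Dec 5 01:37:04.261 ICT: ...'
_PREFIX = re.compile(
    r"^(?:\d+:\s+)?(?:\*?[A-Z][a-z]{2}\s+\d+\s+)?"
    r"\d\d:\d\d:\d\d(?:\.\d+)?(?:\s+[A-Z]{2,4})?:\s*"
)
_PHASE = re.compile(r"AAA/(AUTHEN|AUTHOR)(?:/([A-Z]+))?")
_REQ_ID = re.compile(r"\((\d+)\)")
_STATUS = re.compile(r"status = ([A-Z_]+)")
_METHOD = re.compile(r"Method=([A-Za-z+]+)")
_USER = re.compile(r"\buser='([^']*)'")          # \b keeps ruser='...' from matching
_FREE = re.compile(r"free_user .*?\buser='([^']*)'.*rem_addr='([^']*)'")

# Constructed sample, modelled on the two debug excerpts in this thread. Raw string:
# the username contains a literal backslash.
SAMPLE_DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
"""


def parse_aaa_debug(lines):
    """Group the debug lines by AAA request id, recording phase, user, methods and statuses."""
    requests, addr_by_user = {}, {}
    for raw in lines:
        line = _PREFIX.sub("", raw.strip(), count=1)
        free = _FREE.search(line)
        if free:                      # free_user carries the remote address of the session
            addr_by_user[free.group(1).strip()] = free.group(2)
            continue
        rid, phase = _REQ_ID.search(line), _PHASE.search(line)
        if not (rid and phase):
            continue
        req = requests.setdefault(rid.group(1), {
            "phase": phase.group(1), "kind": "", "user": "",
            "methods": [], "statuses": [], "rem_addr": ""})
        if phase.group(2) in ("EXEC", "CMD", "LOGIN"):
            req["kind"] = phase.group(2)
        user = _USER.search(line)
        if user and user.group(1) != "(undef)":
            req["user"] = user.group(1).strip()
        method = _METHOD.search(line)
        if method and (not req["methods"] or req["methods"][-1] != method.group(1)):
            req["methods"].append(method.group(1))
        status = _STATUS.search(line)
        if status:
            req["statuses"].append(status.group(1))
    for req in requests.values():
        req["rem_addr"] = addr_by_user.get(req["user"], "")
    return requests


def classify(req):
    """Read one request the way IOS walks a method list: FAIL is terminal (the next
    method is not tried), ERROR means 'method unavailable' and moves on to the next one."""
    statuses, methods = req["statuses"], req["methods"]
    final = statuses[-1] if statuses else "NONE"
    last = methods[-1] if methods else "unknown"
    what = req["phase"] + ("/" + req["kind"] if req["kind"] else "")
    if final == "FAIL":
        return f"{what} denied by {last}"
    if final.startswith("PASS"):
        if "ERROR" in statuses and len(methods) > 1:
            return f"{what} granted by {last} after ERROR from {methods[0]}"
        return f"{what} granted by {last}"
    return f"{what} incomplete ({final})"


def summarize(lines):
    """Return {request_id: {...parsed fields..., 'verdict': text}} for every AAA request."""
    result = parse_aaa_debug(lines)
    for req in result.values():
        req["verdict"] = classify(req)
    return result


if __name__ == "__main__":
    for rid, req in summarize(SAMPLE_DEBUG.splitlines()).items():
        print(f"{rid}: user={req['user']!r} from={req['rem_addr'] or '-'}: {req['verdict']}")
```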
Similar Messages
-
Analysis Authorization not working - Empty demarcation
Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
- S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
- S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
What I did:
1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
a) S_RS_COMP
- Activity = 03 and 16
- InfoArea = ZIA_TEST
- InfoCube = ZIC_TEST
- Type of report component = *
- Name of report component = *.
b) S_RS_COMP1
- Kept * to all fields.
c) S_RS_AUTH
- I inactivated and deleted this Authorization Object.
(I don't want to keep characteristic value restrictions inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries, and differentiate which characteristic values each one can see by manually associating different analysis authorizations to each one.)
3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
- ZCA_CLI = "CLI_01"
- 0TCAACTVT = "03"
- 0TCAIPROV = "ZIC_TEST"
- 0TCAVALID = "*".
4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
It seems to me that these steps are enough. But:
a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
Which means that S_RS_COMP is OK and each user is assigned to the correct Role.
c) The problem is that in both cases the query brings data from all Clients.
Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
I changed the variable to be Ready for Input, just to see which values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
Any help will be very appreciated.
César
OK Marc, it worked.
Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
1) Security Concept
Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
I changed to "Current Procedure with Analysis Authorizations".
Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
2) Variable Representation
With "Multiple Single Values" it really led to problems.
With "Selection Option" it worked well.
3) 0TCAKYFNM
I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it reports "You do not have sufficient authorization".
Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, which doesn't impact).
Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
4) Authorization Policy Definition
The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to which they are related.
There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
I'm now sympathetic to this way:
a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
d) Associate Users to the Composite Roles.
Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
Well, thank you very much for your answers. Now I can go on with my studies on this subject.
César Menezes -
Analysis authorization not working on WAS server
Is BI Java required for Analysis authorization to work?
Can we manage with the WAS server to show analysis authorization?
Actually we don't have BI Java configured in our system, so we are executing the query on the WAS server (BI ABAP), but on this we are not able to see analysis authorization working: the system is showing all the possible values and not the authorized values in the AA.
Regards
Tripple k
Jason,
1. 0BI_ALL is not assigned to the user.
2. I have already set the Authorization scheme as "New analysis authorization" in SPRO.
3. I am executing the report from T-Code RSRT
A> Select the report and click on ABAP Web (choose query display as List or Analyzer or HTML) - the system is showing the entire org unit while it should show only the 3 org units assigned to the user in RSECADMIN.
B> Select the query and execute on Java Web - error in connection as BI Java is not there on the portal side.
C> Select the query and choose Query Display as "HTML" click on Execute button - Only 3 values restricted in RSECADMIN are appearing.
Hope somebody can throw some light on this.
Regards
Tripple k -
AAA authentication not working and 'default' method list
Guys,
I hope someone can help me here in troubleshooting an AAA issue. I have copied the configuration and debug below. The router keeps using the local username/password even though the ACS servers are reachable and working. From the debugs it seems it keeps using the 'default' method list, ignoring the TACACS config. Any help will be appreciated.
Config
aaa new-model
username admin privilege 15 secret 5 xxxxxxxxxx.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
ip tacacs source-interface Vlan200
Debugs
002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line. End with CNTL/Z.
core01(config)#
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#
Are the tacacs+ servers reachable using the source vlan 200? Also, on the tacacs+ server can you check if the IP address for this device is correctly configured, and also please check that the pwd on both the server and this device match.
As Rick suggested, sh tacacs would be good as well. That would show failures and successes.
HTH
Kishore -
Bluetooth authorization not working (bluez-simple-agent)
Hello
I'm trying to connect my Sony BD remote control to my laptop. Pairing and manual connect using hcitool work fine, but when my remote control initiates the connection, my laptop seems to deny its connection requests. (See attached hcidump output.)
I have tried using bluez-simple-agent, and I get the authorization request prompt. I enter 'yes', hit return, and I immediately get "Cancel" printed on the terminal. The remote control is still not authorized.
I have dbus running, as well as bluetoothd, hci2hci and hidd running.
Please help! I'm clueless at this point.
hcidump says:
* Connection pending - Authorization pending
* Connection refused - security block
* Reason: Remote User Terminated Connection
hcidump output:
> ACL data: handle 11 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 19 scid 0x0148
< ACL data: handle 11 flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0041 scid 0x0148 result 1 status 2
Connection pending - Authorization pending
< ACL data: handle 11 flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0041 scid 0x0148 result 3 status 0
Connection refused - security block
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 11 packets 2
> ACL data: handle 11 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0147
< ACL data: handle 11 flags 0x02 dlen 12
L2CAP(s): Disconn rsp: dcid 0x0040 scid 0x0147
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 11 packets 2
> ACL data: handle 11 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0041 scid 0x0148
< ACL data: handle 11 flags 0x02 dlen 12
L2CAP(s): Disconn rsp: dcid 0x0041 scid 0x0148
> ACL data: handle 11 flags 0x02 dlen 12
L2CAP(s): Disconn rsp: dcid 0x0147 scid 0x0040
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 11 packets 2
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 11 packets 1
> HCI Event: Disconn Complete (0x05) plen 4
status 0x00 handle 11 reason 0x13
Reason: Remote User Terminated Connection
Last edited by oskarn (2009-10-29 17:03:43)
Is there any way to add a device to a list of trusted devices?
I once read about a certain file called "trusted" in a bluetooth directory, and it almost worked when I added my device there, but once connected it disconnected and the device was removed from the trusted list.
Any idea what is going on here? -
Hierarchy Authorization not working on Navigational Attribute
Hello,
We have 0ORGUNIT as nav attribute in 0EMPLOYEE and 0ORGUNIT has enterprise hierarchy set.
Now we have analysis authorization based on both 0ORGUNIT and 0EMPLOYEE__0ORGUNIT (nav attr).
When a user tries to run a web report which has normal 0ORGUNIT in it, in the variable screen he is able to see the entire hierarchy tree structure as per his authorizations. On the other hand, when the same user tries to run another report which has the nav attr 0EMPLOYEE__0ORGUNIT in it, in the variable screen he can see only the top nodes of the hierarchy to which he is authorized. He can't see the tree structure.
Please note we are on BI 7 SPS 21 and in both the queries we are using hierarchy variable set on correct hierarchy. Also the attributes in the query have hierarchy activated on them.
Please suggest any ideas/views for the same.
Thanks!!
Regards,
Shashank
Neo - We need current info on 0ORGUNIT and hence can't go with the concept of historic truth as per what you mentioned.
Bhawani - We have set it to level 1, which is perfectly fine as it works for other hierarchies perfectly.
Regards,
Shashank -
I have a problem with authorization - I tried to play music that my brother had bought on his computer, and was prompted to authorize (it was already authorized). After authorizing the song did not play, but when I clicked on it it prompted me to authorize again. Each time I authorized it displayed a message along the lines of "Authorization Successful, 5 out of 5 machines authorized." I went to the account and deauthorized all computers. Now when I try to authorize it says Authorization Successful, 1 out of 5 machines authorized, but when I try to play it again prompts me to authorize.
I have recently uninstalled iTunes 7.6 and installed 7.5(.02?) because of other problems that I was having. Could this be the source of the problem? To me it doesn't seem likely and I would really hate to go back to 7.6.
Thanks for any help
Click here and follow the instructions.
-
Authorization not working on new computer; can't play music!
I moved all of my music from my old computer to my new computer, and I did so using my iPod and the instructions that Apple provides on their website. All of the music shows up in iTunes on the new computer, but it won't play. I get a pop-up indicating that I need to authorize this computer to play whatever song I have selected, but even after it tells me "Authorization Successful, You have authorized two out of five computers," I cannot play the music. I have tried everything humanly possible to fix the problem, to no avail. Can anyone help? This is very frustrating.
Windows XP
Suedarn,
When you bought and downloaded the episodes, you got what you paid for. When you go to another computer you can't redownload them; you have to transfer the file from the old PC to the new one, or make a backup of what you bought so when your PC crashes you can reload the PC with a backup.
If you only saved the "Programs" folder and not the "My Music" folder where iTunes puts all its bought songs, then you're most likely out of luck. You can try to email the Music Store to see if they will set up a "re-download" of your lost episodes, and download them using "Check for purchases" under the Advanced menu in iTunes. Just keep in mind they're under no obligation to do so; it states on their site that if you lose it you have to buy it again. I had a system failure and emailed them and LUCKILY they offered a re-download option for me to get my songs back, and I made a backup ASAP.
Here's a link to email the music store: http://www.apple.com/support/itunes/musicstore/download/
Here's a link on how to back up purchases in iTunes: http://www.apple.com/support/itunes/musicstore/backup/ -
Help! Apps won't load and authorization not working.
Hi.
When I updated my new iPod recently, many of my apps seem to have required 'authorization' in order to upload them to my recently bought iPod Touch 5S. However, when I try to validate, it says it cannot access the iTunes Store, even though I can otherwise. My apps aren't uploaded to my iPod. Any help?
Can't connect to the iTunes Store
-
Windows to Mac - authorization not working
I just bought a brand new MacBook Pro and wanted to move my iTunes library from my PC to the Mac. I authorized the Mac, turned on Home Sharing, but NONE of the purchased music will import. I'm being told the computer isn't authorized, though it very clearly is. What can I do to get EVERYTHING off my PC onto the Mac so it will be the computer I sync to for numerous devices? Thank you!
If you go to the support page there are some things you can try before you use the chat option to ask Apple for help:
http://www.apple.com/uk/support/itunes/
Go to the Authorisation section and there is a menu for Troubleshooting problems - one of the links is to "Some of my iTunes Store purchases won't play" (http://support.apple.com/kb/HT1325)
I'm sorry I don't know how to fix your problem as I've never moved from Windows to Mac. Hopefully someone else with more knowledge will see this and respond.
Regards,
Colin R. -
AAA Authorization with ACS Shell-Sets
Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?
Hi,
So here it is,
You are actually using two different options and trying to couple them together. What I would suggest is to either use the Shell command authorization set feature or play with privilege levels, not both mixed together.
The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; not sure. Give it a try and share the result.
This is what I suggest: set the commands back to the normal level.
Below provided are steps to configure shell command authorization:
Follow the following steps over the router:
!--- is the desired username
!--- is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username password privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where is the
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host key
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
Provide a sufficient description (if required).
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
For example: if we want the user to be able to access only the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
------------------------Permit unmatched Args--
login permit
logout permit
exit permit
enable permit
disable permit
configure permit terminal
interface permit ethernet
permit 0
show permit running-config
In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
(cont...) -
Aaa authorization is confusing
Hi... this command has messed me up many times :(. Is it true that aaa authorization can return an ACL and time for a user? How does aaa authorization know which user will be associated in case aaa authentication is "aaa authentication login default local"? To make it more complete... does aaa authorization only work with tacacs? Thanks a lot ;)
Hi,
If the tacacs server fails to respond, then local network authorization will be performed.
Assuming this command: aaa authorization network test tacacs local.
Keep in mind that only a limited set of functions can be controlled via the local database.
HTH
Regards,
Bjornarsb -
AAA auth with ip http server not working
Hi all,
I am unable to get ip http server to authenticate against tacacs. Attached is the debug output when logging in with the user "mark".
Router config:
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login ALREADY-IN none
aaa authentication login web group tacacs+ local enable
aaa authorization exec web group tacacs+ local if-authenticated
aaa session-id common
ip http server
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
The priv-lvl 15 attribute is being sent, but IP HTTP Auth fails... any ideas why?
Cheers,
Mark
Update: Fixed it! I believe the access-enable autocommand was the cause!
Hi,
I have seen that additional attributes such as "access-enable timeout 1920" would not allow http authentication to work with certain IOS versions.
Regards,
Vivek -
Please please please AAA not working
dears,
My company works as an ISP and there are customers using ADSL connectivity. I did my test but I cannot access ADSL. I used the following commands for AAA:
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius.
PLEASE see the attached file for more details.
Please, can anybody tell me why I cannot access???
Tareq
It looks to me like things are working ok up to this point:
*Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Author
*Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: timeout
*Sep 23 02:53:17.674: AAA/AUTHOR: Processing PerUser AV timeout
*Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: service-type
*Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: link-compression
*Sep 23 02:53:17.674: AAA/AUTHOR: Processing PerUser AV link-compression
*Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: h323-return-code
*Sep 23 02:53:17.674: AAA/AUTHOR: mandatory attribute 'h323-return-code' unhandled
and from there the session is failing and is being terminated and cleaned up. Unfortunately I am not clear whether the problem is with the setup of the user in the RADIUS server or in the setup of the remote client.
HTH
Rick -
I am trying to get AAA Authentication working on a Cisco 2960-24pc-l running 12.2(55)SE5 IOS and cannot get it to work. I have it currently working on a Cisco 3750-24te-m running 12.2(55)SE IOS. Here is my config:
enable secret 5 xxxxxxxxxxxx
username admin privilege 15 secret 5 xxxxxxxxxxxx
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host 10.20.8.9 single-connection key xxxxxxxxxxxx
tacacs-server directed-request
line con 0
session-timeout 5
line vty 0 4
session-timeout 5
transport input telnet
line vty 5 15
session-timeout 5
When I login to the 3750, AAA is used. When I login to the 2960, the local username is used. Any thoughts here as to why it works on the 3850 and not the 2960?
Can you try adding "login authentication default" under both the console and the vty lines?
So you will have
line con 0
session-timeout 5
login authentication default
line vty 0 4
session-timeout 5
transport input telnet
login authentication default
line vty 5 15
session-timeout 5
login authentication default
Thank you for rating!
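As an added example (mine, not ACS code) of the Shell Command Authorization Set described in the "AAA Authorization with ACS Shell-Sets" reply above, this Python model evaluates command lines against a limited set with an "Unmatched Commands: Deny" policy and per-command argument rules, and rebuilds the command line from the cmd/cmd-arg AV pairs that IOS sends (as in the TACACS+ debug quoted earlier on this page). It assumes the first word is the command and that each argument rule is a regular expression that must match the whole argument string; the set contents are constructed from the reply's example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command in the set: the argument patterns that are permitted, plus the
    per-command 'Permit Unmatched Args' switch. Assumption of this model: each
    pattern is a regex that must match the whole argument string."""
    arg_patterns: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class ShellCommandSet:
    """A command set with the set-level 'Unmatched Commands' policy (Permit/Deny).
    Note: the set can only restrict commands the user's privilege level already
    exposes; it cannot add 'configure terminal' to a level-7 exec."""
    rules: dict
    permit_unmatched_commands: bool = False

    def authorize(self, cmdline):
        """Return (permitted, reason) for one command line typed at the EXEC prompt."""
        words = cmdline.split()
        if not words:
            return True, "empty command line"
        cmd, args = words[0], " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:
            policy = "permit" if self.permit_unmatched_commands else "deny"
            return self.permit_unmatched_commands, f"'{cmd}' not in set: unmatched commands -> {policy}"
        if not args and not rule.arg_patterns:
            return True, f"'{cmd}' permitted (bare command)"
        for pat in rule.arg_patterns:
            if re.fullmatch(pat, args):
                return True, f"'{cmd}' args '{args}' match '{pat}'"
        if rule.permit_unmatched_args:
            return True, f"'{cmd}' args '{args}' unmatched but permitted"
        return False, "Command authorization failed"


def command_from_av_pairs(av_pairs):
    """Rebuild the command line from the AV pairs IOS sends for command authorization
    (cmd=..., cmd-arg=..., terminated by cmd-arg=<cr>, as seen in the debug above)."""
    parts = []
    for av in av_pairs:
        key, _, value = av.partition("=")
        if key == "cmd" or (key == "cmd-arg" and value != "<cr>"):
            parts.append(value)
    return " ".join(parts)


# The limited set from the reply above, as a constructed example: bare commands, plus
# argument rules for configure, interface and show; unmatched commands are denied.
LEVEL_7_SET = ShellCommandSet(
    rules={
        "login": CommandRule(), "logout": CommandRule(), "exit": CommandRule(),
        "enable": CommandRule(), "disable": CommandRule(),
        "configure": CommandRule(["terminal"]),
        "interface": CommandRule([r"ethernet 0"]),
        "show": CommandRule([r"running-config"]),
    },
    permit_unmatched_commands=False,
)


def check(cmdline, command_set=LEVEL_7_SET):
    """Convenience wrapper: True if the command line is permitted by the set."""
    permitted, _ = command_set.authorize(cmdline)
    return permitted


if __name__ == "__main__":
    for line in ("configure terminal", "interface ethernet 1", "show version", "reload"):
        print(f"{line!r:28} -> {LEVEL_7_SET.authorize(line)}")
    print(command_from_av_pairs(["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]))
```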