AAA authorization with Cat Os on 5500 switches

Hi,
I am new to Cisco Secure and I was wondering if there is a solution to my task. I have been asked to allow only certain users the right to see the configuration on the cato os and ios based switches. The ios based switches seems doable but the cat ios doesn't. One switch I am looking at has cat os 4.5(6a) and that doesn't seem to support what I want to do. Outside of ciscoworks is there a solution?
TIA for any assistance.

The Catalyst 5500's don't support command authorization until software version 5.4.
HTH
Steve

Similar Messages

  • Aaa authorization with Funk SBR EE

    Hello,
    I do not get aaa authorization with Funk SBR EE to work.
    On our cisco switches I configure:
    aaa authentication default group radius local
    aaa authorization exec default radius local
    On the Funk radius server I return
    service-type login
    Cisco-AVPAIR shell:priv-lvl=15
    Authorization always fails and the debug output shows:
    1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
    1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
    1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
    1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
    1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
    1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
    1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
    1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
    1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
    1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
    1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
    1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
    1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
    1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
    1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
    1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
    1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
    1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
    1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
    1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
    1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
    What do I need to add to the radius server to make it work?
    --Joerg

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap

  • Aaa authorization with Tacacs+

    Hello All,
    I am trying to figure out how aaa authorization with tacacs+ works.
    I am totally comfortable with aaa authentication..But am not able to understand how it works...How diff priv levels are assigned to diff users?..
    I am totally freaked out...

    The device side side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
    Cisco has a pretty thorough configuration example posted here.

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
    I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
    I've turned on RADIUS debugging on the IOS device, and I dont get anything either
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • AAA authorization with ACS 3.2

    I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to certain commands (ex. show). I'm pretty sure my ACS box is setup correctly, but my devices aren't. Here is the current config:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.

    Marek
    1) it is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
    2) it is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.
    I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more then you may be able to participate in the forum and providing answers in addition to asking questions.
    3) As I read your config authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.
    I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.
    4) the fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command privilege level 15. If it is there remove it and test over again.
    HTH
    Rick

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
    to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
    Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
    This is what I suggest the commands back to normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
    provide the sufficent description (if required)
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
    For example: If we want user to be only able to access the following commads:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
    (cont...)

  • AAA Authorization with DAP

    When forcing a tunnel-group to authorize users against an AAA server-group with a corresponding ldap attribute-map in that AAA group, does that mapping of usergroup->group-policy get passed up to the DAP process?

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap

  • Per-device/per-user AAA authorization with Freeradius

    Hi Folks
    I'm using a Freeradius with local username database (no LDAP) for authentication.(working well)
    I have various network devices in my network, and I would like to have custom authorization per user per device :
    I would like to have 2 types of network admins, and 2 types of network devices, with the following rules :
    -"Core devices" must be granted privilege level 15 for "Core admins"
    -"Access devices" must be granted privilege level 15 for "Access admins" and "Core admins"
    -"Core devices" must be granted privilege level 1 for "Access admins".
    -There is now way "Access admins" can access to configuration mode on "Core devices" with enable command.
    Any help and config example for freeradius and cisco side are very welcome
    thanks
    olivier

    Hello Olivier,
    I would like to suggest you to go to the below link . This document describes the procedure for Per-device user authentication.
    http://wiki.freeradius.org/vendor/Cisco#Per-User-Privilege-Level
    Hope this may help you

  • 1130AG Access Point PoE Problem with Cat 3750G-24PS-E switch

    I am having a problem on the PoE negotiation of Catalyst 3750G-24PS-E and 1130AG Access point. I used straight and cross cable for physical connection since by default the auto mdix per port of the switch is enabled/on. I used CLI, CNA and Web Device Manager on both devices to isolate and troubleshoot the problem but still the PoE negotiation on both devices won't work out. But when I used the access point into other switch (CE500 PoE Switch), the access point is working properly. Does anyone can help me to distinguish what the problem really is? The IOS Version of 3750G switch is 12.2(25) SEE2 and the 1130AG access point IOS Version is 12.3(8)JEA.

    Hi Rob,
    Thanks for your reply. Yes, I tried shut/no shut on the switchport many times. I saw that the switch grant power inline on the port but the port still can't/won't provide any power to boot up the access point.
    Thanks,
    Nelmar

  • AAA Authorization + Switch Cluster = Fail?

    Hi, I had a Switch Cluster running with local authentication and authorization just fine (with aaa new-model). It's a stack of 3750-Xs and several 2960s, they've all been configured more or less the same way with a configuration template.
    I added AAA authentication and authorization and I can still reach each of the switches individually, but when I try to rcommand "x" from the cluster commander, I get:
    #rcommand 2
    % Authorization failed.
    One of the 2960s is a stack and when I run rcommand to that switch I get something different:
    #rcommand 1
    EBMIASWF1LB-01 tty1 is now available
    Press RETURN to get started.
    All other 2960s give me "% Authorization failed."
    3750s are running:
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
    2960Ses are running:
    Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    2960s are running:
    Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    I tried a debug aaa authentication and aaa authorization on the member (destination) 2960 switch and I got this:
    541120: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/BIND(00004788): Bind i/f 
    541121: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: parse name=tty4 idb type=-1 tty=-1
    541122: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0
    541123: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/MEMORY: create_user (0x29DA580) user='radiususer' ruser='NULL' ds0=0 port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
    541124: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/AUTHOR (0x4788): Pick method list 'default'
    541125: Mar  7 2013 17:14:30.754 EST: CLUSTER_MEMBER_2: AAA/AUTHOR/EXEC(00004788): Authorization FAILED
    541126: Mar  7 2013 17:14:32.859 EST: CLUSTER_MEMBER_2: AAA/MEMORY: free_user (0x29DA580) user='radiususer' ruser='NULL' port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15
    Debug on 2960S (stack) is the same.
    The radius server is a Microsoft NPS (IAS on 2012) and all switches have AAA configured the same:
    NPS is sending these AV Pairs:
    shell:priv-lvl=15
    Service-Type = Administrative
    Service-Type = NAS-Prompt-User
    Switches are configured like this:
    aaa new-model
    aaa group server radius RadiusAAA
    server x.x.x.x auth-port 1645 acct-port 1646
    server y.y.y.y auth-port 1645 acct-port 1646
    ip radius source-interface VlanXX
    deadtime 1
    aaa authentication login default group RadiusAAA local
    aaa authorization exec default group RadiusAAA if-authenticated local
    aaa session-id common
    ! etc etc
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 <radius key>
    radius-server host y.y.y.y auth-port 1645 acct-port 1646 key 7 <radius key>
    radius-server deadtime 1
    I've also tried moving around the
    aaa authorization exec default group RadiusAAA if-authenticated local
    to:
    aaa authorization exec default group RadiusAAA local if-authenticated
    But the results are the same... Telnet and SSH work great, but I'd like for the cluster to keep working!
    Any ideas?
    Thanks in advance for your help, I've spent a lot of time on this, and I don't even know if it's supported!
    Esteban

    Here is a good doc that explains different errors:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

  • Aaa authorization console

    Hi,
    i have the following config :
    aaa new-model
    aaa authentication login NO_LOGIN none
    aaa authentication login ADMINS group radius local
    aaa authentication login CONSOLE group radius local
    aaa authorization exec NO_AUTHOR none
    aaa authorization exec ADMINS group radius local
    aaa authorization exec CONSOLE group radius local
    enable secret cisco
    username cisco privilage 15 secret cisco
    line con 0
    password 7 05080F1C2243
    authorization exec CONSOLE
    login authentication CONSOLE
    line vty 0 4
    password 7 045802150C2E0C
    authorization exec ADMINS
    logging synchronous
    login authentication ADMINS
    line vty 5 15
    password 7 060506324F41
    authorization exec ADMINS
    logging synchronous
    login authentication ADMINS
    When i am tryin gto login to the switch from vty line i come directly to privillage mode, but when loging to console port i come to the exec mode (privilage 1) and i cant go further to the user privillage mode . each time i have to type a password (i type the enable one) and my access is denied.
    when issuing the command # aaa authorization console   (using telnet from other switch)
    the problem is solved.
    Can someone please explain why is this happening? i think after logging in with local account (with privillage 15) from console port i should get directly to privilage mode, or am i wrong ?

    aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for console is useless. You have to first enable authorization for console with the help of aaa authorization console.
    command refrence
    http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046
    Jatin Katyal
    - Do rate helpful posts -

  • AAA Authorization named authorization list

    Ladies and Gents,
    Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the Named Method List i.e. the none-default method list?
    I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
    In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
    Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!

  • Command execution get very slow when AAA Authorization enable on ASR 1006

    Without Authorization , I am able work smoothly with just click on ASR ...., But Once I enable Authorization it takes many secs to move to other command exampe ( If i hit config t or int gi1/0/1 , it   take time to move to next command level) ...
    These Authorization issue I am facing only on ASR and for Other Cisco Switches and Router its working fine wiith just a click.
    Did any one face such issue , and how it is fix ...
    See the Show version for ASR
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 24-Mar-11 23:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
    Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
    System returned to ROM by reload
    System restarted at 17:47:32 IST Thu Oct 4 2012
    System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
    Last reload reason: EHSA standby down
    AAA Commands on ASR 1006
    aaa new-model
    aaa group server tacacs+ tacgroup
    server 10.48.128.10
    server 10.72.160.10
    ip vrf forwarding Mgmt-intf
    ip tacacs source-interface GigabitEthernet0
    aaa authentication login default group tacgroup local
    aaa authentication enable default group tacgroup enable
    aaa accounting exec default start-stop group tacgroup
    aaa accounting commands 1 default start-stop group tacgroup
    aaa accounting commands 15 default start-stop group tacgroup
    aaa accounting connection default start-stop group tacgroup
    aaa accounting system default start-stop group tacgroup
    aaa authorization commands 0 default group tacgroup none
    aaa authorization commands 1 default group tacgroup none
    aaa authorization commands 15 default group tacgroup none
    aaa session-id common
    tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
    tacacs-server key 7 053B071C325B411B1D25464058

    I think your issue maybe related to your tacacs server. If you  re-order the two servers (typically a 5 second timer before failover  occurs) and see if that improves your performance:
    You  can try to debug the issue by referring to the command reference  guide....i.e. debug tacacs...you can also try to telnet to both ip  address to port 49 to see if the connection opens, in order to rule out  issues where a firewall or routing to one of the tacacs servers is  failing. I also noticed you have the shared secret and tacacs server  defined for one of the servers, is the sam present for the other server  that is in the server group?
    server 10.48.128.10
    server 10.72.160.10
    to
    server 10.72.160.10
    server 10.48.128.10
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to created a limited access group through radius that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the radius server is passing the corrrect attriubute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for  privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like your in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doest actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • Allow some show commands in AAA Authorization Set

    I'm working on creating AAA authorization sets for our environment and ran into a question!
    I'd like to be able to enable ALL show commands except 'show run'.  I would also like to enable 'show run interface'.  I've figured out how to enable all show commands and disable show run.  The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable.  Even if I try to explicitly enable it.
    Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
    ACS Version 4.1.
    Command set is configured:

    Changing it to 'deny running-config' does the exact same thing.  It looks like it's seeing the 'show running-config' then stoping on that before anything else.  I've tried adding 'permit run interface' in ACS and same thing.  Other AAA Authorization set commands work just fine.
    On the switch (its a 2960G-8TC-K) running 12.2(58)SE2.
    aaa group server tacacs+ SHS
    server 10.10.11.200
    aaa authentication login verifyme group TACACS+ local
    aaa authorization config-commands
    aaa authorization exec verifyme group TACACS+ local
    aaa authorization commands 0 default group TACACS+
    aaa authorization commands 1 default group TACACS+
    aaa authorization commands 15 default group TACACS+
    aaa accounting send stop-record authentication failure
    aaa accounting exec verifyme start-stop group TACACS+
    aaa accounting commands 15 default start-stop group TACACS+
    aaa accounting network verifyme start-stop group TACACS+
    aaa accounting system default start-stop group TACACS+
    aaa session-id common
    Debugs!
    Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
    Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
    Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
    Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
    Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
    Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
    Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
    Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
    Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
    Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
    Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

Maybe you are looking for

  • Cost Elements

    Hello, I was trying to understand the table COEP and I see the table has three currencies. You have value in transaction currency, value in  object currency and value in Co Area currency. Can someone tell me the difference between all these three cur

  • Safari Homepage Default Problem

    Even when I set up Safari preferences for my desired homepage, Safari does not default to it when I reboot.  Any solution to this?

  • Changing BorderPane contraints causes component to disappear

    Hello everyone, I have this short snippet that is giving me a headache, don't know if it's something i'm doing wrong but the behavior seems weird to me: import javafx.application.Application; import javafx.scene.Scene; import javafx.scene.control.But

  • Update for Extension Manager failed install

    Adobe Updater has an Update for Extension Manager 6.0.5 that has failed to install on both my computers multiple times. Has any experienced this? Is this update essential?

  • Question mark key does not work..... starnge

    right, every key but the question mark seems to be working fine. One thing I know, this is an internal malfunction. I connected another keyboard via usb and the same problem persists. Anyone experience this weirdness before(question mark) eg p.s. eve