AAA command authorization
Dudes
We had a problem replicating the database to the secondary ACS (4.2) server. Somehow I've managed to fix the issue by changing firewall inspection and the shared secret. Now I've got a new issue with "command authorization failed" after successful authentication. This happens only when we bring the secondary server service up, and not all the AAA clients have issues, only some, for some strange reason. Has anyone come across this sort of issue? Please let me know what I should do to fix it, as I cannot keep the secondary server down for a long time.
Thanks in advance
Rajesh
SCCP (skinny) inspection will break ACS 4.x/3.x database replication since both SCCP and replication use TCP/2000.
What reason does ACS give to reject the authorization requests?
Similar Messages
-
AAA command authorization in ACE
How do we enable AAA command authorization in the ACE module on a 6500 switch? I don't find any aaa authorization commands in it.
Kind regards
Ullas
Hi,
See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
HTH
Cathy -
AAA Local Authorization....
Hello all. Hopefully, this will prove to be an easy question with a simple answer!
I want to configure local usernames/passwords on my router, with different privilege levels. For example, username admin is only allowed to access privilege level 1 commands, and username engineer is allowed to enter all commands (level 15). However, when I test this via console or telnet, both go into user mode to start with (Router>) and I can enter enable mode on both username logins by entering the enable password (Router#). Therefore, both usernames have the same access rights (to all commands) even though they have different privilege levels. I thought the privilege level 1 account would not be allowed to issue level 15 commands?
Can anyone point me in the right direction.....
aaa new-model
aaa authentication login default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local
enable secret test
username admin privilege 1 password cisco1
username engineer privilege 15 password cisco2
Thanks.
Just typing enable defaults to enable 15.
Careful look at the following commands should answer your question
Router6>enable ?
<0-15> Enable level
Router6(config)#enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
Router6(config)#enable password le
Router6(config)#enable password level ?
<1-15> Level number
Victor -
I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me "user not authorized", and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
Current commands
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
Entered commands
aaa authentication enable console CSACS-TACACS+
aaa authorization command CSACS-TACACS+
Douglas,
Try the following configuration:
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
aaa authentication enable console CSACS-TACACS+
With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
Remember to keep another session open in privileged mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report. -
I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?
It worked thanks. The ACS servers gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
Thanks again. -
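As an added illustration of how a shell command authorization set is evaluated (this is example code written for this page, not something from the post or from ACS itself), the Python below models a command set with per-command argument lines and the two "unmatched" switches. It parses the `cmd=` / `cmd-arg=` AV pairs a router sends, drops the trailing `cmd-arg=<cr>` as an end-of-command marker, and matches argument lines as regular expressions in order with the first match winning; the `<cr>` handling and the regex/first-match semantics are assumptions about ACS behaviour, and the command set itself is constructed. The `exit` case reproduces what the poster saw: with no argument line and unmatched args denied, an empty argument string matches nothing and is denied; either an explicit `permit` line with an empty pattern or `permit unmatched args` lets it through.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command line in an ACS-style shell command authorization set."""
    command: str
    # Ordered (action, pattern) pairs.  The pattern is matched as a regex
    # against the space-joined arguments; first match wins (assumption).
    arg_rules: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    rules: dict                             # command name -> CommandRule
    permit_unmatched_commands: bool = False


def parse_av_pairs(avs):
    """Turn the AV pairs a router sends (cmd=..., cmd-arg=...) into
    (command, argument string).  The trailing cmd-arg=<cr> that IOS
    appends is treated as an end-of-command marker and dropped (assumption)."""
    cmd, args = None, []
    for av in avs:
        key, _, value = av.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, " ".join(args)


def authorize(cmdset, avs):
    """Return True if the command set permits the request, False otherwise."""
    cmd, argstr = parse_av_pairs(avs)
    rule = cmdset.rules.get(cmd)
    if rule is None:
        # command not listed at all: the 'unmatched commands' switch decides
        return cmdset.permit_unmatched_commands
    for action, pattern in rule.arg_rules:
        if re.search(pattern, argstr):
            return action == "permit"
    # no argument line matched (including the empty-argument case): the
    # per-command 'unmatched args' switch decides
    return rule.permit_unmatched_args


# Constructed sample set: 'show' may see version but not running-config;
# 'exit' is listed with no argument line and unmatched args denied.
READ_ONLY = CommandSet(rules={
    "show": CommandRule("show", [("deny", r"^running-config"),
                                 ("permit", r"^version")]),
    "exit": CommandRule("exit"),
})

# The two ways of letting 'exit' through that the post describes:
# an argument line that is just 'permit' (empty pattern), or
# 'permit unmatched args' for that command.
EXIT_EXPLICIT_PERMIT = CommandSet(rules={
    "exit": CommandRule("exit", [("permit", "")])})
EXIT_UNMATCHED_OK = CommandSet(rules={
    "exit": CommandRule("exit", permit_unmatched_args=True)})
```

The AV-pair list given to `authorize` has the same shape as the `send AV cmd=...` / `send AV cmd-arg=...` lines a router prints under `debug aaa authorization`, so captured debug output can be fed straight in to check what a command set would have decided.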
ASDM (ASA 9.1) won't fully initialize when AAA command authorization is configured
The ASA doesn't have any local account; all authentication is done via AAA.
On AAA, we have two "groups", both assigned privilege 15: one group (A) can issue all commands, the other group (B) can only issue the command sets we defined.
Group A can log in to ASDM without any problems.
Group B can pass the login pop-up, then ASDM starts to load its window; at the bottom it does show that the login user has privilege 15, then it stops at "parsing running configuration...", the ASDM login screen pops up again, and I cannot get past it.
I suspect it's somewhere in permissions; can someone help? Thanks.
Leo Song
Hello,
There are some commands that are required in order to load the ASDM
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command blocks
Make sure you have them
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
ISG issue on AAA prepaid authorization
Hello,
I'm currently working on an FTTH project and I configured a 7204VXR (NPE-G1) running IOS 12.2(31)SB2 in order to use Cisco ISG functionalities. My Cisco config file is attached.
We have the following architecture:up
-
Exclude specific user from aaa authorization commands
Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Is it possible to exclude a user, say User1, from command authorization?
In other words, when User1 logs on to the switch/router, the switch/router shouldn't check with the ACS whether User1 is authorized to use this command.
We tried this with method lists in combination with ACLs on the VTYs:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say User1 always logs in from a specific IP, which is listed in access-list 2; the switch would then use the method list configured on line vty 1.
But apparently, when a remote connection is established, the switch/router uses the first available VTY instead of checking which ACL matches the user's source IP.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind Regards
If that user belongs to a unique group then you can write a policy where "if the user is in group x then return access_reject", or return access_accept but set the privilege level to 1 and block all commands.
Thank you for rating helpful posts! -
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some command accounting information to ACS.
Commands not sent to ACS: "show log" and "show version".
Commands sent to ACS: "show run", "conf t" and "debug".
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands sent to ACS are privilege level 15 commands.
So I need the additional aaa accounting command below to get the routers and switches to send level 1 commands to ACS, because the "15" in "aaa accounting commands 15" does not include level 1, so "aaa accounting commands 1" needs to be configured for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct?
Your information would be greatly appreciated.
Best regards,
Hi,
Please do this and the router will send everything to the ACS server, except whatever you are doing to the router over HTTP:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
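An added example, not part of David's reply, of the method-list semantics the lists above depend on: the next method in a list is tried only when the previous one could not answer (TACACS+ server unreachable), never when it answered with a denial, and commands at a privilege level that has no `aaa authorization commands <level>` list are not sent to AAA at all. The Python below models `group tacacs+`, `local`, `if-authenticated` and `none` for command authorization. The TACACS+ server, the users and the commands are constructed; treating an unknown local user as privilege 0 is a simplification of this example.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method granted the request
    FAIL = "fail"    # the method denied it: the list stops here
    ERROR = "error"  # the method could not answer: try the next method


class TacacsServer:
    """Stand-in for a TACACS+ server (constructed, not a real client)."""

    def __init__(self, reachable, permitted):
        self.reachable = reachable
        self.permitted = permitted  # set of (user, command) pairs it allows

    def authorize(self, user, command):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if (user, command) in self.permitted else Result.FAIL


class Router:
    """Evaluates 'aaa authorization commands <level> <list> <methods...>'."""

    def __init__(self, command_lists, local_users, server):
        self.command_lists = command_lists  # {level: ["group tacacs+", ...]}
        self.local_users = local_users      # {username: privilege level}
        self.server = server

    def authorize_command(self, user, level, command, authenticated=True):
        methods = self.command_lists.get(level)
        if methods is None:
            # No list for this level: the command is not authorized
            # (or accounted) through AAA at all, it simply runs.
            return Result.PASS
        for method in methods:
            if method == "none":
                result = Result.PASS
            elif method == "if-authenticated":
                result = Result.PASS if authenticated else Result.FAIL
            elif method == "local":
                # local command authorization is a privilege-level check;
                # unknown users are treated as privilege 0 (simplification)
                priv = self.local_users.get(user, 0)
                result = Result.PASS if priv >= level else Result.FAIL
            elif method == "group tacacs+":
                result = self.server.authorize(user, command)
            else:
                raise ValueError(f"unknown method {method!r}")
            if result is not Result.ERROR:
                return result       # PASS or FAIL ends the list
        return Result.FAIL          # every method errored: denied


def check(methods_for_15, server_reachable, user, command, level=15):
    """Constructed scenario: the level-15 list under test, a level-1 list of
    'group tacacs+ local', no list for level 0, and two local users."""
    server = TacacsServer(server_reachable,
                          permitted={("alice", "show running-config")})
    router = Router({15: methods_for_15, 1: ["group tacacs+", "local"]},
                    {"alice": 15, "bob": 1}, server)
    return router.authorize_command(user, level, command)
```

The point to take from it: `group tacacs+ none` fails open when the server is unreachable (every command is authorized), `group tacacs+ local` falls back to the local privilege-level check, and in neither case is the fallback reached when the server is up and says no. Putting `none` or `local` on a list is a decision about what happens during a server outage, not a second opinion on denials.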
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS?
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob... -
Goals:
1) have AAA authenticate, authorize, log all commands the users have entered;
2) don't use the default aaa keyword to avoid unexpected behavior;
I could not find any papers dealing with these issues in a single configuration and not using default methods. I have come up with this:
aaa new-model
aaa group server tacacs+ TacGroup1
server-private 192.168.1.1 key mysharedkey
!
aaa authentication login TacAuth group TacGroup1
aaa authorization commands 0 TacPerm group TacGroup1
aaa authorization commands 1 TacPerm group TacGroup1
aaa authorization commands 15 TacPerm group TacGroup1
aaa accounting commands 0 TacAcc start-stop group TacGroup1
aaa accounting commands 1 TacAcc start-stop group TacGroup1
aaa accounting commands 15 TacAcc start-stop group TacGroup1
!
line vty 10
login authentication TacAuth
accounting commands 0 TacAcc
accounting commands 1 TacAcc
accounting commands 15 TacAcc
authorization commands 0 TacPerm
authorization commands 1 TacPerm
authorization commands 15 TacPerm
Assuming I'm not lacking something critical, what more do I need to get this working?
Additionally, why do I need to reference accounting/authorization levels under line vty when they are referenced in the respective methods in global configuration mode?
What does the method name TacPerm refer to?
This must refer to the method configured in the previous command
aaa authentication login TacAuth group TacGroup1
The defined method is TacAuth. This word must be used with the auth command:
aaa authorization commands 0 TacAuth group TacGroup1.
and
authorization commands 0 TacPerm
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
Aaa configuration for steelhead and F5 loadbalancers?
Hi all,
I was trying to configure aaa authentication/authorization/accounting on Steelhead and F5 load balancers.
Any resource or help to accomplish this task will be highly appreciated. Thanks!
Abe
http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
Also have you tried looking at F5's website and or posting in their forums as well? -
AAA auth with ip http server not working
Hi all,
I am unable to get ip http server to authenticate against tacacs. attached is the debug output when logging in with the user "mark".
Router config:
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login ALREADY-IN none
aaa authentication login web group tacacs+ local enable
aaa authorization exec web group tacacs+ local if-authenticated
aaa session-id common
ip http server
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
the priv-lvl 15 attribute is being sent, but IP HTTP Auth fails.. any ideas why?
Cheers,
Mark
Update: Fixed it! I believe the access-enable autocommand was the cause!
Hi,
I have seen that additional attributes such as "access-enable timeout 1920" would not allow http authentication to work with certain IOS versions.
Regards,
Vivek -
Hi,
I have a problem authenticating CiscoWorks 3.2 to a Cisco Nexus; I get this log:
" %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from x.x.x.x - login[4857] "
I am using SNMP v2.
I have also noticed that the Nexus does not accept symbols in the community string. Why?
Thanks
Hi, I was checking the logs on the Nexus and I found
2011 Apr 25 07:34:53 test %SYSLOG-3-SYSTEM_MSG: Syslog could not be send to server(172.16.1.1) : No such file or directory
What does it mean? In ACS I can see that it is not authenticating:
Date: 04/24/2011
Time: 10:27:29
Message-Type: Authen failed
User-Name: ciscow
Group-Name: Network Group
Caller-ID: 172.16.1.1
Network Access Profile Name: (Default)
Authen-Failure-Code: CS password invalid
NAS-Port: 3002
NAS-IP-Address: 172.16.1.232
Access Device: test
Network Device Group: pool
But I am able to use my username and password, which is configured on the ACS server (I am able to log in to the Nexus using my credentials from the ACS server).
Output of some show commands:
test# sh aaa accounting
default: group ACS
test# sh aaa authentication
default: group ACS
console: group ACS
test# sh aaa authorization
pki-ssh-cert: local
pki-ssh-pubkey: local
AAA command authorization:
test# sh aaa groups
radius
ACS
show run
tacacs-server key 7 "xxxx"
tacacs-server host 172.16.1.230 key 7 "xxxx"
aaa group server tacacs+ ACS
server 172.16.1.230
source-interface Vlan1
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
tacacs-server directed-request
logging server 172.16.1.1
logging server 172.16.1.230
I hope this will help you identify my issue.
thanks -
I am trying to configure a 3750 switch for AAA. Telnet and SSH work fine but CNA and HTTP are not working. Both SSH and Telnet need to authenticate using RADIUS, but CNA/HTTP needs to authenticate using a local account because the local administrator only uses CNA for management and the admins in TACACS use the CLI. Here is what I have so far.
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
tacacs-server host X.X.X.X
tacacs-server directed-request
tacacs-server key 7 XXXXX
The debugs show the connection authenticating correctly.
170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170538: 48w1d: AAA/BIND(000003FA): Bind i/f
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
170542: 48w1d: HTTP: Priv level granted 15
170543: 48w1d: AAA/BIND(000003FB): Bind i/f
170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170546: 48w1d: AAA/BIND(000003FC): Bind i/f
170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
170550: 48w1d: HTTP: Priv level granted 15
170551: 48w1d: AAA/BIND(000003FD): Bind i/f
170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1
170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1
170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170567: 48w1d: AAA/BIND(000003FE): Bind i/f
170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'
170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
170570: 48w1d: HTTP: Priv level authorization success priv_level: 15
170571: 48w1d: HTTP: Priv level granted 15
170572: 48w1d: AAA/BIND(000003FF): Bind i/f
170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170575: 48w1d: AAA/BIND(00000400): Bind i/f
170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'
170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'
170578: 48w1d: HTTP: Priv level authorization success priv_level: 15
170579: 48w1d: HTTP: Priv level granted 15
170580: 48w1d: AAA/BIND(00000401): Bind i/f
Any help would be appreciated.
Thanks,
Robert
Good day.
Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.
Sincerely,
Marc
https://supportforums.cisco.com/message/3562335#3562335
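The `debug aaa authorization` output in Robert's post is easier to read once grouped by request id. The Python below is an added example, not code from the post: it extracts, per request, the user, the privilege level from the preceding `create_user` line, the command from the `send AV` pairs, the method list and method chosen, and the result. The sample input is a subset of the debug lines quoted in the post. Run over those lines it isolates the one command authorization request, `show version` for `granto-mark` at priv 1, which was matched to list "default" and Method=LOCAL rather than to `http_auth`, the list that `ip http authentication aaa command-authorization 15 http_auth` binds only for level 15.

```python
import re
from collections import OrderedDict

# Patterns for the 'debug aaa authorization' line shapes seen in the post.
# The leading space before user= keeps ruser='...' from matching.
CREATE_USER = re.compile(r"create_user .* user='(?P<user>[^']*)'.* priv=(?P<priv>\d+)")
REQ_ID = re.compile(r"\((\d+)\)")                 # decimal request id, e.g. (1941738464)
USER = re.compile(r" user='([^']*)'")
SEND_AV = re.compile(r"send AV (\S+?)=(.*)$")
FOUND_LIST = re.compile(r'found list "([^"]*)"')
METHOD = re.compile(r"Method=(\S+)")
STATUS = re.compile(r"Post authorization status = (\S+)")


def parse_author_debug(text):
    """Group AAA/AUTHOR debug lines by request id and collect, per request,
    user, privilege, command, argument list, method list, method and result."""
    requests = OrderedDict()
    priv_by_user = {}
    for line in text.splitlines():
        m = CREATE_USER.search(line)
        if m:  # create_user carries the session privilege but no request id
            priv_by_user[m.group("user")] = int(m.group("priv"))
            continue
        m = REQ_ID.search(line)
        if not m:
            continue   # BIND/hex ids and HTTP lines are not command requests
        req = requests.setdefault(m.group(1), {
            "user": None, "priv": None, "cmd": None, "args": [],
            "list": None, "method": None, "status": None})
        if m := USER.search(line):
            req["user"] = m.group(1)
            req["priv"] = priv_by_user.get(req["user"])
        elif m := SEND_AV.search(line):
            key, value = m.groups()
            if key == "cmd":
                req["cmd"] = value
            elif key == "cmd-arg" and value != "<cr>":
                req["args"].append(value)
        elif m := FOUND_LIST.search(line):
            req["list"] = m.group(1)
        elif m := METHOD.search(line):
            req["method"] = m.group(1)
        elif m := STATUS.search(line):
            req["status"] = m.group(1)
    return requests


def command_summary(text):
    """One (user, priv, 'cmd args', list, method, status) tuple per command
    authorization request; requests without a cmd AV pair are skipped."""
    rows = []
    for req in parse_author_debug(text).values():
        if req["cmd"] is None:
            continue
        rows.append((req["user"], req["priv"],
                     " ".join([req["cmd"], *req["args"]]),
                     req["list"], req["method"], req["status"]))
    return rows


# Subset of the debug lines quoted in the post above.
SAMPLE = """\
170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
"""

if __name__ == "__main__":
    for row in command_summary(SAMPLE):
        print(row)
```

Feeding the full debug capture in gives one row per command the HTTP session tried to authorize, which makes it straightforward to see which list each privilege level actually landed on.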