AAA IOS HTTS Cmd Authorization

On my ACS SE 4.2 setup I have CMD Authorization set up and it works nice, Service Desk type cmds: show, clear, telnet, traceroute, exit and then another group with full access (all cmds permitted). both user groups have Priv. Levels = 15.
However, (there is always one) with SDM access via HTTPS it appears that all you need is Priv. Level 15 to run SDM and make any configuration changes.
With my current setup, a user in the NetDevOper group when Telnet'ed or SSH'ed has access to a few commands, i.e. clear crypto sessions.
If I change this group from Priv Level 15 to, say 14, then I will have to 'Demote' the Clear command to Priv Level 14 on each device so this group can do simple clear commands.
My other choice is to disable HTTP access altogether, which is what I am leaning towards.
Is there another option available?

Hi JG,
Thanks for your reply.
Do you know if there is a way to limit user access via HTTP(S) (SDM) so my Service Desk can use it, but cannot make configuration changes?
It appears to me that the IOS code for HTTP(S) (SDM) access is only checking to see if the user has Priv Level=15 and there is no other varibles being check.
If true, I will just disable HTTP(S) SDM access to the routers.
Thanks
Charlie

Similar Messages

3640 - AAA/AUTHOR: config command authorization not enabled

Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
I attach you the files with config and logs.
Thanks you in advance.

Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik

IOS XR Command authorization with ACS server

We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
In ACS, we have two groups: Group 1 and Group 2
Group 1 allows full access in the shell command authorization set.
Group 2 allows limited access in the shell command set (basically just show commands).
Both groups can login fine (aaa authentication login default group <groupname> local)
Group 1 has full access to everything (group I am in).
Group 2 has NO access to anything (can't even perform show commands).
Group 2 CAN access other IOS devices and can perform the various show commands.
With regards to our authorization commands, we currently have it configured as:
aaa authorization commands default group <groupname> local
Why is it working for the one group, but not the other? I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with. I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
Thanks!
Kyle

dont have enough info to give you a full conclusive answer Kyle, but some suspicions.
Task group not set right?
Command groups not defined properly in tacacs for command author.
if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
More info here:
https://supportforums.cisco.com/docs/DOC-15944
xander

Asa cmd authorization using acs

Hi all, i was trying to authorize the asa with acs 3.2 on priv lvl 7 using tacacs+,but the users were geting priv-lvl 15 only..
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 10.0.0.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
i had brought some commands also in priv 7 using privilege commandm but the problem is that when i try to login i am geting priv-lvl 15 only not 7.i had set in acs also in tacacs+ seting to assign priv lvl=7 only to the users .. but dnt knw why it is nt wrking ..

ASA does not have any authorization exec command so Priv Level does not work with ASA.
Max privilege(enable attrib. in ACS)works with ASA.
But if you implementing command authorization with ASA no need to configure max priv levels, let them all fall on priv level 15 and control access through command authorization.
2 main commands required for command authorization are
aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
aaa authorization command tac_serv

Restrict aaa access using command authorization windows acs3.6

i need to enable aaa users to shut and unshut interfaces but nothing else. i already have all the users and groups setup but when i modify the command auth set to include "configure" "permit term" they are given unrestricted access.
any help appreciated

On the router there's a:
aaa authorization config-commands
command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.

Phones don't boot with certain ios switch cmds

During a new 4.1.3 call mgr install, 7961 phones hung during bootup. Had to remove the followimg cmds from the 3750 stacks to get them to boot:
Removed ip verify source from each interface
Removed ip arp inspection ?vlan info? from global config
Removed ip dhcp snooping ?vlan info? from global config
Since then, the phone loads have been upgraded to 8.0.4.sr1 and all seems well. I's like to tell customer that the new load fixed the problem, but I have yet to see anything about it in the release notes.
Has anyone run into this ?
Rob

I had a similar problem on 6509 switches with some 7.X.X phone load, but did not get a chance to upgrade the loads. Every new phone when connected to the network for the first time would get stuck in "Configuring IP".
Two workarounds:
1. "clear ip dhcp snooping binding"
2. Factory Reset the IP Phone

Command authorization error when using aaa cache

Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
Deleting the cache entry and using only the tacacs group the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)

Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek

AAA authorization not working

Hi,
Configured the switch for the AAA authentication it's getting authenticated but it's failing for authentication.
When connected to console it worked- Authenticated and then supplied the enable password.
When telneted : it says "access approved" and "authorization failed"
Relevant switch configuration is as follows and also debug of aaa authorization.
+++++++++++++++++++++++++++++
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
username cisco privilege 15 password 7 05080F1C224233
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
no ip address
spanning-tree portfast
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/2
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan120
ip address 10.12.8.70 255.255.255.240
ip default-gateway 10.12.8.65
ip classless
ip http server
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
password 7 grrfcb7swe
transport input telnet
line vty 5 15
end
Debug output :
Switch#
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------# authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#
Do we need to change anything on Radius server or can we change the authorization preference to local and then to radius.
Please share the experience.
Thanks in advance,
Subodh

Hi Subodh,
I understand that you are trying to use command authorization using RADIUS.
aaa authorization commands 15 default group radius if-authenticated local
Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
Please refer the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
Regards,
Karthik Chandran
*kindly rate helpful post*

Allow some show commands in AAA Authorization Set

I'm working on creating AAA authorization sets for our environment and ran into a question!
I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable. Even if I try to explicitly enable it.
Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
ACS Version 4.1.
Command set is configured:

Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config' then stoping on that before anything else. I've tried adding 'permit run interface' in ACS and same thing. Other AAA Authorization set commands work just fine.
On the switch (its a 2960G-8TC-K) running 12.2(58)SE2.
aaa group server tacacs+ SHS
server 10.10.11.200
aaa authentication login verifyme group TACACS+ local
aaa authorization config-commands
aaa authorization exec verifyme group TACACS+ local
aaa authorization commands 0 default group TACACS+
aaa authorization commands 1 default group TACACS+
aaa authorization commands 15 default group TACACS+
aaa accounting send stop-record authentication failure
aaa accounting exec verifyme start-stop group TACACS+
aaa accounting commands 15 default start-stop group TACACS+
aaa accounting network verifyme start-stop group TACACS+
aaa accounting system default start-stop group TACACS+
aaa session-id common
Debugs!
Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

AAA Authorization + Switch Cluster = Fail?

Hi, I had a Switch Cluster running with local authentication and authorization just fine (with aaa new-model). It's a stack of 3750-Xs and several 2960s, they've all been configured more or less the same way with a configuration template.
I added AAA authentication and authorization and I can still reach each of the switches individually, but when I try to rcommand "x" from the cluster commander, I get:
#rcommand 2
% Authorization failed.
One of the 2960s is a stack and when I run rcommand to that switch I get something different:
#rcommand 1
EBMIASWF1LB-01 tty1 is now available
Press RETURN to get started.
All other 2960s give me "% Authorization failed."
3750s are running:
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
2960Ses are running:
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
2960s are running:
Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
I tried a debug aaa authentication and aaa authorization on the member (destination) 2960 switch and I got this:
541120: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/BIND(00004788): Bind i/f
541121: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: parse name=tty4 idb type=-1 tty=-1
541122: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0
541123: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/MEMORY: create_user (0x29DA580) user='radiususer' ruser='NULL' ds0=0 port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
541124: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/AUTHOR (0x4788): Pick method list 'default'
541125: Mar 7 2013 17:14:30.754 EST: CLUSTER_MEMBER_2: AAA/AUTHOR/EXEC(00004788): Authorization FAILED
541126: Mar 7 2013 17:14:32.859 EST: CLUSTER_MEMBER_2: AAA/MEMORY: free_user (0x29DA580) user='radiususer' ruser='NULL' port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15
Debug on 2960S (stack) is the same.
The radius server is a Microsoft NPS (IAS on 2012) and all switches have AAA configured the same:
NPS is sending these AV Pairs:
shell:priv-lvl=15
Service-Type = Administrative
Service-Type = NAS-Prompt-User
Switches are configured like this:
aaa new-model
aaa group server radius RadiusAAA
server x.x.x.x auth-port 1645 acct-port 1646
server y.y.y.y auth-port 1645 acct-port 1646
ip radius source-interface VlanXX
deadtime 1
aaa authentication login default group RadiusAAA local
aaa authorization exec default group RadiusAAA if-authenticated local
aaa session-id common
! etc etc
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 <radius key>
radius-server host y.y.y.y auth-port 1645 acct-port 1646 key 7 <radius key>
radius-server deadtime 1
I've also tried moving around the
aaa authorization exec default group RadiusAAA if-authenticated local
to:
aaa authorization exec default group RadiusAAA local if-authenticated
But the results are the same... Telnet and SSH work great, but I'd like for the cluster to keep working!
Any ideas?
Thanks in advance for your help, I've spent a lot of time on this, and I don't even know if it's supported!
Esteban

Here is a good doc that explains different errors:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

Aaa authorization with Funk SBR EE

Hello,
I do not get aaa authorization with Funk SBR EE to work.
On our cisco switches I configure:
aaa authentication default group radius local
aaa authorization exec default radius local
On the Funk radius server I return
service-type login
Cisco-AVPAIR shell:priv-lvl=15
Authorization always fails and the debug output shows:
1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
What do I need to add to the radius server to make it work?
--Joerg

The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap

AAA authorization fails, but still command is executed...

Hi everyone,
i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec 7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
Is this me not understandig the basic concept of AAA or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
Tom

Hi Tom,
this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert

AAA authentication when logging into the router via the web browser

Hi group,
I am trying to get access the a cisco 2621 via http and authentication
via AAA but there is something I am not quite understand.
I am using the freeware TACACS+ server running on RedHat Linux
Enterprise Server 3.0. I setup the TACACS+ account for myself with
enable privilege on the TACACS+ box. This account, let call it,
ddt123, can telnet/ssh into the IOS router and the enable secret
is associated with this account as setup in TACACS+.
Here is my configuration looks like on the TACACS+ file:
[root@dca2-LinuxES tacacs]# more tac_plus.cfg
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = ddt123 {
member = admin
name = "ddt 123"
login = cleartext "exec123"
user = $ddt123$ {
member = admin
name = "ddt 123"
login = cleartext "privi123"
group = admin {
default service = permit
[root@dca2-LinuxES tacacs]#
Here is my configuration on the IOS device:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
tacacs-server host 192.168.15.10 key ***
ip http server
ip http authentication aaa login-authentication VTY
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
The question I have is that when I open the browser and enter http://router_IP_address,
the it prompts me for authetication, which password should I use, "exec123" or "privi123"?
Can someone explain to me how this work, and if it works at all? Thanks.
David

here is the "debug aaa authen" and "debug aaa author" on the router:
C2621#term mon
C2621#
Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor
Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=
Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/MEMORY: free_user (0x8276F8AC) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet
Feb 25 2007 23:11:38 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(14840), 1 packet
Feb 25 23:11:39.248 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author
Feb 25 2007 23:11:40 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(36781), 1 packet
Feb 25 2007 23:11:41 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted udp 192.168.4.10(2537) -> 192.168.15.1(161), 1 packet
Feb 25 23:11:42.553 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
Feb 25 2007 23:11:43 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(19535), 1 packetu
All possible debugging has been turned off
C2621#
Feb 25 23:11:46.552 UTC: AAA: parse name=tty66 idb type=-1 tty=-1
Feb 25 23:11:46.552 UTC: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
Feb 25 23:11:46.552 UTC: AAA/MEMORY: create_user (0x8276AD88) user='ddt123' ruser='C2621' ds0=0 port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD
Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): found list "VTY"
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Method=tacacs+ (tacacs+)
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): user=ddt123
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV service=shell
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd=undebug
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=all
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=
Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/MEMORY: free_user (0x8276AD88) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)no
Feb 25 2007 23:11:47 UTC: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 976 packets
C2621#
David

AAA and CNA?

I am trying to configure a 3750 switch for AAA? Telnet and SSH work fine but CNA and HTTP is not working. Both SSH and Telnet need to authenticate using RADIUS but CNA/HTTP needs to authenticate using a local account because the local administrator only uses the CNA for management and the admins in TACACS use CLI. Here is what I have so far.
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
tacacs-server host X.X.X.X
tacacs-server directed-request
tacacs-server key 7 XXXXX
The debugs show the connection authenticating correctly.
170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170538: 48w1d: AAA/BIND(000003FA): Bind i/f
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
170542: 48w1d: HTTP: Priv level granted 15
170543: 48w1d: AAA/BIND(000003FB): Bind i/f
170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170546: 48w1d: AAA/BIND(000003FC): Bind i/f
170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
170550: 48w1d: HTTP: Priv level granted 15
170551: 48w1d: AAA/BIND(000003FD): Bind i/f
170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1
170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1
170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170567: 48w1d: AAA/BIND(000003FE): Bind i/f
170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'
170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
170570: 48w1d: HTTP: Priv level authorization success priv_level: 15
170571: 48w1d: HTTP: Priv level granted 15
170572: 48w1d: AAA/BIND(000003FF): Bind i/f
170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170575: 48w1d: AAA/BIND(00000400): Bind i/f
170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'
170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'
170578: 48w1d: HTTP: Priv level authorization success priv_level: 15
170579: 48w1d: HTTP: Priv level granted 15
170580: 48w1d: AAA/BIND(00000401): Bind i/f
Any help would be appriciated.
Thanks,
Robert

Good day.
Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.
Sincerely,
Marc
https://supportforums.cisco.com/message/3562335#3562335

ACS 5.3 Showing Clear Text Password in Authorization reports

Hello,
When a tacacs user is changing the local password on the router (for local user), the acs 5.3 is showing the new password in clear text in authorization reports/logs.
This behaviour is seen on acs 5.x, whereas acs 4.2 is showing encrypted password in the reports.
I have checked debugs on Router and it is sending password in clear text in Tacacs Authorization packet but encrypted password in Tacacs Accounting logs.
Debug tacacs accounting
debug aaa accounting
4w3d: TPLUS: Received accounting response with status PASS
4w3d: TPLUS: Queuing AAA Accounting request 208 for processing
4w3d: TPLUS: processing accounting request id 208
4w3d: TPLUS: Sending AV task_id=459
4w3d: TPLUS: Sending AV timezone=UTC
4w3d: TPLUS: Sending AV service=shell
4w3d: TPLUS: Sending AV priv-lvl=15
4w3d: TPLUS: Sending AV cmd=username sansehga privilege 15 password *****
4w3d: TPLUS: Accounting request created for 208(sanjay)
debug tacas authorization
debug aaa authorization
4w3d: AAA/MEMORY: create_user (0x851611DC) user='sanjay' ruser='R1' ds0=0
port='tty7' rem_addr='10.76.212.159' authen_type=ASCII service=NONE priv=15
initial_task_id='0', vrf= (id=0)
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Port='tty7' list='' service=CMD
4w3d: AAA/AUTHOR/CMD: tty7(1390711548) user='sanjay'
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV service=shell
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd=username
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sansehga
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=privilege
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=15
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sehgal
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=<cr>
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): found list "default"
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Method=tacacs+ (tacacs+)
4w3d: AAA/AUTHOR/TAC+: (1390711548): user=sanjay
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sansehga
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sehgal
4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD
Please share if someone has found the fix to this problem.
Regards,
Akhtar

Thanks Tarik,
But it seems it did not help overall
Akhtar: Cisco needs long time to fix bugs unless it is P1 or P2 bug. Otherwise they'll do it at their leisure.
If you are not on latest patch already then upgrade. If you are already on the latest patch then wait for the next one. If your bug is not mentioned to be fixed on the resolved caveats don't panic. I've seen many bugs fixed but not mentioned in the release notes. What you need to do is to contact TAC so they contact the BU for your behalf to confirm if the bug is resolved or not.
Regards,
Amjad

AAA IOS HTTS Cmd Authorization

Similar Messages

Maybe you are looking for