Command authorization error when using aaa cache

khof
Level 1

Hi,

I'm trying to use the aaa cache mode for command authorization, but when I execute a command there is always an error message:

% tty2 Unknown authorization method 6 set for list command

The command is then always authorized against the tacacs server.

The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.

I have tried it with an access point AIR-AP1242AG-E-K9, IOS 12.3(8)JEA, and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE, with the same results.

When I delete the cache entry and use only the tacacs group, the error message disappears.

Any suggestions?

Thanks.

Frank

======
config
======

aaa new-model
!
aaa group server tacacs+ group_tacacs
 server 10.10.10.10
 server 10.10.10.11
 cache expiry 12
 cache authorization profile admin_user
 cache authentication profile admin_user
!
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
 profile admin no-auth
!
aaa session-id common
...
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>

============
debug output
============

ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
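The debug output above is the whole story of the problem: for the EXEC authorization the cache answers, while for the command authorization IOS rejects the `cache` method in the list ("Unknown authorization method 6"), returns ERROR for that step and only then falls through to the tacacs+ group, which is why every command still reaches the server. The following is an added example, not code from the post or from Cisco: a small parser for `debug aaa authorization` output that groups the lines by request id, records each method tried and the status that followed it, and reports requests where a method was rejected as unknown and a later method had to answer. The sample lines are trimmed from the debug output posted above; the regexes match the line formats shown there and are an assumption for other IOS releases.

```python
"""Summarise Cisco IOS 'debug aaa authorization' output per request.

Added example, not code from the forum post or from Cisco. It groups the
AAA/AUTHOR lines by request id, records each method tried and the status
that followed it, and reports requests where a configured method was
rejected as unknown so that the next method in the list had to answer.
"""
import re

# Ids appear as AAA/AUTHOR (0x4), AAA/AUTHOR/EXEC(00000004), tty2 AAA/AUTHOR/CMD(787222339).
RE_ID = re.compile(r"\(((?:0x)?[0-9a-fA-F]+)\)")
RE_LIST = re.compile(r"""found list "([^"]+)"|Pick method list '([^']+)'""")
RE_USER = re.compile(r"\buser='?(\w+)'?")            # \b keeps ruser='ap' from matching
RE_CMD_AV = re.compile(r"(?:send|processing) AV cmd(?:-arg)?=(.*)$")
RE_UNKNOWN = re.compile(r"Unknown authorization method (\d+) set for list (\w+)")
RE_METHOD = re.compile(r"Method=(.+)$")
RE_STATUS = re.compile(r"Post authorization status = (\w+)")


def _norm_id(text):
    """0x4 and 00000004 name the same request; both become int 4."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def summarize(debug_text):
    """Return {request_id: summary} in first-seen order."""
    reqs, current = {}, None
    for line in debug_text.splitlines():
        if "AAA/AUTHOR" in line and (m := RE_ID.search(line)):
            current = _norm_id(m.group(1))
            reqs.setdefault(current, {"list": None, "user": None, "command": [],
                                      "steps": [], "unknown": None})
        if current is None:
            continue                          # no request yet to attach this line to
        r = reqs[current]
        if m := RE_LIST.search(line):
            r["list"] = m.group(1) or m.group(2)
        if m := RE_USER.search(line):
            r["user"] = m.group(1)
        if "/TAC+" not in line and (m := RE_CMD_AV.search(line)):
            r["command"].append(m.group(1))   # TAC+ lines only echo these AV pairs
        if m := RE_UNKNOWN.search(line):      # carries no id, so it belongs to 'current'
            r["steps"].append([f"unknown method {m.group(1)}", None])
            r["unknown"] = (int(m.group(1)), m.group(2))
        elif m := RE_METHOD.search(line):
            r["steps"].append([m.group(1), None])
        status = None
        if m := RE_STATUS.search(line):
            status = m.group(1)
        elif "Authorization successful" in line:
            status = "PASS"
        if status and r["steps"] and r["steps"][-1][1] is None:
            r["steps"][-1][1] = status        # the status closes the method last tried
        elif status:
            r["steps"].append([None, status])  # no Method= line was logged for it
    for r in reqs.values():
        r["command"] = " ".join(t for t in r["command"] if t and t != "<cr>")
        r["steps"] = [tuple(s) for s in r["steps"]]
    return reqs


def fell_back(summary):
    """True when an earlier method ended in ERROR/FAIL and a later one passed."""
    statuses = [s for _, s in summary["steps"]]
    return any(s in ("ERROR", "FAIL") and any(t and t.startswith("PASS") for t in statuses[i + 1:])
               for i, s in enumerate(statuses))


def rejected_methods(summaries):
    """(request id, method number, list name) for every 'Unknown authorization method' line."""
    return [(rid, *r["unknown"]) for rid, r in summaries.items() if r["unknown"]]


# Trimmed from the debug output in the post above: one EXEC and one CMD authorization.
SAMPLE = """\
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
"""

if __name__ == "__main__":
    for rid, r in summarize(SAMPLE).items():
        print(rid, r["user"], r["list"], repr(r["command"]), r["steps"], fell_back(r))
    print(rejected_methods(summarize(SAMPLE)))
```

Run against a full `debug aaa authorization` capture, `rejected_methods` lists every method list in which IOS refused one of the configured methods, and `fell_back` tells you for which requests the list silently continued to the next method instead of stopping, which is the difference between "the cache is not used" and "authorization failed".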

3 Replies

sbilgi
Level 5

These are event logs which show that these are just informational messages of sev 6.

Try removing the cache-related commands and adding the following commands:

aaa authen login default group < group name > local

aaa authorization exec default group local

Hi,

I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.

Regards,

Vivek
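Vivek's point, that `cache` serves authentication and EXEC authorization but not command authorization, is the kind of thing worth checking in a running-config before the box is deployed rather than discovering in a debug. The following is an added example, not code from the thread or from Cisco: a lint over the `aaa` lines of an IOS config that parses each method list, resolves the server groups it names, and flags a `cache` method on an `aaa authorization commands` list (the behaviour shown in the debug output above), a `cache <group>` method whose group has no cache profile, undefined groups, lists ending in `none`, and EXEC authorization without `aaa authorization console`. The sample configs are constructed from the config posted above; the second and third are the corrected and a deliberately weakened variant.

```python
"""Lint the AAA method lists of a Cisco IOS running-config.

Added example, not code from the forum post or from Cisco. It reads the
'aaa' lines (IOS indentation marks sub-blocks), resolves the server groups
they reference, and reports the inconsistencies the thread turns on.
"""
import re

RE_LIST = re.compile(r"^aaa (authentication|authorization) (\S+) (?:(\d+) )?(\S+) (.+)$")
TWO_TOKEN_METHODS = {"group", "cache"}      # these methods consume the following word
BUILTIN_GROUPS = {"tacacs+", "radius"}      # 'group tacacs+' needs no 'aaa group server'


def parse_blocks(config):
    """Split an IOS config into top-level lines and their indented children."""
    top, blocks, header = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            header = None                     # '!' closes the current block
            continue
        if raw[0] in " \t" and header is not None:
            blocks[header].append(line)
        else:
            header = line
            top.append(header)
            blocks[header] = []
    return top, blocks


def parse_methods(tokens):
    """['cache','G','group','G','local'] -> [('cache','G'), ('group','G'), ('local',None)]"""
    methods, i = [], 0
    while i < len(tokens):
        arg = tokens[i + 1] if tokens[i] in TWO_TOKEN_METHODS and i + 1 < len(tokens) else None
        methods.append((tokens[i], arg))
        i += 2 if arg else 1
    return methods


def lint_aaa(config):
    """Return a list of findings; an empty list means the AAA lines are consistent."""
    top, blocks = parse_blocks(config)
    findings = []
    groups, cache_groups = set(), set()
    for h, children in blocks.items():
        if not h.startswith("aaa group server "):
            continue
        groups.add(h.split()[-1])
        if any(c.startswith("cache ") and " profile " in c for c in children):
            cache_groups.add(h.split()[-1])   # group can answer 'cache <group>' methods
    has_exec_authz = False
    for line in top:
        m = RE_LIST.match(line)
        if not m:
            continue                          # 'aaa authorization console' etc. have no list
        kind, service, level, name, rest = m.groups()
        label = " ".join(t for t in ("aaa", kind, service, level, name) if t)
        methods = parse_methods(rest.split())
        has_exec_authz |= (kind, service) == ("authorization", "exec")
        for method, arg in methods:
            if method == "cache" and service == "commands":
                findings.append(f"{label}: 'cache {arg}' is not a usable method for command "
                                "authorization; IOS logs 'Unknown authorization method' and "
                                "falls through to the next method on every command")
            elif method == "cache" and arg not in cache_groups:
                findings.append(f"{label}: 'cache {arg}' names a group with no cache profile")
            elif method == "group" and arg not in groups | BUILTIN_GROUPS:
                findings.append(f"{label}: server group '{arg}' is not defined")
        if methods and methods[-1][0] == "none":
            findings.append(f"{label}: list ends in 'none', so it fails open when no server answers")
    if has_exec_authz and "aaa authorization console" not in top:
        findings.append("aaa authorization console is missing: console EXEC sessions bypass authorization")
    return findings


# Constructed from the config posted above (indentation restored, lines this lint ignores dropped).
POSTED = """\
aaa new-model
!
aaa group server tacacs+ group_tacacs
 server 10.10.10.10
 server 10.10.10.11
 cache expiry 12
 cache authorization profile admin_user
 cache authentication profile admin_user
!
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authorization console
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa cache profile admin_user
 profile admin no-auth
!
"""
# The one change the thread arrives at: no cache method on command authorization.
FIXED = POSTED.replace("commands 15 default cache group_tacacs group", "commands 15 default group")
# Constructed weak variant: cache pointing at an undefined group, EXEC authorization failing open.
WEAK = FIXED.replace("exec default cache group_tacacs group group_tacacs local",
                     "exec default cache group_radius group group_tacacs none")
```

`lint_aaa(POSTED)` returns the single finding about the `commands 15` list, `lint_aaa(FIXED)` returns nothing, and `lint_aaa(WEAK)` returns two findings. The lint intentionally knows nothing about whether the TACACS servers are reachable; it only checks that what is written can work, which is exactly what the posted config failed on.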

Hi Vivek,

I had almost expected to see this answer. Then I will have to go another way to finish this task.

Thanks.

Frank