02-25-2007 03:22 PM - edited 03-10-2019 03:00 PM
Hi group,
I am trying to get access to a Cisco 2621 via HTTP with authentication via AAA, but there is something I do not quite understand.
I am using the freeware TACACS+ server running on Red Hat Linux Enterprise Server 3.0. I set up the TACACS+ account for myself with enable privilege on the TACACS+ box. This account, let's call it ddt123, can telnet/SSH into the IOS router, and the enable secret is associated with this account as set up in TACACS+.
Here is what my configuration looks like in the TACACS+ file:
[root@dca2-LinuxES tacacs]# more tac_plus.cfg
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = ddt123 {
    member = admin
    name = "ddt 123"
    login = cleartext "exec123"
}
user = $ddt123$ {
    member = admin
    name = "ddt 123"
    login = cleartext "privi123"
}
group = admin {
    default service = permit
}
[root@dca2-LinuxES tacacs]#
Here is my configuration on the IOS device:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
tacacs-server host 192.168.15.10 key ***
ip http server
ip http authentication aaa login-authentication VTY
line con 0
 exec-timeout 0 0
 authorization exec notac
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 logging synchronous
 login authentication notac
line vty 0 15
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY
----
The question I have is this: when I open the browser and enter http://router_IP_address, it prompts me for authentication. Which password should I use, "exec123" or "privi123"?
Can someone explain to me how this works, and if it works at all? Thanks.
David
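Added example (the editor's, not David's or Vivek's, and not a Cisco tool): a small Python auditor that reads IOS statements like the ones posted above and reports how the HTTP server is authenticated. It resolves the list named by ip http authentication aaa login-authentication, lists its fallback methods, flags any login list containing none together with the lines it is bound to, checks whether ip http access-class limits who can reach the web UI, and whether the box serves plain HTTP. SAMPLE_CONFIG is the posted configuration trimmed to the lines the checks read; the severity labels are the example's own policy assumptions, and the finding about privilege 15 and missing accounting for web logins restates what the thread establishes further down.

```python
"""Audit how an IOS router authenticates its HTTP server.

Added example for this thread, not from the original posts, from Cisco or from
any Cisco tool. SAMPLE_CONFIG is the router config posted above, trimmed to the
statements the checks read; the severities are policy assumptions of the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa accounting exec VTY start-stop group tacacs+
tacacs-server host 192.168.15.10 key ***
ip http server
ip http authentication aaa login-authentication VTY
line con 0
 login authentication notac
line vty 0 15
 login authentication VTY
"""


def parse_methods(tokens: List[str]) -> List[str]:
    """['group', 'tacacs+', 'local'] -> ['group tacacs+', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


@dataclass
class AAAConfig:
    login_lists: Dict[str, List[str]] = field(default_factory=dict)
    accounting_lists: Set[str] = field(default_factory=set)
    line_login: Dict[str, str] = field(default_factory=dict)  # "con 0" -> list name
    http_server: bool = False
    https_server: bool = False
    http_login_list: Optional[str] = None
    http_access_class: Optional[str] = None


def parse_config(text: str) -> AAAConfig:
    cfg, current_line = AAAConfig(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):
            current_line = None  # back out of 'line ...' sub-mode
        if t[:3] == ["aaa", "authentication", "login"]:
            cfg.login_lists[t[3]] = parse_methods(t[4:])
        elif t[:2] == ["aaa", "accounting"] and len(t) > 4:
            # 'accounting commands <level> <list>' has one extra token before the name
            cfg.accounting_lists.add(t[4] if t[2] == "commands" else t[3])
        elif t[:3] == ["ip", "http", "server"]:
            cfg.http_server = True
        elif t[:3] == ["ip", "http", "secure-server"]:
            cfg.https_server = True
        elif t[:5] == ["ip", "http", "authentication", "aaa", "login-authentication"]:
            cfg.http_login_list = t[5]
        elif t[:3] == ["ip", "http", "access-class"]:
            cfg.http_access_class = t[3]
        elif t[0] == "line":
            current_line = " ".join(t[1:])
        elif current_line and t[:2] == ["login", "authentication"]:
            cfg.line_login[current_line] = t[2]
    return cfg


def audit(cfg: AAAConfig) -> List[str]:
    f = []
    if cfg.http_server and not cfg.https_server:
        f.append("HIGH: 'ip http server' without 'ip http secure-server': web logins "
                 "and sessions cross the network in cleartext")
    if cfg.http_server or cfg.https_server:
        if cfg.http_access_class is None:
            f.append("MEDIUM: no 'ip http access-class': the web UI answers any source address")
        name = cfg.http_login_list
        if name not in cfg.login_lists:  # None (default list) or a typo
            f.append(f"MEDIUM: HTTP login list {name!r} is not a defined named list; check what it resolves to")
        else:
            if "none" in cfg.login_lists[name]:
                f.append(f"HIGH: HTTP login list '{name}' contains 'none'")
            fallback = [m for m in cfg.login_lists[name] if not m.startswith("group")]
            if fallback:
                f.append(f"INFO: HTTP login list '{name}' falls back to {', '.join(fallback)} "
                         "when the TACACS+ group does not answer")
        # The thread's point: web logins land at privilege 15, and the accounting
        # lists (bound to con/vty lines only) never see what they do.
        f.append("MEDIUM: HTTP logins run at privilege 15 with no 'aaa accounting' coverage "
                 f"(lists defined: {', '.join(sorted(cfg.accounting_lists)) or 'none'})")
    for name, methods in cfg.login_lists.items():
        if "none" in methods:
            bound = [ln for ln, lst in cfg.line_login.items() if lst == name]
            f.append(f"HIGH: login list '{name}' contains 'none' "
                     f"(bound to: {', '.join(bound) or 'no line'})")
    return f
```

Run against the posted config, audit(parse_config(SAMPLE_CONFIG)) reports plain HTTP with no access-class, the VTY list falling back to local, the notac list (none) bound to con 0, and the privilege-15/no-accounting note for web logins.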
02-25-2007 03:23 PM
Here is the "debug aaa authen" and "debug aaa author" output on the router:
C2621#term mon
C2621#
Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor
Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=
Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/MEMORY: free_user (0x8276F8AC) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet
Feb 25 2007 23:11:38 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(14840), 1 packet
Feb 25 23:11:39.248 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author
Feb 25 2007 23:11:40 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(36781), 1 packet
Feb 25 2007 23:11:41 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted udp 192.168.4.10(2537) -> 192.168.15.1(161), 1 packet
Feb 25 23:11:42.553 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
Feb 25 2007 23:11:43 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(19535), 1 packet
All possible debugging has been turned off
C2621#
Feb 25 23:11:46.552 UTC: AAA: parse name=tty66 idb type=-1 tty=-1
Feb 25 23:11:46.552 UTC: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
Feb 25 23:11:46.552 UTC: AAA/MEMORY: create_user (0x8276AD88) user='ddt123' ruser='C2621' ds0=0 port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD
Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): found list "VTY"
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Method=tacacs+ (tacacs+)
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): user=ddt123
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV service=shell
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd=undebug
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=all
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=
Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/MEMORY: free_user (0x8276AD88) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
Feb 25 2007 23:11:47 UTC: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 976 packets
C2621#
David
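Added example (the editor's, not from the posts or from Cisco): a Python correlator that turns debug aaa author output like the above into one record per command authorization request, keyed by the session id in parentheses. Two details visible in the debug are handled: IOS prints the same 32-bit id unsigned in AAA/AUTHOR lines and signed in TAC+ lines (3081244823 and -1213722473 above), and each request ends with an empty cmd-arg= that terminates the argument list. The sample lines are adapted from the output above; the configure terminal session ending in FAIL is constructed to show what a denial looks like.

```python
"""Correlate 'debug aaa author' output into per-command authorization decisions.

Added example for this thread, not from the original posts or from Cisco. The
sample lines are adapted from the debug output above; the 'configure terminal'
session with status FAIL is constructed to show a denial.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_DEBUG = """\
Feb 25 23:11:33.963 UTC: tty66 AAA/AUTHOR/CMD(3081244823): Port='tty66' list='VTY' service=CMD
Feb 25 23:11:33.963 UTC: AAA/AUTHOR/CMD: tty66(3081244823) user='ddt123'
Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd=terminal
Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor
Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=
Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD
Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet
Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD
Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=
Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD
Feb 25 23:12:01.100 UTC: tty66 AAA/AUTHOR/CMD(2000000001): Port='tty66' list='VTY' service=CMD
Feb 25 23:12:01.100 UTC: AAA/AUTHOR/CMD: tty66(2000000001) user='ddt123'
Feb 25 23:12:01.100 UTC: tty66 AAA/AUTHOR/CMD(2000000001): send AV cmd=configure
Feb 25 23:12:01.100 UTC: tty66 AAA/AUTHOR/CMD(2000000001): send AV cmd-arg=terminal
Feb 25 23:12:01.100 UTC: tty66 AAA/AUTHOR/CMD(2000000001): send AV cmd-arg=
Feb 25 23:12:01.300 UTC: AAA/AUTHOR (2000000001): Post authorization status = FAIL
"""

SESSION_RE = re.compile(r"\((-?\d+)\)")
AV_RE = re.compile(r"send AV ([\w-]+)=(.*)$")
USER_RE = re.compile(r"\buser='?([^'\s]+)'?")   # \b keeps ruser='C2621' out
PORT_RE = re.compile(r"Port='([^']+)'")
STATUS_RE = re.compile(r"status = (\w+)")


@dataclass
class AuthorSession:
    session: int
    user: str = "?"
    port: str = "?"
    cmd: str = ""
    args: List[str] = field(default_factory=list)
    status: str = "PENDING"  # no response line seen yet

    def command(self) -> str:
        return " ".join([self.cmd] + self.args).strip()


def norm_id(raw: str) -> int:
    """IOS prints one 32-bit session id unsigned in AAA/AUTHOR lines and signed
    in TAC+ lines (3081244823 vs -1213722473 above); mask so they match."""
    return int(raw) & 0xFFFFFFFF


def correlate(text: str) -> Dict[int, AuthorSession]:
    sessions: Dict[int, AuthorSession] = {}
    for line in text.splitlines():
        if "AUTHOR" not in line and "TAC+" not in line:
            continue  # ACL logs, AUTHEN lines, memory bookkeeping
        m = SESSION_RE.search(line)
        if not m or int(m.group(1)) == 0:
            continue  # (00000000) is not tied to a command request
        sid = norm_id(m.group(1))
        s = sessions.setdefault(sid, AuthorSession(sid))
        if (u := USER_RE.search(line)):
            s.user = u.group(1)
        if (p := PORT_RE.search(line)):
            s.port = p.group(1)
        if (av := AV_RE.search(line)):
            key, val = av.groups()
            if key == "cmd":
                s.cmd = val
            elif key == "cmd-arg" and val:  # the empty trailing cmd-arg ends the list
                s.args.append(val)
        if (st := STATUS_RE.search(line)):
            s.status = st.group(1)
    return sessions


def report(sessions: Dict[int, AuthorSession]) -> List[str]:
    return [f"{s.user}@{s.port}: '{s.command()}' -> {s.status}" for s in sessions.values()]


def denied(sessions: Dict[int, AuthorSession]) -> List[AuthorSession]:
    """Commands the TACACS+ server refused: the records worth alerting on."""
    return [s for s in sessions.values() if s.status == "FAIL"]


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_DEBUG))))
```

On the sample this yields three records (terminal monitor and undebug all with PASS_ADD, configure terminal with FAIL); denied() returns only the last. The same correlation is what one would run over a syslog feed to reconcile command authorizations against the accounting records on the TACACS+ server.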
02-26-2007 02:52 AM
Hi David,
Login via HTTP requires privilege level 15.
You will need to add the following to the user's profile:
service = exec {
priv-lvl = 15
}
Regards,
Vivek
02-26-2007 08:00 AM
Hi Vivek,
Here is my config of the TACACS+ file:
user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "123456"
    service = exec { priv-lvl = 15 }
    expires = "Dec 31 2007"
}
user = $cciesec$ {
    member = admin
    name = "ccie security"
    global = cleartext "cciesec1"
    service = exec { priv-lvl = 15 }
    expires = "Dec 31 2007"
}
group = admin {
    default service = permit
}
I now can go to http://router-IP and log in with the cciesec account, but I have to use the "exec" password. In other words, it works with "123456" but NOT "cciesec1". Worse, I now can telnet/SSH into the router, and when I enter "cciesec/123456" it takes me directly into "enable" mode.
What I would like to accomplish is to have user cciesec log into the router via the web browser, but he has to use the password "cciesec1" because that is his unique enable password. Furthermore, when cciesec telnets or SSHes into the router, I want him to be able to log in as "cciesec/123456" and have that take him to the "exec" prompt. After that, cciesec has to use "cciesec1" to go into privileged mode. Is that doable?
One other thing: when I use cciesec to log into the router via the browser, I am not seeing it in the TACACS+ log. How do I enable accounting for user(s) logging into the router via the browser?
Thanks.
David
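Added example (the editor's, not the tac_plus project's and not from the posts): a Python parser for the brace syntax of tac_plus.cfg and an audit over the result, run against the configuration David posted. It flags the points the thread raises and a few a reviewer would add: passwords kept as cleartext, service = exec { priv-lvl = 15 } (which, as David saw, lands telnet/SSH logins in privileged mode as well as HTTP), expires dates already passed, groups with default service = permit, and a short shared key. The rules, the 16-character key threshold and the severities are the example's own assumptions.

```python
"""Audit a freeware tac_plus.cfg for the weaknesses this thread runs into.

Added example for this thread, not the daemon's own tooling or from the posts.
SAMPLE_CFG is the configuration posted above; the rules and severities are the
example's own policy assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

SAMPLE_CFG = """\
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "123456"
    service = exec { priv-lvl = 15 }
    expires = "Dec 31 2007"
}
user = $cciesec$ {
    member = admin
    name = "ccie security"
    global = cleartext "cciesec1"
    service = exec { priv-lvl = 15 }
    expires = "Dec 31 2007"
}
group = admin {
    default service = permit
}
"""

# quoted string | newline | punctuation | comment | bare word
TOKEN_RE = re.compile(r'"[^"]*"|\n|[{}=]|#[^\n]*|[^\s{}="#]+')
PASSWORD_KEYS = ("login", "global", "pap", "chap", "arap")


@dataclass
class Stmt:
    key: str                      # "user", "default service", "priv-lvl", ...
    values: List[str]             # tokens after '=', quotes stripped
    children: List["Stmt"] = field(default_factory=list)

    def child(self, key: str) -> Optional["Stmt"]:
        return next((c for c in self.children if c.key == key), None)


def parse_block(tokens: List[str], i: int = 0):
    """Parse 'key [= values] [{ ... }]' statements until a closing brace."""
    stmts, n = [], len(tokens)
    while i < n and tokens[i] != "}":
        if tokens[i] == "\n":
            i += 1
            continue
        keys, vals, children = [], [], []
        while i < n and tokens[i] not in ("=", "{", "}", "\n"):
            keys.append(tokens[i]); i += 1
        if i < n and tokens[i] == "=":
            i += 1
            while i < n and tokens[i] not in ("{", "}", "\n"):
                vals.append(tokens[i].strip('"')); i += 1
        if i < n and tokens[i] == "{":
            children, i = parse_block(tokens, i + 1)
            i += 1  # consume the '}'
        stmts.append(Stmt(" ".join(keys), vals, children))
    return stmts, i


def parse(text: str) -> List[Stmt]:
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    return parse_block(tokens)[0]


def audit(text: str, today: date) -> List[str]:
    f, stmts = [], parse(text)
    open_groups = {g.values[0] for g in stmts if g.key == "group"
                   and g.child("default service") is not None
                   and g.child("default service").values == ["permit"]}
    for s in stmts:
        if s.key == "key" and len(s.values[0]) < 16:  # threshold is an assumption
            f.append(f"MEDIUM: shared TACACS+ key is only {len(s.values[0])} characters")
        if s.key != "user":
            continue
        name = s.values[0]
        for c in s.children:
            if c.key in PASSWORD_KEYS and c.values[:1] == ["cleartext"]:
                f.append(f"HIGH: {name}: '{c.key}' password stored cleartext "
                         "(tac_plus also takes crypt(3) hashes via 'des')")
        svc = s.child("service")
        pl = svc.child("priv-lvl") if svc and svc.values == ["exec"] else None
        if pl and pl.values == ["15"]:
            f.append(f"MEDIUM: {name}: exec priv-lvl 15 drops every login, telnet/SSH "
                     "as well as HTTP, straight into privileged mode")
        exp = s.child("expires")
        if exp is None:
            f.append(f"LOW: {name}: no 'expires' date")
        elif datetime.strptime(exp.values[0], "%b %d %Y").date() < today:
            f.append(f"LOW: {name}: account expired on {exp.values[0]}; remove it")
        m = s.child("member")
        if m and m.values[0] in open_groups:
            f.append(f"INFO: {name}: group '{m.values[0]}' has 'default service = permit', "
                     "so any command not explicitly denied is authorized")
    return f
```

Called as audit(SAMPLE_CFG, date.today()), the posted file produces two cleartext-password findings, two priv-lvl 15 findings, two default-service-permit notes, the short-key warning and, for any date after Dec 31 2007, two expired-account findings. The parser keeps statement nesting, so the same tree can drive other checks (per-command deny lists, missing member lines) without touching the tokenizer.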
02-27-2007 07:31 AM
Hi,
An HTTP connection requires a level 15 login, which means you will have to push the priv-lvl attribute. HTTP authentication will never prompt for the enable password.
Also, when you push priv-lvl 15 it will affect the shell by allowing users directly into privileged mode.
There is no workaround that I can think of.
Also, as far as I know, we cannot account for HTTP sessions.
Regards,
Vivek
02-27-2007 07:48 AM
Vivek,
I don't quite understand. If I can log into the router via HTTP but I cannot get accounting of what user(s) do via HTTP, where is the accounting piece? Isn't that a security risk? Should Cisco fix this?
Thanks
David
02-28-2007 06:42 AM
David,
I guess it makes a good feature request.
Regards,
Vivek