07-03-2007 07:06 AM - edited 03-10-2019 03:15 PM
Hi,
We were configuring AAA to use one of the TACACS servers for authentication, authorization and accounting purposes. When we did so, the command execution response became slow and sometimes gave the message "authorization failed". We thought there should be useful information on the TACACS server to debug this, but we were not able to find any message like that. Below is the config added; when we remove the AAA configuration, the login response and the command execution are good. We checked the path from this router to the TACACS server and it seems good, with no packet loss. Your assistance would be really appreciated.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host <ip address> timeout 5
tacacs-server directed-request
tacacs-server key <key>
Regards
Anantha Subramanian Natarajan
07-03-2007 07:23 AM
Hi Anantha,
So you are getting the "authorization failed" message and NOT "Command authorization failed"?
Is it a CAT3750? What IOS version is running on the box?
Regards,
~JG
07-03-2007 08:28 AM
Hi JG,
Thanks for the response. Yes, "% Authorization failed." is the message (frequent but not always).
The box is 7609 and the IOS running is 122-33.SRA2 (s72033-adventerprisek9_wan-mz.122-33.SRA2.bin).
Thanks
Regards
Anantha Subramanian Natarajan
07-03-2007 10:56 AM
Anantha,
On ACS, have you enabled "Single Connect TACACS+" for the 7609? If yes, then disable it.
Also, do you get this message during a specific configuration, or is it random?
e.g. this error pops up only when you try to make changes on the interfaces.
Regards,
~JG
07-09-2007 08:07 AM
Hi JG,
Thanks for the reply.
Actually, I am not sure whether single-connect TACACS+ is enabled on our TACACS server or not, but I am just curious, as another router on the same platform with the same configuration details, connecting to the same TACACS server, is working fine.
The error message appears frequently and at least is not specific to some command. In fact, every other time it gives the error.
Our TACACS and SNMP engineer is suggesting to change the IOS, as it seems to have an identified bug related to SNMP, and hopefully we are planning to do the same.
Meanwhile, if you know something more precise, any suggestions would be hugely appreciated.
Thanks
Regards
Anantha Subramanian Natarajan
07-09-2007 08:45 AM
Hi Anantha,
This error can also come if the connection between ACS and the router breaks.
Can you try a constant ping to ACS and see if there are any timeouts? Just need to eliminate network issues.
Also on the router enable single-connection for that tacacs server:
tacacs-server host 172.18.173.112 single-connection
tacacs-server directed-request
tacacs-server key cisco
It is a better way to proceed when you are doing command authorization on a 7200. This way there will be one TCP connection, therefore eliminating the out-of-order packet and duplicate packet issue, and eliminating some strain on the ACS server.
Let me know how that goes !
All the best !
Regards,
~JG
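A TCP-level probe of the TACACS+ service, added here as an illustration and not part of the thread or of Cisco ACS: a clean ICMP ping (as reported later in this thread) does not prove that TCP/49 answers within the router's `tacacs-server host ... timeout 5` window, so this script opens one TCP connection per attempt, the way the router does without `single-connection`, and counts connects, timeouts and refusals. The stub listener is a constructed stand-in for the TACACS+ daemon so the script runs offline; the function and dataclass names are my own.

```python
"""Measure TCP connect latency and failures against a TACACS+ server."""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    attempts: int
    successes: int = 0
    timeouts: int = 0
    refused: int = 0
    latencies_ms: list = field(default_factory=list)

    @property
    def max_latency_ms(self):
        return max(self.latencies_ms) if self.latencies_ms else None


def probe_tacacs(host, port=49, attempts=10, timeout=5.0, interval=0.0):
    """Open `attempts` separate TCP connections to host:port (no single-connection).
    `timeout` should match the IOS `tacacs-server host ... timeout` value so a
    counted timeout here corresponds to one the router would also see."""
    result = ProbeResult(attempts=attempts)
    for _ in range(attempts):
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result.latencies_ms.append((time.monotonic() - start) * 1000)
                result.successes += 1
        except socket.timeout:
            result.timeouts += 1
        except ConnectionRefusedError:
            result.refused += 1
        if interval:
            time.sleep(interval)
    return result


def start_stub_listener(host="127.0.0.1"):
    """Constructed stand-in for a TACACS+ daemon: accepts and closes connections
    on an ephemeral port so the probe can be demonstrated offline."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    h, p = start_stub_listener()  # replace with the real ACS address and port 49
    print(probe_tacacs(h, p, attempts=5, timeout=5.0))
```

Run it from the same source address the router uses (the loopback in the thread) to compare with what the router experiences; repeated timeouts or refusals with a clean ping point at the TACACS+ daemon or a filter on TCP/49 rather than at the path.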
07-09-2007 11:06 AM
Hi JG,
Sorry, I didn't give the whole picture. We did test the connectivity (ping from the router, sourcing the loopback used for TACACS, to the TACACS server) and didn't have any timeouts.
We just tried the commands suggested and unfortunately it seems the same.
Really appreciate the help so far; we will be changing the IOS.
Thanks
Regards
Anantha Subramanian Natarajan