AAA w/RSA: "no appropriate authorization type..."

Answered Question
Jan 16th, 2008

I have set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA "Agent Hosts" with identical setups. Router (2621XM/EntServ Version 12.4(18)) and switch (3560-24PS/IPBase-12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA is fine as far as the PASSCODE being accepted. But the switch doesn't let me in:


**********************
Username: <xxxx>
Password:
PASSCODE Accepted

% Authorization failed.
**************************


When I do "deb radius authentication" on each, the outputs are the same up to the last 2 lines. The router that works says:

000055: .Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
000056: .Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes


But the switch says:

000284: Jan 16 12:20:47 EST: RADIUS: saved authorization data for user 3030220 at 3034440
000285: Jan 16 12:20:47 EST: RADIUS: no appropriate authorization type for user.


The only other difference I can think of is that I use ssh to the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use a different IOS, I think).


Any clue? TIA


Paul


Correct Answer by cisco24x7, Wed, 01/16/2008 - 10:34

If I were you, I would "disable" authorization on the Catalyst 3560. I have an identical setup to yours on my Catalyst 2960 and it works just fine. See below:


[[email protected] root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************

User Access Verification

Username: test4
Password:

Enter your new PIN, containing 4 to 8 digits,
or
to cancel the New PIN procedure:

Please re-enter new PIN:

Wait for the code on your card to change, then log in with the new PIN

Enter PASSCODE:

C2960#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 16-Jul-07 02:53 by myl
Image text-base: 0x00003000, data-base: 0x00CC0000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)

C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
System returned to ROM by power-on
System restarted at 23:20:30 GMT Wed Dec 26 2007
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
Processor board ID FOC1036X0F1
Last reset from power-on
2 Virtual Ethernet interfaces
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:19:55:1B:D6:00
Motherboard assembly number : 73-10015-05
Power supply part number : 341-0098-02
Motherboard serial number : FOC10352NF2
Power supply serial number : AZS103402ZF
Model revision number : B0
Motherboard revision number : B0
Model number : WS-C2960G-24TC-L
System serial number : FOC1036X0F1
Top Assembly Part Number : 800-26673-02
Top Assembly Revision Number : C0
Version ID : V02
CLEI Code Number : COM3G00BRA
Hardware Board Revision Number : 0x01

Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 24    WS-C2960G-24TC-L   12.2(25)SEE4 C2960-LANBASEK9-M

Configuration register is 0xF

C2960#sh run | inc aaa
aaa new-model
aaa authentication login test group radius local
aaa authentication login test1 group tacacs+ local
aaa authentication login notac local
aaa authentication dot1x default group radius
aaa session-id common
C2960#


CCIE Security


PAUL TRIVINO Wed, 01/16/2008 - 11:29

Outstanding - thanks! That did it. Interesting that the switch (maybe the IPBase image?) is so significantly different. OTOH, maybe I don't need it on the router either; I got the suggestion from another NetPro user to use:


line vty 0 4
 privilege level 15


to get to Enabled mode, which works fine too.


Much grass!


Paul
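An added example, not from this thread and not Cisco's or RSA's code, that shows what the switch's "no appropriate authorization type for user" debug line corresponds to at the protocol level. When "aaa authorization exec" is pointed at RADIUS, IOS looks in the Access-Accept for a Service-Type of NAS-Prompt-User (7) or Administrative-User (6) and, for the privilege level, the Cisco vendor attribute cisco-avpair "shell:priv-lvl=N" (Vendor-Id 9, sub-type 1). A passcode-only accept from a token server authenticates the user but carries nothing to authorize with. The attribute numbers come from RFC 2865 and Cisco's RADIUS attribute documentation; the decision logic is a model of IOS behaviour (defaults of level 15 for Administrative-User and level 1 for NAS-Prompt-User are assumptions stated in the code), and every sample packet is constructed here:

```python
"""Parse a RADIUS Access-Accept and apply the exec-authorization check that
Cisco IOS performs when 'aaa authorization exec ... group radius' is in effect.
The decision rules below model documented IOS behaviour; they are an
assumption of this example, not output from a real device."""
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7
NO_AUTHZ_TYPE = "no appropriate authorization type for user"


def attr(atype, value):
    """Encode one RFC 2865 attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Vendor-Id 9 and sub-type 1 (cisco-avpair)."""
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode("ascii"))
    return attr(ATTR_VENDOR_SPECIFIC, vsa)


def build_access_accept(identifier, attributes):
    """Constructed reply: a real server fills the 16-byte Response Authenticator
    with MD5 over the reply and the shared secret; zeros are used here."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Walk the attribute list, rejecting lengths that do not fit the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attributes, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attributes.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attributes


def exec_authorization(attributes):
    """Return (granted, privilege_level, reason) as the modelled IOS check would."""
    service_type, priv_lvl = None, None
    for atype, value in attributes:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR and sub_len >= 2:
                text = value[6:4 + sub_len].decode("ascii", errors="replace")
                if text.startswith("shell:priv-lvl="):
                    priv_lvl = int(text.split("=", 1)[1])
    # Assumed defaults: Administrative-User -> 15, NAS-Prompt-User -> 1, unless priv-lvl given.
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return True, 15 if priv_lvl is None else priv_lvl, "Administrative-User"
    if service_type == SERVICE_TYPE_NAS_PROMPT:
        return True, 1 if priv_lvl is None else priv_lvl, "NAS-Prompt-User"
    return False, None, NO_AUTHZ_TYPE


def authorize_packet(packet):
    code, _identifier, attributes = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return False, None, "not an Access-Accept"
    return exec_authorization(attributes)


# Constructed sample replies. The PASSCODE-only one is the shape of an accept
# that carries a Reply-Message but no exec-authorization attributes.
ACCEPT_PASSCODE_ONLY = build_access_accept(3, [attr(ATTR_REPLY_MESSAGE, b"PASSCODE Accepted")])
ACCEPT_NAS_PROMPT_15 = build_access_accept(3, [
    attr(ATTR_REPLY_MESSAGE, b"PASSCODE Accepted"),
    attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)),
    cisco_avpair("shell:priv-lvl=15"),
])
ACCEPT_ADMIN = build_access_accept(3, [attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))])

if __name__ == "__main__":
    for name, pkt in [("PASSCODE only", ACCEPT_PASSCODE_ONLY),
                      ("NAS-Prompt + priv-lvl 15", ACCEPT_NAS_PROMPT_15),
                      ("Administrative-User", ACCEPT_ADMIN)]:
        print(f"{name:26s} -> {authorize_packet(pkt)}")
```

Run as a script it prints the decision for each constructed reply: the passcode-only accept is refused with the same wording as the switch debug, the other two are granted level 15. Both workarounds in the thread sidestep this check rather than satisfy it: removing the authorization line means the switch never looks for the attributes, and "privilege level 15" on the vty gives level 15 to every user who authenticates. If per-user privilege levels from the token server are wanted, the server's profile for that agent host has to return a Service-Type and a shell:priv-lvl pair like the ones built above.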
