Some commands allowed, TACACS+ configured wrong?

Unanswered Question
Jul 3rd, 2008

I have a test switch and a TACACS+ server to try setting up TACACS+ before putting it into production. We have 3 persons on our network team and want to make it easier to manage device access if one of us leaves, and also to have a limited account for the person that would be filling the open position for a trial period. My issue is mainly with the config file for the server, I think. Also, I am not 100% sure on a few AAA commands which I have read about and applied to the switch.

The "test" user can only do show ip, or so I thought. It denies all other "show" commands, but for some reason "show run" still works. If anyone could give me some tips on my configuration, that would be greatly appreciated.

Thank you,

Kyle

##### TACACS+ Configured #####

user = test {
    member = limited
    login = des "encrypted password"
    enable = des "encrypted password"
    name = "tester"
}

user = admin {
    config omitted
}

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        deny .*
    }
}

Jagdeep Gambhir Thu, 07/03/2008 - 12:33

On the NAS, issue debug aaa authorization and debug tacacs.

Then issue the show run command.

Now see if the NAS is sending the command "show run" to the TACACS server for authorization.

Regards,

~JG

lifeforce4 Mon, 07/07/2008 - 05:45

I have the debugging enabled and "tail" the two files tac_plus.log and tac_plus.acct in /var/log/. When I issue any command it goes to the TACACS server and is either allowed or blocked. The command "show run" is still being allowed. Also, there is no debugging info being displayed when I run the commands.

If it's using TACACS to block all the commands besides the ones permitted, and debugging is on, why would it not show that?

Thanks,

Kyle

##### TACACS+ Configured #####

user = test {
    member = limited
    login = des "encrypted password"
    enable = des "encrypted password"
    name = "tester"
}

user = admin {
    config omitted
}

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        permit "debugging .*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
}

Jagdeep Gambhir Mon, 07/07/2008 - 06:48

Kyle,

There is a known bug in some IOS versions where it does not send the authorization status of the command "show run". All other commands are sent to ACS, but not show run.

Which IOS is running on that device? You may need to upgrade.

Regards,

~JG

Do rate helpful posts

lifeforce4 Mon, 07/07/2008 - 07:21

The IOS is 12.2(25r), c3560-ipservices-mx.122-25.SEB4.bin. Is there a location on Cisco's site for viewing known bugs? Viewing the running config might not be a problem; I need to consult the other members of our networking team.

Thank you,

Kyle

Jagdeep Gambhir Mon, 07/07/2008 - 09:28

You can search for it using the bug tool. As you said, I also think that viewing it should not be an issue, as they will not be able to issue any other command.

Regards,

~JG

Do rate helpful posts

cisco24x7 Tue, 07/08/2008 - 03:33

I think there is something wrong with your tac_plus configuration. I am using version c2960-lanbasek9-mz.122-25.SEE4.bin and I have NO such issue. See below.

Here is my tac_plus configuration:

[[email protected] root]# more /etc/tacacs/tac_plus.cfg

accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q

user = cciesec {
    member = admin
    name = "rancid user"
    login = des xxxxxxx
}

user = $cciesec$ {
    member = admin
    name = "rancid user"
    login = des yyyyyyy
}

user = test {
    member = limited
    login = des xxxxxxx
    name = "tester"
}

user = $test$ {
    member = limited
    login = des xxxxxx
    name = "tester"
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        permit "debugging .*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
    cmd = exit { permit .* }
    cmd = enable { permit .* }
}

group = admin {
    default service = permit
}

[[email protected] root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification

Username: test
Password:
C2960>en
Password:
C2960#sh run
Command authorization failed.
C2960#sh ver
Command authorization failed.
C2960#

When I log in with an "admin" account, I can do just about everything:

[[email protected] root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification

Username: cciesec
Password:
C2960>en
Password:
C2960#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2960(config)#end
C2960#exit
Connection closed by foreign host.
[[email protected] root]#

As you can see, even when the user has level 15 privilege, I can still restrict what he/she can do, as demonstrated with account "test". That's the beauty of TACACS authorization.

Jagdeep Gambhir Tue, 07/08/2008 - 04:57

Lifeforce is using IOS version c3560-ipservices-mx.122-25.SEB4, whereas you are using c2960-lanbasek9-mz.122-25.SEE4.bi

Both codes are different.

cisco24x7 Tue, 07/08/2008 - 05:31

But this IOS version is the same, with the exception that I have the enterprise edition whereas lifeforce has the standard edition, correct? I can see other features may be different, but I would think that TACACS would be the same, right?

Jagdeep Gambhir Tue, 07/08/2008 - 07:03

There is a huge difference between SE and EE codes. Extra features can result in changes in the behavior of the existing feature set.

Other than the codes, we also have different hardware features here.

The biggest difference is that the 3560 does L3 while the 2960 is an L2 device only.

The 2960 only supports static ACL policies for authorization.

You need to have the ACL defined statically on the switch for it to apply to a user session based on successful authentication.

On the 3560/3750, we support downloadable ACLs for authorization. AAA can tell the switch what ACL to apply, which gets created dynamically on the switch. So there is less provisioning, and more automation and intelligence.

Private VLAN is another security feature available on the 3560 (not on the 2960).

The 3560 supports more NAC features than the 2960.

lifeforce4 Tue, 07/08/2008 - 07:21

Wow, I did not even catch that he was talking about a 2960 instead of a 3560. This is one thing that makes me worry about implementing TACACS on the whole network. With 270+ NAS connected, I'm sure a few will have some bugs with the IOS installed on them and AAA.

Thanks,

Kyle

cisco24x7 Tue, 07/08/2008 - 08:33

I can say that I do not have issues with IOS versions 12.2(15)T17 and 12.3(12) on Cisco 2621 and 3640 routers, in addition to what I described on the 2960.

with "test" user

C2621>en
Password:
C2621#conf t
Command authorization failed.
      ^
% Invalid input detected at '^' marker.
C2621#

with "admin" user

C2621>en
Password:
C2621#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2621(config)#exit
C2621#

IOS images tested:

c2600-ik9o3s3-mz.122-15.T17.bin
c2600-ik9o3s3-mz.123-19.bin

lifeforce4 Tue, 07/08/2008 - 08:57

Thank you for the testing. I don't doubt it works on those IOS versions you have, but you have seen my configuration and it should work... yet it does not. I will try it out on a different switch with a different IOS just to make sure it's not the config setup but the IOS itself.

Thanks,

Kyle

lifeforce4 Wed, 07/09/2008 - 08:12

Yes it has to be the IOS version because I just put the same AAA commands on another switch and here is the outcome.

### Switch output ###

User Access Verification

Username: test
Password:
TestSwitch01>en
Password:
TestSwitch01#show run
Command authorization failed.

###################

User Access Verification

Username: admin
Password:
TestSwitch01>en
Password:
TestSwitch01#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 20:58 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

c2950-i6q4l2-mz.121-20.EA1a.bin

### End ###

It's fine, because we will be updating all our devices with the latest IOS very soon, so I would hope we won't run into a bug like this. I'll make sure that if we do, it gets reported to Cisco for fixing.

Thanks,

Kyle

lifeforce4 Tue, 07/08/2008 - 05:51

It has to be the IOS version, because here is the config for TACACS and my testing results for logging on to the switch with both accounts.

Thanks,

Kyle

### start tac_plus.conf ###

key = testkey
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd

#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~,
# Users Accounts                        |
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~'

user = test {
    member = limited
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "tester"
}

user = $test$ {
    member = limited
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "tester"
}

user = admin {
    member = admin
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}

user = $admin$ {
    member = admin
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}

#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~,
# Group Accounts                        |
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~'

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        permit "debugging .*"
        deny "run*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = enable {
        permit .*
    }
}

### end tac_plus.conf ###

### start test account login ###

User Access Verification

Username: test
Password:
testSW>en
Password:
testSW#show vlan bri
Command authorization failed.
testSW#show run
Building configuration...

Current configuration : 9108 bytes
!
! Last configuration change at 09:49:51 EST Mon Jul 7 2008 by admin
! NVRAM config last updated at 09:55:19 EST Thu Jun 12 2008 by admin
!
version 12.2
!
output omitted

### end test account login ###

### start admin account login ###

User Access Verification

Username: admin
Password:
testSW>en
Password:
testSW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
testSW(config)#end
testSW#

### end admin account login ###
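A small simulation of how tac_plus evaluates the limited group's cmd blocks, added here as an illustration and not code from tac_plus or from anyone in the thread. It also models the switch-side behaviour discussed above: when the NAS executes "show run" without sending it for authorization, the server's deny rules are never consulted, so tightening tac_plus.conf cannot fix it. The regex search is assumed unanchored, as in tac_plus, and the rule tables are constructed from the posted config.

```python
import re

# Policies constructed from the tac_plus.conf posted above. The first word of
# the command line selects a cmd block; the remaining words are joined and
# tested against each permit/deny regex in order, and the first match wins.
# Assumption: regexes are searched unanchored, as tac_plus does; use ^ if a
# rule must match only from the start of the arguments.
LIMITED = {"default": "deny", "cmds": {
    "show":   [("permit", r"ip .*"), ("permit", r"debugging .*"),
               ("deny", r"run*"),   # a regex, not a glob: "ru" plus any "n"s
               ("deny", r".*")],
    "debug":  [("permit", r".*")],
    "exit":   [("permit", r".*")],
    "enable": [("permit", r".*")],
}}
ADMIN = {"default": "permit", "cmds": {}}


def authorize(group, command_line):
    """Return 'permit' or 'deny' for one command line under the group's policy."""
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(cmd)
    if rules is None:               # no cmd block: 'default service' decides
        return group["default"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"                   # cmd block exists but nothing matched


def nas_session(group, commands, not_sent=()):
    """Simulate the switch side. Every command is sent to the server for
    authorization except those in not_sent, which models the IOS behaviour
    described in the thread: the NAS runs 'show run' without ever asking.
    Returns the list of commands that actually executed."""
    executed = []
    for line in commands:
        if line in not_sent or authorize(group, line) == "permit":
            executed.append(line)
    return executed


if __name__ == "__main__":
    session = ["show ip route", "show vlan bri", "show run", "conf t"]
    print("policy enforced:   ", nas_session(LIMITED, session))
    print("NAS skips show run:", nas_session(LIMITED, session, {"show run"}))
```

Running the block prints only "show ip route" in the first case, and "show ip route" plus "show run" in the second, which is exactly the symptom in the test-account login above.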
