Unauthorized admin access on VPN 3030.

Sep 4th, 2008

Hi,


ACS 4.1

2x 3030 Concentrators ver 4.7


I am having problems with admin access to our backup VPN c3030 via TACACS.


Scenario: We have one live and one backup c3030. They will be configured to VRRP failover in the event of a failure on the live c3030. The live c3030 is enabled on TACACS and all access is fine.


As per the Cisco doc here:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080093fe0.shtml


...privilege level is set to 15 on the admin user on the c3030 and also on the TACACS group, as I said - all is working fine on the live c3030.


I have now added the backup c3030 to the same TACACS Network Device Group and configured the c3030 with the exact same ACS configuration as the live c3030. We can login to the backup c3030 via TACACS, we just can't access the admin section and get the "You do not have sufficient authorization to access the specified page." error.


This has been puzzling me for quite some time; there is nothing I can find on the web, and short of wiping the backup c3030 and starting again, I'm not sure there is anything we can do?


Hopefully someone out there has come across this problem?


Cheers.


Premdeep Banga Thu, 09/04/2008 - 04:05

Don't know if VRRP is causing something; I'll look for it, but I haven't heard of such a thing.


Can you check your ACS logs, Pass/Fail, as to what you get when you try to access your backup VPNC 3030?


Regards,

Prem


Please rate if it helps!

ukcomms Thu, 09/04/2008 - 04:19

Hi Prem, many thanks for the quick response!


VRRP is not enabled on both the 3030's at this stage as I wanted to make sure full admin access is available before enabling.


Typically, the ACS log does not show much. The initial login shows as being passed and there are no listings against the authorisation failure.


Cheers.



Correct Answer
Premdeep Banga Thu, 09/04/2008 - 04:37

What I wanted to make sure of was, when we are trying to log into the VPNC (backup), in the Pass logs we are getting the NAS IP address as the Private interface IP on ACS reports. If it is, then it is good.


This might sound weird, but if you have multiple local users on the VPNC with the "same" privilege level, change them to different privilege levels, and keep admin as 15. And then try again. I think you should have console access to do it?


Regards,

Prem


Please rate if it helps!

ukcomms Thu, 09/04/2008 - 05:42

Hi Prem,


Hhhm, the ACS reports "Public interface" under the "NAS-Port" column but the IP address # under "NAS-IP Address" is the actual private IP address. This is the same for both live and backup passed authentications. Is this correct?


Regarding the local users, there are 2 configured on each 3030. One is admin with the aaa level of 15. The other is a config grab tool that needs read access. This has no aaa level configured.


Cheers.



Premdeep Banga Thu, 09/04/2008 - 14:52

Well, if your Primary VPNC is working the same way, I am not sure how to proceed further. I think there must be something different that we are missing. Is it possible to remove the TACACS server configuration from the VPNC and revert authentication back to local?


And then try again?


Regards,

Prem


Please rate if it helps!

ukcomms Fri, 09/05/2008 - 02:15

Hi Prem,


I decided to go through all the config again and have fixed the issue.


Going back to your post yesterday re: local users. Even though there are only 2 local users enabled, the old admin local user had the aaa level of 15 defined. I removed this and the backup VPNC is now behaving as it should.


Thanks for your time in looking at this.


Cheers.
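The fix above came down to configuration drift between the HA pair: a stale local account on the backup unit held the same AAA privilege level (15) as the TACACS admin group, and the live unit had no such account. The following is an added example, not code from the thread or from Cisco, of the audit a practitioner would run before trusting a backup concentrator: it models each unit's local administrator table as constructed sample data (the account names, the `aaa_level` field and the `oldadmin` entry are assumptions standing in for the VPN 3000 admin table, not real CLI output), flags local users that share a privilege level, checks that exactly one local user holds the TACACS admin level, and diffs the two units so a leftover account stands out.

```python
"""Audit an HA pair of concentrators for AAA privilege-level collisions and
local-user drift. Added example modelled on the thread's resolution; the data
model below is a constructed stand-in, not VPN 3000 configuration syntax."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class LocalUser:
    name: str
    aaa_level: Optional[int]  # None = no AAA access level configured on this account


# Constructed sample data (assumption): two accounts per unit as the thread
# describes, plus a stale "oldadmin" account left on the backup at level 15.
LIVE_USERS: Tuple[LocalUser, ...] = (
    LocalUser("admin", 15),
    LocalUser("cfggrab", None),  # read-only config collection account, no AAA level
)
BACKUP_USERS: Tuple[LocalUser, ...] = (
    LocalUser("admin", 15),
    LocalUser("cfggrab", None),
    LocalUser("oldadmin", 15),   # the leftover account that broke TACACS admin access
)
TACACS_ADMIN_LEVEL = 15  # privilege level set on the TACACS admin group


def privilege_collisions(users: Sequence[LocalUser]) -> Dict[int, List[str]]:
    """Map each AAA level held by more than one local user to those users' names.
    Accounts with no level set never compete for a level and are ignored."""
    by_level: Dict[int, List[str]] = {}
    for u in users:
        if u.aaa_level is not None:
            by_level.setdefault(u.aaa_level, []).append(u.name)
    return {lvl: sorted(names) for lvl, names in by_level.items() if len(names) > 1}


def config_drift(live: Sequence[LocalUser],
                 backup: Sequence[LocalUser]) -> Tuple[List[str], List[str]]:
    """Return (names only on live, names only on backup), comparing name and level."""
    live_set, backup_set = set(live), set(backup)
    only_live = sorted(u.name for u in live_set - backup_set)
    only_backup = sorted(u.name for u in backup_set - live_set)
    return only_live, only_backup


def audit(live: Sequence[LocalUser], backup: Sequence[LocalUser],
          tacacs_level: int) -> List[str]:
    """Produce one finding per problem; an empty list means the pair is consistent."""
    findings: List[str] = []
    for label, users in (("live", live), ("backup", backup)):
        for lvl, names in privilege_collisions(users).items():
            findings.append(f"{label}: local users {names} share AAA level {lvl}")
        holders = [u.name for u in users if u.aaa_level == tacacs_level]
        if len(holders) != 1:
            findings.append(
                f"{label}: expected exactly one local user at TACACS admin level "
                f"{tacacs_level}, found {holders}")
    only_live, only_backup = config_drift(live, backup)
    if only_live or only_backup:
        findings.append(
            f"drift: only on live {only_live}, only on backup {only_backup}")
    return findings


if __name__ == "__main__":
    for line in audit(LIVE_USERS, BACKUP_USERS, TACACS_ADMIN_LEVEL):
        print(line)
    # After removing the stale account the same audit reports nothing.
    cleaned = tuple(u for u in BACKUP_USERS if u.name != "oldadmin")
    print("after cleanup:", audit(LIVE_USERS, cleaned, TACACS_ADMIN_LEVEL))
```

Run as a script it prints three findings for the constructed pair (the level-15 collision on the backup, the backup having two accounts at the TACACS admin level, and `oldadmin` existing only on the backup) and an empty list once the stale account is dropped, which mirrors the sequence ukcomms went through. Comparing the live and backup tables directly is the part that matters in practice: the concentrator itself reports nothing useful, and the ACS Pass log looked identical for both units.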

