CAT: auth in clustered config

kazinvestbank
Level 1

Dear All,

I have an issue here.

I have a cluster of 3550 and 3560 Catalysts running 12.2(44)SE2 IOS.

I configured AAA and now can't access members, with an "Authorization failed" message.

From debugging I realised that no username is sent to the connecting member switch, just blank.

I have the same config working well on another site with 12.2(42).

Already smashed my head, please help.

2 Replies

aghaznavi
Level 5

Authorization failed service. Looks like an authentication problem, but is an authorization failure.

Suggested Diagnostic Steps

To review AAA configuration, enter:

#show running-config

If the aaa authorization exec command specifies a method other than local, the user fails shell access.

For example, aaa authorization exec default tacacs+ results in the local user failing authorization.

For further information click this link.

http://www.cisco.com/en/US/docs/ios/internetwrk_solutions_guides/splob/guides/dial/aaasub/C262C6.html#wp1049952

Thanks for your response.

Everything is OK with AAA. Now I have to do 'exec default local none' instead of just local.

The problem is that when I do rcommand <#> from the commander switch, there is no username sent to the member I am connecting to.

I think this is an issue with the installed IOS, so I plan to upgrade all to 12.2(46) later and see what will change.

Here are some examples:

=======================

config

----
aaa authentication login default local group tac_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication dot1x default group rad_eap
aaa authorization exec default local none
aaa accounting network acct_methods start-stop group rad_acct
----

and debug

----
000273: 5d12h: CLUSTER_MEMBER_6: AAA/BIND(00000080): Bind i/f
000274: 5d12h: CLUSTER_MEMBER_6: AAA: parse name=tty6 idb type=-1 tty=-1
000275: 5d12h: CLUSTER_MEMBER_6: AAA: name=tty6 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=6 channel=0
000276: 5d12h: CLUSTER_MEMBER_6: AAA/MEMORY: create_user (0x2A7A368) user='' ruser='NULL' ds0=0 port='tty6' rem_addr='10.131.167.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
000277: 5d12h: CLUSTER_MEMBER_6: AAA/AUTHOR (0x80): Pick method list 'default'
000278: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): process author req
000279: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): Author method=LOCAL
000280: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): protocol reply FAIL for Authorization
000281: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): Author method=NONE - PASS
000282: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): Return Authorization status=PASS
000283: 5d12h: CLUSTER_MEMBER_6: AAA/AUTHOR/EXEC(00000080): processing AV cmd=
000284: 5d12h: CLUSTER_MEMBER_6: AAA/AUTHOR/EXEC(00000080): Authorization successful
----

=======================

regards
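
A log check for the condition this debug output shows: exec authorization passes only because method `none` follows a failed `local`, and the session carries no username. This is an added example, not part of the original thread; the regular expressions assume the debug line layout quoted above, and the CLUSTER_MEMBER_9 lines are a constructed control.

```python
import re

# Lines 000276-000282 are the debug output quoted in the post above. The
# CLUSTER_MEMBER_9 lines are a constructed control, not real device output.
SAMPLE = """\
000276: 5d12h: CLUSTER_MEMBER_6: AAA/MEMORY: create_user (0x2A7A368) user='' ruser='NULL' ds0=0 port='tty6' rem_addr='10.131.167.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
000277: 5d12h: CLUSTER_MEMBER_6: AAA/AUTHOR (0x80): Pick method list 'default'
000278: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): process author req
000279: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): Author method=LOCAL
000280: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): protocol reply FAIL for Authorization
000281: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): Author method=NONE - PASS
000282: 5d12h: CLUSTER_MEMBER_6: AAA SRV(00000080): Return Authorization status=PASS
000301: 5d13h: CLUSTER_MEMBER_9: AAA/MEMORY: create_user (0x2A7B000) user='admin' ruser='NULL' ds0=0 port='tty2' rem_addr='192.0.2.10' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
000302: 5d13h: CLUSTER_MEMBER_9: AAA SRV(00000091): Author method=LOCAL
000303: 5d13h: CLUSTER_MEMBER_9: AAA SRV(00000091): Return Authorization status=PASS
"""

LINE = re.compile(r"^\d+: \S+: (?P<host>[^:]+): (?P<msg>.*)$")
CREATE = re.compile(r"create_user .*?user='(?P<user>[^']*)'.*?port='(?P<port>[^']*)' "
                    r"rem_addr='(?P<addr>[^']*)'.*?priv=(?P<priv>\d+)")
METHOD = re.compile(r"AAA SRV\(\w+\): Author method=(?P<method>\w+)")
STATUS = re.compile(r"AAA SRV\((?P<sid>\w+)\): Return Authorization status=(?P<status>\w+)")

def audit(log_text):
    """Flag authorizations that PASS with a blank username or via method NONE."""
    findings, pending = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        state = pending.setdefault(host, {"user": None, "methods": []})
        if (c := CREATE.search(msg)):
            # A new user record starts a new authorization attempt on this host.
            pending[host] = {"user": c["user"], "port": c["port"], "addr": c["addr"],
                             "priv": int(c["priv"]), "methods": []}
        elif (a := METHOD.search(msg)):
            state["methods"].append(a["method"])  # methods tried, in order
        elif (s := STATUS.search(msg)) and s["status"] == "PASS":
            reasons = []
            if state["user"] == "":
                reasons.append("blank username")
            if state["methods"][-1:] == ["NONE"]:
                reasons.append("passed by fallback method NONE")
            if reasons:
                findings.append({"host": host, "session": s["sid"], **state, "reasons": reasons})
            pending.pop(host, None)
    return findings
```

On the quoted debug, `audit(SAMPLE)` reports the tty6 session from 10.131.167.128 at priv 15 for both reasons and leaves the control session alone.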
