Basic question for TACACS

Unanswered Question
Oct 8th, 2008

Hi All,

I have some issues with TACACS authentication. Do the ACL created for SNMP affect the tacacs authentication if a permit statement is not given for the tacacs server ip.

Regards,

Piyush

piyush_singh Wed, 10/08/2008 - 07:13

The initial config that I did was working fine for authentication:

aaa new-model
aaa group server tacacs+ tacgroup
 server 172.30.xx.xx
 server 172.30.yy.yy
!
aaa authentication login default group tacgroup enable
aaa authentication enable default group tacgroup enable
aaa authorization console
aaa authorization exec default group tacgroup if-authenticated
!
ip tacacs source-interface Vlan34
!
snmp-server community xxxxxxxxxx
tacacs-server host 172.30.xx.xx
tacacs-server host 172.30.yy.yy
tacacs-server directed-request
tacacs-server key 7 060506324F41
!
line con 0
 session-timeout 5
 exec-timeout 5 0
 password 7 11481D0029021E0201
 transport output telnet ssh
line vty 0 4
 session-timeout 5
 exec-timeout 5 0
 password 7 13441317351C11242E
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
!

But after adding:

logging 172.17.30.75
access-list 10 permit 10.70.0.202
access-list 16 permit 172.17.30.190
access-list 16 permit 172.17.30.139
access-list 16 permit 172.17.30.141
access-list 16 permit 172.17.30.140
access-list 16 permit 10.0.30.32
access-list 16 permit 10.0.160.14
access-list 16 permit 10.0.160.15
access-list 16 permit 10.0.160.12
access-list 16 permit 10.0.160.18
access-list 16 permit 10.0.160.20
access-list 16 permit 172.17.30.75
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps bgp state-changes all
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server host 172.17.30.75 xxxxxxxxxx

After adding this I lost connection to my devices one by one. It gives "% Authentication fail" on trying to telnet or on the console.

Do I need to add the ACS SE IP in this ACL?

Regards,

Piyush

craig.eyre Wed, 10/08/2008 - 08:00

Hi,

What do you see in your failed attempts log on your ACS?

Where are your ACLs applied? I don't see a permit for 172.30.XX.XX, which are your TACACS server IPs. If your access lists are applied to your management interface, that could be causing it.

Craig

Richard Burts Wed, 10/08/2008 - 10:37

Craig

When you talk about access list applied to the management interfaces are you talking about using access-class or about something else? If access-class were configured to use this access list it would prevent connection. If there is an error message it would be about connection failed and not authentication failed, which is what is described.

Piyush

I agree with Craig that we need to know more about how the access lists are applied. It would be helpful if you would post the complete config. But to answer your main question: no, configuring SNMP should not impact the operation of TACACS.

HTH

Rick

craig.eyre Wed, 10/08/2008 - 11:18

Hey Rick,

I was thinking more along the lines of an access list on vlan 1 if his switch was sending its tacacs info to the ACS with that interface. I can't see from the config posted where the access lists are applied to, so was trying to narrow a few things out.

Craig

piyush_singh Thu, 10/09/2008 - 13:43

This particular ACL is not applied on any interface; it's applied to SNMP:

snmp-server community XXXXXXXX RO 16

and the IP of the ACS server is not permitted in that particular ACL.

Craig,

I'm not getting any logs generated for this on the ACS server, i.e. in Failed Attempts.

Rick,

It's not giving "connection failed", but when I try to telnet from the command prompt or try from the console it directly gives me "% Authorization failed". It doesn't even ask me for the username and password on either.

It was all working fine previously, but after this ACL addition it started creating problems, and also when I disconnect the ACS from the network it doesn't ask for the fallback password either. It gives the same error on console and telnet.

Due to this I need to do password recovery to get access to the devices.

Thanks in advance for your suggestions.

Regards,

Piyush

Richard Burts Thu, 10/09/2008 - 17:16

Piyush

Configuring the access list on the snmp-server command should have absolutely no effect on the device sending tacacs requests.

If you are not getting any records in the ACS logs, especially in the failed attempts report then it suggests that something is preventing the requests from getting to the ACS server. Has anything changed on the device (any new interface, any change in interface addresses)?

Perhaps it would be helpful to run debug for aaa authentication, aaa authorization, and maybe for TACACS.

[Note] The original post described it as a problem with authentication. But the error "% Authorization failed" is clearly an error in authorization and not in authentication.

HTH

Rick
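An added example (not part of the thread, and not Cisco's or ACS's own code): a small Python script that reads an IOS config and reports where each numbered ACL is actually bound, separating the three bindings discussed above (an SNMP community ACL, `access-class` on a line, `ip access-group` on an interface) and flagging only the ACLs that sit in the path of the device's own TACACS+ sessions, i.e. those bound to the `ip tacacs source-interface`. The sample config is constructed from the fragments posted in the thread; the server addresses, the `interface Vlan34` block and access-list 30 are made-up placeholders added so the report shows both outcomes.

```python
import re
from collections import defaultdict

# Constructed sample config.  The AAA, ACL and SNMP lines follow the fragments
# posted in the thread; the server addresses, the interface Vlan34 block and
# access-list 30 are made-up placeholders for this example.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ tacgroup
 server 172.30.1.10
 server 172.30.1.11
aaa authentication login default group tacgroup enable
aaa authorization exec default group tacgroup if-authenticated
ip tacacs source-interface Vlan34
!
interface Vlan34
 ip address 10.34.0.1 255.255.255.0
 ip access-group 30 in
!
access-list 10 permit 10.70.0.202
access-list 16 permit 172.17.30.190
access-list 16 permit 172.17.30.75
access-list 30 permit 172.30.1.0 0.0.0.255
snmp-server community public RO 16
snmp-server host 172.17.30.75 public
tacacs-server host 172.30.1.10
line vty 0 4
 transport input telnet ssh
"""

ACL_DEF = re.compile(r'^access-list (\d+) ')
SNMP_COMMUNITY = re.compile(r'^snmp-server community \S+(?:\s+(?:RO|RW|view\s+\S+))*\s+(\d+)$')
ACCESS_CLASS = re.compile(r'^access-class (\d+) (in|out)$')
ACCESS_GROUP = re.compile(r'^ip access-group (\d+) (in|out)$')
TACACS_SRC = re.compile(r'^ip tacacs source-interface (\S+)$')


def parse_config(text):
    """Return (refs, tacacs_source).

    refs maps each numbered ACL to a list of (binding, direction, section)
    tuples, one per place the ACL is applied; an ACL that is defined but
    never applied gets an empty list.
    """
    refs = defaultdict(list)
    tacacs_source = None
    section = ''
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if not raw.startswith(' '):
            section = raw.strip()       # an unindented line opens a new section
        line = raw.strip()
        if m := ACL_DEF.match(line):
            refs.setdefault(m.group(1), [])
        elif m := TACACS_SRC.match(line):
            tacacs_source = m.group(1)
        elif m := SNMP_COMMUNITY.match(line):
            refs[m.group(1)].append(('snmp', None, None))
        elif (m := ACCESS_CLASS.match(line)) and section.startswith('line '):
            refs[m.group(1)].append(('access-class', m.group(2), section))
        elif (m := ACCESS_GROUP.match(line)) and section.startswith('interface '):
            refs[m.group(1)].append(('access-group', m.group(2), section))
    return dict(refs), tacacs_source


def acls_in_tacacs_path(refs, tacacs_source):
    """ACLs that can actually filter the device's own TACACS+ sessions.

    Only an ACL bound with 'ip access-group' on the TACACS+ source interface is
    in that path (inbound, it filters the server's replies).  An SNMP community
    ACL screens SNMP managers and 'access-class' screens inbound VTY logins;
    neither sees the TCP/49 session the device itself opens.
    """
    if tacacs_source is None:
        return set()
    return {acl for acl, uses in refs.items()
            for binding, _direction, section in uses
            if binding == 'access-group' and section == 'interface ' + tacacs_source}


def report(text):
    """One line per ACL: where it is applied and whether it can touch TACACS+."""
    refs, src = parse_config(text)
    in_path = acls_in_tacacs_path(refs, src)
    out = []
    for acl in sorted(refs, key=int):
        where = ', '.join(
            'snmp-server community' if b == 'snmp' else f'{b} {d} on {s}'
            for b, d, s in refs[acl]) or 'defined but not applied anywhere'
        verdict = 'IN THE TACACS+ PATH' if acl in in_path else 'cannot affect TACACS+'
        out.append(f'access-list {acl}: {where} -> {verdict}')
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_CONFIG)))
```

Run against the sample, the report shows access-list 16 bound only to `snmp-server community` (so it cannot affect TACACS+), access-list 10 defined but unused, and only the constructed access-list 30 on Vlan34 in the TACACS+ path; when a TACACS+ failure follows a config change, this is the check that tells you whether the change could even be in the packet path.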

Vasiliy Rudomanov Thu, 11/08/2012 - 03:43

Hi,

Please explain to me how I can grant only several commands in configuration mode with TACACS+.

I found an example of a tac_plus.conf file where I can grant "configuration terminal", but it is hard to find how to grant only the "access-list" command but not "ip route".

craig.eyre Thu, 11/08/2012 - 07:46

Vasiliy,

If I read it correctly, you want to allow an authenticated user to ONLY be able to configure access lists. You need to set up shell command authorization sets on your ACS server and apply them to either a user or a group of users. I would deny unmatched commands and then allow each command needed. Something like below.

configure: permit terminal

access-list: check the "allow unmatched args" box (this will allow all extensions of that command)

Then you will have to allow a few other commands, as the user will have to be able to apply it to an interface or SNMP or wherever they need to.

I hope this helps.

Craig

Vasiliy Rudomanov Thu, 11/08/2012 - 23:12

Craig, I appreciate your answer!

However, I use the open-source tac_plus Unix application instead of a Cisco ACS server, so my config file tac_plus.conf looks like this:

------------------
group = operator {
    default service = deny
    cmd = show {
        permit .*
    }
    cmd = "configure" {
        permit terminal
        deny .*
    }
    cmd = "access-list" {
        permit .*
    }
    service = exec {
        priv-lvl = 15
    }
}
user = test {
    member = operator
    login = des $1$MG$something
}
-----------------

And what I got: while I allowed the "configuration terminal" command, my user can run any command inside configuration mode.

Would you help me with this? How should I edit my configuration file?

I greatly appreciate any help. Thank you very much!

craig.eyre Fri, 11/09/2012 - 07:39

Vasiliy,

I'm sorry, I'm not very familiar with that TACACS software, but at a glance it could be an issue with you giving the user exec with privilege level 15 (allows all commands on a Cisco device).

I'm not sure how to fix it but I'm sure someone on the forum will know.

Best of luck.

Craig
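An added example for the last two posts (not part of the thread and not tac_plus's own code): a Python model of how a tac_plus-style command policy decides each command (the first word selects the `cmd` block, the remaining words are searched, unanchored, against the block's permit/deny regexes in order and the first match wins; a block with no matching rule denies; a command with no block at all falls back to `default service`), together with a check of the device-side condition that is easy to miss. An IOS device sends individual commands to the TACACS+ server only when `aaa authorization commands <level> default group <name>` is configured; with `aaa authorization exec` alone, as in the config posted earlier in this thread, the server is consulted once at login and every later command, including those typed in configuration mode, runs without any authorization request, regardless of what the server's policy says. The config text below is constructed after Vasiliy's post with a placeholder password hash; `parse_tac_plus()`, `authorize()`, `nas_asks_server()` and `effective()` are names I chose for this example.

```python
import re

# Constructed tac_plus.conf following the policy posted above; the login hash
# is a placeholder, not a real credential.
TAC_PLUS_CONF = """
group = operator {
    default service = deny
    cmd = show {
        permit .*
    }
    cmd = "configure" {
        permit terminal
        deny .*
    }
    cmd = "access-list" {
        permit .*
    }
    service = exec {
        priv-lvl = 15
    }
}
user = test {
    member = operator
    login = des PLACEHOLDER_HASH
}
"""


def parse_tac_plus(text):
    """Parse the subset of tac_plus.conf used above into plain dicts.

    groups[name] = {'default': 'permit'|'deny', 'cmds': {cmd: [(action, regex), ...]}}
    users[name]  = {'member': group}
    """
    groups, users = {}, {}
    stack = []                       # (kind, container) for each open '{'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == '}':
            stack.pop()
        elif m := re.match(r'^(group|user)\s*=\s*"?([^"\s]+)"?\s*\{$', line):
            kind, name = m.groups()
            obj = {'default': 'deny', 'cmds': {}} if kind == 'group' else {}
            (groups if kind == 'group' else users)[name] = obj
            stack.append((kind, obj))
        elif m := re.match(r'^cmd\s*=\s*"?([^"\s]+)"?\s*\{$', line):
            rules = stack[-1][1]['cmds'].setdefault(m.group(1), [])
            stack.append(('cmd', rules))
        elif re.match(r'^service\s*=\s*\S+\s*\{$', line):
            stack.append(('service', {}))      # exec attributes are not needed here
        else:
            kind, obj = stack[-1]
            if kind == 'cmd' and (m := re.match(r'^(permit|deny)\s+(.+)$', line)):
                obj.append((m.group(1), m.group(2)))
            elif kind == 'group' and (m := re.match(r'^default service\s*=\s*(permit|deny)$', line)):
                obj['default'] = m.group(1)
            elif kind == 'user' and (m := re.match(r'^member\s*=\s*(\S+)$', line)):
                obj['member'] = m.group(1)
            # other 'key = value' lines (login, priv-lvl, ...) are not needed here
    return groups, users


def authorize(groups, users, user, command):
    """Server-side decision for one command line the device submits."""
    group = groups[users[user]['member']]
    words = command.split()
    cmd, args = words[0], ' '.join(words[1:])
    rules = group['cmds'].get(cmd)
    if rules is None:                 # no cmd block: fall back to 'default service'
        return group['default']
    for action, pattern in rules:     # first matching permit/deny wins
        if re.search(pattern, args):
            return action
    return 'deny'                     # cmd block present but nothing matched


def nas_asks_server(ios_aaa_lines, privilege_level):
    """True if an IOS device with these 'aaa authorization' lines sends each
    command at that privilege level to the TACACS+ server at all."""
    pat = re.compile(r'^aaa authorization commands (\d+) \S+ group ')
    for line in ios_aaa_lines:
        m = pat.match(line.strip())
        if m and int(m.group(1)) == privilege_level:
            return True
    return False


def effective(groups, users, user, command, ios_aaa_lines, privilege_level=15):
    """What actually happens on the device: the policy only applies if asked."""
    if not nas_asks_server(ios_aaa_lines, privilege_level):
        return 'permit (device never asked)'
    return authorize(groups, users, user, command)


if __name__ == '__main__':
    g, u = parse_tac_plus(TAC_PLUS_CONF)
    exec_only = ['aaa authorization exec default group tacgroup if-authenticated']
    with_cmds = exec_only + ['aaa authorization commands 15 default group tacgroup']
    for cmd in ('configure terminal', 'access-list 16 permit 10.0.0.1', 'ip route 0.0.0.0 0.0.0.0 10.0.0.1'):
        print(f'{cmd!r}: exec-only -> {effective(g, u, "test", cmd, exec_only)}, '
              f'with command authz -> {effective(g, u, "test", cmd, with_cmds)}')
```

The output makes the two halves visible: the posted policy already denies `ip route` and permits `configure terminal` and `access-list ...` whenever the server is asked, but with only `aaa authorization exec` configured the device never asks, so the same `ip route` goes through untouched.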
