authorization problem after upgrade IOS


Working config on cluster member (WS-C2960-24-S), IOS version c2960-lanlite-mz.122-37.EY:


aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius if-authenticated none
aaa accounting exec default start-stop group radius


which allowed normal authorization from the cluster commander and direct connection to the device via RADIUS authorization.


After upgrading to c2960-lanlite-mz.122-50.SE.bin I got an error when I tried to log on via the cluster commander. In the debug I see the switch send an authorization request to the RADIUS server with my username and password as "cisco" and get a reject from the server.


Can this situation be solved by additional config, or do I need to fall back to the previous IOS?



Leo Laohoo Mon, 04/13/2009 - 15:50

The 12.2(50) has a number of very basic bugs. I'd recommend you downgrade to 12.2(46)SE IOS.

Leo Laohoo Wed, 04/15/2009 - 14:41

Have you tried removing the AAA statements and putting them back in?

Leo Laohoo Thu, 04/16/2009 - 20:38

I take that back. Why don't you upgrade to the new 12.2(50)SE1 IOS?

gnijs Fri, 04/17/2009 - 09:58

Check your TACACS server configuration.

Are you using the "single-connection" option?


! classic IOS syntax: single-connection precedes the key, which consumes the rest of the line
tacacs-server host x.x.x.x single-connection key yyyyy



If so, remove the single-connection option.

I have also run into "authorization failure" errors after an upgrade.


1) There is a known bug for TACACS when the switch receives "unknown" TLV values.

When I removed the "single-connection" option, the problem went away.


2) We have also dug a bit further, and it also seemed to be related to the "device group" the device was assigned to in ACNS. When the switch was not defined in any group (default, just discovered) it didn't work. After the switch was assigned to the proper group, it worked.


Kind regards,

Geert

Why do I need to configure parameters for a TACACS server if I am not using it?


I debugged the situation and concluded that the new IOS doesn't handle the authorization process correctly.


For example, on IOS 12.2(37)EY we receive:


Apr 18 19:27:58: CLUSTER_MEMBER_12: AAA/MEMORY: free_user (0x1B24D5C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: parse name=tty3 idb type=-1 tty=-1
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/MEMORY: create_user (0x19B0948) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Port='tty3' list='' service=EXEC
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: tty3 (184998216) user='sergey'
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV service=shell
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV cmd*
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): found list "default"
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/LOCAL: no entry for sergey
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful

and on IOS 12.2(50)SE1 we receive:

00:18:37: %SYS-CLUSTER_MEMBER_15-5-CONFIG_I: Configured from console by sergey on vty0 (10.0.0.16)
00:18:40: CLUSTER_MEMBER_15: AAA/BIND(00000008): Bind i/f
00:18:40: CLUSTER_MEMBER_15: AAA: parse name=tty3 idb type=-1 tty=-1
00:18:40: CLUSTER_MEMBER_15: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
00:18:40: CLUSTER_MEMBER_15: AAA/MEMORY: create_user (0x24C517C) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'
00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
00:18:47: CLUSTER_MEMBER_15: AAA/MEMORY: free_user (0x24C517C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15
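
Added example for triaging the two traces above; it is editor-written, not code from any post in this thread. It reconstructs the authorization method walk from the "debug aaa authorization" lines the poster quoted (the trace excerpts inside the script are constructed copies of those lines, trimmed to the AAA/AUTHOR entries) and compares it against a model of the documented IOS method-list rule: the next method in "aaa authorization exec default group radius if-authenticated none" is consulted only when the previous one returns ERROR (server unreachable, no local entry); a PASS or FAIL from any method ends the walk. The function and regex names are the example's own assumptions.

```python
import re

# Constructed excerpts of the two debug traces quoted in the thread, trimmed to the
# AAA/AUTHOR lines; the line format is exactly what the switch printed.
TRACE_122_37EY = """\
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Port='tty3' list='' service=EXEC
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: tty3 (184998216) user='sergey'
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): found list "default"
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/LOCAL: no entry for sergey
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful
"""

TRACE_122_50SE1 = """\
00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'
00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
"""

# The exec authorization method list from the first post, in debug-output naming.
CONFIGURED_LIST = ["radius", "IF_AUTHEN", "none"]

# Assumed patterns, derived from the quoted lines.
METHOD_RE = re.compile(r"AAA/AUTHOR/EXEC \(\d+\): Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
FINAL_RE = re.compile(r"AAA/AUTHOR/EXEC(?:\(\w+\))?: Authorization (successful|FAILED)")


def walk_authorization(trace):
    """Reconstruct the method walk from 'debug aaa authorization' output.

    Returns (steps, final): steps is a list of (method, status) pairs in the
    order the switch tried them; final is 'PASS', 'FAIL' or None.
    """
    steps, pending, final = [], None, None
    for line in trace.splitlines():
        m = METHOD_RE.search(line)
        if m:
            pending = m.group(1)        # a method was selected; its status follows
            continue
        m = STATUS_RE.search(line)
        if m and pending is not None:
            steps.append((pending, m.group(1)))
            pending = None
            continue
        m = FINAL_RE.search(line)
        if m:
            final = "PASS" if m.group(1) == "successful" else "FAIL"
    return steps, final


def expected_walk(method_list, per_method_result):
    """Model of IOS method-list fall-through.

    The next method is consulted only when the previous one returned ERROR
    (server unreachable, no local entry); PASS or FAIL from any method ends the
    walk.  'none' always passes.  per_method_result maps method -> status for
    the scenario being modelled; unspecified methods are treated as ERROR.
    """
    walk = []
    for method in method_list:
        default = "PASS" if method == "none" else "ERROR"
        status = per_method_result.get(method, default)
        walk.append((method, status))
        if status != "ERROR":
            break
    return walk


def diagnose(trace):
    """One-line triage verdict for a trace."""
    steps, final = walk_authorization(trace)
    if not steps:
        return f"no per-method trace; outcome={final}"
    path = " -> ".join(f"{m}={s}" for m, s in steps)
    return f"{path}; outcome={final}"


if __name__ == "__main__":
    print("12.2(37)EY :", diagnose(TRACE_122_37EY))
    print("12.2(50)SE1:", diagnose(TRACE_122_50SE1))
    print("expected, RADIUS unreachable:",
          expected_walk(CONFIGURED_LIST, {"radius": "ERROR", "IF_AUTHEN": "PASS_ADD"}))
    print("expected, RADIUS reject     :",
          expected_walk(CONFIGURED_LIST, {"radius": "FAIL"}))
```

Run against the first trace, the script shows the full walk (LOCAL=ERROR, then radius=ERROR, then IF_AUTHEN=PASS_ADD) ending in a pass, which is the fall-through behaviour the list was written for. The second trace yields only the list selection and a FAILED verdict with no Method=/status lines in between, so the debug alone does not show which method rejected. The model makes the distinction that matters here visible: a RADIUS server that is unreachable (ERROR) lets the walk reach if-authenticated, while an explicit reject (FAIL) stops the walk at the first method and never reaches it.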



