954 Views, 0 Helpful, 7 Replies

authorization problem after upgrade IOS

s.nasedkin
Level 1

Working config on a cluster member (WS-C2960-24-S), IOS version c2960-lanlite-mz.122-37.EY:

aaa new-model

aaa authentication login default local group radius

aaa authorization exec default group radius if-authenticated none

aaa accounting exec default start-stop group radius

which allowed normal authorization from the cluster commander and direct connection to the device via RADIUS authorization.

After upgrading to c2960-lanlite-mz.122-50.SE.bin I got an error when I try to log on via the cluster commander. In the debug I see the switch send an authorization request to the RADIUS server with my username and password as "cisco" and get a reject from the server.

Can this situation be solved by additional config, or do I need to fall back to the previous IOS?

7 Replies

Leo Laohoo
Hall of Fame

12.2(50) has a number of very basic bugs. I'd recommend you downgrade to the 12.2(46)SE IOS.

Made a downgrade to 12.2(46). This didn't solve my problem. Any other suggestion? Or only downgrade to the .37 release?

Have you tried removing the AAA statements and putting them back in?

I tried. Didn't work.

Leo Laohoo
Hall of Fame

I take that back. Why don't you upgrade to the new 12.2(50)SE1 IOS?

gnijs
Level 4

Check your TACACS server configuration.

Are you using the "single-connection" option?

ip tacacs server x.x.x.x key yyyyy single-connection

If so, remove the single-connection option.

I have also run into "authorization failure" errors after an upgrade.

1) There is a known bug for TACACS when the switch receives "unknown" TLV values.

When I removed the "single-connection" option, the problem went away.

2) We have also dug a bit further, and it also seemed to be related to the "device group" the device was assigned to in ACNS. When the switch was not defined in any group (default, just discovered) it didn't work. After the switch was assigned to the proper group, it worked.

Kind regards,

Geert

Why do I need to configure a parameter for a TACACS server if I'm not using it?

I debugged the situation and concluded that the new IOS doesn't handle the authorization process correctly.

For example on IOS 12.2(37)EY we receive:

Apr 18 19:27:58: CLUSTER_MEMBER_12: AAA/MEMORY: free_user (0x1B24D5C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: parse name=tty3 idb type=-1 tty=-1

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/MEMORY: create_user (0x19B0948) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Port='tty3' list='' service=EXEC

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: tty3 (184998216) user='sergey'

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV service=shell

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV cmd*

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): found list "default"

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/LOCAL: no entry for sergey

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful

and on IOS 12.2(50)SE1 we receive:

00:18:37: %SYS-CLUSTER_MEMBER_15-5-CONFIG_I: Configured from console by sergey on vty0 (10.0.0.16)

00:18:40: CLUSTER_MEMBER_15: AAA/BIND(00000008): Bind i/f

00:18:40: CLUSTER_MEMBER_15: AAA: parse name=tty3 idb type=-1 tty=-1

00:18:40: CLUSTER_MEMBER_15: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

00:18:40: CLUSTER_MEMBER_15: AAA/MEMORY: create_user (0x24C517C) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)

00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'

00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED

00:18:47: CLUSTER_MEMBER_15: AAA/MEMORY: free_user (0x24C517C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15
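As an added example (not code from the thread or from Cisco): a small Python helper that reads the AAA/AUTHOR debug lines quoted above, reconstructs the method-list walk behind each verdict, and models the ERROR-versus-FAIL fallthrough rule of `aaa authorization exec default group radius if-authenticated none`. The server outcomes handed to walk_method_list are constructed input; the regexes assume the line formats shown in the two captures.

```python
import re

# Debug lines copied from the two captures quoted above (12.2(37)EY first, 12.2(50)SE1 second).
OLD_IOS = """\
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful
"""
NEW_IOS = """\
00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'
00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
"""

METHOD_RE = re.compile(r"AAA/AUTHOR/EXEC \((\d+)\): Method=(\w+)")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
FINAL_RE = re.compile(r"AAA/AUTHOR/EXEC[^:]*: Authorization (successful|FAILED)")

def method_trail(debug_text):
    """Return ([(method, status), ...], succeeded) for one exec-authorization attempt.
    A 'Method=' line is paired with the next status line carrying the same request id."""
    trail, pending, final = [], None, None
    for line in debug_text.splitlines():
        if m := METHOD_RE.search(line):
            pending = (m.group(1), m.group(2))
        elif (s := STATUS_RE.search(line)) and pending and pending[0] == s.group(1):
            trail.append((pending[1], s.group(2)))
            pending = None
        elif f := FINAL_RE.search(line):
            final = f.group(1) == "successful"
    return trail, final

def walk_method_list(methods, server_outcomes, authenticated=True):
    """Model the IOS method-list walk for 'aaa authorization exec': a method that
    returns ERROR (server unreachable, no local entry) is skipped and the next one is
    tried; a PASS or FAIL answer ends the walk. server_outcomes is constructed input."""
    for method in methods:
        if method == "none":
            status = "PASS"                                   # 'none' always authorizes
        elif method == "if-authenticated":
            status = "PASS" if authenticated else "FAIL"      # passes for any logged-in user
        else:
            status = server_outcomes.get(method, "ERROR")     # e.g. 'group radius', 'local'
        if status != "ERROR":
            return method, status
    return None, "ERROR"                                      # every method errored: denied
```

The old capture shows LOCAL and radius both answering ERROR and if-authenticated supplying the PASS, while the new capture records only the method-list pick and a FAILED verdict, so it gives no per-method trail to compare against. Because the list ends in none, the modelled walk grants the exec shell even when every server method errors, which is worth keeping in mind when reading a "successful" in this debug.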
