04-13-2009 04:44 AM - edited 03-06-2019 05:08 AM
Working config on cluster member (WS-C2960-24-S), IOS version c2960-lanlite-mz.122-37.EY:
aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius if-authenticated none
aaa accounting exec default start-stop group radius
which allowed normal authorization from the cluster commander and direct connection to the device via RADIUS authorization.
After upgrading to c2960-lanlite-mz.122-50.SE.bin I get an error when I try to log on via the cluster commander. In the debug I see the switch send an authorization request to the RADIUS server with my username and password as "cisco" and get a reject from the server.
Can this be solved by additional config, or do I need to fall back to the previous IOS?
04-13-2009 03:50 PM
12.2(50) has a number of very basic bugs. I'd recommend you downgrade to 12.2(46)SE IOS.
04-15-2009 12:15 AM
I downgraded to 12.2(46). This didn't solve my problem. Any other suggestions? Or only a downgrade to the .37 release?
04-15-2009 02:41 PM
Have you tried removing the AAA statements and putting them back in?
04-15-2009 08:29 PM
I tried. Didn't work.
04-16-2009 08:38 PM
I take that back. Why don't you upgrade to the new 12.2(50)SE1 IOS?
04-17-2009 09:58 AM
Check your TACACS server configuration.
Are you using the "single-connection" option?
ip tacacs server x.x.x.x key yyyyy single-connection
If so, remove the single-connection option.
I have also run into "authorization failure" errors after an upgrade.
1) There is a known bug for TACACS when the switch receives "unknown" TLV values.
When I removed the "single-connection" option, the problem went away.
2) We have also dug a bit further, and it also seemed to be related to the "device group" the device was assigned to in ACNS. When the switch was not defined in any group (default, just discovered) it didn't work. After the switch was assigned to the proper group, it worked.
Kind regards,
Geert
04-18-2009 07:37 AM
Why do I need to configure a parameter for a TACACS server if I'm not using it?
I debugged the situation and concluded that the new IOS doesn't handle the authorization process correctly.
For example, on IOS 12.2(37)EY we receive:
Apr 18 19:27:58: CLUSTER_MEMBER_12: AAA/MEMORY: free_user (0x1B24D5C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: parse name=tty3 idb type=-1 tty=-1
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/MEMORY: create_user (0x19B0948) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Port='tty3' list='' service=EXEC
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: tty3 (184998216) user='sergey'
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV service=shell
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV cmd*
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): found list "default"
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/LOCAL: no entry for sergey
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful
and on IOS 12.2(50)SE1 we receive:
00:18:37: %SYS-CLUSTER_MEMBER_15-5-CONFIG_I: Configured from console by sergey on vty0 (10.0.0.16)
00:18:40: CLUSTER_MEMBER_15: AAA/BIND(00000008): Bind i/f
00:18:40: CLUSTER_MEMBER_15: AAA: parse name=tty3 idb type=-1 tty=-1
00:18:40: CLUSTER_MEMBER_15: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
00:18:40: CLUSTER_MEMBER_15: AAA/MEMORY: create_user (0x24C517C) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'
00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
00:18:47: CLUSTER_MEMBER_15: AAA/MEMORY: free_user (0x24C517C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15
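The two debug traces above carry more information than "it worked before, it fails now". On 12.2(37)EY the method list is walked as configured: LOCAL returns ERROR (no local entry), radius returns ERROR, and only IF_AUTHEN returns PASS_ADD, so the session was authorized by the if-authenticated fallback and not by the RADIUS server at all. On 12.2(50)SE1 the per-method lines are absent and the session simply fails. The following script is an added example, not code from the post or from Cisco: it parses the exact lines quoted above, reconstructs the method chain, and flags sessions that were granted only by a fallback method after the server method errored. The method name NONE for the `none` keyword is an assumption (it does not occur in these traces); the two trace strings are the post's own debug output used as sample input.

```python
import re

# Debug excerpts copied from the two traces in the post above (from the
# create_user line onward). They are the sample input for this example.
TRACE_122_37EY = """\
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/MEMORY: create_user (0x19B0948) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Port='tty3' list='' service=EXEC
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): found list "default"
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/LOCAL: no entry for sergey
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful
"""

TRACE_122_50SE1 = """\
00:18:40: CLUSTER_MEMBER_15: AAA/MEMORY: create_user (0x24C517C) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'
00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
"""

USER_RE = re.compile(r"create_user .*? user='([^']*)'")
METHOD_RE = re.compile(r"AAA/AUTHOR/EXEC \(\d+\): Method=(\S+)")
STATUS_RE = re.compile(r"AAA/AUTHOR \(\d+\): Post authorization status = (\S+)")
RESULT_RE = re.compile(r"AAA/AUTHOR/EXEC(?:\(\w+\))?: Authorization (successful|FAILED)")

# Methods that consult an external server; everything else decides on the box.
SERVER_METHODS = {"radius", "tacacs+"}
# Methods that grant without asking anyone. NONE (the 'none' keyword) is an
# assumed name; only IF_AUTHEN appears in the traces above.
FALLBACK_METHODS = {"IF_AUTHEN", "NONE"}


def parse_exec_authz(trace):
    """Pull the user, the (method, status) chain and the final verdict out of
    one EXEC authorization in 'debug aaa authorization' style output."""
    session = {"user": None, "methods": [], "result": None}
    pending = None  # method announced but not yet given a status line
    for line in trace.splitlines():
        m = USER_RE.search(line)
        if m:
            session["user"] = m.group(1)
            continue
        m = METHOD_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m and pending is not None:
            session["methods"].append((pending, m.group(1)))
            pending = None
            continue
        m = RESULT_RE.search(line)
        if m:
            session["result"] = m.group(1)
    return session


def assess(session):
    """Classify who actually authorized the session.

    'fallback-granted' is the case worth alerting on: the server method
    errored and a fallback method (if-authenticated / none) let the user in,
    so whatever the server would have said was never enforced."""
    if session["result"] == "FAILED":
        return "denied"
    if session["result"] != "successful":
        return "incomplete"
    deciding = next((meth for meth, status in session["methods"]
                     if status.startswith("PASS")), None)
    if deciding is None:
        return "opaque"  # verdict known, but the debug shows no method chain
    server_errored = any(meth in SERVER_METHODS and status == "ERROR"
                         for meth, status in session["methods"])
    if deciding in FALLBACK_METHODS and server_errored:
        return "fallback-granted"
    if deciding in SERVER_METHODS:
        return "server-authorized"
    return "locally-authorized"


if __name__ == "__main__":
    for name, trace in (("12.2(37)EY", TRACE_122_37EY), ("12.2(50)SE1", TRACE_122_50SE1)):
        s = parse_exec_authz(trace)
        print(name, s["user"], s["methods"], s["result"], "->", assess(s))
```

Run against the first trace the verdict is `fallback-granted`: the line `Method=radius (radius)` followed by `Post authorization status = ERROR` shows RADIUS never returned an authorization for this session, and `if-authenticated` is what let the cluster member in. That is worth knowing before calling the old behaviour "normal RADIUS authorization", because with that method list any user who has authenticated gets EXEC access whenever the server method errors. The second trace yields `denied` with an empty method chain, so the debug on the newer release does not by itself show which method rejected the session.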