AAA authorization fails, but still command is executed...

Answered Question
Dec 10th, 2010

Hi everyone,

I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).

Now I try to configure a loopback or Vlan interface, which should not be allowed.

COMMANDS IMPLEMENTED:


aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none

line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty

COMMAND AND OUTPUT FROM TESTING:

SWITCH(config)#int vlan 2
Command authorization failed.

DEBUG AAA AUTHORIZATION:

SWITCH#
Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15


As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.

RESULT:

SWITCH#sh run int vlan 2
Building configuration...

Current configuration : 38 bytes
!
interface Vlan2
no ip address
end

QUESTION:

I don't understand what the problem is... Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.

But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.

Is this me not understanding the basic concept of AAA or is this some other problem?

The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).

The Tacacs runs Cisco Secure ACS 4.2.0.124

Thanks,

Tom

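As an added example (not part of the thread, and not Cisco's or ACS's code), the following script shows the defender-side check a practitioner would want for exactly this symptom: it parses the quoted "debug aaa authorization" output, rebuilds each command from its cmd / cmd-arg AV pairs, and reports any interface that exists in a running-config dump even though TACACS+ returned FAIL for the "interface ..." command that created it. The log and config samples are constructed from the output in the question (the second Loopback session is invented to show that a FAIL whose interface is absent from the config is not flagged); the regexes and the function names are this example's own assumptions, not an IOS or ACS API.

```python
"""Cross-check Cisco 'debug aaa authorization' output against a running-config
dump to find interfaces that were created despite a TACACS+ FAIL verdict.
Added example; the sample data below is constructed from the forum thread."""
import re

# Constructed sample: the session from the question (60725991) plus an
# invented Loopback session (60725992) that also failed but left no interface.
DEBUG_LOG = """\
Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:32:05: tty1 AAA/AUTHOR/CMD (60725992): Port='tty1' list='SCAS' service=CMD
Dec  7 14:32:05: AAA/AUTHOR/CMD: tty1 (60725992) user='USER1'
Dec  7 14:32:05: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd=interface
Dec  7 14:32:05: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=Loopback
Dec  7 14:32:05: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=0
Dec  7 14:32:05: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=<cr>
Dec  7 14:32:05: AAA/AUTHOR (60725992): Post authorization status = FAIL
"""

# Constructed sample: 'show running-config' excerpt after the test in the question.
RUNNING_CONFIG = """\
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
end
"""

SESSION_RE = re.compile(r"\((\d+)\)")                      # AAA session id, e.g. (60725991)
USER_RE = re.compile(r"user='([^']*)'")
AV_RE = re.compile(r"send AV (\S+?)=(.*)$")                # attribute=value pair sent to the server
STATUS_RE = re.compile(r"Post authorization status = (\w+)")


def parse_author_sessions(debug_log):
    """Group debug lines by session id; rebuild the command from its AV pairs."""
    sessions = {}
    for line in debug_log.splitlines():
        m = SESSION_RE.search(line)
        if not m:                      # MEMORY/create_user lines carry no session id
            continue
        s = sessions.setdefault(m.group(1), {"user": None, "tokens": [], "status": None})
        um = USER_RE.search(line)
        if um:
            s["user"] = um.group(1)
        # Only take AVs from the AAA/AUTHOR/CMD lines; the TAC+ lines echo the same pairs.
        if "AAA/AUTHOR/CMD" in line:
            am = AV_RE.search(line)
            if am and am.group(1) in ("cmd", "cmd-arg") and am.group(2).strip() != "<cr>":
                s["tokens"].append(am.group(2).strip())
        sm = STATUS_RE.search(line)
        if sm:
            s["status"] = sm.group(1)
    for s in sessions.values():
        s["command"] = " ".join(s["tokens"])
    return sessions


def canonical_interface(command):
    """'interface Vlan 2' -> 'vlan2', the form IOS uses in the stored config."""
    m = re.match(r"interface\s+(.+)$", command, re.IGNORECASE)
    return re.sub(r"\s+", "", m.group(1)).lower() if m else None


def configured_interfaces(running_config):
    """Set of canonical interface names present in a running-config dump."""
    names = set()
    for line in running_config.splitlines():
        m = re.match(r"interface\s+(\S.*)$", line.strip(), re.IGNORECASE)
        if m:
            names.add(re.sub(r"\s+", "", m.group(1)).lower())
    return names


def find_failed_but_present(debug_log, running_config):
    """Report interfaces that exist although authorization for creating them failed."""
    present = configured_interfaces(running_config)
    findings = []
    for sid, s in parse_author_sessions(debug_log).items():
        if s["status"] != "FAIL":
            continue
        iface = canonical_interface(s["command"])
        if iface and iface in present:
            findings.append({"session": sid, "user": s["user"],
                             "command": s["command"], "interface": iface})
    return findings


if __name__ == "__main__":
    for f in find_failed_but_present(DEBUG_LOG, RUNNING_CONFIG):
        print(f"session {f['session']}: user {f['user']} got FAIL for "
              f"'{f['command']}' but interface {f['interface']} exists in the config")
```

Run on the samples it reports the Vlan2 session only. In practice the config side would come from a scheduled "show running-config" pull and the debug side from syslog; the same FAIL-then-present correlation is what distinguishes this IOS behaviour from an authorization rule that is simply too permissive.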
Correct Answer by hebaerte, Mon, 12/13/2010 - 13:13

Hi Tom,

this is CSCtd49491: TACACS+ command authorization for interface configuration fails.

The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."

As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.

You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.

hth

Herbert


thblake07 Tue, 12/14/2010 - 06:35

Hi Herbert,

thanks for your reply. Looks like I used the wrong keywords while looking through the Bugtoolkit.

Regards,

Tom

Posted December 10, 2010 at 6:30 AM