AAA authorization fails, but still command is executed...

thblake07
Level 1

Hi everyone,

I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).

Now I try to configure a loopback or Vlan interface, which should not be allowed.

COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none

line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty

COMMAND AND OUTPUT FROM TESTING:

SWITCH(config)#int vlan 2
Command authorization failed.

DEBUG AAA AUTHORIZATION:

SWITCH#
Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15


As you can see, the reply from the TACACS is a "FAIL", but still the command is executed.

RESULT:

SWITCH#sh run int vlan 2
Building configuration...

Current configuration : 38 bytes
!
interface Vlan2
no ip address
end

QUESTION:

I don't understand what the problem is... Since I get a FAIL from the TACACS server, I assume that the configuration on that side is fine.

But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.

Is this me not understanding the basic concept of AAA, or is this some other problem?

The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).

The TACACS runs Cisco Secure ACS 4.2.0.124.

Thanks,

Tom
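A small script to cross-check this kind of "debug aaa authorization" output against the running configuration. This is an added example, not code from the thread or from Cisco: it assumes the AAA/AUTHOR/CMD line formats shown in the post, rebuilds each command the switch sent to the TACACS+ server from its AV pairs, records the server's verdict, and flags any "interface" command that was denied (status FAIL) but whose interface nevertheless appears in the running config, which is exactly the symptom described above. The sample input is constructed: it reuses the FAIL session from the post and adds an invented second session (id 60725992) that the server permitted.

```python
"""Cross-check IOS 'debug aaa authorization' output against the running config.

Added example (not from the thread or from Cisco). The regexes are assumptions
modelled on the debug lines in the post; the sample input below is constructed.
"""
import re
from dataclasses import dataclass, field

# One AAA session id appears on every line of a single authorization request.
USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
AV_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV ([^=]+)=(.*)$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")


@dataclass
class AuthzRequest:
    session: str
    user: str = ""
    cmd: str = ""
    args: list = field(default_factory=list)
    status: str = "UNKNOWN"

    def command(self) -> str:
        """The command as typed, without the trailing <cr> marker."""
        return " ".join([self.cmd] + [a for a in self.args if a != "<cr>"])


def parse_authorizations(debug_text: str) -> dict:
    """Group the AV pairs and the final verdict of each request by session id.

    Only the AAA/AUTHOR/CMD copies of the AV pairs are read; the AAA/AUTHOR/TAC+
    lines repeat the same pairs and would otherwise double every argument.
    """
    requests = {}
    for line in debug_text.splitlines():
        if m := USER_RE.search(line):
            requests.setdefault(m.group(1), AuthzRequest(m.group(1))).user = m.group(2)
        elif m := AV_RE.search(line):
            req = requests.setdefault(m.group(1), AuthzRequest(m.group(1)))
            key, value = m.group(2), m.group(3).strip()
            if key == "cmd":
                req.cmd = value
            elif key == "cmd-arg":
                req.args.append(value)
        elif m := STATUS_RE.search(line):
            requests.setdefault(m.group(1), AuthzRequest(m.group(1))).status = m.group(2)
    return requests


def interface_name(req: AuthzRequest) -> str:
    """'interface Vlan 2' as typed is written to the config as 'interface Vlan2'."""
    return "".join(a for a in req.args if a != "<cr>")


def denied_but_configured(debug_text: str, running_config: str) -> list:
    """Return (session, user, command) for interface commands the server
    denied but whose interface still exists in the running configuration."""
    configured = {
        m.group(1) for m in re.finditer(r"^interface (\S+)", running_config, re.M)
    }
    findings = []
    for req in parse_authorizations(debug_text).values():
        if req.cmd == "interface" and req.status == "FAIL":
            if interface_name(req) in configured:
                findings.append((req.session, req.user, req.command()))
    return findings


# Constructed sample: the FAIL session from the post plus an invented session
# 60725992 that the server allowed (PASS_ADD is the IOS verdict for "permit").
SAMPLE_DEBUG = """\
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:32:10: AAA/AUTHOR/CMD: tty1 (60725992) user='USER1'
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV service=shell
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd=interface
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=GigabitEthernet1/0/1
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=<cr>
Dec  7 14:32:10: AAA/AUTHOR (60725992): Post authorization status = PASS_ADD
"""

# Constructed running-config excerpt: Vlan2 exists even though it was denied.
SAMPLE_RUNNING_CONFIG = """\
!
interface Vlan2
 no ip address
!
interface GigabitEthernet1/0/1
 switchport mode access
!
end
"""

if __name__ == "__main__":
    for session, user, command in denied_but_configured(SAMPLE_DEBUG, SAMPLE_RUNNING_CONFIG):
        print(f"session {session}: '{command}' denied for {user} but present in config")
```

Run against a real capture, the script points at exactly the sessions worth raising with TAC: a FAIL verdict paired with an interface that exists anyway. The permitted GigabitEthernet session produces no finding, and a Vlan interface that the server denied and that is absent from the config produces none either.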

1 Accepted Solution

Accepted Solutions

Herbert Baerten
Cisco Employee

Hi Tom,

this is CSCtd49491: TACACS+ command authorization for interface configuration fails.

The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."

As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.

You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.

hth

Herbert


2 Replies

Hi Herbert,

thanks for your reply. Looks like I used the wrong keywords while looking through the Bugtoolkit.

Regards,

Tom
