12-10-2010 06:30 AM - edited 03-10-2019 05:38 PM
Hi everyone,
i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec 7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
!
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
Is this me not understandig the basic concept of AAA or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
Tom
Solved! Go to Solution.
12-13-2010 01:13 PM
Hi Tom,
this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert
12-13-2010 01:13 PM
Hi Tom,
this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert
12-14-2010 06:35 AM
Hi Herbert,
thanks for your reply. Looks like I used the wrong keywords while looking thru the Bugtoolkit
Regards,
Tom
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide