AAA Authorization Problem

Jul 13th, 2012

I have 2 3750 stacks, both of which are very similar. Both are running 12.2(55) SE3.


When I add the following command to one of the switches, however, it results in an authorization failure message when logging in from the console. Logging in to VTY is fine.

The other has been in place and working for some time.


aaa authorization exec default group radius if-authenticated


The full AAA commands are listed below. I have used this config on numerous 3560s and, as mentioned above, on a 3750 too. It seems that on the 3750s I add it to, it causes the authorization issue.



aaa new-model
aaa authentication login default group radius enable
aaa authentication login CONSOLE_LOGIN enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
!
ip access-list extended REMOTE_ACCESS
  permit ip 192.168.30.192 0.0.0.31 any
  permit ip 192.168.31.192 0.0.0.31 any
!
ip radius source-interface Vlan1
!
line con 0
  exec-timeout 20 0
  logging synchronous
  login authentication CONSOLE_LOGIN
line vty 0 15
  access-class REMOTE_ACCESS in
  exec-timeout 10 0
  logging synchronous


Can anybody assist in where I'm going wrong?


Thanks,

Neil

Richard Burts Fri, 07/13/2012 - 09:17
Neil


It is my understanding that if RADIUS does not authenticate the user then RADIUS cannot authorize for the user, since authentication and authorization are done together in RADIUS. Since your aaa CONSOLE_LOGIN authenticates locally and not with RADIUS, I believe that this is your problem. Perhaps you could try configuring it like this and see if it works better:

aaa authentication login CONSOLE_LOGIN group radius enable


HTH


Rick

[email protected].. (not verified) Mon, 07/16/2012 - 00:58

Rick,


Thanks for this. Whilst this works, sadly it's not quite what I'm trying to achieve, and have achieved on additional switches.


What I'm trying to implement, is RADIUS authentication for VTY and enable password for console logins.

Your suggested command works, in the sense that it makes the console login RADIUS too.


As mentioned, this is implemented on a 3750 of the same IOS, which seems very bizarre.


Cheers,

Neil

Richard Burts Mon, 07/16/2012 - 04:22
Neil


This is odd and I wish that I had a better explanation. In reading your original post I thought that it should work for a couple of reasons but since you indicate that it was not working I was trying to suggest something that would work. If my work around does not accomplish what you need then we need to go back to try something else.


In general, IOS devices do not do authorization on the console connection, so I am surprised that you are getting an authorization error on the console. I would ask that you check and verify that there are no commands in the config that specify authorization on the console. Perhaps you could post the output of show run | include author


And in general I would expect that specifying if-authenticated in the command

aaa authorization exec default group radius if-authenticated

would allow it to work. I remember working with a router (quite a while back) where if-authenticated did not work as it should. A code upgrade fixed the problem for me then. And so I might suggest that you try a different version of code on the switch where you are having the problem.


HTH


Rick

[email protected].. (not verified) Mon, 07/16/2012 - 07:11

Thanks Rick.


There are no authorization commands in the config. I have included 'auth' rather than 'author'...


aaa authentication login default group radius enable
aaa authentication login CONSOLE_LOGIN enable


I currently have removed the command that causes the console authorization failure, which is:


aaa authorization exec default group radius if-authenticated


The implication of this is that logging onto the switch is working as intended, with the exception that once you have logged in using RADIUS to VTY, you then need to enable.


I have tried on later code and the result is the same. I haven't tried on earlier code, as sadly this stack is going into prod tonight with the above work around.


I appreciate your help, and if there's anything else you could suggest, I'm all ears!


Neil
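An added example, not the thread's or Cisco's own configuration, of the split Neil describes wanting: RADIUS login on the VTY lines and the enable password on the console, with exec authorization moved from the default list to a named list that only the VTY lines reference, so the console never consults it. The RADIUS server address and key are placeholders assumed here; the list names are chosen for this example, and REMOTE_ACCESS is the ACL from the original post.

```cisco
! Added example configuration (not from the thread). Placeholders:
! 192.0.2.10 / EXAMPLE_KEY stand in for the real RADIUS server and key.
aaa new-model
radius-server host 192.0.2.10 key EXAMPLE_KEY
!
! Login lists as in the original post: RADIUS first, enable as fallback
! for the VTY lines; enable only for the console.
aaa authentication login default group radius enable
aaa authentication login CONSOLE_LOGIN enable
!
! Exec authorization as a NAMED list (VTY_AUTHOR) rather than "default".
! A named list is only used by lines that reference it, so the console
! below is not subject to it. "if-authenticated" still grants an exec
! shell to an authenticated user when RADIUS returns no authorization
! (e.g. the server is unreachable and the enable fallback was used); when
! RADIUS does answer, its policy (e.g. shell:priv-lvl) decides the level.
aaa authorization exec VTY_AUTHOR group radius if-authenticated
aaa session-id common
!
ip access-list extended REMOTE_ACCESS
  permit ip 192.168.30.192 0.0.0.31 any
  permit ip 192.168.31.192 0.0.0.31 any
!
ip radius source-interface Vlan1
!
line con 0
  exec-timeout 20 0
  logging synchronous
  login authentication CONSOLE_LOGIN
  ! deliberately no "authorization exec" on the console
line vty 0 15
  access-class REMOTE_ACCESS in
  exec-timeout 10 0
  logging synchronous
  authorization exec VTY_AUTHOR
```

Check with "show run | section line vty" that only the VTY lines carry an authorization list; a RADIUS user still has to reach privilege 15 via the enable password unless the server returns a shell privilege level.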
