AAA Authorization Problem


I have 2 3750 stacks, both of which are very similar. Both are running 12.2(55) SE3.

When I add the following command to one of the switches, however, it results in an authorization failure message when logging in from the console. Logging in to VTY is fine.

The other has been in place and working for some time.


aaa authorization exec default group radius if-authenticated


The full AAA commands are listed below. I have used this config on numerous 3560s and, as mentioned above, on a 3750 too. It seems that on the 3750s I add it to, it causes the authorization issue.

aaa new-model
aaa authentication login default group radius enable
aaa authentication login CONSOLE_LOGIN enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
ip access-list extended REMOTE_ACCESS
  permit ip 192.168.30.192 0.0.0.31 any
  permit ip 192.168.31.192 0.0.0.31 any
ip radius source-interface Vlan1
line con 0
  exec-timeout 20 0
  logging synchronous
  login authentication CONSOLE_LOGIN
line vty 0 15
  access-class REMOTE_ACCESS in
  exec-timeout 10 0
  logging synchronous


Can anybody assist in where I'm going wrong?

Thanks,

Neil


Richard Burts

Neil

It is my understanding that if RADIUS does not authenticate the user then RADIUS cannot authorize for the user, since authentication and authorization are done together in RADIUS. Since your aaa CONSOLE_LOGIN authenticates locally and not with RADIUS, I believe that this is your problem. Perhaps you could try configuring it like this and see if it works better:

aaa authentication login CONSOLE_LOGIN group radius enable

HTH

Rick

Rick,

Thanks for this, whilst this works, sadly it's not quite what I'm trying to achieve and have achieved on additional switches.

What I'm trying to implement, is RADIUS authentication for VTY and enable password for console logins.

Your suggested command works, in the sense that it makes the console login RADIUS too.

As mentioned, this is implemented on a 3750 of the same IOS, which seems very bizarre.

Cheers,

Neil

Neil

This is odd and I wish that I had a better explanation. In reading your original post I thought that it should work for a couple of reasons, but since you indicate that it was not working I was trying to suggest something that would work. If my workaround does not accomplish what you need then we need to go back to try something else.

In general IOS devices do not do authorization on the console connection. So I am surprised that you are getting an authorization error on the console. So I would ask that you check and verify that there are no commands in the config that specify authorization on the console. Perhaps you could post the output of show run | include author

And in general I would expect that specifying if-authenticated in the command

aaa authorization exec default group radius if-authenticated

would allow it to work. I remember working with a router (quite a while back) where if-authenticated did not work as it should. A code upgrade fixed the problem for me then. And so I might suggest that you try a different version of code on the switch where you are having the problem.

HTH

Rick

Thanks Rick.

There are no authorization commands in the config. I have included 'auth' rather than 'author'...

aaa authentication login default group radius enable
aaa authentication login CONSOLE_LOGIN enable


I currently have removed the command that causes the console authorization failure, which is:

aaa authorization exec default group radius if-authenticated


The implication of this is that logging onto the switch is working as intended, with the exception that once you have logged in using RADIUS to VTY, you then need to enable.

I have tried on later code and the result is the same. I haven't tried on earlier code, as sadly this stack is going into prod tonight with the above workaround.

I appreciate your help, and if there's anything else you could suggest, I'm all ears!

Neil
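The following is an added example, not config posted by Neil or Rick, showing one way to get the stated goal (RADIUS login and no separate enable step on the VTYs, enable password only on the console) without putting exec authorization on the default list at all. It binds a named authorization list to the VTY lines only, so the console never consults RADIUS for authorization regardless of how the platform treats the default list. The RADIUS server address 192.0.2.10, the shared secret and the list name VTY_AUTHOR are placeholders; the rest mirrors the thread's config.

```cisco
! Added example (not from the thread). Exec authorization lives on a NAMED
! list bound only to the VTYs, so "line con 0" is never subject to it.
aaa new-model
!
! Placeholder server and key; the 12.2(55)SE train uses radius-server host.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
ip radius source-interface Vlan1
!
! Login: VTYs use the default list (RADIUS, then enable). Method lists only
! fall through on ERROR (server unreachable), not on a RADIUS reject.
aaa authentication login default group radius enable
aaa authentication login CONSOLE_LOGIN enable
!
! Named exec authorization list. if-authenticated grants exec to any user
! who passed login, so an operator who got in via the enable fallback while
! RADIUS was down is still authorized; decide whether that is acceptable.
aaa authorization exec VTY_AUTHOR group radius if-authenticated
aaa session-id common
!
ip access-list extended REMOTE_ACCESS
 permit ip 192.168.30.192 0.0.0.31 any
 permit ip 192.168.31.192 0.0.0.31 any
!
line con 0
 exec-timeout 20 0
 logging synchronous
 login authentication CONSOLE_LOGIN
 ! no "authorization exec" here, and "aaa authorization console" is
 ! deliberately absent, so the console stays enable-password only
!
line vty 0 15
 access-class REMOTE_ACCESS in
 exec-timeout 10 0
 logging synchronous
 authorization exec VTY_AUTHOR
```

For the VTY user to land directly in privileged mode, the RADIUS server must return the privilege level in the Access-Accept, for example the Cisco AV pair `shell:priv-lvl=15`; without it exec authorization succeeds but the user still has to type `enable`. To see which list a session actually hits and what RADIUS returns, run `debug aaa authorization` and `debug radius` while logging in on the console and on a VTY and compare the two.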
