Command authorization issue.

Answered Question

Hello.

I'm using command authorization with Cisco Secure ACS 4.1. This morning I tried to set the MOTD and the entries fail because my banner starts with a blank.

The shell command set that I'm using is a "permit unmatched commands".

Any idea?

Thanks.

Andrea

Overall Rating: 5 (1 ratings)
Jatin Katyal Sat, 07/06/2013 - 23:59
User Badges:
  • Cisco Employee,

1. Could you please provide the exact command you're executing on the IOS?

2. Screen shot of command authorization set from ACS > shared profile component.

3. Error you're seeing in reports and activity > tacacs administration section.

4. debug tacacs and debug authorization from the CLI.



~BR
Jatin Katyal

**Do rate helpful posts**

Hello Jatin, hello Ravi.

I'm able to reproduce this authorization issue with a 3750 stack running 12.2(55)SE1, IPSERVICEK9.

Another stack running 12.2(44)SE2 works fine.

All stacks run with the same AAA model.

I try to set the MOTD, but when the banner text starts with a blank the entry fails.


```
sw-bcve11(config)#banner motd ^
Enter TEXT message.  End with the character '^'
L'accesso a questo dispositivo e' consentito solo al personale autorizzato.
                 E' proibito ogni accesso non autorizzato
Command authorization failed.

      Access to this equipment is allowed only to authorized personnel.
Command authorization failed.
                        Unauthorized use is prohibited
Command authorization failed.

^
sw-bcve11(config)#
```


Removing all initial spaces resolves the issue.

Attached you can find command set (permit any command), T+ log and debugs.

Many many thanks for your help.

Regards.

Andrea

Correct Answer
Jatin Katyal Mon, 07/08/2013 - 08:29
User Badges:
  • Cisco Employee,

What you're experiencing is a known defect:


CSCtg38468    cat4k/IOS: banner exec failed with blank characters



Symptom:

%PARSE_RC-4-PRC_NON_COMPLIANCE:

The above parser error can be seen together with a traceback when configuring a banner containing a blank character at the beginning of a line.


Conditions:

Problem happens, when AAA authorization is used together with TACACS+


Workaround:

Make sure there is no blank character at the beginning of a line in the banner message.


Problem Details: trying to configure banner exec with blank character at beginning of line failed.


This happens when configuring the banner exec via telnet/ssh!

When configuring the same banner exec via console-port, everything is fine.


Note the blank characters at beginning of each line. When removing those, banner exec works fine.


Again, this was working till IOS version 12.2(46)SG.

Beginning with 12.2(50)SG1 and up, the behaviour has changed.



~BR
Jatin Katyal

**Do rate helpful posts**
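A pre-check for the workaround in the answer above, as an added example that is not part of the original thread or any Cisco tooling: it scans IOS configuration text for banner lines that begin with a blank, so they can be fixed before the config is entered over telnet/ssh with TACACS+ command authorization enabled. The function names, the constructed sample config, treating tabs as blanks, and handling `^C` as the delimiter shown in saved configs are assumptions.

```python
import re

# "banner <type> <delimiter>[text]"; the delimiter is the first character after the type.
BANNER_RE = re.compile(r"^\s*banner\s+(\S+)\s+(\S.*)$")

def leading_blank_banner_lines(config_text):
    """Return (banner_type, line_number, text) for banner lines starting with a blank."""
    findings, delim, kind = [], None, None
    for num, line in enumerate(config_text.splitlines(), 1):
        if delim is None:                      # not inside a banner: look for one
            m = BANNER_RE.match(line)
            if not m:
                continue
            kind, rest = m.groups()
            # Assumption: saved configs render the delimiter as the two characters "^C".
            delim = "^C" if rest.startswith("^C") else rest[0]
            if delim in rest[len(delim):]:     # banner opened and closed on one line
                delim = None
            continue
        text, closed, _ = line.partition(delim)
        if text[:1] in (" ", "\t"):            # the condition the workaround says to avoid
            findings.append((kind, num, text))
        if closed:                             # closing delimiter seen: banner ends
            delim = None
    return findings

def strip_banner_leading_blanks(config_text):
    """Apply the workaround: drop leading blanks on flagged banner lines only."""
    lines = config_text.splitlines()
    for _, num, _ in leading_blank_banner_lines(config_text):
        lines[num - 1] = lines[num - 1].lstrip(" \t")
    return "\n".join(lines)

# Constructed sample, modelled on the session quoted in the thread.
SAMPLE = (
    "hostname sw-example\n"
    "banner motd ^\n"
    "Access to this equipment is allowed only to authorized personnel.\n"
    "\n"
    "      Unauthorized use is prohibited\n"
    "^\n"
    " description not a banner line\n"
    "banner exec # one-line banner #\n"
    "banner login ^C\n"
    "\tAuthorized users only\n"
    "^C\n"
)

if __name__ == "__main__":
    for kind, num, text in leading_blank_banner_lines(SAMPLE):
        print(f"banner {kind}, line {num}: starts with a blank: {text!r}")
```

Stripping the blanks removes any centering in the banner, which is the trade-off the workaround implies.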

Ravi Singh Sun, 07/07/2013 - 20:30
User Badges:
  • Cisco Employee,

The information you have provided is too little; please provide the information requested by Jatin.
