AAA authentication problems

Answered Question
Nov 15th, 2013

Hi,

When I use the aaa commands below and try to authenticate, I am able to authenticate against TACACS+, but then when I do "sh run" I get the message "Command authorization failed." Please advise.


Test-Switch#sh run

Command authorization failed.


aaa new-model
aaa authentication login NETWORK_ACCESS group tacacs+ local enable
aaa authentication enable default group tacacs+ enable


aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none


aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


tacacs-server host IP-Address key String

line vty 0 4
transport input telnet ssh
login authentication NETWORK_ACCESS
exec-timeout 10

BUT as soon as I change the aaa configuration as below, I am able to run sh run as usual without any error.


aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default none
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line

aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec no_tacacs local if-authenticated
aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa session-id common


Please advise. Thanks, it's urgent.

prswami Sat, 11/16/2013 - 00:12

Hi,


It's because of the following config:


aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none


The NAS sees it as having to authorize the exec commands for privilege levels 0, 1 till 15 against a group of servers called "no_tacacs".


If you have defined the "no_tacacs" server group on the NAS, then it must be sending out the command authorization packets to the servers defined in the group.


If there is no command set associated with the rule configured on the TACACS shell profile on the ACS, or if it does not have the "show running-config" command permitted, your user will definitely fail the command authorization.


Please enable "debug tacacs authorization" or "debug aaa authorization" to check which server the request is being sent to, and on that server check whether the corresponding rule has the "show running-config" command permitted.


Thanks,


Prateek

Correct Answer
Richard Burts Sat, 11/16/2013 - 08:01
To approach the issue from a slightly different perspective - your original set of commands instructs the router to send an authorization request to TACACS for every level 15 command, which includes show run. Your TACACS server was not configured to authorize your use of show run and so your attempt to show run was rejected.


Your revised set of commands does not send authorization requests to TACACS for level 15 commands (or for other levels of commands, for that matter) and so there is no issue here with doing show run.


As far as I can tell your revised set of commands is saying do not do any authorization for commands. You could achieve this result just as easily (and with less complication in your configuration) if you just remove the aaa authorization command lines from your config.


HTH


Rick

rizwan555 Sun, 11/17/2013 - 07:38

Thanks Richard for making me understand that ACS needs configuration to allow authentication of commands. As soon as I configured ACS Group Setup -> "Shell Command Authorization Set" -> Assign a Shell Command Authorization Set for any network device -> ReadWriteAccess, ACS was able to authenticate all commands.


I am using the final script below for Full Access, ReadOnlyAccess and Limited Access users, as this script is clearer and more accurate:


aaa new-model
aaa authentication login NETWORK_ACCESS group tacacs+ local enable
aaa authentication enable default group tacacs+ enable


aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none


aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


If anyone gets stuck with ACS Shell Command Authorization Sets on IOS, the document below is very useful:


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1


Richard, please further confirm whether my final script is secure enough or not?
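The behaviour Rick describes (the original config sends every level-15 command to TACACS+, and the trailing "none" only matters when the server does not answer) and the ACS shell command authorization set that finally made "sh run" work can be modelled in a few lines. The following is an added example written for this page, not code from the thread, from Cisco IOS or from ACS: the CommandSet, TacacsServer and authorize_command names, the READ_WRITE and READ_ONLY sets and the "admin"/"auditor" users are constructed stand-ins, the server is an in-process stub rather than a real TACACS+ exchange, and only the "group tacacs+" and "none" methods are modelled.

```python
import re

# Authorization outcomes as IOS treats them: PASS and FAIL are final decisions;
# ERROR (no usable reply from the server) makes IOS try the next method.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class CommandSet:
    """Simplified ACS-style shell command authorization set (constructed model).
    rules: ordered (action, command, argument_regex) tuples; the first rule whose
    command matches and whose regex fully matches the arguments decides, and
    commands matching no rule get the `unmatched` action ("permit" or "deny")."""

    def __init__(self, rules, unmatched="deny"):
        self.rules = rules
        self.unmatched = unmatched

    def permits(self, cmdline):
        words = cmdline.split()
        command, args = words[0], " ".join(words[1:])
        for action, rule_cmd, arg_regex in self.rules:
            if rule_cmd == command and re.fullmatch(arg_regex, args):
                return action == "permit"
        return self.unmatched == "permit"


class TacacsServer:
    """In-process stand-in for the ACS server; no real TACACS+ packets."""

    def __init__(self, user_command_sets, reachable=True):
        self.user_command_sets = user_command_sets  # user -> CommandSet or None
        self.reachable = reachable
        self.requests = []  # every authorization request the NAS sent

    def authorize(self, user, cmdline):
        self.requests.append((user, cmdline))
        if not self.reachable:
            return ERROR
        command_set = self.user_command_sets.get(user)
        if command_set is None:
            return FAIL  # shell profile without a command set permits nothing
        return PASS if command_set.permits(cmdline) else FAIL


def authorize_command(method_list, server, user, cmdline):
    """Walk an IOS method list such as ["group tacacs+", "none"].
    Only ERROR advances to the next method; an explicit FAIL ends the walk, so
    "group tacacs+ none" still rejects what the server denies and only falls
    back to "none" when the server is unreachable. The command is expected in
    expanded form ("show running-config"). Returns (allowed, [(method, result)])."""
    trace = []
    for method in method_list:
        if method == "group tacacs+":
            result = server.authorize(user, cmdline)
        elif method == "none":
            result = PASS  # no authorization performed; command allowed
        else:
            raise ValueError(f"method {method!r} is not modelled here")
        trace.append((method, result))
        if result != ERROR:
            return result == PASS, trace
    return False, trace  # every method errored: IOS fails the authorization


# Level-15 command authorization lists from the thread's two configurations.
METHOD_LISTS = {
    "default": ["group tacacs+", "none"],  # ... commands 15 default group tacacs+ none
    "no_tacacs": ["none"],                 # ... commands 15 no_tacacs none
}

# Constructed command sets in the spirit of the ReadWriteAccess set mentioned.
READ_WRITE = CommandSet(rules=[], unmatched="permit")
READ_ONLY = CommandSet(rules=[("permit", "show", ".*")], unmatched="deny")


def run_scenarios():
    """Replay the thread's situations; returns {name: (allowed, trace[, requests])}."""
    default, no_tacacs = METHOD_LISTS["default"], METHOD_LISTS["no_tacacs"]
    results = {}
    # 1. Original config, no command set on the shell profile: FAIL, "sh run" rejected.
    srv = TacacsServer({"admin": None})
    results["original_no_command_set"] = authorize_command(default, srv, "admin", "show running-config")
    # 2. Revised config: the named list is just "none"; the server is never asked.
    srv = TacacsServer({"admin": None})
    allowed, trace = authorize_command(no_tacacs, srv, "admin", "show running-config")
    results["revised_no_tacacs"] = (allowed, trace, len(srv.requests))
    # 3. Original config once a permit-all set is assigned: allowed via TACACS+.
    srv = TacacsServer({"admin": READ_WRITE})
    results["original_read_write"] = authorize_command(default, srv, "admin", "show running-config")
    # 4. Read-only set: show passes, configuration changes are denied.
    srv = TacacsServer({"auditor": READ_ONLY})
    results["readonly_show"] = authorize_command(default, srv, "auditor", "show running-config")
    results["readonly_configure"] = authorize_command(default, srv, "auditor", "configure terminal")
    # 5. Server unreachable: ERROR falls through to "none" and the change is allowed.
    srv = TacacsServer({"auditor": READ_ONLY}, reachable=False)
    results["server_down"] = authorize_command(default, srv, "auditor", "configure terminal")
    return results
```

Scenario 1 reproduces the original symptom and scenario 3 the fix from the thread (assigning a command set on the ACS side rather than weakening the NAS side). Scenario 5 is the caveat worth keeping in mind with the final script: the trailing "none" in "group tacacs+ none" is a fail-open fallback, so while the TACACS+ server is unreachable, level-15 commands run without any authorization check. That is a deliberate availability trade-off against locking yourself out, and the accounting lines in the same script are what give you a record of what was run during such a window.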

Richard Burts Sun, 11/17/2013 - 18:11

Your final script looks good to me and should help provide security for your devices. Thank you for the link to the helpful document. And thank you for marking this question as answered. I am glad that my response was helpful to you.


HTH


Rick
