Problem getting SDM to work with tacacs (using ACS)

Oct 12th, 2005
I'm having a problem getting into SDM through tacacs (ACS 3.3). Logging in via CLI (tacacs) works fine. When I put http authentication to local all works fine. I'm using the following settings:


!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
ip http authentication aaa login-authentication default
ip http secure-server
!
!
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key XXXXXX
!



debug tacacs gives me the following when I'm trying to log into SDM --> included in the attachment

According to the output, user authentication (login/pass) goes fine.


In tacacs I'm not getting any useful logging (no failed attempts, no accounting or administration output).


ACS user settings:

advanced tacacs+ settings:
max privilege = 15

tacacs+ settings:
shell exec = checked


Googling and searching for 2 days now, but no luck yet.


Any help would be greatly appreciated!


Regards,


Dennis
Richard Burts Wed, 10/12/2005 - 08:55
Dennis


I am not clear about what the problem is. Looking at the debug output that you posted I wonder about the lines around the entry about inappropriate protocol:

*Oct 12 13:16:25.539: TPLUS: Inappropriate protocol: 24


but other than this the debug output looks like the login should have worked. I see a PASS for authentication and a PASS for authorization.


I wonder what would happen if you changed the config from:

ip http authentication aaa login-authentication default

to:

ip http authentication tacacs


HTH


Rick

dkrijgsman Wed, 10/12/2005 - 10:56
Hi Rick


"ip http authentication tacacs" isn't an option. The "inappropriate protocol 24" I also noticed, but other successful CLI logins did have the same output.


However, I finally found the problem. Earlier I found this topic:


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee96430/2


Here they give the tacacs user privilege level 15 and check "exec" in the tacacs+ setting, as it seems that SDM needs privilege level 15 to get started!? I didn't notice this earlier, so once I gave my test user privilege level 15 I got in using tacacs.


This however leads me to the second problem: restricting users using tacacs in SDM. Since 12.3(7)T, IOS has the option of using Role Based CLI access:


http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_white_paper09186a00801ee18d.shtml


So now I'm trying to get tacacs to match a user to a parser view defined on the router (using the aaa attribute "cli-view_name"), just to put a lock on the privilege level 15 I have to define to get logged into SDM in the first place. :(


Goal: finding an appropriate way to give customers minimal access to a device using SDM and only allowing specific information to be viewed.


SDM has some pre-defined views such as "sdm_monitor" but these all have too many privileges.


It'll take me some research to get this working :)


Thanks


Dennis
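As an added illustration of the Role Based CLI access mechanism Dennis is researching (not configuration from the thread or from Cisco), the router side of a read-only parser view that a TACACS+ server can assign at login. The view name, the view secret and the command list are placeholders chosen for the example; the AAA attribute is written here as cli-view-name, which is the spelling assumed for this example (the thread writes it as cli-view_name). Whether SDM itself can be launched from inside such a view is not settled in the thread and this example does not claim it.

```cisco
! Added example, not from the thread. Names and secrets are placeholders.
! Exec authorization must be enabled so that the view name returned by the
! TACACS+ server at login is actually applied to the session.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Views can only be created from the root view: run "enable view" and
! supply the enable secret before entering the parser view commands below.
!
! A view that exposes a handful of show commands and nothing else.
! A user placed in this view cannot enter configuration mode regardless
! of the privilege level assigned alongside the view.
parser view MONITOR_VIEW
 secret 0 PLACEHOLDER_VIEW_SECRET
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show interfaces
 commands exec include show logging
!
! Server side (ACS 3.3, user or group TACACS+ Settings), done in the ACS GUI
! rather than on the router: tick "Shell (exec)", tick "Custom attributes",
! and enter the single line
!   cli-view-name=MONITOR_VIEW
! so that the router receives the view name with the exec authorization reply.
!
! Verification after login, from the restricted user's session:
!   show parser view        -> reports "Current view is 'MONITOR_VIEW'"
!   configure terminal      -> rejected, the command is not in the view
```

If the view name sent by the server does not exist on the router, the login falls back to the ordinary exec shell at the assigned privilege level, so the view name on both sides must match exactly.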