
New Member

AAA authorization fails, but still command is executed...

Hi everyone,

I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).

Now I try to configure a loopback or Vlan interface, which should not be allowed.

COMMANDS IMPLEMENTED:

aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none

line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty

COMMAND AND OUTPUT FROM TESTING:

SWITCH(config)#int vlan 2
Command authorization failed.

DEBUG AAA AUTHORIZATION:

SWITCH#
Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15


As you can see, the reply from the TACACS server is a "FAIL", but the command is still executed.

RESULT:

SWITCH#sh run int vlan 2
Building configuration...

Current configuration : 38 bytes
!
interface Vlan2
no ip address
end

QUESTION:

I don't understand what the problem is... Since I get a FAIL from the TACACS server, I assume that the configuration on that side is fine.

But why would the switch ignore a FAIL and still execute the command? The same problem exists with the Loopback interface.

Is this me not understanding the basic concept of AAA, or is this some other problem?

The switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).

The TACACS server runs Cisco Secure ACS 4.2.0.124.

Thanks,

Tom
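The debug output above shows the switch sending the command to the TACACS+ server as AV pairs (cmd=interface, cmd-arg=Vlan, cmd-arg=2) and receiving "Post authorization status = FAIL", while the running config afterwards still contains "interface Vlan2". The following script is an added example, not code from the original post or from Cisco; it parses "debug aaa authorization" output into one record per AAA session (the number in parentheses), rebuilds the attempted command from its AV pairs, and then checks "show running-config" for any interface that the server rejected but that exists anyway. The sample debug lines and running config are constructed from the post, and all function names are the example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the "debug aaa authorization" lines quoted in the post,
# with the AAA/MEMORY and parse lines dropped. Not a full log from the device.
DEBUG_LINES = """\
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
"""

# Constructed sample "show running-config" excerpt: the Vlan2 interface the post
# found after the FAIL, plus one unrelated port.
RUNNING_CONFIG = """\
interface Vlan2
 no ip address
!
interface GigabitEthernet1/0/1
 switchport mode access
"""

SESSION_RE = re.compile(r"\((\d+)\)")                  # AAA session id, e.g. (60725991)
USER_RE = re.compile(r"user='?([^'\s]+)'?")            # user='USER1' or user=USER1
AV_RE = re.compile(r"send AV ([\w-]+)=(\S+)")          # one attribute-value pair per line
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
IFACE_RE = re.compile(r"^interface\s+(\S+)", re.MULTILINE)


def parse_authorizations(debug_text: str) -> Dict[str, dict]:
    """Group debug lines by AAA session id and rebuild the command that was authorized."""
    sessions: Dict[str, dict] = {}
    for line in debug_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group(1), {"user": None, "cmd": None, "args": [], "status": None})
        um = USER_RE.search(line)
        if um and s["user"] is None:
            s["user"] = um.group(1)
        # The AV pairs appear twice (AAA/AUTHOR/CMD and AAA/AUTHOR/TAC+); keep the CMD copy only
        if "AAA/AUTHOR/CMD" in line:
            am = AV_RE.search(line)
            if am:
                key, value = am.groups()
                if key == "cmd":
                    s["cmd"] = value
                elif key == "cmd-arg" and value != "<cr>":
                    s["args"].append(value)
        sm = STATUS_RE.search(line)
        if sm:
            s["status"] = sm.group(1)
    return sessions


def command_text(session: dict) -> str:
    """Human-readable form of the command sent for authorization."""
    return " ".join([session["cmd"], *session["args"]]) if session["cmd"] else ""


def configured_interfaces(running_config: str) -> Set[str]:
    """Interface names present in the running config, lower-cased for comparison."""
    return {m.group(1).lower() for m in IFACE_RE.finditer(running_config)}


def failed_interfaces_present(debug_text: str, running_config: str) -> List[str]:
    """Return 'interface ...' commands the server rejected whose interface exists in the config anyway."""
    present = configured_interfaces(running_config)
    hits = []
    for s in parse_authorizations(debug_text).values():
        if s["status"] != "FAIL" or s["cmd"] != "interface" or not s["args"]:
            continue
        # IOS stores "int vlan 2" as "interface Vlan2": join type and number, compare case-insensitively
        name = "".join(s["args"]).lower()
        if name in present:
            hits.append(f"{s['user']}: {command_text(s)}")
    return hits


if __name__ == "__main__":
    for hit in failed_interfaces_present(DEBUG_LINES, RUNNING_CONFIG):
        print("rejected by TACACS+ but present in running-config:", hit)
```

Feed it a saved debug capture and a "show running-config" taken afterwards and it flags exactly the symptom in the post: the session for USER1 ends in FAIL, yet Vlan2 is in the config. The same parse also gives you an audit trail of every command the server rejected per user, which is worth keeping regardless of this particular bug.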


Accepted Solutions
Cisco Employee

Re: AAA authorization fails, but still command is executed...

Hi Tom,

This is CSCtd49491: "TACACS+ command authorization for interface configuration fails".

The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."

As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.

You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.

hth

Herbert


New Member

Re: AAA authorization fails, but still command is executed...

Hi Herbert,

Thanks for your reply. Looks like I used the wrong keywords while looking through the Bug Toolkit.

Regards,

Tom
