01-08-2004 01:11 PM - edited 03-10-2019 07:37 AM
Hello,
I want to download an ACL for a user that connects to a router. I configured the TACACS+ settings (checked the shell (exec) and Access Control List options). Then in the router I defined access control list 10. I see that the ACL is downloaded, but it seems that it isn't applied, because it permits all traffic. I'm attaching the configuration for the 2621:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Prueba
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
username anacelia privilege 15 password xxxxx
memory-size iomem 10
aaa new-model
!
!
aaa authentication login UsrGestion group tacacs+ local
aaa authentication login Consola local
aaa authentication enable default line group tacacs+
aaa authorization exec UsrGestion group tacacs+
aaa authorization commands 0 UsrGestion group tacacs+
aaa authorization commands 7 UsrGestion group tacacs+
aaa authorization commands 15 UsrGestion group tacacs+
aaa authorization network UsrGestion group tacacs+
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec UsrGestion start-stop group tacacs+
aaa accounting commands 1 UsrGestion start-stop group tacacs+
aaa accounting commands 7 UsrGestion start-stop group tacacs+
aaa accounting commands 15 UsrGestion start-stop group tacacs+
aaa accounting network UsrGestion start-stop group tacacs+
aaa accounting connection UsrGestion start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface Serial0/0
no ip address
!
interface FastEthernet0/1
ip address 10.254.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 10 deny 10.254.3.5
access-list 10 deny 10.254.3.1
access-list 100 deny icmp any host 10.254.3.5
access-list 100 deny ip any any
!
tacacs-server host 10.254.3.5
tacacs-server directed-request
tacacs-server key xxxx
!
!
!
!
!
line con 0
password xxxx
login authentication Consola
line aux 0
line vty 0 4
authorization exec UsrGestion
accounting commands 15 UsrGestion
accounting exec UsrGestion
login authentication UsrGestion
line vty 5 15
authorization exec UsrGestion
accounting commands 15 UsrGestion
accounting exec UsrGestion
login authentication UsrGestion
!
!
!
end
I tried with both ACLs: 10 and 100.
The debug shows:
*Mar 1 05:23:49.278: TPLUS(00000046)/0/READ: socket event 1
*Mar 1 05:23:49.278: TPLUS(00000046)/0/READ: read entire 25 bytes response
*Mar 1 05:23:49.278: TPLUS(00000046)/0/82D66B44: Processing the reply packet
*Mar 1 05:23:49.278: TPLUS: Processed AV acl=10
*Mar 1 05:23:49.282: TPLUS: received authorization response for 70: PASS
*Mar 1 05:23:49.286: AAA/AUTHOR/EXEC(00000046): processing AV cmd=
*Mar 1 05:23:49.286: AAA/AUTHOR/EXEC(00000046): processing AV acl=10
*Mar 1 05:23:49.286: AAA/AUTHOR/EXEC(00000046): Authorization successful
*Mar 1 05:23:50.614: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar 1 05:23:50.614: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Mar 1 05:23:50.614: AAA/MEMORY: create_user (0x82FA2B04) user='Adm1' ruser='NULL' ds0=0 port='tty66' rem_addr='10.254.3.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 05:23:52.406: AAA/MEMORY: free_user (0x82FA2B04) user='Adm1' ruser='NULL' port='tty66' rem_addr='10.254.3.100' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
What could be happening?
Thanks!
Anacelia
01-13-2004 06:50 AM
Just try deleting the configuration and configure it again, this might work sometimes.
01-14-2004 06:42 AM
Hi,
As I see it, you defined ACL 10 on the router but you didn't apply it to any interface, so the ACL doesn't affect any traffic. You have to apply ACL 10 to an interface (the one on which you have to control the traffic).
Hope this helps.
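As an added illustration (not code from the thread, the poster, or Cisco), the following script evaluates IOS numbered access lists the way the router does once a list is actually applied: first matching entry wins, and anything that matches no entry hits the implicit deny at the end of every IOS ACL. Run against the two lists from the posted config it shows that both ACL 10 and ACL 100 contain only deny entries, so wherever they are applied they cannot permit anything; the constructed ACLs 11 and 12 are hypothetical lists with an explicit permit, included for contrast, and the has_permit() check is the lint a practitioner would run before pushing such a list via TACACS+.

```python
"""Evaluate Cisco IOS numbered access lists (standard 1-99, extended 100-199).

Added illustration for this thread, not code from the post or from Cisco.
Semantics reproduced: entries are checked top to bottom, the first match
decides, and a packet matching no entry is denied (IOS's implicit deny).
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
_DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed input: ACL 10 and ACL 100 are copied from the posted 2621
# config; ACL 11 and ACL 12 are hypothetical lists with an explicit permit.
CONFIG = """
access-list 10 deny 10.254.3.5
access-list 10 deny 10.254.3.1
access-list 100 deny icmp any host 10.254.3.5
access-list 100 deny ip any any
access-list 11 deny 10.254.3.5
access-list 11 permit any
access-list 12 permit 10.254.3.0 0.0.0.255
"""


def _wildcard_to_prefix(wild):
    """Convert an IOS wildcard mask (1 bits = don't care) to a prefix length."""
    mask = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wild} is not supported here")
    return prefix


def _addr(tokens):
    """Parse one IOS address spec; return (network, remaining tokens).

    Accepts 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', and the bare
    'A.B.C.D' form that standard ACLs allow (wildcard 0.0.0.0).
    """
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr = tokens[0]
    if len(tokens) > 1 and _DOTTED.fullmatch(tokens[1]):
        prefix = _wildcard_to_prefix(tokens[1])
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]
    return ipaddress.ip_network(addr + "/32"), tokens[1:]


def parse_acls(text):
    """Return {acl number: [entry, ...]} in configuration order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2].lower()
        if number <= 99:                        # standard: source address only
            src, _ = _addr(tok[3:])
            proto, dst = "ip", ANY
        else:                                   # extended: proto src dst [ports]
            proto = tok[3].lower()
            src, rest = _addr(tok[4:])
            dst, _ = _addr(rest)
        acls.setdefault(number, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst})
    return acls


def evaluate(acl, src, dst="0.0.0.0", proto="ip"):
    """Return (verdict, index of the matching entry); None = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, entry in enumerate(acl):
        if entry["proto"] != "ip" and entry["proto"] != proto:
            continue
        if s in entry["src"] and d in entry["dst"]:
            return entry["action"], i
    return "deny", None


def has_permit(acl):
    """Lint: a list with no permit entry blocks everything once applied."""
    return any(entry["action"] == "permit" for entry in acl)


ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    for number, acl in sorted(ACLS.items()):
        print(f"ACL {number}: has permit entry = {has_permit(acl)}")
    # A management host from the debug output, pinging the TACACS+ server.
    print("ACL 100, icmp 10.254.3.100 -> 10.254.3.5:",
          evaluate(ACLS[100], "10.254.3.100", "10.254.3.5", "icmp"))
    print("ACL 10, source 10.254.3.100:", evaluate(ACLS[10], "10.254.3.100"))
```

The index returned by evaluate() is the position of the entry that fired; None means the packet fell through to the implicit deny, which is what happens to every source not listed in ACL 10, so that list, once applied, cannot let any traffic through.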