Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1772
Views
0
Helpful
2
Replies

ACS 3.0 & TACACS+ download ACL to a 2621 router

asarlo
Level 1
Level 1

‎01-08-2004 01:11 PM - edited ‎03-10-2019 07:37 AM

Hello,

I want to download an ACL for a user that connect to a router. I configure the TACACS+ settings (check the shell(exec) and Access Control List. Then in the router I define an access control list 10. I see that the Acl is downloaded but it seems that it isn't applied, because it permit every traffic. I'm attaching the configuration for the 2621 :

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Prueba

!

boot-start-marker

boot-end-marker

!

enable secret xxx

!

username anacelia privilege 15 password xxxxx

memory-size iomem 10

aaa new-model

!

!

aaa authentication login UsrGestion group tacacs+ local

aaa authentication login Consola local

aaa authentication enable default line group tacacs+

aaa authorization exec UsrGestion group tacacs+

aaa authorization commands 0 UsrGestion group tacacs+

aaa authorization commands 7 UsrGestion group tacacs+

aaa authorization commands 15 UsrGestion group tacacs+

aaa authorization network UsrGestion group tacacs+

aaa accounting delay-start

aaa accounting update newinfo

aaa accounting exec UsrGestion start-stop group tacacs+

aaa accounting commands 1 UsrGestion start-stop group tacacs+

aaa accounting commands 7 UsrGestion start-stop group tacacs+

aaa accounting commands 15 UsrGestion start-stop group tacacs+

aaa accounting network UsrGestion start-stop group tacacs+

aaa accounting connection UsrGestion start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

ip subnet-zero

!

!

!

ip audit notify log

ip audit po max-events 100

!

!

!

!

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface Serial0/0

no ip address

!

interface FastEthernet0/1

ip address 10.254.3.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

!

no ip http server

no ip http secure-server

ip classless

!

!

access-list 10 deny 10.254.3.5

access-list 10 deny 10.254.3.1

access-list 100 deny icmp any host 10.254.3.5

access-list 100 deny ip any any

!

tacacs-server host 10.254.3.5

tacacs-server directed-request

tacacs-server key xxxx

!

!

!

!

!

line con 0

password xxxx

login authentication Consola

line aux 0

line vty 0 4

authorization exec UsrGestion

accounting commands 15 UsrGestion

accounting exec UsrGestion

login authentication UsrGestion

line vty 5 15

authorization exec UsrGestion

accounting commands 15 UsrGestion

accounting exec UsrGestion

login authentication UsrGestion

!

!

!

end

I tried with both acls : 10 & 100.

The debugs shows :

*Mar 1 05:23:49.278: TPLUS(00000046)/0/READ: socket event 1

*Mar 1 05:23:49.278: TPLUS(00000046)/0/READ: read entire 25 bytes response

*Mar 1 05:23:49.278: TPLUS(00000046)/0/82D66B44: Processing the reply packet

*Mar 1 05:23:49.278: TPLUS: Processed AV acl=10

*Mar 1 05:23:49.282: TPLUS: received authorization response for 70: PASS

*Mar 1 05:23:49.286: AAA/AUTHOR/EXEC(00000046): processing AV cmd=

*Mar 1 05:23:49.286: AAA/AUTHOR/EXEC(00000046): processing AV acl=10

*Mar 1 05:23:49.286: AAA/AUTHOR/EXEC(00000046): Authorization successful

*Mar 1 05:23:50.614: AAA: parse name=tty66 idb type=-1 tty=-1

*Mar 1 05:23:50.614: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0

port=66 channel=0

*Mar 1 05:23:50.614: AAA/MEMORY: create_user (0x82FA2B04) user='Adm1' ruser='NU

LL' ds0=0 port='tty66' rem_addr='10.254.3.100' authen_type=ASCII service=ENABLE

priv=15 initial_task_id='0', vrf= (id=0)

*Mar 1 05:23:52.406: AAA/MEMORY: free_user (0x82FA2B04) user='Adm1' ruser='NULL

' port='tty66' rem_addr='10.254.3.100' authen_type=ASCII service=ENABLE priv=15

vrf= (id=0)

What could be happening ?

Thanks!

Anacelia

Labels:
0 Helpful
2 Replies 2

sirpa_k
Level 1
Level 1

‎01-13-2004 06:50 AM

Just try deleting the configuration and configure it again, this might work sometimes.

0 Helpful

nihal.akbulut
Level 1
Level 1

‎01-14-2004 06:42 AM

hi,

as I see you defined acl 10 on router but you didn't apply it to any interface. So the acl doesn't affect any traffic. you have apply the acl 10 to an interface ( which you have to control traffic).

hope this helps..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents