TACACS auth working via SSH, but not HTTP (ACS 5.1 / 3560)

David Varnum · ‎08-27-2010

Experts,

My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.

Here is my AAA config, followed by a debug:

aaa new-model
aaa authentication login ACCESS group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACCESS group tacacs+
aaa authorization commands 1 Priv1 group tacacs+ none
aaa authorization commands 15 Priv15 group tacacs+ none
aaa authorization network ACCESS group tacacs+
aaa accounting exec ACCESS start-stop group tacacs+
aaa accounting commands 0 ACCESS start-stop group tacacs+
aaa accounting commands 1 ACCESS start-stop group tacacs+
aaa accounting commands 15 ACCESS start-stop group tacacs+
aaa session-id common

ip http authentication aaa login-authentication ACCESS
ip http authentication aaa exec-authorization ACCESS
ip http authentication aaa command-authorization 1 Priv1
ip http authentication aaa command-authorization 15 Priv15

ip http secure-server

no ip http server

tacacs-server host X.X.X.X key 7
tacacs-server timeout 3
tacacs-server directed-request

Debug:

47w4d: HTTP AAA Login-Authentication List name: ACCESS
47w4d: HTTP AAA Exec-Authorization List name: ACCESS
47w4d: HTTP: Authentication failed for level 15

Shell authorization profiles are working in ACS when SSHing to devices (Priv1 and Priv15), and I can't figure out why its not working for HTTPS.

Any ideas?

Javier Henderson · ‎08-30-2010

Can you turn on "debug tacacs" on the router, collect the output, and post it here please?

David Varnum · ‎08-30-2010

Thank you for your response, here is the debug from the 3560:

BC-3560-48-6-1-1#
48w0d: HTTP AAA Login-Authentication List name: ACCESS
48w0d: HTTP AAA Exec-Authorization List name: ACCESS
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: processing authentication start request id 0
48w0d: TPLUS: Authentication start packet created for 0(varnumd)
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS(00000000)/0/NB_WAIT/458EDA8: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 27 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: Would block while reading
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 28 bytes response
48w0d: TPLUS(00000000)/0/458EDA8: Processing the reply packet
48w0d: TPLUS: Received authen response status GET_PASSWORD (8)
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: processing authentication continue request id 0
48w0d: TPLUS: Authentication continue packet generated for 0
48w0d: TPLUS(00000000)/0/WRITE/4332F88: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/WRITE: wrote entire 30 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 18 bytes response
48w0d: TPLUS(00000000)/0/4332F88: Processing the reply packet
48w0d: TPLUS: Received authen response status PASS (2)
48w0d: TPLUS: Queuing AAA Authorization request 0 for processing
48w0d: TPLUS: processing authorization request id 0
48w0d: TPLUS: Inappropriate protocol: 25
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS: Authorization request created for 0(varnumd)
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS(00000000)/0/NB_WAIT/4332E18: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: Would block while reading
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read 0 bytes
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out
48w0d: TPLUS: Inappropriate protocol: 25
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS: Authorization request created for 0(varnumd)
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out, clean up
48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet
48w0d: HTTP: Authentication failed for level 15

bking1982 · ‎11-11-2011

I am having the same issue with the same debug. Did you ever get any resolution to this? If you look at the "Passed" authentications in ACS, it logs the attempt as Passed, but still fails to login. Thanks.

Javier Henderson · ‎11-14-2011

48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet

48w0d: HTTP: Authentication failed for level 15

Note that it says that authentication failed for level 15. Is the shell profile being hit configured to grant privilege level 15?

David Varnum · ‎11-14-2011

I never figured out the issue and ended up moving on to other projects, but I'm definitely interested in picking this back up.

Javier, yes the shell profile being hit is configured to grant priv level 15. This works fine via SSH and telnet. What's strange is my ACS logs show successful authentication. If I look at the actual log, I can see myself match the appropriate ID Store, shell profile, ID group, ID policy, Group Mapping, and Authorization policy, with success.

I'm curious if something is misconfigured on the switch side, can you take a look at the posted config, particularly the http configuration? I know over SSH and telnet my shell profiles work fine, just not HTTP. I'll do some more digging since I haven't looked at this in over a year and let you know if I resolve the issue.

Javier Henderson · ‎11-14-2011

Dave,

The switch configuration looks fine. Can you look at the traffic between the switch and ACS using a tool like wireshark, to see the contents of the reply packet from ACS, to see if priv-lvl=15 is included?

Also, when you look at the details of the authentication and authorization on ACS, does it show that it's sending priv-level=15?

bking1982 · ‎11-14-2011

I found this bug and it looks like it has not been fixed yet.

The Bug ID is CSCtq94595.

HTTP AAA Authentication does not work any more after upgrade to 12.2.58S.

Symptom: HTTP AAA Authentication does not work with IOS version 12.2.58SE1

Conditions: HTTP AAA authentication with local DB

Workaround: None

1st Found-In

15.2(1)TPI17

12.2(58)SE2

15.0(1)SE

12.2(58)SE1

Fixed-In

Release-Pending

David Varnum · ‎11-14-2011

I'm running 12.2(50)SE on my 3560, where I am experiencing the issue.

One thing I noticed on the 3560 was I could successfully login via http://x.x.x.x/level/1, but not http://x.x.x.x/level/15, even though both logs show success authentication and authorization.

I decided to try a 2960 running 12.2(53r)SE, and HTTP auth worked! Same exact configuration, just a different switch, slightly different IOS revision. I'm going to try and upgrade my 3560 to this version of code during our maintenance window this week and see if it works. I hope this really is just a bug in particular versions of code, good find.