Tacacs+ Authenticating the Enable Password

dhackenberg
Level 1

I have the following configuration on my switch and it works correctly:

aaa group server tacacs+ tacacs_serv
 server 192.168.70.20
aaa authentication login tac_auth group tacacs_serv local
line vty 0 15
 login authentication tac_auth
 transport input ssh

The configuration above works correctly, my username/pwd are authenticated via Tacacs+ and the "enable" password is confirmed via the local database on the switch.

When I make the following changes, attempting to have TACACS+ validate the username/pwd as well as the "enable" password, I cannot log into the switch at all.

aaa group server tacacs+ tacacs_serv
 server 192.168.70.20
aaa authentication login default group tacacs_serv local
aaa authentication enable default group tacacs_serv enable
line vty 0 15
 login authentication default
 transport input ssh

The switch is running 12.2(44)SE6. The username/pwd are in the local database of the Linux server. The Enable password is configured in two places within the tac_plus.conf file:

host = 192.168.70.15 {
        prompt = "Enter your Username and Password. Username: "
        enable = cleartext "password"
}

AND

user = $enab15$ {
        login = cleartext "password"
}

Any help would be appreciated.

Thanks


7 Replies 7

svashish
Cisco Employee

Dear David ,

Please post debug aaa authentication

From the configuration you have posted it seems your switch side configuration is correct and there could be something missing on the TACACS+ server side.

http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i47039__heada__4_8

If you choose to use TACACS+ to authenticate your enable password as well, then you will need to define a special enable user called $enabl15$. The following example creates this enable account by using the password happy. After you define this username, the TACACS+ server will be able to handle authentication requests for the enable password:

user = $enab15$ {
    login = cleartext happy
}

Thanks

sharad

Thanks for your help. I have tried creating the special user you mentioned (enabl15 and enabl15). I did it both ways since there was a typo. Neither works. Below is the output from the command debug aaa authentication:

Dec 10 15:08:43.155: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 15:08:43.155: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 15:08:43.155: AAA/MEMORY: create_user (0x1F3BA50) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): using "default" list
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): Method=tacacs_serv (tacacs+)
Dec 10 15:08:43.155: TAC+: send AUTHEN/START packet ver=192 id=1044210600
Dec 10 15:08:43.457: TAC+: ver=192 id=1044210600 received AUTHEN status = GETPASS
Dec 10 15:08:43.457: AAA/AUTHEN (1044210600): status = GETPASS
% Error in authentication.

I am testing this on a 2960, running 12.2(44)SE6. Could this be a bug?

Hi David,

% Error in authentication

at enable authentication usually means that the privilege level (maximum) is not 15.

Cause, when you type in "enable" it's actually "enable 15"

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Below is the config of the enabl15 user in the Tacacs config file:

user = $enabl15$ {
        login = cleartext 802.11boingo
        priv-lvl = 15
}

I did, at your suggestion, add the priv-lvl line. It did not change the result.

Below is the most recent debug:

CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 15:41:55.857: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 15:41:55.857: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 15:41:55.857: AAA/MEMORY: create_user (0x1E6AA88) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): using "default" list
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): Method=tacacs_serv (tacacs+)
Dec 10 15:41:55.865: TAC+: send AUTHEN/START packet ver=192 id=-523725535
Dec 10 15:41:56.167: TAC+: ver=192 id=-523725535 received AUTHEN status = GETPASS
Dec 10 15:41:56.167: AAA/AUTHEN (3771241761): status = GETPASS
% Error in authentication.

Thanks again...

Hi David,

If you notice the debug:

Dec 10 15:41:55.857: AAA/MEMORY: create_user (0x1E6AA88) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

So enable authentication is being done for testuser, so the privilege should also be inside the user testuser.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

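The two artefacts the thread keeps going back to are the tac_plus.conf user blocks and the `debug aaa authentication` lines, and the question is whether the server has an entry matching what the switch is asking for (service ENABLE, priv 15, and the `$enab<level>$` user that the O'Reilly quote above describes; tac_plus's documented name for level 15 is `$enab15$`, while the quote spells it `$enabl15$` in one place). The following Python script is an added example, not code from this thread or from tac_plus: it parses a constructed tac_plus.conf fragment and a constructed debug excerpt modelled on the ones posted here, works out which enable user the request needs, and reports whether that user exists or whether a similarly spelled one suggests a typo. The conf parser handles only the `key = value` and `kind = name { ... }` syntax seen in the thread, and the expected-name pattern is a parameter so it can be adapted to a server that uses a different convention.

```python
"""Cross-check a tac_plus.conf fragment against 'debug aaa authentication' output.

Added example (not code from this thread or from tac_plus). Both inputs below
are constructed after the ones posted in the thread.
"""
import re

# Constructed tac_plus.conf fragment, modelled on the thread's, with the
# mis-spelled enable user ($enabl15$ instead of $enab15$) kept on purpose.
SAMPLE_CONF = """
host = 192.168.70.15 {
        prompt = "Enter your Username and Password. Username: "
        enable = cleartext "password"
}
user = $enabl15$ {
        login = cleartext "password"
        priv-lvl = 15
}
user = testuser {
        login = PAM
        member = admin
}
group = admin {
        # members without their own password are looked up via PAM
        login = PAM
        service = exec {
                priv-lvl = 15
        }
}
"""

# Constructed excerpt of the switch-side debug, same fields as the thread's.
SAMPLE_DEBUG = """\
Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
"""

_BLOCK_OPEN = re.compile(r'^([\w-]+)\s*=\s*(.+?)\s*\{$')


def parse_tac_plus(text):
    """Parse 'key = value' and 'kind = name { ... }' lines into nested dicts.

    Blocks are keyed by (kind, name), e.g. ('user', '$enab15$'); plain
    settings are keyed by name with the raw right-hand side as the value.
    Only the subset of tac_plus.conf syntax used in the thread is handled.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            block = {}
            stack[-1][(m.group(1), m.group(2))] = block
            stack.append(block)
        elif line == '}':
            if len(stack) == 1:
                raise ValueError('stray closing brace in tac_plus.conf fragment')
            stack.pop()
        else:
            key, _, value = line.partition('=')
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError('unbalanced braces in tac_plus.conf fragment')
    return root


def parse_enable_attempt(debug_text):
    """Extract user, service, requested priv level, method and last status."""
    attempt = {}
    for line in debug_text.splitlines():
        m = re.search(r"create_user .* user='([^']*)'.* service=(\w+) priv=(\d+)", line)
        if m:
            attempt.update(user=m.group(1), service=m.group(2), priv=int(m.group(3)))
        m = re.search(r'Method=(\S+)\s*\((\S+)\)', line)
        if m:
            attempt['method'] = m.group(2)
        m = re.search(r'received AUTHEN status = (\w+)', line)
        if m:
            attempt['last_status'] = m.group(1)
    return attempt


def check_enable_config(conf, attempt, name_pattern='$enab{level}$'):
    """Return a list of findings; an empty list means the needed user is present."""
    if attempt.get('service') != 'ENABLE':
        return ['debug excerpt does not show an ENABLE request']
    level = attempt['priv']
    expected = name_pattern.format(level=level)
    users = {key[1]: body for key, body in conf.items()
             if isinstance(key, tuple) and key[0] == 'user'}
    findings = []
    if expected not in users:
        msg = f'no user {expected!r} defined for enable level {level}'
        near = [n for n in users if n.startswith('$ena') and n != expected]
        if near:
            msg += f'; similarly named entries {near} look like a misspelling'
        findings.append(msg)
    elif 'login' not in users[expected]:
        findings.append(f'user {expected!r} has no login = ... line, so no enable secret')
    return findings


if __name__ == '__main__':
    attempt = parse_enable_attempt(SAMPLE_DEBUG)
    print('switch requested:', attempt)
    for finding in check_enable_config(parse_tac_plus(SAMPLE_CONF), attempt) or ['no findings']:
        print(' -', finding)
```

Run as-is it reports that `$enab15$` is missing and that `$enabl15$` looks like a misspelling; replacing the user name in the sample with `$enab15$` makes the check pass. A GETPASS followed by "% Error in authentication" can have other causes on the server side, so a clean result here only rules out the naming mismatch, not the whole problem.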

I added the priv-lvl to enable15:

user = $enabl15$ {
        login = cleartext 802.11boingo
        priv-lvl = 15
}

It is also in the testuser config:

user = testuser {
        login = PAM
        member = admin
        service = exec
        priv-lvl = 15
}

It is also in the group config:

group = admin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        #login = file /etc/passwd
        login = PAM
        # group members who have no expiry date set will use this one
        #expires = "Jan 1 1997"
        # only allow access to specific routers
        acl = default
        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router)
        service = exec {
                priv-lvl = 15
                #default service = permit
        }
}

Below is the latest debug:

CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 16:06:45.755: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 16:06:45.755: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
% Error in authentication.

Hi David,

So here is the thing: I know how to set maximum and default privilege levels on the ACS (Cisco Access Control System).

Eg:

In the same way, it would be different in the tac_plus server that you are using.

The configuration you have used is, I suppose, for the default privilege level, which will not help in our scenario.

Now, I am not sure of how to configure maximum privilege on the tac_plus side.

I do have a suggestion if you are interested in skipping the enable authentication mode and doing the authorization based on privilege levels.

Let me know if you are; then I can suggest that config on the IOS side.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed
