Tacacs+ authorization failed

Cheng Chen
Level 1

Dear All:

    We have a problem where TACACS+ authorization is not working on a small number of our 2960 switches. If I run "show run int f0/1" or "show authentication sessions int f0/1" on one of these 2960s, the log shows "% Authorization failed.", but other commands and other types of network device work fine. It is very strange. The 2960 and ACS versions are as follows:

1. 2960: 15.0(2)SE2, 12.2(55)SE5, 12.2(55)SE6

2. ACS: Release 4.2(1) Build 15 Patch 10

    I believe it is certainly a failure on the ACS server, but in ACS I can't find any error message or TACACS+ logging. Is that a bug? Thanks!

This is the debug output:

Authorization failed:

.Oct 21 15:28:54.416 China: AAA: parse name=tty2 idb type=-1 tty=-1

.Oct 21 15:28:54.416 China: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

.Oct 21 15:28:54.416 China: AAA/MEMORY: create_user (0x3B80FFC) user='ABCD' ruser='WHN00S8' ds0=0 port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=DCCAA7AF

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): Port='tty2' list='' service=CMD

.Oct 21 15:28:54.416 China: AAA/AUTHOR/CMD: tty2 (2700905137) user='ABCD'

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV service=shell

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd=show

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=running-config

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=interface

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=FastEthernet

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=0/1

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=<cr>

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): found list "default"

.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=tacacs+ (tacacs+)

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): user=ABCD

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV service=shell

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd=show

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=running-config

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=interface

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=FastEthernet

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=0/1

.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=<cr>

.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR

.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=LOCAL

.Oct 21 15:28:59.566 China: AAA/AUTHOR/LOCAL: no entry for ABCD

.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR

.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=NOT_SET

.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): no methods left to try

.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR

.Oct 21 15:28:59.566 China: AAA/MEMORY: free_user (0x3B80FFC) user='ABCD' ruser='WHN00S8' port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15

Normal:

.Oct 21 15:50:22.142 China: AAA: parse name=tty2 idb type=-1 tty=-1

.Oct 21 15:50:22.142 China: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

.Oct 21 15:50:22.142 China: AAA/MEMORY: create_user (0x3B81044) user='ABCD' ruser='WHN00S8' ds0=0 port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=9718AC2E

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): Port='tty2' list='' service=CMD

.Oct 21 15:50:22.142 China: AAA/AUTHOR/CMD: tty2 (3465703407) user='ABCD'

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV service=shell

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd=show

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd-arg=running-config

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd-arg=<cr>

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): found list "default"

.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): Method=tacacs+ (tacacs+)

.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): user=ABCD

.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV service=shell

.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd=show

.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd-arg=running-config

.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd-arg=<cr>

.Oct 21 15:50:22.369 China: AAA/AUTHOR (3465703407): Post authorization status = PASS_ADD

.Oct 21 15:50:22.369 China: AAA/MEMORY: free_user (0x3B81044) user='ABCD' ruser='WHN00S8' port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15
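The two traces above differ in one detail that is easy to miss when reading them by hand: the failing request ends with "Post authorization status = ERROR", not FAIL, and the ERROR arrives 5.15 seconds after the AV pairs were sent, which is just past the IOS default of 5 seconds for "tacacs-server timeout". An ERROR means the tacacs+ method produced no usable answer, so the list fell through to "local" (which has no entry for the user) and then to NOT_SET, and the command was refused without any server ever saying "deny". The following helper is an added example, not code from the original post; it parses this style of "debug aaa authorization" output, rebuilds the command from the cmd/cmd-arg pairs, records the method chain and final status, and measures the elapsed time per request. SAMPLE is constructed from the lines in the post, and the 5-second figure is the IOS default, not something the poster configured.

```python
"""Triage helper for Cisco IOS 'debug aaa authorization' output.

Added example, not part of the original post. It groups debug lines by AAA
request ID (the number in parentheses), rebuilds the attribute-value pairs
sent to the TACACS+ server, records the method chain and each
'Post authorization status', and measures how long the request took.
SAMPLE is constructed from the two traces in the post.
"""
import re
from datetime import datetime

# IOS default for 'tacacs-server timeout', in seconds.
IOS_TACACS_DEFAULT_TIMEOUT = 5.0

LINE_RE = re.compile(
    r"^\.?(?P<mon>[A-Za-z]{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) \S+: (?P<body>.*)$")
ID_RE = re.compile(r"\((?P<id>\d{6,})\)")
AV_RE = re.compile(r"send AV (?P<attr>[\w-]+)=(?P<val>.*)$")
METHOD_RE = re.compile(r"Method=(?P<method>[A-Za-z_+]+)")
STATUS_RE = re.compile(r"Post authorization status = (?P<status>\w+)")

# Constructed sample: a subset of the failing and the normal trace from the post.
SAMPLE = """\
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=tacacs+ (tacacs+)
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV service=shell
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd=show
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=running-config
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=interface
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=FastEthernet
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=0/1
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=<cr>
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=LOCAL
.Oct 21 15:28:59.566 China: AAA/AUTHOR/LOCAL: no entry for ABCD
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=NOT_SET
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): Method=tacacs+ (tacacs+)
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV service=shell
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd=show
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd-arg=running-config
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd-arg=<cr>
.Oct 21 15:50:22.369 China: AAA/AUTHOR (3465703407): Post authorization status = PASS_ADD
"""


def _ts(m):
    # The debug timestamp carries no year; any fixed year keeps the arithmetic valid.
    return datetime.strptime(f"2000 {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f")


def parse_author_debug(text):
    """Return {request_id: summary} for every authorization request in the text."""
    reqs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        idm = ID_RE.search(body)
        if not idm:  # AAA/MEMORY and AAA/AUTHOR/LOCAL lines carry no request ID
            continue
        r = reqs.setdefault(idm["id"], {"avpairs": [], "methods": [], "statuses": [],
                                        "first": _ts(m), "last": _ts(m)})
        r["last"] = _ts(m)
        if "AAA/AUTHOR/TAC+" in body:  # only the pairs actually sent to the server
            av = AV_RE.search(body)
            if av:
                r["avpairs"].append((av["attr"], av["val"]))
        mm = METHOD_RE.search(body)
        if mm:
            r["methods"].append(mm["method"])
        sm = STATUS_RE.search(body)
        if sm:
            r["statuses"].append(sm["status"])
    return reqs


def command_of(req):
    """Rebuild the command line from the cmd / cmd-arg pairs, dropping the <cr> marker."""
    return " ".join(v for a, v in req["avpairs"] if a in ("cmd", "cmd-arg") and v != "<cr>")


def verdict(req):
    """Classify the outcome: PASS* permits, FAIL is an explicit deny, ERROR is 'no answer'."""
    final = req["statuses"][-1] if req["statuses"] else "UNKNOWN"
    elapsed = (req["last"] - req["first"]).total_seconds()
    return {
        "final": final,
        "methods": req["methods"],
        "elapsed_s": round(elapsed, 3),
        # ERROR at or beyond the timeout window means no server reply was accepted
        # in time; it does not mean the server denied the command.
        "tacacs_timeout_suspected": final == "ERROR" and elapsed >= IOS_TACACS_DEFAULT_TIMEOUT,
    }


if __name__ == "__main__":
    for rid, req in parse_author_debug(SAMPLE).items():
        print(rid, command_of(req), verdict(req))
```

Run against the two traces, the failing request reports methods tacacs+, LOCAL, NOT_SET, final status ERROR and 5.15 s elapsed with the timeout flag set, while the normal one reports PASS_ADD after 0.227 s. The check worth keeping from this is the distinction between ERROR and FAIL: only FAIL is a decision from the server, and an ERROR that lands right at the configured timeout points at the reply not being accepted by the switch rather than at the policy on ACS.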

Accepted Solution

Richard Burts
Hall of Fame

It is difficult to tell from the logs what the problem is. Perhaps we could give better advice if you would post configuration (at least the aaa portion) of the switch having a problem and from a switch that is working fine.

HTH

Rick

6 Replies

Thanks Rick. Below is the standard aaa section of the configuration on all our devices. Because ACS 4.2 is end of support, we can't open a case with Cisco, which is very frustrating, but I could find some important messages under "ACS→System Configuration→Support":

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 <<< RECEIVED FROM CLIENT:WHN_Office TYPE=AUTHOR, SEQ=1, FLAGS=1

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 SESSIONID 108458144 (0x676f0a0), DATALEN 143 (0x8f)

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 type=AUTHOR, priv_lvl=15, authen=1

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 METHOD=none

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 SVC=0 USER_LEN=7 PORT_LEN=4 REM_ADDR_LEN=14 ARG_CNT=7

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 USER=TXW7401

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 PORT=tty1

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 REM_ADDR=172.31.132.246

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[0](size=13)=service=shell

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[1](size=8)=cmd=show

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[2](size=22)=cmd-arg=running-config

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[3](size=17)=cmd-arg=interface

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[4](size=20)=cmd-arg=FastEthernet

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[5](size=11)=cmd-arg=0/1

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[6](size=12)=cmd-arg=

TCS 11/14/2013 14:47:09 I 0043 6768 0x0 END >>>

TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee <<< PACKET TO CLIENT:WHN_Office TYPE:AUTHOR/PASS_ADD, SEQ 2, FLAGS 1

TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee SESSIONID 108458144 (0x676f0a0), DATALEN 6 (0x6)

TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)

TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee msg_len=0, data_len=0 arg_cnt=0

TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee End >>>

Based on the messages above, ACS received the messages from the client and it authenticated and authorized the commands, but the switch displays authorization failed.

aaa section:

aaa new-model

!  

!

aaa authentication login default group tacacs+ local

aaa authentication login console local

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

thanks!

chencheng

Jatin Katyal
Cisco Employee

Where exactly are you looking for logs? Did you check under Reports and Activity > TACACS+ Administration?

Also, please provide the output of "show run | in aaa" and "show run | begin line".

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Sir:

   In the ACS server, I can find the authorized (passed) commands only under TACACS+ Administration, but the failed logs are not there. Thanks!

aaa new-model

!  

!

aaa authentication login default group tacacs+ local

aaa authentication login console local

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

line con 0

exec-timeout 30 0

login authentication console

line aux 0

exec-timeout 30 0

transport input all

line vty 0 4

access-class 30 in

exec-timeout 30 0

transport input telnet

line vty 5 15

access-class 10 in

exec-timeout 30 0

transport input telnet

chencheng

It is surprising that the logs from the server show that it did authorize the command but that the switch is showing failure. Is this happening consistently all the time or is it an occasional problem?

I wonder if it is significant that the switch is not logging an authorization error but is indicating "post authorization":

China: AAA/AUTHOR (2700905137): Post authorization status = ERROR

I do have one suggestion for you to try. Would you change this line

aaa authorization commands 15 default group tacacs+ local

and make it like this

aaa authorization commands 15 default group tacacs+ if-authenticated

HTH

Rick
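Rick's suggestion changes what happens after the tacacs+ method errors, so it is worth seeing the method-list rule written out. The model below is an added example, not code from the thread or from Cisco: it reproduces the fallback behaviour the debug trace shows (ERROR hands the request to the next method, FAIL stops the list with a deny, PASS permits) and evaluates the poster's "group tacacs+ local" list against the suggested "group tacacs+ if-authenticated" list. The server delay, the 5-second timeout (the IOS default for "tacacs-server timeout") and the assumption that "if-authenticated" denies an unauthenticated session are constructed for illustration.

```python
"""Model of IOS AAA method-list fallback for command authorization.

Added example, not from the thread. Each method answers PASS, FAIL or ERROR;
ERROR moves on to the next method, PASS/FAIL end the list. `local` with no
matching username answers ERROR, which is what the trace shows as
"AAA/AUTHOR/LOCAL: no entry for ABCD" followed by status ERROR.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    authenticated: bool                 # login authentication already succeeded on this line
    local_users: set = field(default_factory=set)  # 'username' entries in the running config


@dataclass
class TacacsServer:
    decision: str                       # what the server would answer: "PASS" or "FAIL"
    reply_delay_s: float                # constructed: how long the reply takes to be accepted
    timeout_s: float = 5.0              # IOS default for 'tacacs-server timeout'

    def authorize(self, session, cmd):
        # A reply that is not accepted inside the timeout window is reported as
        # ERROR by the switch, regardless of what the server decided.
        if self.reply_delay_s > self.timeout_s:
            return "ERROR"
        return self.decision


def local_method(session, cmd):
    # No local username entry -> ERROR, not FAIL, so the list keeps falling through.
    return "PASS" if session.user in session.local_users else "ERROR"


def if_authenticated_method(session, cmd):
    # Permits anything once the user is authenticated; assumed to deny otherwise.
    return "PASS" if session.authenticated else "FAIL"


def authorize_command(methods, session, cmd):
    """Walk the method list as IOS does; returns (final_status, trail)."""
    trail = []
    for name, fn in methods:
        status = fn(session, cmd)
        trail.append((name, status))
        if status in ("PASS", "FAIL"):
            return status, trail
    # "no methods left to try": every method errored and the command is refused.
    return "ERROR", trail


def compare_policies(server):
    """Evaluate 'group tacacs+ local' against 'group tacacs+ if-authenticated'."""
    session = Session(user="ABCD", authenticated=True, local_users=set())
    cmd = "show running-config interface FastEthernet 0/1"
    tacacs = ("tacacs+", server.authorize)
    current = [tacacs, ("local", local_method)]
    suggested = [tacacs, ("if-authenticated", if_authenticated_method)]
    return {
        "tacacs+ local": authorize_command(current, session, cmd),
        "tacacs+ if-authenticated": authorize_command(suggested, session, cmd),
    }


if __name__ == "__main__":
    late = TacacsServer(decision="PASS", reply_delay_s=5.15)   # reply lands after the timeout
    denying = TacacsServer(decision="FAIL", reply_delay_s=0.2)  # prompt explicit deny
    for label, srv in (("late reply", late), ("explicit deny", denying)):
        print(label, compare_policies(srv))
```

With a reply that is not accepted in time, the current list ends in ERROR (tacacs+ ERROR, local ERROR) and the command is refused, which is exactly the trace in the question; the suggested list ends in PASS because if-authenticated answers for every authenticated user. A prompt FAIL from the server is still honoured by both lists, since FAIL stops the walk. The caveat to weigh before adopting the change: if-authenticated is fail-open for command authorization, so while the server is unreachable any authenticated user can run any command at their privilege level, whereas the local fallback only permits what a local username entry allows. Whichever list is chosen, the 5-second gap in the trace is the thing to chase.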

Hehe, yes, it's surprising. This log happens on a few 2960 switches, and the other devices work fine, but I'm sure that ACS is out of the fault. By the way, I'm adopting your suggestion and will try again. If the issue is solved, I will inform you. Thanks!

chencheng
