11-12-2013 08:40 PM - edited 03-10-2019 09:05 PM
Dear All:
We have a problem with TACACS+ authorization not working on a small number of our 2960 switches. If I run "show run int f0/1" or "show authentication sessions int f0/1" on one of these 2960 switches, the log displays "% Authorization failed.", but other commands, and other types of network device, work fine. It is very strange. The 2960 versions and the ACS version are as follows:
1. 2960: 15.0(2)SE2, 12.2(55)SE5, 12.2(55)SE6
2. ACS: Release 4.2(1) Build 15 Patch 10
I believe it is certainly an ACS server failure, but in ACS I can't find any error message or TACACS+ logging. Is that a bug? Thanks!
This is the debug output:
Authorization failed:
.Oct 21 15:28:54.416 China: AAA: parse name=tty2 idb type=-1 tty=-1
.Oct 21 15:28:54.416 China: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
.Oct 21 15:28:54.416 China: AAA/MEMORY: create_user (0x3B80FFC) user='ABCD' ruser='WHN00S8' ds0=0 port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=DCCAA7AF
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): Port='tty2' list='' service=CMD
.Oct 21 15:28:54.416 China: AAA/AUTHOR/CMD: tty2 (2700905137) user='ABCD'
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV service=shell
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd=show
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=running-config
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=interface
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=FastEthernet
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=0/1
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=<cr>
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): found list "default"
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=tacacs+ (tacacs+)
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): user=ABCD
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV service=shell
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd=show
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=running-config
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=interface
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=FastEthernet
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=0/1
.Oct 21 15:28:54.416 China: AAA/AUTHOR/TAC+: (2700905137): send AV cmd-arg=<cr>
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=LOCAL
.Oct 21 15:28:59.566 China: AAA/AUTHOR/LOCAL: no entry for ABCD
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=NOT_SET
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): no methods left to try
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: AAA/MEMORY: free_user (0x3B80FFC) user='ABCD' ruser='WHN00S8' port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15
Normal:
.Oct 21 15:50:22.142 China: AAA: parse name=tty2 idb type=-1 tty=-1
.Oct 21 15:50:22.142 China: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
.Oct 21 15:50:22.142 China: AAA/MEMORY: create_user (0x3B81044) user='ABCD' ruser='WHN00S8' ds0=0 port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=9718AC2E
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): Port='tty2' list='' service=CMD
.Oct 21 15:50:22.142 China: AAA/AUTHOR/CMD: tty2 (3465703407) user='ABCD'
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV service=shell
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd=show
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd-arg=running-config
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd-arg=<cr>
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): found list "default"
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): Method=tacacs+ (tacacs+)
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): user=ABCD
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV service=shell
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd=show
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd-arg=running-config
.Oct 21 15:50:22.142 China: AAA/AUTHOR/TAC+: (3465703407): send AV cmd-arg=<cr>
.Oct 21 15:50:22.369 China: AAA/AUTHOR (3465703407): Post authorization status = PASS_ADD
.Oct 21 15:50:22.369 China: AAA/MEMORY: free_user (0x3B81044) user='ABCD' ruser='WHN00S8' port='tty2' rem_addr='192.168.10.10' authen_type=ASCII service=NONE priv=15
11-17-2013 06:06 PM
It is difficult to tell from the logs what the problem is. Perhaps we could give better advice if you would post the configuration (at least the aaa portion) of the switch having the problem and of a switch that is working fine.
HTH
Rick
11-18-2013 04:07 AM
Thanks Rick. Below is the standard aaa section of the configuration on all our devices. Because ACS 4.2 is end of support we can't open a case with Cisco, which is very frustrating, but I did find some important messages under "ACS→System Configuration→Support":
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 <<< RECEIVED FROM CLIENT:WHN_Office TYPE=AUTHOR, SEQ=1, FLAGS=1
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 SESSIONID 108458144 (0x676f0a0), DATALEN 143 (0x8f)
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 type=AUTHOR, priv_lvl=15, authen=1
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 METHOD=none
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 SVC=0 USER_LEN=7 PORT_LEN=4 REM_ADDR_LEN=14 ARG_CNT=7
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 USER=TXW7401
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 PORT=tty1
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 REM_ADDR=172.31.132.246
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[0](size=13)=service=shell
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[1](size=8)=cmd=show
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[2](size=22)=cmd-arg=running-config
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[3](size=17)=cmd-arg=interface
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[4](size=20)=cmd-arg=FastEthernet
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[5](size=11)=cmd-arg=0/1
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 arg[6](size=12)=cmd-arg=<cr>
TCS 11/14/2013 14:47:09 I 0043 6768 0x0 END >>>
TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee <<< PACKET TO CLIENT:WHN_Office TYPE:AUTHOR/PASS_ADD, SEQ 2, FLAGS 1
TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee SESSIONID 108458144 (0x676f0a0), DATALEN 6 (0x6)
TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)
TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee msg_len=0, data_len=0 arg_cnt=0
TCS 11/14/2013 14:47:09 I 0043 4880 0x82ee End >>>
Based on the messages above, ACS received the request from the client and authorized the command, but the switch displays authorization failed.
aaa section:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Thanks!
chencheng
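An added worked example, not part of the thread and not Cisco's code: the AUTHOR REQUEST body that the ACS trace above describes, rebuilt per RFC 8907 (the TACACS+ specification, section 6.1), so the numbers ACS printed can be checked against the wire layout. With USER_LEN=7, PORT_LEN=4, REM_ADDR_LEN=14 and seven arguments of sizes 13, 8, 22, 17, 20, 11 and 12, the body is 8 fixed bytes + 7 argument-length bytes + 25 bytes of user/port/rem_addr + 103 bytes of arguments = 143 bytes, exactly the DATALEN in the trace. Since "cmd-arg=" alone is 8 bytes, the 12-byte arg[6] can only have been the literal cmd-arg=<cr> that the switch debug shows; the forum rendering swallowed the angle brackets. The body obfuscation of section 4.5 is included so the packet is complete. The shared key is a constructed placeholder (the real one is not on the page), and nothing here talks to a server.

```python
import hashlib
import struct
from typing import Optional

# Constants from RFC 8907 (TACACS+). Values as printed in the ACS trace above:
# METHOD=none, authen=1 (ASCII), SVC=0 (none), priv_lvl=15, TYPE=AUTHOR, SEQ=1.
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_NONE = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_NONE = 0x00


def build_author_request_body(user, port, rem_addr, args, priv_lvl=15,
                              authen_method=TAC_PLUS_AUTHEN_METH_NONE,
                              authen_type=TAC_PLUS_AUTHEN_TYPE_ASCII,
                              authen_service=TAC_PLUS_AUTHEN_SVC_NONE) -> bytes:
    """AUTHOR REQUEST body, RFC 8907 section 6.1: eight fixed bytes, one length
    byte per argument, then user, port, rem_addr and the arguments back to back,
    with no terminators."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    if len(a) > 255 or any(len(x) > 255 for x in (u, p, r, *a)):
        raise ValueError("field exceeds the protocol's one-byte length")
    fixed = struct.pack("!8B", authen_method, priv_lvl, authen_type, authen_service,
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5(session_id | key | version | seq_no | previous
    block), chained until it covers n bytes, then truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < n:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it again restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(session_id: int, seq_no: int, body: bytes, key: Optional[bytes]) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) plus body.
    With no key the body goes in the clear and the unencrypted flag is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0x00
    payload = body if key is None else obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return header + payload


# Arguments exactly as the ACS trace lists them. arg[6] was printed as "cmd-arg="
# with size=12: "cmd-arg=" is 8 bytes, so the other 4 are the literal "<cr>".
ACS_ARGS = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=interface",
            "cmd-arg=FastEthernet", "cmd-arg=0/1", "cmd-arg=<cr>"]
ACS_SESSION_ID = 0x676F0A0                # SESSIONID 108458144 in the trace
PLACEHOLDER_KEY = b"example-shared-secret"  # constructed; the real key is not on the page


def reconstruct_acs_request(key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Rebuild the SEQ=1 AUTHOR REQUEST the ACS trace describes (USER, PORT, REM_ADDR
    and the seven arguments as logged)."""
    body = build_author_request_body("TXW7401", "tty1", "172.31.132.246", ACS_ARGS)
    return build_packet(ACS_SESSION_ID, 1, body, key)


if __name__ == "__main__":
    body = build_author_request_body("TXW7401", "tty1", "172.31.132.246", ACS_ARGS)
    print("arg sizes:", [len(a) for a in ACS_ARGS], "body length:", len(body))
    print("packet:", reconstruct_acs_request().hex())
```

The obfuscation is an MD5 keystream XOR with no integrity protection, which is why RFC 8907 tells operators to keep TACACS+ on a protected management network rather than treat it as encryption. A shared-key mismatch between switch and server is also one of the conditions a switch reports as ERROR rather than FAIL: it cannot decode the reply at all, so there is no authorization decision to act on.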
11-17-2013 11:27 PM
Where exactly are you looking for logs? Did you check under Reports and Activity > TACACS+ Administration?
Also, please provide the output of "show run | in aaa" and "show run | begin line".
~BR
Jatin Katyal
**Do rate helpful posts**
11-18-2013 04:13 AM
Hi Sir,
On the ACS server I can find only the commands that passed authorization, under TACACS+ Administration; the failed ones are not logged there. Thanks!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line con 0
 exec-timeout 30 0
 login authentication console
line aux 0
 exec-timeout 30 0
 transport input all
line vty 0 4
 access-class 30 in
 exec-timeout 30 0
 transport input telnet
line vty 5 15
 access-class 10 in
 exec-timeout 30 0
 transport input telnet
11-18-2013 05:16 AM
chencheng
It is surprising that the logs from the server show that it did authorize the command but that the switch is showing failure. Is this happening consistently all the time or is it an occasional problem?
I wonder if it is significant that the switch is not logging an authorization failure but is indicating "post authorization" error:
China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
I do have one suggestion for you to try. Would you change this line
aaa authorization commands 15 default group tacacs+ local
and make it like this
aaa authorization commands 15 default group tacacs+ if-authenticated
HTH
Rick
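An added example, not from the thread and not Cisco's code: a small parser for the "debug aaa authorization" output quoted in the first post. It groups lines by the transaction id in parentheses and reports what the method list "group tacacs+ local" actually did, separating three outcomes that all look like "% Authorization failed." at the prompt: PASS_ADD (the server permitted the command), FAIL (the server answered and denied it) and ERROR (no usable answer, after which IOS moves to the next method). In the failing transaction the first ERROR is logged 5.150 s after the request, which matches the IOS default tacacs-server timeout of 5 seconds, while the passing transaction was answered in 0.227 s. The "local" method then returns ERROR as well because it has no per-command entries, which the debug shows as "no entry for ABCD". The sample lines are a subset copied from the post; the 5-second default is IOS behaviour, not something stated in the thread.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Sample input: a subset of the `debug aaa authorization` lines from the first post,
# one transaction that ended in "% Authorization failed." and one that passed.
SAMPLE_DEBUG = """\
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV service=shell
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd=show
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=running-config
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=interface
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=FastEthernet
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=0/1
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): send AV cmd-arg=<cr>
.Oct 21 15:28:54.416 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=tacacs+ (tacacs+)
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=LOCAL
.Oct 21 15:28:59.566 China: AAA/AUTHOR/LOCAL: no entry for ABCD
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:28:59.566 China: tty2 AAA/AUTHOR/CMD (2700905137): Method=NOT_SET
.Oct 21 15:28:59.566 China: AAA/AUTHOR (2700905137): Post authorization status = ERROR
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd=show
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): send AV cmd-arg=running-config
.Oct 21 15:50:22.142 China: tty2 AAA/AUTHOR/CMD (3465703407): Method=tacacs+ (tacacs+)
.Oct 21 15:50:22.369 China: AAA/AUTHOR (3465703407): Post authorization status = PASS_ADD
"""

TS_RE = re.compile(r"^\.?(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}) \S+: (.*)$")
AV_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV (\S+?)=(.*)$")
METH_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Method=(\S+)")
STAT_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
TACACS_DEFAULT_TIMEOUT = 5.0  # IOS `tacacs-server timeout` default, in seconds


@dataclass
class AuthzTx:
    txid: str
    first_seen: datetime
    avs: list = field(default_factory=list)       # (attribute, value) pairs sent to the server
    methods: list = field(default_factory=list)   # method-list entries tried, in order
    statuses: list = field(default_factory=list)  # (timestamp, status), one per method tried

    @property
    def command(self) -> str:
        return " ".join(v for a, v in self.avs if a in ("cmd", "cmd-arg") and v != "<cr>")

    @property
    def final_status(self) -> str:
        return self.statuses[-1][1] if self.statuses else "NO_STATUS"

    def seconds_to_first_status(self) -> float:
        return (self.statuses[0][0] - self.first_seen).total_seconds()


def _match(body: str):
    for kind, rx in (("av", AV_RE), ("method", METH_RE), ("status", STAT_RE)):
        m = rx.search(body)
        if m:
            return kind, m
    return None, None


def parse_debug(text: str) -> dict:
    """Group `debug aaa authorization` lines by the transaction id in parentheses."""
    txs = {}
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        kind, hit = _match(m.group(2))
        if not hit:
            continue  # lines without a transaction id, e.g. "AAA/AUTHOR/LOCAL: no entry"
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        tx = txs.setdefault(hit.group(1), AuthzTx(hit.group(1), first_seen=ts))
        if kind == "av":
            tx.avs.append((hit.group(2), hit.group(3)))
        elif kind == "method":
            tx.methods.append(hit.group(2))
        else:
            tx.statuses.append((ts, hit.group(2)))
    return txs


def diagnose(tx: AuthzTx) -> str:
    """PASS_*: the server permitted the command. FAIL: the server answered and denied it.
    ERROR: no usable answer (timeout, unreachable server, key mismatch), so IOS falls
    through to the next method; `local` has no per-command entries and errors too."""
    codes = [s for _, s in tx.statuses]
    if tx.final_status.startswith("PASS"):
        return f"permitted by {tx.methods[-1]} after {tx.seconds_to_first_status():.3f}s"
    if "FAIL" in codes:
        return f"denied by policy on method {tx.methods[codes.index('FAIL')]}"
    if codes and codes[0] == "ERROR":
        wait = tx.seconds_to_first_status()
        note = (f" (consistent with the {TACACS_DEFAULT_TIMEOUT:.0f}s tacacs-server timeout)"
                if wait >= TACACS_DEFAULT_TIMEOUT else "")
        return f"no usable server reply after {wait:.3f}s{note}; methods tried: {', '.join(tx.methods)}"
    return "no authorization status recorded"


if __name__ == "__main__":
    for tx in parse_debug(SAMPLE_DEBUG).values():
        print(f"{tx.txid}: '{tx.command}' -> {diagnose(tx)}")
```

Changing the method list to "group tacacs+ if-authenticated", as suggested above, alters only what happens after the ERROR: if-authenticated permits the command for any authenticated user, so the prompt stops saying "% Authorization failed." while the server is not answering. The trade-off is that per-command authorization then fails open during a server outage or a key mismatch, so the timeout itself still needs explaining before relying on that change.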
11-18-2013 06:30 AM
Hehe, yes, it's surprising. This log happened on a few 2960 switches, and the other devices are working fine, but I'm sure ACS is not at fault. By the way, I'm adopting your suggestion and will try again. If the issue is solved, I will inform you. Thanks!
chencheng