New Member

authorization problem after upgrade IOS

This was the working config on a cluster member (WS-C2960-24-S), IOS version c2960-lanlite-mz.122-37.EY:

aaa new-model

aaa authentication login default local group radius

aaa authorization exec default group radius if-authenticated none

aaa accounting exec default start-stop group radius

which allowed normal authorization from the cluster commander and a direct connection to the device via RADIUS authorization.

After the upgrade to c2960-lanlite-mz.122-50.SE.bin I get an error when I try to log on via the cluster commander. In the debug output I see the switch send an authorization request to the RADIUS server with my username and password as "cisco" and get a reject from the server.

Can this situation be solved by additional config, or do I need to fall back to the previous IOS?

7 REPLIES
Hall of Fame Super Gold

Re: authorization problem after upgrade IOS

The 12.2(50) has a number of very-basic bugs. I'd recommend you downgrade to 12.2(46)SE IOS.

New Member

Re: authorization problem after upgrade IOS

I downgraded to 12.2(46). This didn't solve my problem. Any other suggestions? Or only a downgrade to the .37 release?

Hall of Fame Super Gold

Re: authorization problem after upgrade IOS

Have you tried removing the AAA statements and putting them back in?

New Member

Re: authorization problem after upgrade IOS

I tried. Didn't work.

Hall of Fame Super Gold

Re: authorization problem after upgrade IOS

I take that back. Why don't you upgrade to the new 12.2(50)SE1 IOS?

Bronze

Re: authorization problem after upgrade IOS

Check your TACACS server configuration.

Are you using "single-connection" option ?

ip tacacs server x.x.x.x key yyyyy single-connection

If so, remove the single-connection option.

I have also run into "authorization failure" errors after an upgrade.

1) There is a known bug for TACACS when the switch receives "unknown" TLV values.

When I removed the "single-connection" option, the problem went away.

2) We have also dug a bit further, and it also seemed to be related to the "device group" the device was assigned to in ACNS. When the switch was not defined in any group (default, just discovered) it didn't work. After the switch was assigned to the proper group, it worked.

mvg,

Geert

New Member

Re: authorization problem after upgrade IOS

Why do I need to configure a parameter for the TACACS server if I'm not using it?

I debugged the situation and concluded that the new IOS doesn't correctly handle the authorization process.

For example on IOS 12.2(37)EY we receive:

Apr 18 19:27:58: CLUSTER_MEMBER_12: AAA/MEMORY: free_user (0x1B24D5C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: parse name=tty3 idb type=-1 tty=-1

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/MEMORY: create_user (0x19B0948) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Port='tty3' list='' service=EXEC

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: tty3 (184998216) user='sergey'

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV service=shell

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): send AV cmd*

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): found list "default"

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/LOCAL: no entry for sergey

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR

Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD

Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful

and on IOS 12.2(50)SE1 receive:

00:18:37: %SYS-CLUSTER_MEMBER_15-5-CONFIG_I: Configured from console by sergey on vty0 (10.0.0.16)

00:18:40: CLUSTER_MEMBER_15: AAA/BIND(00000008): Bind i/f

00:18:40: CLUSTER_MEMBER_15: AAA: parse name=tty3 idb type=-1 tty=-1

00:18:40: CLUSTER_MEMBER_15: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

00:18:40: CLUSTER_MEMBER_15: AAA/MEMORY: create_user (0x24C517C) user='sergey' ruser='NULL' ds0=0 port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)

00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'

00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED

00:18:47: CLUSTER_MEMBER_15: AAA/MEMORY: free_user (0x24C517C) user='sergey' ruser='NULL' port='tty3' rem_addr='10.188.72.128' authen_type=ASCII service=LOGIN priv=15
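
Added example, not part of the thread: a small Python parser that reduces AAA authorization debug output like the two excerpts in the last post to the method chain and the final result, so the difference between the two releases is visible at a glance. The function names are assumptions of this sketch; the sample lines are copied from the post.

```python
import re

# Patterns for the AAA/AUTHOR debug lines seen in both IOS releases in the thread.
METHOD = re.compile(r"AAA/AUTHOR/EXEC\s*\(\w+\): Method=(\S+)")
STATUS = re.compile(r"AAA/AUTHOR\s*\(\w+\): Post authorization status = (\S+)")
RESULT = re.compile(r"AAA/AUTHOR/EXEC(?:\s*\(\w+\))?: Authorization (successful|FAILED)")

def trace_authorization(lines):
    """Pair each method tried with its status and capture the final result."""
    methods, pending, result = [], None, None
    for line in lines:
        if m := METHOD.search(line):
            pending = m.group(1)
        elif (m := STATUS.search(line)) and pending:
            methods.append((pending, m.group(1)))
            pending = None
        elif m := RESULT.search(line):
            result = m.group(1)
    return {"methods": methods, "result": result}

def summarize(trace):
    """One-line summary: final result plus the method chain, if any was logged."""
    if not trace["methods"]:
        return f"{trace['result']}: no per-method lines logged"
    chain = " -> ".join(f"{name}={status}" for name, status in trace["methods"])
    return f"{trace['result']}: {chain}"

# Excerpts copied from the two debug outputs in the post above.
OLD_IOS = """\
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=LOCAL
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=radius (radius)
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = ERROR
Apr 18 19:27:59: CLUSTER_MEMBER_12: tty3 AAA/AUTHOR/EXEC (184998216): Method=IF_AUTHEN
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR (184998216): Post authorization status = PASS_ADD
Apr 18 19:27:59: CLUSTER_MEMBER_12: AAA/AUTHOR/EXEC: Authorization successful
""".splitlines()
NEW_IOS = """\
00:18:40: CLUSTER_MEMBER_15: AAA/AUTHOR (0x8): Pick method list 'default'
00:18:45: CLUSTER_MEMBER_15: AAA/AUTHOR/EXEC(00000008): Authorization FAILED
""".splitlines()

if __name__ == "__main__":
    print("12.2(37)EY  ", summarize(trace_authorization(OLD_IOS)))
    print("12.2(50)SE1 ", summarize(trace_authorization(NEW_IOS)))
```
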
