Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tacacs+ authorization not working

i have the following issue:

i can authenticate to my tacacs+ server, but authorization is not working

i have cross referenced the config with other routers but this one doesn't seem to work

i can login, so authentication works, then i do a "show run" or "whatever command" and it says "authorization failed" plus a long time wait

here the tacacs+ and aaa debugging

170325: Apr 23 09:52:12.907 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170326: Apr 23 09:52:17.906 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170327: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170328: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): Method=LOCAL

170329: Apr 23 09:52:17.906 Asd: AAA/AUTHOR/LOCAL: no entry for username111

170330: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170331: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): Method=NOT_SET

170332: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): no methods left to try

170333: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170334: Apr 23 09:52:17.906 Asd: AAA/MEMORY: free_user (0x634E9E8C) user='user111' ruser='routername' port='tty194' rem_addr='1.1.1.1' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

170335: Apr 23 09:54:00.288 Asd: AAA: parse name=tty194 idb type=-1 tty=-1

170336: Apr 23 09:54:00.288 Asd: AAA: name=tty194 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=194 channel=0

170337: Apr 23 09:54:00.288 Asd: AAA/MEMORY: create_user (0x636AC9FC) user='username111' ruser='routername' ds0=0 port='tty194' rem_addr='1.1.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

170338: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Port='tty194' list='' service=CMD

170339: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/CMD: tty194(3078002889) user='username111'

170340: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV service=shell

170341: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd=show

170342: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=running-config

170343: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=<cr>

170344: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): found list "default"

170345: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=ACS (tacacs+)

170346: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): user=username111

170347: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV service=shell

170348: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd=show

170349: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd-arg=running-config

170350: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd-arg=<cr>

170351: Apr 23 09:54:00.288 Asd: TAC+: Using default tacacs server-group "ACS" list.

170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170355: Apr 23 09:54:05.291 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170356: Apr 23 09:54:10.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170357: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

170358: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=LOCAL

170359: Apr 23 09:54:10.291 Asd: AAA/AUTHOR/LOCAL: no entry for username111

170360: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

170361: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=NOT_SET

170362: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): no methods left to try

170363: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

i can ping both tacacs+ servers from within their vrf, using the source interface, so connectivity is good, no firewalls in between

authentication works, just authorization not, with a large timeout

any ideas?

sh ver

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.3(8)T8, RELEASE SOFTWARE (fc1)

key is also good as i can authenticate

tacacs+ server also is set to accept from the correct ip address, i.e. the source address of the interface on the router

16 REPLIES

Tacacs+ authorization not working

hi,

can you post your show run | i aaa output?

double check the Group Setup settings on your ACS/TACACS+ server. make sure you've permitted the commands/arguments for the user/group.

New Member

Tacacs+ authorization not working

aaa new-model
!
!
aaa group server tacacs+ ACS
server-private server 1 key 7 x
server-private server 2 key 7 x
ip vrf forwarding yadayada
ip tacacs source-interface FastEthernet0/0.50
!
aaa authentication login default group ACS local
aaa authentication login NO_AUTHEN none
aaa authorization console
aaa authorization exec default group ACS local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group ACS local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group ACS
aaa accounting commands 15 default stop-only group ACS
aaa session-id common

it's acs version 3.1

Tacacs+ authorization not working

could you add the below and try again:

aaa authorization exec default group tacacs+

New Member

Tacacs+ authorization not working

it has locked me out now

i get a direct authorization failed when i login with either my username or that of my colleague    

Tacacs+ authorization not working

170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not

Try to use the local database of the equipment in order to login.

After using the user from the local database paste :

show ip vrf

show ip route vrf yadayada

show run int FastEthernet0/0.50

ping vrf yadayada 10.60.12.88

Dan

New Member

Tacacs+ authorization not working

i tried this

the router is connected to our core

i tried the pinging to both tacacs servers from within the vrf and fa0/0.50 as source interface

this works

Tacacs+ authorization not working

hi,

AAA can be very tricky. you should've perform this on a maintenance window if this is a production router. only way to recover is to do a reboot. be sure that at least 1 user always has full rights.

New Member

Tacacs+ authorization not working

i know.. it's a testrouter.. im gonna go to the DC to try access it with console cable, had to go there anyway

is a reload only option?

or is the console not subject to acs?

i stopped the acs server:

my username -> authentication failed

colleage username -> authorization failed

tacacs server back running:

my username -> direct authorization failed on login prompt

colleague -> direct authorization failed on login prompt

i checked both users in acs and they are set up exactly the same

Tacacs+ authorization not working

hi,

a reboot will do.

the console line is also subjected to AAA authentication if you've set it up:

line con 0

login auth ACS

could you post the AAA config on the devices that are working properly?

Tacacs+ authorization not working

Hi John ,

From the configuration pasted :

aaa authentication login default group ACS local

aaa authorization console

aaa authentication login NO_AUTHEN none

This means that the default authentication login is used the ACS group, so there is no need to use "login auth" on the line.

But if he used "login auth NO_AUTHEN" on the line con 0 , then he can get via the console line without any authentication.

Another issue via console with this will be authorization, which by default is via ACS, so there will be the need of :

authorization exec  NO_AUTHOR

Could you check the logs from the ACS, even though the 1841's logs are straigh forward :

"10.60.12.88/49 failed -- Connection timed out; remote host not responding"

Dan

Re: Tacacs+ authorization not working

Hi Dan,

You've got a good point! I might have understood the authentication interchangeably.

I would also concur with you that OP should check further the ACS policies or logs for the authorization to work.

Sent from Cisco Technical Support iPhone App

New Member

Re: Tacacs+ authorization not working

i reloaded the router and it's back up again

which specific logging am i looking for?

i got the tacacs+ administration where i see all the commands, and the tacacs+ accounting

i don't see much strange happening there

in failed attempts i see this for my own username when i tried this morning:

CS password invalid

External DB user invalid or bad password

however i am certain i typed in my password correctly, and also reentered my password for the user

New Member

Re: Tacacs+ authorization not working

Affected version 12.3(8)T8 - would the below apply?

CSCsa53912 Bug Details

Bug #25 of 90 | < Previous | Next >

Tacacs login is failing
Symptoms: You cannot log on when a TACACS+ server is used for authentication.
You get a message that authentication fails and you are asked again to enter
your user name.

Conditions: This symptom is observed when you make a Telnet connection to a
router that is configured for TACACS+ after you have entered you user name and
your TACACS password.

Workaround: Configure the TACACS+ single connection option by entering the
tacacs-server host host-name
single-connection command.
Status Status
Fixed
(Resolved)
Severity Severity
2 - severe

Last Modified Last Modified
In Last Year

Product Product
Cisco IOS software

Technology Technology
Authentication Protocols

1st Found-In 1st Found-in
12.3M
12.3(12.10)M
12.3(12.12)M
12.4(0.2)M
12.3(4)T13
12.3(9a)BC1
12.3(12.11)PI6
12.4(0.2)PI1a
Known Affected Versions KAV


Fixed-In Fixed-in
12.3(13)M
12.3(14.5)M
12.4(0.3)M
12.3(9a)BC3
12.3(11)T7
12.3(12.12)BC
12.3(12.12)T2
12.3(12b)M
12.4(1.8)T

Component(s) Component
aaa

Regression Regression
Y
Related Bug Information
3660/3725: TCP-2-INVALIDTCB:Invalid TCB pointer with tracebacks
Symptoms: A Cisco router shows an  invalid TCB pointer and tracebacks, and authentication stops at random:  %TCP-2-INVALIDTCB: Invalid TCB pointer: 0x62C4512C -Process= "TPLUS",  ipl= 0, pid= 102 -Traceback= 60D60A5C 60D3DC8C  60D43F88 60B5C1CC 60B5BCAC 60B52E58 TPLUS(00003EB1)/0/NB_WAIT/628D8528:  timed out Conditions: This symptom is observed on a Cisco 3660 and  Cisco 3725 that run Cisco IOS Release 12.3(6b). Rebooting may or may not  return the router to normal behavior (that is, TACACS authentication  functions). Workaround: There is no workaround.
tacacs server is bypassed even when there is connectivity
Cannot authenticate using AAA server even when  there is connectivity. The following is configured: aaa authentication  login default group tacacs+ local Even though there's connectivity with  the AAA server as shown by successful pings,  the router does local authenticaton.
TACACS authentication fails in 12.3(123_9_BC1.041229)
Customer was running a pre-released copy of  12.3(123_9_BC1.041229) this image ould not allow him to authenticate  using Tacacs. The error was invalid character in username. without  changing the config or the tacacs sever he could authenticate  if he reverted to 12.3(9a)BC. Authentication should be working in both  versions. Workaround: use the single-connection tacacs option.  tac-server host x.x.x.x single-connection
TACACS authorization failed when perform ACQR telneting
Symptoms : The Telnet authorization failed when configure the UUT with TACACS . The telnet is ok with radius or local configuration . Condition : the problem is seen on 12.4(0.2) version Workaround : work with radius or local authorization configuration

Re: Tacacs+ authorization not working

Yes it's on the Affected versions.If you press "Known Affected Versions"  you will see the list.

Dan

New Member

Re: Tacacs+ authorization not working

i know i clicked it and my version was also there

i might upgrade it and see how that works

New Member

Re: Tacacs+ authorization not working

i upgraded to 12.4(25f) adv ip services and reloaded

issue is GONE!

thanks for thinking along guys

1295
Views
0
Helpful
16
Replies
CreatePlease login to create content