Tacacs+ authorization not working

axeleratorcisco
Level 1

i have the following issue:

i can authenticate to my tacacs+ server, but authorization is not working

i have cross referenced the config with other routers but this one doesn't seem to work

i can login, so authentication works, then i do a "show run" or "whatever command" and it says "authorization failed" plus a long time wait

here the tacacs+ and aaa debugging

170325: Apr 23 09:52:12.907 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170326: Apr 23 09:52:17.906 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170327: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170328: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): Method=LOCAL

170329: Apr 23 09:52:17.906 Asd: AAA/AUTHOR/LOCAL: no entry for username111

170330: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170331: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): Method=NOT_SET

170332: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): no methods left to try

170333: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170334: Apr 23 09:52:17.906 Asd: AAA/MEMORY: free_user (0x634E9E8C) user='user111' ruser='routername' port='tty194' rem_addr='1.1.1.1' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

170335: Apr 23 09:54:00.288 Asd: AAA: parse name=tty194 idb type=-1 tty=-1

170336: Apr 23 09:54:00.288 Asd: AAA: name=tty194 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=194 channel=0

170337: Apr 23 09:54:00.288 Asd: AAA/MEMORY: create_user (0x636AC9FC) user='username111' ruser='routername' ds0=0 port='tty194' rem_addr='1.1.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

170338: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Port='tty194' list='' service=CMD

170339: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/CMD: tty194(3078002889) user='username111'

170340: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV service=shell

170341: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd=show

170342: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=running-config

170343: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=<cr>

170344: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): found list "default"

170345: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=ACS (tacacs+)

170346: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): user=username111

170347: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV service=shell

170348: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd=show

170349: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd-arg=running-config

170350: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd-arg=<cr>

170351: Apr 23 09:54:00.288 Asd: TAC+: Using default tacacs server-group "ACS" list.

170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170355: Apr 23 09:54:05.291 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170356: Apr 23 09:54:10.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170357: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

170358: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=LOCAL

170359: Apr 23 09:54:10.291 Asd: AAA/AUTHOR/LOCAL: no entry for username111

170360: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

170361: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=NOT_SET

170362: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): no methods left to try

170363: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

i can ping both tacacs+ servers from within their vrf, using the source interface, so connectivity is good, no firewalls in between

authentication works, just authorization not, with a large timeout

any ideas?

sh ver

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.3(8)T8, RELEASE SOFTWARE (fc1)

key is also good as i can authenticate

tacacs+ server also is set to accept from the correct ip address, i.e. the source address of the interface on the router
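The debug output above has a recognisable shape: each command authorization opens TCP/49 to the TACACS+ server, waits out the 5 s timeout (twice), falls through to LOCAL, which has no entry for the user, and ends with every method returning ERROR. As an added example (not from the original post), here is a small Python triage script that pulls exactly those facts out of a constructed sample in the same debug format; the function names and the summary keys are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug tacacs" / "debug aaa authorization"
# lines quoted in the thread (values mirror its second authorization attempt).
SAMPLE_DEBUG = """\
170345: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=ACS (tacacs+)
170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5
170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding
170355: Apr 23 09:54:05.291 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5
170356: Apr 23 09:54:10.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding
170357: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR
170358: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=LOCAL
170359: Apr 23 09:54:10.291 Asd: AAA/AUTHOR/LOCAL: no entry for username111
170360: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR
170362: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): no methods left to try
"""

RE_METHOD = re.compile(r"AAA/AUTHOR/CMD\(\d+\): Method=(\S+)")
RE_OPEN = re.compile(r"TAC\+: Opening TCP/IP to (\S+) timeout=(\d+)")
RE_FAIL = re.compile(r"TAC\+: TCP/IP open to (\S+) failed")
RE_LOCAL_MISS = re.compile(r"AAA/AUTHOR/LOCAL: no entry for (\S+)")
RE_STATUS = re.compile(r"Post authorization status = (\S+)")

def triage(debug_text):
    """Summarise one command-authorization attempt from IOS AAA/TACACS+ debug output."""
    s = {"methods": [], "tacacs_failures": defaultdict(int), "wasted_seconds": 0,
         "missing_local_users": [], "final_status": None, "exhausted": False}
    timeouts = {}  # server -> timeout announced by its last "Opening TCP/IP" line
    for line in debug_text.splitlines():
        if m := RE_METHOD.search(line):
            s["methods"].append(m.group(1))          # ACS, LOCAL, NOT_SET ...
        elif m := RE_OPEN.search(line):
            timeouts[m.group(1)] = int(m.group(2))
        elif m := RE_FAIL.search(line):
            s["tacacs_failures"][m.group(1)] += 1   # each one costs a full timeout
            s["wasted_seconds"] += timeouts.get(m.group(1), 0)
        elif m := RE_LOCAL_MISS.search(line):
            s["missing_local_users"].append(m.group(1))
        elif m := RE_STATUS.search(line):
            s["final_status"] = m.group(1)
        elif "no methods left to try" in line:
            s["exhausted"] = True
    s["tacacs_failures"] = dict(s["tacacs_failures"])
    # Worst case for an operator: the server never answered and the local
    # fallback cannot authorize the user either, so every command is denied.
    s["locked_out"] = bool(s["tacacs_failures"]) and s["exhausted"] \
        and s["final_status"] == "ERROR"
    return s
```

Run it on a real capture of `debug tacacs` plus `debug aaa authorization` and compare `wasted_seconds` with the delay the user sees at the prompt; a non-empty `missing_local_users` with `locked_out` set is the configuration to fix before the server goes down for real.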

16 Replies

johnlloyd_13
Level 9

hi,

can you post your show run | i aaa output?

double check the Group Setup settings on your ACS/TACACS+ server. make sure you've permitted the commands/arguments for the user/group.

aaa new-model
!
!
aaa group server tacacs+ ACS
server-private server 1 key 7 x
server-private server 2 key 7 x
ip vrf forwarding yadayada
ip tacacs source-interface FastEthernet0/0.50
!
aaa authentication login default group ACS local
aaa authentication login NO_AUTHEN none
aaa authorization console
aaa authorization exec default group ACS local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group ACS local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group ACS
aaa accounting commands 15 default stop-only group ACS
aaa session-id common

it's acs version 3.1

could you add the below and try again:

aaa authorization exec default group tacacs+

it has locked me out now

i get a direct authorization failed when i login with either my username or that of my colleague

170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not

Try to use the local database of the equipment in order to login.

After using the user from the local database, paste:

show ip vrf

show ip route vrf yadayada

show run int FastEthernet0/0.50

ping vrf yadayada 10.60.12.88

Dan

i tried this

the router is connected to our core

i tried the pinging to both tacacs servers from within the vrf and fa0/0.50 as source interface

this works

hi,

AAA can be very tricky. you should've performed this in a maintenance window if this is a production router. only way to recover is to do a reboot. be sure that at least 1 user always has full rights.

i know.. it's a test router.. i'm gonna go to the DC to try to access it with a console cable, had to go there anyway

is a reload only option?

or is the console not subject to acs?

i stopped the acs server:

my username -> authentication failed

colleague username -> authorization failed

tacacs server back running:

my username -> direct authorization failed on login prompt

colleague -> direct authorization failed on login prompt

i checked both users in acs and they are set up exactly the same

hi,

a reboot will do.

the console line is also subjected to AAA authentication if you've set it up:

line con 0

login auth ACS

could you post the AAA config on the devices that are working properly?

Hi John,

From the configuration pasted:

aaa authentication login default group ACS local

aaa authorization console

aaa authentication login NO_AUTHEN none

This means that the default authentication login uses the ACS group, so there is no need to use "login auth" on the line.

But if he used "login auth NO_AUTHEN" on the line con 0, then he can get in via the console line without any authentication.

Another issue via console with this will be authorization, which by default is via ACS, so there will be the need of:

authorization exec NO_AUTHOR

Could you check the logs from the ACS, even though the 1841's logs are straightforward:

"10.60.12.88/49 failed -- Connection timed out; remote host not responding"

Dan

Hi Dan,

You've got a good point! I might have understood the authentication interchangeably.

I would also concur with you that OP should check further the ACS policies or logs for the authorization to work.

Sent from Cisco Technical Support iPhone App

i reloaded the router and it's back up again

which specific logging am i looking for?

i got the tacacs+ administration where i see all the commands, and the tacacs+ accounting

i don't see much strange happening there

in failed attempts i see this for my own username when i tried this morning:

CS password invalid

External DB user invalid or bad password

however i am certain i typed in my password correctly, and also reentered my password for the user

axeleratorcisco
Level 1

Affected version 12.3(8)T8 - would the below apply?

CSCsa53912 Bug Details

Tacacs login is failing

Symptoms: You cannot log on when a TACACS+ server is used for authentication. You get a message that authentication fails and you are asked again to enter your user name.

Conditions: This symptom is observed when you make a Telnet connection to a router that is configured for TACACS+ after you have entered your user name and your TACACS password.

Workaround: Configure the TACACS+ single connection option by entering the "tacacs-server host host-name single-connection" command.

Status: Fixed (Resolved)

Severity: 2 - severe

Last Modified: In Last Year

Product: Cisco IOS software

Technology: Authentication Protocols

1st Found-In: 12.3M, 12.3(12.10)M, 12.3(12.12)M, 12.4(0.2)M, 12.3(4)T13, 12.3(9a)BC1, 12.3(12.11)PI6, 12.4(0.2)PI1a

Known Affected Versions:

Fixed-In: 12.3(13)M, 12.3(14.5)M, 12.4(0.3)M, 12.3(9a)BC3, 12.3(11)T7, 12.3(12.12)BC, 12.3(12.12)T2, 12.3(12b)M, 12.4(1.8)T

Component(s): aaa

Regression: Y
Related Bug Information

3660/3725: TCP-2-INVALIDTCB:Invalid TCB pointer with tracebacks
Symptoms: A Cisco router shows an invalid TCB pointer and tracebacks, and authentication stops at random: %TCP-2-INVALIDTCB: Invalid TCB pointer: 0x62C4512C -Process= "TPLUS", ipl= 0, pid= 102 -Traceback= 60D60A5C 60D3DC8C 60D43F88 60B5C1CC 60B5BCAC 60B52E58 TPLUS(00003EB1)/0/NB_WAIT/628D8528: timed out. Conditions: This symptom is observed on a Cisco 3660 and Cisco 3725 that run Cisco IOS Release 12.3(6b). Rebooting may or may not return the router to normal behavior (that is, TACACS authentication functions). Workaround: There is no workaround.

tacacs server is bypassed even when there is connectivity
Cannot authenticate using AAA server even when there is connectivity. The following is configured: "aaa authentication login default group tacacs+ local". Even though there's connectivity with the AAA server as shown by successful pings, the router does local authentication.

TACACS authentication fails in 12.3(123_9_BC1.041229)
Customer was running a pre-released copy of 12.3(123_9_BC1.041229); this image would not allow him to authenticate using TACACS. The error was "invalid character in username". Without changing the config or the TACACS server he could authenticate if he reverted to 12.3(9a)BC. Authentication should be working in both versions. Workaround: use the single-connection TACACS option: "tacacs-server host x.x.x.x single-connection".

TACACS authorization failed when perform ACQR telneting
Symptoms: The Telnet authorization failed when the UUT is configured with TACACS. Telnet is OK with RADIUS or local configuration. Condition: the problem is seen on version 12.4(0.2). Workaround: work with RADIUS or local authorization configuration.

Yes, it's in the Affected versions. If you press "Known Affected Versions" you will see the list.

Dan
