TACACS commands not being sent for authorization

tedauction
Level 1

Hello, I have TACACS+ almost successfully working on my 'WS-C2960-24PC-L 12.2(44)SE'.

Authentication and authorization work fine for my privilege level 15 users. 

The problem is that any command not allowed by default for my privilege level 3 user is NOT being sent to the TACACS+ server for authorization.

Below is output of 'debug aaa authorization'. This shows TACACS authorization being sent from the switch to the TACACS server for the command 'show terminal'. Authorization is successful and is allowed.

However, when I try to run the command 'show running-config', no authorization request is sent from the switch to the TACACS+ server. This is the same with any command outside of the default privilege level 3 command set. Does anyone know why this is?

Thank you.

 

Example of successful authorization of the 'show terminal' command:

*Mar 1 00:28:32.735: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:28:32.735: AAA/MEMORY: create_user (0x211830C) user='support' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): Port='tty0' list='' service=CMD
*Mar 1 00:28:32.735: AAA/AUTHOR/CMD: tty0 (3716672745) user='support'
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): send AV service=shell
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): send AV cmd=show
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): send AV cmd-arg=terminal
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): send AV cmd-arg=<cr>
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): found list "default"
*Mar 1 00:28:32.735: tty0 AAA/AUTHOR/CMD (3716672745): Method=tacacs+ (tacacs+)
*Mar 1 00:28:32.743: AAA/AUTHOR/TAC+: (3716672745): user=support
*Mar 1 00:28:32.743: AAA/AUTHOR/TAC+: (3716672745): send AV service=shell
*Mar 1 00:28:32.743: AAA/AUTHOR/TAC+: (3716672745): send AV cmd=show
*Mar 1 00:28:32.743: AAA/AUTHOR/TAC+: (3716672745): send AV cmd-arg=terminal
*Mar 1 00:28:32.743: AAA/AUTHOR/TAC+: (3716672745): send AV cmd-arg=<cr>
*Mar 1 00:28:32.945: AAA/AUTHOR (3716672745): Post authorization status = PASS_ADD
*Mar 1 00:28:32.945: AAA/MEMORY: free_user (0x211830C) user='support' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=N
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
Switch#

Now I try to run the command 'show running-config'; however, no TACACS+ authorization traffic is generated at all!
Switch#show running-config
^
% Invalid input detected at '^' marker.

See here: no authorization attempt was sent from the switch to the TACACS+ server. Why is that?

 

Configuration:

Current configuration : 2378 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username support privilege 3 secret 5 $1$e1En$YNav/fS5tV6T6.4L60u9c0
username lastresort privilege 15 secret 5 $1$FDqZ$KjKCKXKMOINDCnfne2/VE/
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 3 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport trunk allowed vlan 57
switchport mode trunk
!

!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan57
ip address 10.100.7.57 255.255.255.0
no ip route-cache
!
ip default-gateway 10.100.7.1
ip http server
ip tacacs source-interface Vlan57
tacacs-server host 10.21.250.212
tacacs-server timeout 10
no tacacs-server directed-request
tacacs-server key RUc=U@3.n6:`%aZP3~nV
!
control-plane
!
!
line con 0
line vty 5 15
!
end
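Editor's note on the behaviour shown above (this is an added example, not part of the original post or the poster's configuration): the `% Invalid input detected` response is the IOS command parser rejecting `show running-config`, which is a privilege-15 command, before AAA is ever consulted. Command authorization configured with `aaa authorization commands 3` is only attempted for commands the parser accepts at the user's current privilege level. That is why `show terminal`, a level-1 command, produces `AAA/AUTHOR/TAC+` traffic while `show running-config` produces none. The fragment below keeps the two `commands 3` lines from the post and adds a `privilege exec` statement so the command becomes parseable at level 3 and is then handed to the TACACS+ server, whose command set makes the actual allow/deny decision. The choice of level 3 and of `show running-config` as the example command are assumptions for illustration.

```ios
! From the post: authorization and accounting are requested for level-3
! commands, but only for commands the parser accepts at privilege 3.
aaa authorization commands 3 default group tacacs+ if-authenticated
aaa accounting commands 3 default start-stop group tacacs+
!
! Added (assumed for illustration): move 'show running-config' down to
! privilege 3. IOS also makes the parent keyword 'show' available at that
! level, so the command is now parsed and sent to TACACS+ for authorization
! (send AV cmd=show, cmd-arg=running-config) instead of being rejected with
! '% Invalid input detected'. Whether it is permitted is decided by the
! TACACS+ server's command set for the user.
privilege exec level 3 show running-config
```

To verify, log in as the level-3 user, confirm the level with `show privilege`, and re-run the command with `debug aaa authorization` enabled; a `send AV cmd-arg=running-config` line should now appear, followed by the server's PASS or FAIL. Two caveats a practitioner would weigh before doing this: `if-authenticated` on the `aaa authorization commands` lines means every command at that level is permitted whenever the TACACS+ server cannot be reached, and the running configuration in the post carries the `tacacs-server key` in cleartext (`no service password-encryption`), so whether a level-3 operator should be able to read that configuration at all is a policy decision to make first.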