Firmware 1.4.0.88 breaks aaa authorization for TACACS

Michal Bruncko
Level 4
Hello folks,

I have recently upgraded from 1.3.7.18 to version 1.4.0.88 on several of my SG300-28P switches. I am using TACACS authentication. My account is a part of the "admins" group, which has "priv-lvl = 15" set (inside the tac_plus.conf configuration). This means that before the upgrade I got privilege level 15 access immediately (shell ending with the "#" sign) without needing to use "enable". But after the upgrade to 1.4.0.88 I have lost the authorization function, and the login behavior looks as follows:

$ ssh dist-sw
testuser@dist-sw's password:

Password: ss Verification

Username:
Password: ss Verification

Username:

dist-sw>

(note: I have to enter the password only once, requested on the second line above; the remaining username/password prompts were just displayed automatically until the "dist-sw>" line, without needing my interaction)

Yes, I read the release notes, and the new functionality is mentioned there:

AAA authentication – Added a control for authorization so the user can decide whether to do authentication-only or authentication + authorization. When upgrading from previous versions, the default becomes authentication-only.

So I have added a new command to the switch configuration: "aaa authentication enable authorization default tacacs enable", which should enable authorization over the same channel as authentication (i.e. using tacacs). But it is not working either, and I have to use the "enable" command in order to get privilege level 15 access.

With RADIUS authentication the behavior is different (better from the user's point of view), but it seems not to be working correctly either: no matter whether I apply the "aaa authentication enable authorization default radius enable" command or not, I get privilege level 15 access immediately (radius is sending Cisco-AVPair = "shell:priv-lvl=15" within the access-accept response).

Has anyone got TACACS aaa authorization working on 1.4.0.88? Or are you observing the same behavior? To me it looks like a bug.

thanks!

michal

Aleksandra Dargiel
Cisco Employee

Hi Michal,

I have no TACACS to test with, but it would be a very good idea to open an official ticket with the Small Business team so they can communicate with the engineering team:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Aleksandra

Aaron Sheard
Level 1

This just happened to me today as well. SF-30048P, same firmware.

I'll post if I get it figured out.


For me, I can ssh in as a user (after pressing enter on the "login as:" prompt, and then entering my login on the "User Name:" prompt,

but older f/w does that too).

I just cannot get into enable mode.


When I connect via the web with a TACACS account I'm good.

e.g.:

login as: [press enter]


User Name:test
Password:*********


SF30048P>en
Password:*********
Password:*********
Password:*********
authentication failed

SF30048P>

Hi Aaron,

It looks quite similar. I managed to get it working finally once I tried to reproduce the issue for Cisco TAC. Once I had entered these two commands in a row:

aaa authentication enable default tacacs enable
aaa authentication enable authorization default tacacs enable

...then authorization finally started working for me. No need to reload the device. To me it looked like the first time, the command "aaa authentication enable authorization default tacacs enable" was not applied to the environment.
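For anyone setting this up from scratch, here is how the two sides fit together as Michal describes them: the tac_plus group that carries priv-lvl 15 and the two switch lines that re-enable enable-mode authorization after the upgrade. This is an added illustration, not configuration posted in the thread; the shared key, the test user's password and the user name are placeholders, and the group shape follows Michal's description of an "admins" group with priv-lvl = 15.

```text
# tac_plus.conf (Shrubbery tac_plus syntax). Placeholder key and password.
key = "REPLACE_WITH_SHARED_SECRET"

group = admins {
    default service = permit
    # The exec service attribute is what the switch reads at login
    # to decide whether the session lands at "#" (priv 15) or ">".
    service = exec {
        priv-lvl = 15
    }
}

user = testuser {
    member = admins
    login = cleartext "REPLACE_WITH_PASSWORD"
}

! SG300 running config on 1.4.0.88 (global configuration mode).
! After the upgrade the default is authentication-only, so the
! authorization line is needed; in the thread it only took effect
! when entered together with the first line, in this order.
aaa authentication enable default tacacs enable
aaa authentication enable authorization default tacacs enable
```

After applying both lines, a fresh SSH login with the TACACS account should land at the "#" prompt without an "enable" step; if it still lands at ">", check the switch's Management Access Authentication page for SSH, as Aaron did from the web UI.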

Hey, thanks!

And for the benefit of those who could access the web at level 15 but not the shell:

In the web UI, I went to Security > Management Access Authentication, selected SSH in the Application list, and checked "enable" under Authorization.

(I rarely use the web, but I was locked out of enable mode.)

Voila! It's working.

Hello, Aaron.

Maybe you can help me; I cannot set up access from SSH and the web with RADIUS.

Could you help me? Please show your running config.

Thank you
