topic Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750 in Network Access Control

Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750s

Richard Bradfield — Mon, 11 Mar 2019 02:27:15 GMT

I am in the process of upgrading the ACS from 4.1.1. to 5.3,

I have Catalyst 3750s with various levels of IOS and with ACS 4.1.1 there were no problems

AAA config on switches as below

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login console local

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

now with ACS5.3 I find that switches running 122-35.SE5 (ipbase) no problems, all ok

but switches running later IOS 122-50.SE5, 122-55.SE5, and 15,0.1 I users with the privilege level of 15 fails authorization most of the time.

users with privilege level 7 no problems

on advise from various entries on the support forums as below but did not make any difference

can anybody help with this?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login console local

aaa authentication enable default group tacacs+

aaa authentication dot1x default group radius

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default if-authenticated

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750

saxenanitesh8522 — Thu, 23 Aug 2012 13:43:58 GMT

Hi,

these many commands are not required. Esp dot1x authentication commands.

what is the configuration you have done on the ACS 5.3? that is the place we have to see.

Please check the logs when the Users are getting failed.

Thanks,

Nitesh

Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750

Tarik Admani — Thu, 23 Aug 2012 17:49:14 GMT

Nitesh is correct,

In ACS 5.3 the default command set is set to deny all. However this may not appear until you select the customize button in your authorization profile to make the "Command Set" option visible, there you will be able to set the condition to use the command set you want.

Thanks,

Tarik Admani

Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750

Richard Bradfield — Thu, 23 Aug 2012 21:47:03 GMT

Tarik,

I think the problem is with the Cat 3750 as I can login into a switch running 122-35.SE5 ok, but when I log into a switch running 122-50.Se5 I get 'Authorization failed' message, this is for a user with a privilege level of 15. But no prblems with user with a privilege level of 7,

There must be a difference in the way Tacacs is handled betwen the different levels of OS in the Switch

Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750

Tarik Admani — Fri, 24 Aug 2012 20:02:04 GMT

What is currently your show run | inc aaa?

Thanks,

Tarik Admani
*Please rate helpful posts*

Problems with tacacs Authorisation with ACS5.3 and Catalyst 3750

Richard Bradfield — Sat, 25 Aug 2012 02:19:12 GMT

We opened a case with Cisco TAC, and after much looking around came to the conclusion the problem was:

the "tacacs-server host xx.xx.xx.xx single-connection" command on the Cat 3750's

removed the "single-connection" from the command and now authorization ok no longer intermittent

We have had these switches some time and the "single-connection " is no longer required.

Re: Problems with tacacs Authorisation with ACS5.3 and Catalyst

Tarik Admani — Sat, 25 Aug 2012 18:00:54 GMT

Thanks for he response.

Sent from Cisco Technical Support iPad App