topic ACS 4.1 Command Authorization Failing Intermitently in Network Access Control

ACS 4.1 Command Authorization Failing Intermitently

CSCO10675262_2 — Mon, 11 Mar 2019 00:37:39 GMT

Hi,

I have setup aaa using tacacs+ on the network switches, however I seems to be getting occassional command authoization error. This is seen when i try to input the command on several ports at once (example interface range giga 1/1-48). If I was to do it on a single port instead, I dont seems to encounter the error. Would this be due to the ACS unable to handle the load? It is only for a single switch executing the command for port ranges.

I have attached a sample of the error for reference:

switch(config-if-range)#description level 3
% Authorization failed.

% Command failed on interface range. Aborting

I have checked the interface connecting to the ACS and I do not see any error. I am not too sure what may be causing the error. Would it be due to the ACS unable to work nicely with interface range?

Thanks.

Re: ACS 4.1 Command Authorization Failing Intermitently

Tarik Admani — Wed, 01 Dec 2010 05:00:15 GMT

Hi,

Are you trying to perform this command on a stack of 3750's? If so what version of code are you running? If this isnt the case you might want to increase the timeout value for your tacacs-server and then give the same command a shot.

Let me know how that works!

Thanks,

Re: ACS 4.1 Command Authorization Failing Intermitently

CSCO10675262_2 — Wed, 01 Dec 2010 06:12:04 GMT

Hi Tarik,

Yes, you are correct that it is a stack of 3750G. The code that is running on the switch is 12.2(53)SE2. Would there be an issue with the code on aaa authorization with acs 4.1?

I will also try to increase the tacacs+ timeout to see if it helps.

Thanks.

Re: ACS 4.1 Command Authorization Failing Intermitently

Tarik Admani — Wed, 01 Dec 2010 23:28:22 GMT

There is a bug open for this issue that was found in 12.2(46)SE, and at the moment there is no plans on resolving the issue since it involves some design work in the code to address this issue. The only work around is to remove command authorization, or to see what your limit is on the inteface range command before it starts dropping the requests.

Re: ACS 4.1 Command Authorization Failing Intermitently

CSCO10675262_2 — Fri, 10 Dec 2010 09:55:28 GMT

Hi Tarik,

Thanks for the information. May I ask what is the bug id for reference?

Thanks

Re: ACS 4.1 Command Authorization Failing Intermitently

Tarik Admani — Sat, 11 Dec 2010 03:14:57 GMT

Sure here is the link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=cscti02944

Here is the detail of the bug:

CSCti02944

command authorization using a range of interfaces can cause issues with

Symptom: when you issue a command for a range of ports as per example router(config) interface g1 g14 then issue a group of commands router(config-if) set ip router(config-if) set speed 100 router(config-if) set duplex full router(config-if) set dhcp snoop limit rate router(config-if) no shut router(config-if) bandwidth 1000 router(config-if) default flowcontrol receive then you will see some of the commands as failed authorization the ACS does not show that the command hits it or is refused by it Conditions: have the following enabled on a stack and do commands for a range of interfaces. aaa authentication login default group tacacs+ local enable aaa authentication login tacacs+ local enable aaa authentication login console line aaa authentication enable default group tacacs+ enable aaa authorization config-commands aaa authorization exec default group tacacs+ if-authenticated local aaa authorization exec console none aaa authorization commands 0 default group tacacs+ local aaa authorization commands 1 default group tacacs+ local aaa authorization commands 15 default group tacacs+ local aaa authorization commands 15 console none aaa authorization network default group tacacs+ aaa accounting update periodic 5 aaa accounting exec default start-stop group tacacs+ aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+ aaa accounting connection default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ Workaround: disable accounting and authorization config-commands

Re: ACS 4.1 Command Authorization Failing Intermitently

CSCO10675262_2 — Mon, 13 Dec 2010 02:34:29 GMT

Thanks for the bug id.

Re: ACS 4.1 Command Authorization Failing Intermitently

stevehorsleyNXG — Tue, 14 Dec 2010 12:10:24 GMT

Is this fixed in a later version of ACS?

Re: ACS 4.1 Command Authorization Failing Intermitently

Tarik Admani — Tue, 14 Dec 2010 17:19:44 GMT

No this is not an ACS issue, its a limitation on the software that divides up the AAA requests.