topic Re: Authorization FAILING in Network Access Control

Authorization FAILING

nikalleyne — Mon, 11 Mar 2019 00:31:56 GMT

Guys,

can someone tell me why my Authorization is failing once i enable "aaa authorization exec default group radius if-authenticated". If I omit the authorization line then I get put into user mode.

aaa authorization exec default group radius if-authenticated

Debug aaa authorization

1w5d: AAA: parse name=tty2 idb type=-1 tty=-1
1w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
1w5d: AAA/MEMORY: create_user (0x1B5AEF8) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='190.168.2.8' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
1w5d: tty2 AAA/AUTHOR/EXEC (2449366269): Port='tty2' list='' service=EXEC
1w5d: AAA/AUTHOR/EXEC: tty2 (2449366269) user='User1'
1w5d: tty2 AAA/AUTHOR/EXEC (2449366269): send AV service=shell
1w5d: tty2 AAA/AUTHOR/EXEC (2449366269): send AV cmd*
1w5d: tty2 AAA/AUTHOR/EXEC (2449366269): found list "default"
1w5d: tty2 AAA/AUTHOR/EXEC (2449366269): Method=radius (radius)
1w5d: AAA/AUTHOR (2449366269): Post authorization status = FAIL
1w5d: AAA/AUTHOR/EXEC: Authorization FAILED
1w5d: AAA/MEMORY: free_user (0x1B5AEF8) user='User1' ruser='NULL' port='tty2' rem_addr='190.168.2.8' authen_type=ASCII service=LOGIN priv=1

line vty 0 4
session-timeout 15
exec-timeout 15 0
password test
login authentication My-RADIUS
line vty 5 15
password test
login authentication My-RADIUS

This config works on other devices, however it does not work on this device with IOS 12.2(25r)

All assistance welcome

Nik

Re: Authorization FAILING

Vinay Sharma — Tue, 02 Nov 2010 15:05:56 GMT

In order to get into authorization, user need to get priv lvl 15 whereas your user is getting only lvl 1.

' authen_type=ASCII service=LOGIN priv=1

Please check in ACS if you have given enough priv to the user at user profile.

thanks,

Vinay

Re: Authorization FAILING

Vinay Sharma — Tue, 02 Nov 2010 15:06:32 GMT

Also try this sample config:-

Here is a sample configuration:-

router(config)# enable password XXXXXXX

router(config)# username admin privilege 15 password xxxxx

router(config)# aaa new-model (Enables AAA configuration commands on the router)

router(config)# Tacacs-server host XXXXXXX ( IP address of the ACS server)

router(config)# Tacacs-server key XXXXXX ( This is the same shared secret key which we defined on the ACS for this IOS device)

router(config)# aaa authentication login default group Tacacs+ local

Authenticate telnet users on TACACS+ if TACACS+ is down authenticate users with locally configured telnet username password on router.

router(config)# aaa authentication enable default group Tacacs+ enable

Authenticate the enable password on the TACACS+ if TACACS+ is down authenticate enable password with locally configured enable password on router.

Router(config)# aaa accounting exec default start-stop group TACACS+ (Account all the user which are telneting based on start and stop session on TACACS+)

Router(config)# line vty 04 (Change to line vty line)

Router(config-line)# Login authentication default (Enables tacacs authentication for the vty lines)

Re: Authorization FAILING

nikalleyne — Tue, 02 Nov 2010 15:27:41 GMT

Hi Vinashar, I'm using RADIUS (Windows 2008 NPS). The funny thing is the configuration on the RADIUS works for IOS 12.2(50) on another device. However, I'm encountering the problem on the 12.1. Also it's the same user that can successfully login to the 12.2(50) IOS and granted authorization who cannot get into the 12.1.

All thoughts welcome.

Re: Authorization FAILING

Richard Burts — Tue, 02 Nov 2010 22:38:25 GMT

Nik

I am confused. In your original post you tell us the version of code on the box is 12.2(25r). Now in this post it seems that the problem is in 12.1. Perhaps you can clarify the issue of versions on the various boxes?

Also it might help us to know whether the box that is having the problem ever worked? Or is this a new install for this box and it is having the problem from the beginning?

It may seem a bit obsessive, but can you verify that the box that does successfully authorize the user is using exactly the same radius server as the box that has the problem?

If the same user authorizing to the same server works on one version and fails on another version, then it sounds like there may be some problem in the version. Is there any chance to put different code on the box that is having the problem?

HTH

Rick

Re: Authorization FAILING

nikalleyne — Wed, 03 Nov 2010 13:51:51 GMT

Hi Burts,

Let's look at it this way. I have the following configuration on the 12.2 box.

aaa authentication attempts login 5

aaa authentication login myRADIUS GRoup Radius Local

aaa authorization exec default group radius local if-authenticated

aaa accounting exec myRADIUS start-stop group radius

line vty 0 15

session-timeout 15

exec-timeout 4 30

The above configuration works the way I want it to by allowing the user to go directly into Enable mode.

Below is the configuration for the 12.1

aaa authentication login myRADIUS GRoup Radius Local

aaa accounting exec myRADIUS start-stop group radius

line vty 0 15

session-timeout 15

exec-timeout 4 30

As you may notice with the 12.1 config there is no "aaa authentication login myRADIUS GRoup Radius Local".

The reason for this is because once it is entered Authentication is successful but "Authorization Fails" and the user's session is closed.

My only conclusion is this has to be an issue with the version of IOS because a capture from the 12.2 NAS and the 12.1 NAS communication with the RADIUS server returns the same result. They both have "Access-Accept" VSA: 19 t=Cisco-AVPair(1): shell:priv-lvl=15. So this tells me the

user is getting the correct information - as in priviledge level returned - when he/she authenticates but something else is causing the authorization to fail.

Is this an issue with the 12.1 IOS because it's the same problemn on all the 12.1 devices I have.

As for verifying the same RADIUS they are both using the same box. As I mentioned above a capture at the RADIUS servers proves that they are.

Hope this clears it up. I'm still hoping you guys can help me resolve this.

Thanks

Re: Authorization FAILING

Richard Burts — Wed, 03 Nov 2010 17:13:26 GMT

Nik

I am quite puzzled at part of this post. You say :"As you may notice with the 12.1 config there is no "aaa authentication login myRADIUS GRoup Radius Local".". But clearly that command is in the part of the config that you posted.

But putting that part of the confusion aside, if it is the same lines of config (eliminating the possibility of something fat fingered), and if it consistently works with 12.2 and consistently does not work with 12.1 then it certainly suggests that there is a problem in the 12.1 code that you are running. I do not know what your maintenance situation is with these boxes, but I would suggest trying a different version of code on them and see if that resolves your problem.

I do not remember the version of code, but I do remember some years ago I was installing several 5350 routers and was having problems with authorization, especially with the if-authenticated functionality. A change of code version was very successful in resolving my problem. I hope that might also be the case with your problem.

HTH

Rick

Re: Authorization FAILING

nikalleyne — Wed, 03 Nov 2010 17:29:30 GMT

Hi Burts,
First my apologies for the confusion. That should have been there is no "aaa authorization exec default group radius local if-authenticated" on the 12.1 config.

Second I agree that we should upgrade and that will be the next project I will undertake. So I will mark your previous response as the answer and consider this case close.

Thanks for the assistance.