topic please check the below in Network Access Control

Regarding Radius Device Authentication/Authorization

rkandasa1 — Mon, 11 Mar 2019 06:23:23 GMT

Hi,

We are using ACS 5.7 in our environment, I need to add a router for authentication and authorization in this ACS.

when I added the device, its getting authenticated and going to "User Exec" mode. not to "PRIVILIGED" mode. please let me know how can we do that this device needs to authenticated and go to privileged mode.

Thanks,

Rajkumar

Rajkumar,

Javier Henderson — Wed, 13 Jan 2016 12:40:18 GMT

Rajkumar,

You need to add exec authorization to the roer, something like this:

aaa authorization exec default group tacacs+ local

Then configure a shell profile on ACS that will grant privilege level 15, and an authorization policy that will use that shell profile.

Javier Henderson

Cisco Systems

Hi Javier,

rkandasa1 — Wed, 13 Jan 2016 13:23:52 GMT

Hi Javier,

The switch doesn't use Tacacs+, it uses radius.......

How we can configure ACS for Radius devices

Thanks,

Rajkumar.

The same principle applies:

Javier Henderson — Wed, 13 Jan 2016 13:37:18 GMT

The same principle applies:

aaa authentication exec default group radius local

Then on ACS define a network authorization profile to grant privilege level 15, and tie it to an authorization rule for RADIUS.

Thanks Javier, I looked at

rkandasa1 — Wed, 13 Jan 2016 13:46:54 GMT

Thanks Javier, I looked at switch front, everything looks fine only.

I am in ACS..... Network Access -> Authorization Profiles -> Create Profile

then Should need to add something in radius attributes to get privilege 15.

Basically how can I create profile with Privilege 15......

Thanks,

Rajkumar

Hi Raj,

Jatin Katyal — Wed, 13 Jan 2016 17:25:36 GMT

Hi Raj,

With Radius we actually push Radius-IETF attribute service-type (6) with a value administrative. Please check the screen shot:

Thanks Jatin, It works :)

rkandasa1 — Wed, 13 Jan 2016 21:45:10 GMT

Thanks Jatin, It works 🙂

I have another query, could you please help to get this sort out.

How can I apply command sets in radius authorization rule, basically I wanted to have L1, L2, L3 authorization done for radius devices in ACS. for example For L1 I need to have only show command visible and for L3 - All commands.

I know that this can be done through "command sets", but I cant call command sets in network access rules.

is there a way we can achieve it

Thanks,

Rajkumar

Awesome !!

Jatin Katyal — Wed, 13 Jan 2016 22:46:26 GMT

Awesome !!

Unfortunately, command authorization is not supported with radius. You have to use TACACS protocol and good thing is ACS supports both.

Take a look here. Perfect example to address your query if you really want to use tacacs:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

- Jatin

Hi Jatin,

rkandasa1 — Thu, 14 Jan 2016 13:04:04 GMT

Hi Jatin,

Could you please help me on the below,

Now I have a device configured for tacacs+ and its getting authenticated. but again its going to "User Exec" mode not to "Pri Exec" mode.

I created a shell profile "PRI 15" as default "15" and Maximum "15" and assigned the shell profile to the authorization rule. but the access is not getting to "Pri Exec" mode.

I can see the hit count on this rule when ever I am accessing the switch. but every time I am accessing the switch it get increased with vaule of 2(2,4,6,8)

I was checking the TACACS authentication logs, it looks like the authentication happened successfully.

Any suggestions?

Thanks,

Rajkumar

Please share:

Jatin Katyal — Thu, 14 Jan 2016 14:37:06 GMT

Please share:

1.] Show run | in aaa from the switch/Router.

2.] Check ACS logs in Tacacs authorization and see what error are you seeing there.

3.] Debug aaa tacacs & debug aaa authorization from the switch / router

- Jatin

please check the below

rkandasa1 — Thu, 14 Jan 2016 14:43:31 GMT

please check the below details

aaa new-model
aaa group server tacacs+ TACACS-PLUS
aaa authentication login default group TACACS-PLUS local
aaa authentication login ConLine local group radius
aaa authentication enable default group TACACS-PLUS enable none
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group TACACS-PLUS none
aaa authorization exec my-authradius group radius if-authenticated
aaa accounting exec default start-stop group TACACS-PLUS
aaa session-id common

aaa authorization exec

Jatin Katyal — Thu, 14 Jan 2016 14:55:51 GMT

aaa authorization exec default group TACACS-PLUS none

The command we need on the switch is there. Lets check the ACS and switch logs.

- Jatin

Hi Jatin,

rkandasa1 — Mon, 18 Jan 2016 17:54:00 GMT

Hi Jatin,

I cant see anything in TACACS Authorization report. it looks like the authorization is not getting applied when the request comes

Any ide, How this can be fixed

Thanks,

Rajkumar

Pls share Debug aaa tacacs &

Jatin Katyal — Mon, 18 Jan 2016 18:21:05 GMT

Pls share Debug tacacs & debug aaa authorization from the switch / router.

- Jatin

Log Buffer (4096 bytes):8:34

rkandasa1 — Mon, 18 Jan 2016 18:31:45 GMT

Log Buffer (4096 bytes):
8:34.026 GMT: TPLUS: processing authentication start request id 1037
Jan 18 18:28:34.026 GMT: TPLUS: Authentication start packet created for 1037(admin-rkandasa)
Jan 18 18:28:34.026 GMT: TPLUS: Using server 10.242.14.24
Jan 18 18:28:34.026 GMT: TPLUS(0000040D)/0/NB_WAIT/5C74EC8: Started 5 sec timeout
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/NB_WAIT: socket event 2
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/NB_WAIT: wrote entire 50 bytes request
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/READ: Would block while reading
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: read entire 28 bytes response
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/5C74EC8: Processing the reply packet
Jan 18 18:28:34.311 GMT: TPLUS: Received authen response status GET_PASSWORD (8)
Jan 18 18:28:38.086 GMT: TPLUS: Queuing AAA Authentication request 1037 for processing
Jan 18 18:28:38.086 GMT: TPLUS: processing authentication continue request id 1037
Jan 18 18:28:38.086 GMT: TPLUS: Authentication continue packet generated for 1037
Jan 18 18:28:38.086 GMT: TPLUS(0000040D)/0/WRITE/5C74EC8: Started 5 sec timeout
Jan 18 18:28:38.086 GMT: TPLUS(0000040D)/0/WRITE: wrote entire 26 bytes request
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: read entire 18 bytes response
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/5C74EC8: Processing the reply packet
Jan 18 18:28:38.279 GMT: TPLUS: Received authen response status PASS (2)
Jan 18 18:28:38.522 GMT: AAA/AUTHOR (0000040D): Method list id=79000002 not configured. Skip author
Jan 18 18:28:38.522 GMT: TPLUS: Queuing AAA Accounting request 1037 for processing
Jan 18 18:28:38.522 GMT: TPLUS: processing accounting request id 1037
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV task_id=1019
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV timezone=GMT
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV service=shell
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV start_time=1453141718
Jan 18 18:28:38.522 GMT: TPLUS: Accounting request created for 1037(admin-rkandasa)
Jan 18 18:28:38.522 GMT: TPLUS: Using server 10.242.14.24
Jan 18 18:28:38.522 GMT: TPLUS(0000040D)/0/NB_WAIT/5C74EC8: Started 5 sec timeout
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/NB_WAIT: socket event 2
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/NB_WAIT: wrote entire 113 bytes request
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/READ: Would block while reading
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: read entire 12 header bytes (expect 5 bytes data)
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: read entire 17 bytes response
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/5C74EC8: Processing the reply packet
Jan 18 18:28:38.808 GMT: TPLUS: Received accounting response with status PASS
Jan 18 18:28:40.762 GMT: AAA/AUTHOR: auth_need : user= 'admin-rkandasa' ruser= 'GBMASW15'rem_addr= '10.100.3.133' priv= 0 list= '' AUTHOR-TYPE= 'command'
Jan 18 18:28:40.762 GMT: AAA: parse name=tty3 idb type=-1 tty=-1
Jan 18 18:28:40.762 GMT: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Jan 18 18:28:40.762 GMT: AAA/MEMORY: create_user (0x5B98918) user='admin-rkandasa' ruser='NULL' ds0=0 port='tty3' rem_addr='10.100.3.133' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Jan 18 18:28:51.240 GMT: AAA/MEMORY: free_user (0x5B98918) user='NULL' ruser='NULL' port='tty3' rem_addr='10.100.3.133' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
GBMASW15#sh debug
General OS:
TACACS access control debugging is on
AAA Authorization debugging is on

Hi Jatin,

rkandasa1 — Thu, 04 Feb 2016 07:28:29 GMT

Hi Jatin,

Just thought of updating you that this switch vty was configured to radius, due to this authorization was not happening, i have removed it and authorization is working fine.thanks for your help

Thanks,

Rajkumar