Command authorization error when using aaa cache

khof — Sun, 10 Mar 2019 21:58:31 GMT

Hi,

I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:

% tty2 Unknown authorization method 6 set for list command

The command is then always authorized against the tacacs server.

The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.

I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.

Deleting the cache entry and using only the tacacs group the error message disappears.

Any suggestions?

Thanks.

Frank

======

config

======

aaa new-model

aaa group server tacacs+ group_tacacs

server 10.10.10.10

server 10.10.10.11

cache expiry 12

cache authorization profile admin_user

cache authentication profile admin_user

aaa authentication login default cache group_tacacs group group_tacacs local

aaa authentication enable default cache group_tacacs group group_tacacs enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default cache group_tacacs group group_tacacs local

aaa authorization commands 15 default cache group_tacacs group group_tacacs local

aaa accounting exec default start-stop group group_tacacs

aaa cache profile admin_user

profile admin no-auth

aaa session-id common

...

tacacs-server host 10.10.10.10 single-connection

tacacs-server host 10.10.10.11 single-connection

tacacs-server directed-request

tacacs-server key 7 <removed>

============

debug output

============

ap#

Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f

Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL

Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin

Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o

Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'

Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=

Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15

Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful

ap#

Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1

Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD

Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"

Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command

Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR

Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)

Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin

Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell

Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show

Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config

Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>

Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD

Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE

priv=15 vrf= (id=0)

Re: Command authorization error when using aaa cache

sbilgi — Tue, 13 Feb 2007 20:22:16 GMT

These are event logs which show that these are just informational messages of sev 6.

Try removing the cache related commands and add the following commands,

aaa authen login default group < group name > local

and aaa authorization exec default group local

Re: Command authorization error when using aaa cache

Vivek Santuka — Wed, 14 Feb 2007 14:40:50 GMT

Hi,

I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.

Regards,

Vivek

Re: Command authorization error when using aaa cache

khof — Wed, 14 Feb 2007 15:13:43 GMT

Hi Vivek,

I have almost expected to see this answer. Then I have to go another way to finish this task.

Thanks.

Frank

topic Command authorization error when using aaa cache in Network Access Control

Command authorization error when using aaa cache

Re: Command authorization error when using aaa cache

Re: Command authorization error when using aaa cache

Re: Command authorization error when using aaa cache