topic Re: Different servers for dialup-access and exec-access in Network Access Control

Different servers for dialup-access and exec-access

SDWorx_2 — Sun, 10 Mar 2019 21:30:03 GMT

Hi all,

I am trying to configure a 3640 for authorization. The 'tricky' part is that I have to make a difference between dialup-access on one hand and exec-access on the other hand.

I am using TACACS+ for authentication and authorization.

The original configuration of the router (without exec-authorization) is as follows:

aaa new-model

aaa authentication login default group tacacs+

aaa authentication login no_login enable

aaa authentication login sd_routers group tacacs+ enable

aaa authentication login sd_console enable

aaa authentication ppp default local group tacacs+

aaa authorization network default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

tacacs-server host x.x.x.x

tacacs-server timeout 15

tacacs-server directed-request

To configure exec authorization I added this:

tacacs-server host y.y.y.y

aaa group server tacacs+ dialup

server x.x.x.x

aaa group server tacacs+ vtyaccess

server y.y.y.y

aaa authorization network default group dialup

aaa authorization exec default group vtyaccess

aaa authorization commands 0 default group vtyaccess none

aaa authorization commands 1 default group vtyaccess none

aaa authorization commands 15 default group vtyaccess none

So I tried to setup 2 different server groups with each 2 servers so authorization for dialup would be controlled by 1 server (and 1 in backup) and authorization for exec would be controlled by another server (and 1 in backup).

Is there something I don't understand quite well because it does not seem to work?

Kindly regards,

Jan

Re: Different servers for dialup-access and exec-access

Richard Burts — Tue, 07 Mar 2006 15:23:12 GMT

Jan

It would be helpful if you would post the complete current config of aaa. In your post you show the original authentication was:

aaa authentication ppp default local group tacacs+

but you do not indicate whether this part changed.

Perhaps you could help us understand better what is happening and what symptoms you are seeing? Are authentication transactions being sent from the router to the server? Is the server authenticating? Are authorization transactions being sent from the router to the server?

Do exec users work as you expect? If not, what is happening with exec users?

Do dialup users work as you expect? If not, what is happening with dialup users?

If we knew these things better we would be able to give you better suggestions.

HTH

Rick

Re: Different servers for dialup-access and exec-access

SDWorx_2 — Tue, 07 Mar 2006 16:17:53 GMT

Hi,

Thanks for the reply. I indeed provided not enough info.

The 'final' config was like this:

aaa new-model

aaa group server tacacs+ dialup

server x.x.x.x

aaa group server tacacs+ vtyaccess

server y.y.y.y

aaa authentication login default group tacacs+

aaa authentication login no_login enable

aaa authentication login sd_routers group tacacs+ enable

aaa authentication login sd_console enable

aaa authentication ppp default local group tacacs+

aaa authorization exec default group vtyaccess

aaa authorization commands 0 default group vtyaccess none

aaa authorization commands 1 default group vtyaccess none

aaa authorization commands 15 default group vtyaccess none

aaa authorization network default group dialup tacacs+

With this config the dialup-part kept working. The exec-part on the other hand changed. We were unable to log into the router, that is we were able to fill in the username and password but immediatly after this we got disconnected, due to 'not authorized'.

With other routers (without dialup), authorization is no problem.

So it seems authentication works, but I think there is something wrong with the authorization.

I'll post more info when needed.

Thanks!

Jan

Re: Different servers for dialup-access and exec-access

Richard Burts — Tue, 07 Mar 2006 19:53:21 GMT

Jan

It might be helpful if you could run debug tacacs authentication and debug tacacs authorization and post the output. I believe this would help us get to the bottom of the problem.

But I will take a guess at the issue without that information. I believe your problem is inconsistency in how you configure authentication versus authorization. You are configuring authentication with group tacacs+ and authorization exec with group vtyaccess. I suggest you change the authentication to use vtyaccess and I suspect that your authorization problem will be solved.

HTH

Rick

Re: Different servers for dialup-access and exec-access

SDWorx_2 — Thu, 09 Mar 2006 19:03:19 GMT

Hi Rick,

Sorry for this late reply, but I only could test this tonight due to change-management.

I again configured the router and this is what I get.

At login:

Username:xxxxx

Password:

Access Permitted

% Authorization failed.

Connection to host lost.

authen debug:

Mar 9 19:51:08: AAA: parse name=tty131 idb type=-1 tty=-1

Mar 9 19:51:08: AAA: name=tty131 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=131 channel=0

Mar 9 19:51:08: AAA/MEMORY: create_user (0x616BDB04) user='NULL' ruser='NULL' ds0=0 port='tty131' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'

Mar 9 19:51:08: AAA/AUTHEN/START (1932337086): port='tty131' list='sd_routers'action=LOGIN service=LOGIN

Mar 9 19:51:08: AAA/AUTHEN/START (1932337086): found list sd_routers

Mar 9 19:51:08: AAA/AUTHEN/START (1932337086): Method=tacacs+ (tacacs+)

Mar 9 19:51:08: TAC+: send AUTHEN/START packet ver=192 id=1932337086

Mar 9 19:51:08: TAC+: ver=192 id=1932337086 received AUTHEN status = GETUSER

Mar 9 19:51:08: AAA/AUTHEN (1932337086): status = GETUSER

Mar 9 19:51:10: AAA/AUTHEN/CONT (1932337086): continue_login (user='(undef)')

Mar 9 19:51:10: AAA/AUTHEN (1932337086): status = GETUSER

Mar 9 19:51:10: AAA/AUTHEN (1932337086): Method=tacacs+ (tacacs+)

Mar 9 19:51:10: TAC+: send AUTHEN/CONT packet id=1932337086

Mar 9 19:51:11: TAC+: ver=192 id=1932337086 received AUTHEN status = GETPASS

Mar 9 19:51:11: AAA/AUTHEN (1932337086): status = GETPASS

Mar 9 19:51:14: AAA/AUTHEN/CONT (1932337086): continue_login (user='xxxxx')

Mar 9 19:51:14: AAA/AUTHEN (1932337086): status = GETPASS

Mar 9 19:51:14: AAA/AUTHEN (1932337086): Method=tacacs+ (tacacs+)

Mar 9 19:51:14: TAC+: send AUTHEN/CONT packet id=1932337086

Mar 9 19:51:15: TAC+: ver=192 id=1932337086 received AUTHEN status = PASS

Mar 9 19:51:15: AAA/AUTHEN (1932337086): status = PASS

Mar 9 19:51:17: AAA/MEMORY: free_user (0x616BDB04) user='xxxxx' ruser='NULL' port='tty131' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1

author debug:

Mar 9 19:42:50: AAA: parse name=tty131 idb type=-1 tty=-1

Mar 9 19:42:50: AAA: name=tty131 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=131 channel=0

Mar 9 19:42:50: AAA/MEMORY: create_user (0x6183BA20) user='NULL' ruser='NULL' ds0=0 port='tty131' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): Port='tty131' list='' service=EXEC

Mar 9 19:42:57: AAA/AUTHOR/EXEC: tty131 (657940182) user='xxxxx'

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): send AV service=shell

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): send AV cmd*

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): found list "default"

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): Method=vtyaccess (tacacs+)

Mar 9 19:42:57: AAA/AUTHOR/TAC+: (657940182): user=xxxxx

Mar 9 19:42:57: AAA/AUTHOR/TAC+: (657940182): send AV service=shell

Mar 9 19:42:57: AAA/AUTHOR/TAC+: (657940182): send AV cmd*

Mar 9 19:42:57: AAA/AUTHOR (657940182): Post authorization status = ERROR

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): Method=NOT_SET

Mar 9 19:42:57: tty131 AAA/AUTHOR/EXEC (657940182): no methods left to try

Mar 9 19:42:57: AAA/AUTHOR (657940182): Post authorization status = ERROR

Mar 9 19:42:57: AAA/AUTHOR/EXEC: Authorization FAILED

I'm not really sure what you mean with changing the authentication and the inconsistency.

Thanks for the help!

Regards,

Jan

Re: Different servers for dialup-access and exec-access

SDWorx_2 — Thu, 09 Mar 2006 19:04:11 GMT

And this is the config:

config:

aaa new-model

aaa group server tacacs+ dialup

server x.x.x.x

aaa group server tacacs+ vtyaccess

server y.y.y.y

aaa authentication login default group tacacs+

aaa authentication login no_login enable

aaa authentication login sd_routers group tacacs+ enable

aaa authentication login sd_console enable

aaa authentication ppp default local group tacacs+

aaa authorization exec default group vtyaccess

aaa authorization commands 0 default group vtyaccess none

aaa authorization commands 1 default group vtyaccess none

aaa authorization commands 15 default group vtyaccess none

aaa authorization network default group dialup

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

Regards,

Jan

Re: Different servers for dialup-access and exec-access

Richard Burts — Thu, 09 Mar 2006 21:43:49 GMT

Jan

I was hoping to get debug for authentication and authorization of the same attempt to login. But this output gives us some insight. The authorization debug pretty clearly shows that the device is sending authorization request to tacacs and the server is returning an error. I am not entirely clear at this point what causes the error, though I do have a theory. I may need to ask you to run debug tacacs packet to determine if my theory is correct.

The inconsistency that I refer to is this:

- what group is specified for authentication?

answer: group = tacacs+

- what group is specified for authorization?

answer: group = vtyaccess

I suspect that the membership of group tacacs+ is different from the membership of group vtyaccess.

My suggestion is to use the same group name for both authentication and authorization.

HTH

Rick

Re: Different servers for dialup-access and exec-access

SDWorx_2 — Fri, 24 Mar 2006 08:57:30 GMT

Hi,

Sorry for the late reply.

Thanks to your help I managed this to work. The problem was indeed the mixed ways I used authorization and authentication.

The final config is like this:

aaa new-model

aaa group server tacacs+ dialup

server x.x.x.x

aaa group server tacacs+ vtyaccess

server y.y.y.y

aaa authentication login default group tacacs+

aaa authentication login no_login enable

aaa authentication login sd_routers group vtyaccess enable

aaa authentication login sd_console enable

aaa authentication ppp default local group dialup

aaa authorization commands 0 default group vtyaccess none

aaa authorization commands 1 default group vtyaccess none

aaa authorization commands 15 default group vtyaccess none

aaa authorization network default group dialup none

I also think following line isn't necessary but I'll keep that in mind when I have a little more time:

aaa authentication login default group tacacs+

Thanks for the help!

Regards,

Jan