Issues Configuring AAA 'Client' Remotely

LeeBkr311 — Sun, 10 Mar 2019 14:56:31 GMT

I currently am implementing a ACS appliance I have it installed and configured to run as a TACACS+ server for our routers. Currently it has 2 users configured both have full access to all routers (max enable priviledge 15 for any client)I need to configure the clients remotely by means of telnet but, part way through the config I loose my connection because it then has to authorize to do further config commands but not having logged in previously I need to reconnect. When I go to reconnect it authenticates with the ACS but for some reason won't authorize. On a test network everything worked but, I was configuring through console cable at the time. The following are the steps I take each time to setup the client up until where the problems start (I chose to start with a router that is only a few miles away so I can go there and fix it if things go wrong but, I won't be able to do that when I'm trying to do this to routers in Leeds or Madrid or Melbourne etc. etc.):

(Telneted in and did the following)

....

Test1#reload in 000:20

Reload scheduled in 20 minutes

Proceed with reload? [confirm]

Test1#config t

Enter configuration commands, one per line. End with CNTL/Z.

Test1(config)#aaa new-model

Test1(config)#tacacs-server host 10.x.xx.xx single-connection

Test1(config)#tacacs-server key _xxxxxx_xxxxxxx_xxxx_

Test1(config)#tacacs-server timeout 20

Test1(config)#

Test1(config)#aaa authentication login default

Test1(config)#aaa authentication enable default tacacs+

Test1(config)#

Test1(config)#line vty 0 4

Test1(config-line)#login authentication default

Test1(config-line)#exit

Test1(config)#line con 0

Test1(config-line)#login authentication default

Test1(config-line)#exit

Test1(config)#

Test1(config)#aaa authorization network default tacacs+

Test1(config)#aaa authorization exec default tacacs+ if-authenticated

Test1(config)#aaa authorization commands 15 default tacacs+ if-authenticated

Test1(config)#aaa authorization config-commands

Command authorization failed.

Test1(config)#exit

Test1#exit

User Access Verification

Username: bakerd

Password:

% Authorization failed.

That's straight out of HyperTerminal

The following is the ACS's version of what happened

08/04/2004 16:25:11 Authen OK bakerd Global 10.x.xx.xxx tty2 10.x.xx.x

08/04/2004 16:25:11 Author failed bakerd Global 10.x.xx.xxx .. Service denied service=shell cmd* tty2 10.x.xx.x

Re: Issues Configuring AAA 'Client' Remotely

Richard Burts — Thu, 05 Aug 2004 13:21:52 GMT

It looks to me like it is more likely an issue with how users are defined in ACS than it is a configuration issue on the router. Have you turned on shell access for the users in ACS?

I would also make a suggestion that when you define authentication you provide for some backup method to cover cases where ACS/TACACS might not be available. So instead of having this:

Test1(config)#aaa authentication login default

Test1(config)#aaa authentication enable default tacacs+

you might want this:

Test1(config)#aaa authentication login default line

Test1(config)#aaa authentication enable default tacacs+ enable

This would allow the router to use the line passwords for user authentication and the enable password for privilege authentication if the ACS were not available.

HTH

Rick

topic Issues Configuring AAA 'Client' Remotely in Network Access Control

Issues Configuring AAA 'Client' Remotely

Re: Issues Configuring AAA 'Client' Remotely