topic rel. 12.3 aaa authorization network in Network Access Control

rel. 12.3 aaa authorization network

giga01 — Sun, 10 Mar 2019 14:50:46 GMT

I have this configuration on my cisco 1700 router:

--------------------

version 12.3

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

hostname remote-aoud

clock timezone ITA 1

clock summer-time ITA recurring last Sun Mar 2:00 last Sun Oct 3:00

aaa new-model

aaa group server tacacs+ tac_admin

server 192.168.13.100

server 192.168.13.102

aaa group server radius remote_access

server 192.168.13.100 auth-port 1645 acct-port 1646

server 192.168.13.102 auth-port 1645 acct-port 1646

aaa authentication login default group tac_admin local

aaa authentication enable default group tac_admin enable

aaa authentication ppp default group remote_access local

aaa authorization exec default group tac_admin local

aaa authorization network default group remote_access

aaa session-id common

ip subnet-zero

interface FastEthernet0

ip address 172.17.40.113 255.255.252.0

speed auto

no cdp enable

interface Async1

ip unnumbered FastEthernet0

encapsulation ppp

async mode interactive

peer default ip address 172.17.40.117

no keepalive

ppp authentication ms-chap

ip classless

ip route 0.0.0.0 0.0.0.0 172.17.40.1

radius-server host 192.168.13.100 auth-port 1645 acct-port 1646 key 7 ...

radius-server host 192.168.13.102 auth-port 1645 acct-port 1646 key 7 ...

radius-server deadtime 60

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

line con 0

line 1

flush-at-activation

modem InOut

transport input all

autoselect during-login

autoselect ppp

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

exec-timeout 600 0

no scheduler allocate

sntp server 172.17.40.1

sntp server 192.168.13.1

end

-------------------------------

The users dialin are authenticate on a cisco acs 3.2

On acs 3.2 the user have check flag on ietf attributes 6 (framed) and 7 (ppp) for aaa authorization.

This works ok with release 12.2 but whit release 13.3 if i uncheck flag on ietf attributes 6 and 7 the

user login always.

In fact the aaa authorization network not work !!

thank

Ale

Re: rel. 12.3 aaa authorization network

d.kratz — Sun, 30 May 2004 20:01:10 GMT

Dear Ale,

Your configuration seems right, but we don´t say nothing whithout debugs. Please, enable debug aaa authorization and debug tacacs, try make one connection and post logs in this thread.

Regards,

kratz

Re: rel. 12.3 aaa authorization network

giga01 — Mon, 31 May 2004 10:58:29 GMT

Hello Kratz,

This is debug output:

remote-aoud#

00:06:07: AAA/BIND(00000003): Bind i/f Async1

00:06:09: %LINK-3-UPDOWN: Interface Async1, changed state to up

00:06:09: RADIUS/ENCODE(00000003):Orig. component type = EXEC

00:06:09: RADIUS: AAA Unsupported Attr: interface [153] 6

00:06:09: RADIUS: 41 73 79 6E [Asyn]

00:06:09: RADIUS(00000003): Storing nasport 1 in rad_db

00:06:09: RADIUS(00000003): Config NAS IP: 0.0.0.0

00:06:09: RADIUS/ENCODE(00000003): acct_session_id: 3

00:06:09: RADIUS(00000003): sending

00:06:09: RADIUS/ENCODE: Best Local IP-Address 192.168.13.113 for Radius-Server 192.168.13.100

00:06:09: RADIUS(00000003): Send Access-Request to 192.168.13.100:1645 id 1645/2, len 143

00:06:09: RADIUS: authenticator F8 75 D5 95 91 74 55 71 - 00 00 00 00 00 00 00 00

00:06:09: RADIUS: Framed-Protocol [7] 6 PPP [1]

00:06:09: RADIUS: User-Name [1] 12 "CASA\marco"

00:06:09: RADIUS: Vendor, Microsoft [26] 16

00:06:09: RADIUS: MSCHAP_Challenge [11] 10

00:06:09: RADIUS: F8 75 D5 95 91 74 55 71 [?u???tUq]

00:06:09: RADIUS: Vendor, Microsoft [26] 58

00:06:09: RADIUS: MS-CHAP-Response [1] 52 *

00:06:09: RADIUS: NAS-Port-Type [61] 6 Async [0]

00:06:09: RADIUS: Calling-Station-Id [31] 7 "async"

00:06:09: RADIUS: NAS-Port [5] 6 1

00:06:09: RADIUS: Service-Type [6] 6 Framed [2]

00:06:09: RADIUS: NAS-IP-Address [4] 6 192.168.13.113

00:06:09: RADIUS: Received from id 1645/2 192.168.13.100:1645, Access-Accept, len 62

00:06:09: RADIUS: authenticator E9 99 94 43 EB 4B 74 33 - F7 87 03 F6 64 F2 0E D6

00:06:09: RADIUS: Session-Timeout [27] 6 180

00:06:09: RADIUS: Framed-IP-Address [8] 6 255.255.255.255

00:06:09: RADIUS: Class [25] 30

00:06:09: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 66 63 [CISCOACS:00000fc]

00:06:09: RADIUS: 61 2F 63 30 61 38 30 64 37 31 2F 31 [a/c0a80d71/1]

00:06:09: RADIUS(00000003): Received from id 1645/2

00:06:09: As1 PPP/AAA: Check Attr: timeout: Peruser

00:06:10: As1 PPP/AAA: Check Attr: addr

00:06:10: As1 AAA/AUTHOR/LCP: Process Author

00:06:10: As1 AAA/AUTHOR/LCP: Process Attr: timeout

00:06:10: AAA/AUTHOR: Processing PerUser AV timeout

00:06:10: As1 AAA/AUTHOR/IPCP: FSM authorization not needed

00:06:10: As1 AAA/AUTHOR/FSM: We can start IPCP

00:06:10: As1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 192.168.13.170

00:06:10: As1 AAA/AUTHOR/IPCP: No remote address; FIP = Use peer provided address

00:06:10: As1 AAA/AUTHOR/IPCP: Processing AV addr

00:06:10: As1 AAA/AUTHOR/IPCP: Authorization succeeded

00:06:10: As1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 192.168.13.170

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary dns

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary wins

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday dns

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday wins

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary dns

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday dns

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary dns

00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday dns

00:06:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up

If you see the authorization network fail in fact. The user is not permitted from the acs user configuration to connect , but the connection is established .

I add jpeg with acs user configuration.

Regards

Ale

Re: rel. 12.3 aaa authorization network

giga01 — Mon, 31 May 2004 14:11:59 GMT

I have resolved !!!

I must insert :

radius-server attribute 6 mandatory

in my configuration with 12.3 ios release and all work well.

Thanks and Regards

Ale