AAA Authorization + Switch Cluster = Fail?

estebanzarikian — Fri, 21 Feb 2020 18:28:10 GMT

Hi, I had a Switch Cluster running with local authentication and authorization just fine (with aaa new-model). It's a stack of 3750-Xs and several 2960s, they've all been configured more or less the same way with a configuration template.

I added AAA authentication and authorization and I can still reach each of the switches individually, but when I try to rcommand "x" from the cluster commander, I get:

#rcommand 2

% Authorization failed.

One of the 2960s is a stack and when I run rcommand to that switch I get something different:

#rcommand 1

EBMIASWF1LB-01 tty1 is now available

Press RETURN to get started.

All other 2960s give me "% Authorization failed."

3750s are running:

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

2960Ses are running:

Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

2960s are running:

Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

I tried a debug aaa authentication and aaa authorization on the member (destination) 2960 switch and I got this:

541120: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/BIND(00004788): Bind i/f

541121: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: parse name=tty4 idb type=-1 tty=-1

541122: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0

541123: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/MEMORY: create_user (0x29DA580) user='radiususer' ruser='NULL' ds0=0 port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)

541124: Mar 7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/AUTHOR (0x4788): Pick method list 'default'

541125: Mar 7 2013 17:14:30.754 EST: CLUSTER_MEMBER_2: AAA/AUTHOR/EXEC(00004788): Authorization FAILED

541126: Mar 7 2013 17:14:32.859 EST: CLUSTER_MEMBER_2: AAA/MEMORY: free_user (0x29DA580) user='radiususer' ruser='NULL' port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15

Debug on 2960S (stack) is the same.

The radius server is a Microsoft NPS (IAS on 2012) and all switches have AAA configured the same:

NPS is sending these AV Pairs:

shell:priv-lvl=15

Service-Type = Administrative

Service-Type = NAS-Prompt-User

Switches are configured like this:

aaa new-model

aaa group server radius RadiusAAA

server x.x.x.x auth-port 1645 acct-port 1646

server y.y.y.y auth-port 1645 acct-port 1646

ip radius source-interface VlanXX

deadtime 1

aaa authentication login default group RadiusAAA local

aaa authorization exec default group RadiusAAA if-authenticated local

aaa session-id common

! etc etc

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 <radius key>

radius-server host y.y.y.y auth-port 1645 acct-port 1646 key 7 <radius key>

radius-server deadtime 1

I've also tried moving around the

aaa authorization exec default group RadiusAAA if-authenticated local

to:

aaa authorization exec default group RadiusAAA local if-authenticated

But the results are the same... Telnet and SSH work great, but I'd like for the cluster to keep working!

Any ideas?

Thanks in advance for your help, I've spent a lot of time on this, and I don't even know if it's supported!

Esteban

topic AAA Authorization + Switch Cluster = Fail? in Network Access Control

AAA Authorization + Switch Cluster = Fail?