topic Hi,I enabled authorization in Network Access Control

tacac+ logins asking for enable password

keshu1974 — Mon, 11 Mar 2019 05:11:24 GMT

Hi,

7609 with the following IOS version.

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICES-M), Version 15.2(4)S4a, RELEASE SOFTWARE (fc1)

Tacacs+ users can successfully login via telnet but its asking for the enable password to go to privilege mode. I have tried everything I could but it keeps asking for the enable password. How do I get rid of the enable password for the tacacs+ users? The following is the current relevant config.

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa group server tacacs+ TAC_PLUS
server name AUTH
!
aaa authentication login default group TAC_PLUS local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
tacacs server AUTH
address ipv4 xx.xx.xx.xx
key 7 xxxxxxxxxxxxxxxxxxxxx
!
line con 0
line vty 0 4
session-timeout 15
access-class 10 in
exec-timeout 120 0
timeout login response 15
transport input telnet
!
ip telnet source-interface Loopback1
ip tacacs source-interface Loopback1

So you have the

nspasov — Tue, 18 Nov 2014 04:30:13 GMT

So you have the "authentication" part configured but you have done no "authorization" related configurations. You have several options here but at the very minimum you can:

- Enable aaa authorization for the exec shell

- Use your AAA/Tacacs+ server to return the appropriate privilege level for the authenticated user

Here is a good example that involves ACS 5.x:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

Also, I would highly recommend that you configure a second method for authentication/authorization outside of TACACS+. That way if your TACACS+ server(s) become unavailable, administrators can still authenticate and administer the device. The example, from the link above uses the "local" database.

Another good reference is this Cisco Press book:

http://www.ciscopress.com/store/aaa-identity-management-security-9781587141447

I hope this helps!

Thank you for rating helpful posts!

Hi,I enabled authorization

keshu1974 — Tue, 18 Nov 2014 07:30:36 GMT

Hi,

I enabled authorization for the exec shell with the following line

aaa authorization exec default group tacacs+ if-authenticated

Now the tacacs+ login does not work at all, throws "% Authorization failed." This is what the debug log shows

Nov 17 23:16:14: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:16:16: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:16:24: AAA/AUTHOR (0x0): Pick method list 'default'
Nov 17 23:16:24: AAA/AUTHOR/EXEC(00000000): Authorization FAILED
Nov 17 23:16:32: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'

If I remove that line tacacs+ works but the issue of having to supply enable password remains. This is what the debug low in this situation.

Nov 17 23:16:39: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:13: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:17: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:17: %SYS-5-CONFIG_I: Configured from console by xxxx on vty0 (xxx.xxx.xxx.xxx)
Nov 17 23:17:47: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author
Nov 17 23:17:49: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:49: AAA: parse name=tty3 idb type=-1 tty=-1
Nov 17 23:17:49: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Nov 17 23:17:49: AAA/MEMORY: create_user (0x7C8274CC) user='xxxx' ruser='NULL' ds0=0 port='tty3' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Nov 17 23:17:56: AAA/MEMORY: free_user (0x7C8274CC) user='NULL' ruser='NULL' port='tty3' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Nov 17 23:18:01: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 l

The same tacacs+ user can login fine on another similar router.

Any clue? Let me know if you need more information.

Thanks,

What are you using for a AAA

nspasov — Tue, 18 Nov 2014 07:36:43 GMT

What are you using for a AAA server and what is the authorization profile that you are returning for this user? More specifically what attributes?

Hi,Using tac_plus on CentOS.

keshu1974 — Tue, 18 Nov 2014 07:55:00 GMT

Hi,

Using tac_plus on CentOS. Here is how its setup.

group = nwadmin {
default service = permit
service = exec {
priv-lvl = 15
}
}

user = user1 {
login = des $1$XXXXXXXXXXXXXXXXXXXXXXXXX
member = nwadmin
}

Thanks,

Hmm, what debug commands do

nspasov — Tue, 18 Nov 2014 08:16:06 GMT

Hmm, what debug commands do you have enabled? Do you have:

debug tacacs

debug aaa authentication

debug aaa authorization

Hi,I did not have aaa

keshu1974 — Tue, 18 Nov 2014 15:58:11 GMT

Hi,

I did not have aaa authentication and tacacs debugging enabled. I have enabled them all and this is what it shows when tacacs+ works but have to type the enable password.

Nov 18 07:39:35: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Nov 18 07:39:35: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:35: TPLUS: processing authentication start request id 0
Nov 18 07:39:35: TPLUS: Authentication start packet created for 0()
Nov 18 07:39:35: TPLUS: Using server xx.xxx.xxx.xxx
Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT/56CA2684: Started 5 sec timeout
Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT: socket event 2
Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT: wrote entire 20 bytes request
Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:35: TPLUS(00000000)/0/READ: Would block while reading
Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:35: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:35: TPLUS(00000000)/0/READ: read entire 55 bytes response
Nov 18 07:39:35: TPLUS(00000000)/0/56CA2684: Processing the reply packet
Nov 18 07:39:35: TPLUS: Received authen response status GET_USER (7)
Nov 18 07:39:37: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:37: TPLUS: processing authentication continue request id 0
Nov 18 07:39:37: TPLUS: Authentication continue packet generated for 0
Nov 18 07:39:37: TPLUS(00000000)/0/WRITE/4752E370: Started 5 sec timeout
Nov 18 07:39:37: TPLUS(00000000)/0/WRITE: wrote entire 24 bytes request
Nov 18 07:39:37: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:37: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 18 07:39:37: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:37: TPLUS(00000000)/0/READ: read entire 28 bytes response
Nov 18 07:39:37: TPLUS(00000000)/0/4752E370: Processing the reply packet
Nov 18 07:39:37: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 18 07:39:41: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:41: TPLUS: processing authentication continue request id 0
Nov 18 07:39:41: TPLUS: Authentication continue packet generated for 0
Nov 18 07:39:41: TPLUS(00000000)/0/WRITE/55F31F34: Started 5 sec timeout
Nov 18 07:39:41: TPLUS(00000000)/0/WRITE: wrote entire 27 bytes request
Nov 18 07:39:41: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:41: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 18 07:39:41: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:41: TPLUS(00000000)/0/READ: read entire 18 bytes response
Nov 18 07:39:41: TPLUS(00000000)/0/55F31F34: Processing the reply packet
Nov 18 07:39:41: TPLUS: Received authen response status PASS (2)
Nov 18 07:39:41: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author
Nov 18 07:39:42: AAA/AUTHOR: auth_need : user= 'user1' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 18 07:39:42: AAA: parse name=tty1 idb type=-1 tty=-1
Nov 18 07:39:42: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Nov 18 07:39:42: AAA/MEMORY: create_user (0x776722A4) user='user1' ruser='NULL' ds0=0 port='tty1' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): port='tty1' list='' action=LOGIN service=ENABLE
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): non-console enable - default to enable password
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): Method=ENABLE
Nov 18 07:39:42: AAA/AUTHEN (2568611223): status = GETPASS
Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): continue_login (user='(undef)')
Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = GETPASS
Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): Method=ENABLE
Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = PASS
Nov 18 07:39:48: AAA/MEMORY: free_user (0x776722A4) user='NULL' ruser='NULL' port='tty1' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

And this is what I see when I

keshu1974 — Tue, 18 Nov 2014 16:19:07 GMT

And this is what I see when I try logging in with aaa authorization enabled(when the tacacs+ login fails with %Authorization failed.).

Nov 18 08:08:32: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Nov 18 08:08:32: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 08:08:32: TPLUS: processing authentication start request id 0
Nov 18 08:08:32: TPLUS: Authentication start packet created for 0()
Nov 18 08:08:32: TPLUS: Using server xxx.xxx.xxx.xxx
Nov 18 08:08:32: TPLUS(00000000)/0/NB_WAIT/52B2BA68: Started 5 sec timeout
Nov 18 08:08:32: TPLUS(00000000)/0/NB_WAIT: socket event 2
Nov 18 08:08:32: TPLUS(00000000)/0/NB_WAIT: wrote entire 20 bytes request
Nov 18 08:08:32: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:32: TPLUS(00000000)/0/READ: Would block while reading
Nov 18 08:08:32: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:32: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Nov 18 08:08:32: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:32: TPLUS(00000000)/0/READ: read entire 55 bytes response
Nov 18 08:08:32: TPLUS(00000000)/0/52B2BA68: Processing the reply packet
Nov 18 08:08:32: TPLUS: Received authen response status GET_USER (7)
Nov 18 08:08:34: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 08:08:34: TPLUS: processing authentication continue request id 0
Nov 18 08:08:34: TPLUS: Authentication continue packet generated for 0
Nov 18 08:08:34: TPLUS(00000000)/0/WRITE/52B2BA68: Started 5 sec timeout
Nov 18 08:08:34: TPLUS(00000000)/0/WRITE: wrote entire 24 bytes request
Nov 18 08:08:34: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:34: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 18 08:08:34: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:34: TPLUS(00000000)/0/READ: read entire 28 bytes response
Nov 18 08:08:34: TPLUS(00000000)/0/52B2BA68: Processing the reply packet
Nov 18 08:08:34: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 18 08:08:38: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 08:08:38: TPLUS: processing authentication continue request id 0
Nov 18 08:08:38: TPLUS: Authentication continue packet generated for 0
Nov 18 08:08:38: TPLUS(00000000)/0/WRITE/52B2BA68: Started 5 sec timeout
Nov 18 08:08:38: TPLUS(00000000)/0/WRITE: wrote entire 27 bytes request
Nov 18 08:08:38: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:38: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 18 08:08:38: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:38: TPLUS(00000000)/0/READ: read entire 18 bytes response
Nov 18 08:08:38: TPLUS(00000000)/0/52B2BA68: Processing the reply packet
Nov 18 08:08:38: TPLUS: Received authen response status PASS (2)
Nov 18 08:08:38: AAA/AUTHOR (0x0): Pick method list 'default'
Nov 18 08:08:38: AAA/AUTHOR/EXEC(00000000): Authorization FAILED

hmm, it looks like your

nspasov — Tue, 18 Nov 2014 19:16:05 GMT

hmm, it looks like your authentication is passing but you are failing the authorization part. I just tested this in my lab with ACS and had no problems with it. Here is my simple config:

NS-3560-E#sh run | sec aaa
aaa new-model
aaa authentication login vty group tacacs+ local
aaa authorization exec default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
NS-3560-E#sh run | sec line
line con 0
line vty 0 4
 login authentication vty
line vty 5 15
 login authentication vty

I am returning an authorization profile that just sets the user to be with privilege level 15. So I suspect that the issue is with your TACACS+ configuration.

I guess I am gonna have to

keshu1974 — Wed, 19 Nov 2014 05:31:37 GMT

I guess I am gonna have to give up. The same config works on all the other gears connecting to the same tacacs server, only this particular 7609 show this issue. I think I hit a bug. Thank you for all your help so far.

Ah, I did not know that only

nspasov — Wed, 19 Nov 2014 08:07:08 GMT

Ah, I did not know that only this device is giving you issues. If you have the same syntax on the other devices then it is very probable that you are hitting a bug. What version of code are you running?

Sorry for the delayed

keshu1974 — Thu, 20 Nov 2014 19:12:38 GMT

Sorry for the delayed response, its

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICES-M), Version 15.2(4)S4a, RELEASE SOFTWARE (fc1)
Compiled Mon 07-Oct-13 21:48 by prod_rel_team

I could not find any bugs

nspasov — Fri, 21 Nov 2014 00:21:29 GMT

I could not find any bugs related to AAA/TACACS+ with that version of code. However, that does not mean that an actual bug does not exist 🙂 I would recommend contacting Cisco and get their input.