topic Authentication passed - authorization failed - IOS bug? in Network Access Control

Authentication passed - authorization failed - IOS bug?

Eric Varner — Mon, 11 Mar 2019 04:20:19 GMT

Bear with me as I cut/paste information gathered while trying to find a solution to our agency issue.

Platforms: Cisco 2821 Router & Cisco 2911 Router

Will provide IOS level/revision at the start of each segment.

Problem discussion: We use TACACS+ to authenticate end-users at remote locations and depending on which group they belong will determine if they have Internet access or Intranet Only access.

2821 with IOS: c2800nm-advsecurityk9-mz.124-20.T2

Has no issue authenticating and authorizing end-users. However, with the 200+ remote sites we have noticed an issue with auth cache not clearning correctly and we are spending a lot of time clearing IP addresses from the router manually. Thus, the hunt for an updated IOS that might be better suited and alleviate the cache clear issue. We have tested two routers with IOS c2800nm-advsecurityk9-mz.151-4.M7 and have not had to clear auth cache from these routers in over a month using ACS server 4.2 Now, here's where things get interesting. We are currently using ACS 4.2, but have two new 5.4 ACS appliances that will work in conjuntion with AD for end-user authentication (leaving authorization to ACS). The two routers with 15.1 code will not work. They authenticate just fine, but fail during authorization. I can load the old IOS on the router with the same exact config and it will work just fine. I've tried c2800nm-advsecurityk9-mz.150-1.M10 code and it does indeed work (authorization), but we still have the same issue with clearing auth cache IP addresses.

Here's the working 15.0 code debug: (tacacs/aaa authentication and authorization) using ACS 5.4

[Debug TACACS & AAA authentication and authorization] <I've changed the workstation IP address to something other than production>

Jan 29 13:47:28.361: AAA: parse name=GigabitEthernet0/1 idb type=-1 tty=-1

Jan 29 13:47:28.361: AAA: name=GigabitEthernet0/1 flags=0x15 type=22 shelf=0 slot=0 adapter=0 port=1 channel=0

Jan 29 13:47:28.361: AAA: parse name=<no string> idb type=-1 tty=-1

Jan 29 13:47:28.361: AAA/MEMORY: create_user (0x45667B40) user='NULL' ruser='NULL' ds0=0 port='GigabitEthernet0/1' rem_addr='192.168.1.11' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)

Jan 29 13:47:28.361: AAA/AUTHEN/START (3899021442): port='GigabitEthernet0/1' list='default' action=LOGIN service=LOGIN

Jan 29 13:47:28.361: AAA/AUTHEN/START (3899021442): found list default

Jan 29 13:47:28.361: AAA/AUTHEN/START (3899021442): Method=LOCAL

Jan 29 13:47:28.365: AAA/AUTHEN (3899021442): status = GETUSER

Jan 29 13:47:28.365: AAA/AUTHEN/CONT (3899021442): continue_login (user='(undef)')

Jan 29 13:47:28.365: AAA/AUTHEN (3899021442): status = GETUSER

Jan 29 13:47:28.365: AAA/AUTHEN/CONT (3899021442): Method=LOCAL

Jan 29 13:47:28.365: AAA/AUTHEN(3899021442): User not found, emulating local-override

Jan 29 13:47:28.365: AAA/AUTHEN (3899021442): status = ERROR

Jan 29 13:47:28.365: AAA/AUTHEN/START (3776193362): port='GigabitEthernet0/1' list='' action=LOGIN service=LOGIN

Jan 29 13:47:28.365: AAA/AUTHEN/START (3776193362): Restart

Jan 29 13:47:28.365: AAA/AUTHEN/START (3776193362): Method=TACACS_GRP1 (tacacs+)

Jan 29 13:47:28.365: TAC+: send AUTHEN/START packet ver=192 id=-518773934

Jan 29 13:47:28.365: TAC+: Using default tacacs server-group "TACACS_GRP1" list.

Jan 29 13:47:28.365: TAC+: Opening TCP/IP to 192.168.1.2/49 timeout=2

Jan 29 13:47:28.365: TAC+: Opened TCP/IP handle 0x470E8E58 to 192.168.1.2/49

Jan 29 13:47:28.365: TAC+: 10.2.22.20 (3776193362) AUTHEN/START/LOGIN/ASCII queued

Jan 29 13:47:28.565: TAC+: (3776193362) AUTHEN/START/LOGIN/ASCII processed

Jan 29 13:47:28.565: TAC+: ver=192 id=-518773934 received AUTHEN status = GETPASS

Jan 29 13:47:28.565: AAA/AUTHEN (3776193362): status = GETPASS

Jan 29 13:47:28.565: AAA/AUTHEN/CONT (3776193362): continue_login (user='testuser')

Jan 29 13:47:28.565: AAA/AUTHEN (3776193362): status = GETPASS

Jan 29 13:47:28.565: AAA/AUTHEN (3776193362): Method=TACACS_GRP1 (tacacs+)

Jan 29 13:47:28.565: TAC+: send AUTHEN/CONT packet id=-518773934

Jan 29 13:47:28.565: TAC+: 192.168.1.2 (3776193362) AUTHEN/CONT queued

Jan 29 13:47:28.765: TAC+: (3776193362) AUTHEN/CONT processed

Jan 29 13:47:28.765: TAC+: ver=192 id=-518773934 received AUTHEN status = PASS

Jan 29 13:47:28.765: AAA/AUTHEN (3776193362): status = PASS

Jan 29 13:47:28.765: TAC+: Closing TCP/IP 0x470E8E58 connection to 192.168.1.2/49

Jan 29 13:47:28.765: GigabitEthernet0/1 AAA/AUTHOR/HTTP (2372033975): Port='GigabitEthernet0/1' list='default' service=AUTH-PROXY

Jan 29 13:47:28.765: AAA/AUTHOR/HTTP: GigabitEthernet0/1 (2372033975) user='testuser'

Jan 29 13:47:28.765: GigabitEthernet0/1 AAA/AUTHOR/HTTP (2372033975): send AV service=auth-proxy

Jan 29 13:47:28.765: GigabitEthernet0/1 AAA/AUTHOR/HTTP (2372033975): send AV cmd*

Jan 29 13:47:28.765: GigabitEthernet0/1 AAA/AUTHOR/HTTP(2372033975): found list "default"

Jan 29 13:47:28.765: GigabitEthernet0/1 AAA/AUTHOR/HTTP (2372033975): Method=TACACS_GRP1 (tacacs+)

Jan 29 13:47:28.765: AAA/AUTHOR/TAC+: (2372033975): user=he00020

Jan 29 13:47:28.765: AAA/AUTHOR/TAC+: (2372033975): send AV service=auth-proxy

Jan 29 13:47:28.765: AAA/AUTHOR/TAC+: (2372033975): send AV cmd*

Jan 29 13:47:28.765: TAC+: using previously set server 192.168.1.2 from group TACACS_GRP1

Jan 29 13:47:28.765: TAC+: lookup 192.168.1.2 in DNS local cache

Jan 29 13:47:28.765: TAC+: Using default tacacs server-group "TACACS_GRP1" list.

Jan 29 13:47:28.765: TAC+: Opening TCP/IP to 192.168.1.2/49 timeout=2

Jan 29 13:47:28.765: TAC+: Opened TCP/IP handle 0x470E24F4 to 192.168.1.2/49

Jan 29 13:47:28.765: TAC+: 192.168.1.2 (2372033975) AUTHOR/START queued

Jan 29 13:47:28.965: TAC+: (2372033975) AUTHOR/START processed

Jan 29 13:47:28.965: TAC+: (-1922933321): received author response status = PASS_ADD

Jan 29 13:47:28.965: TAC+: Closing TCP/IP 0x470E24F4 connection to 192.168.1.2/49

Jan 29 13:47:28.965: TAC+: Received Attribute "priv-lvl=15"

Jan 29 13:47:28.965: TAC+: Received Attribute "proxyacl#1=permit ip any any"

Jan 29 13:47:28.965: AAA/AUTHOR (2372033975): Post authorization status = PASS_ADD

Jan 29 13:47:31.969: %AP-6-AUTH_PROXY_AUDIT_START: initiator (192.168.1.11) start

This is the same router with the same config but updated IOS (15.1) and using ACS 5.4

[Debug TACACS & AAA authentication and authorization] FAILED TEST

Jan 29 15:06:27.726: AAA/BIND(00000010): Bind i/f

Jan 29 15:06:27.730: AAA/AUTHEN/AUTH-PROXY (00000010): Pick method list 'default'

Jan 29 15:06:27.730: TPLUS: Queuing AAA Authentication request 16 for processing

Jan 29 15:06:27.730: TPLUS: processing authentication start request id 16

Jan 29 15:06:27.730: TPLUS: Authentication start packet created for 16(testuser)

Jan 29 15:06:27.730: TPLUS: Using server 192.168.1.2

Jan 29 15:06:27.734: TPLUS(00000010)/0/NB_WAIT/47823D9C: Started 2 sec timeout

Jan 29 15:06:27.734: TPLUS(00000010)/0/NB_WAIT: socket event 2

Jan 29 15:06:27.734: TPLUS(00000010)/0/NB_WAIT: wrote entire 27 bytes request

Jan 29 15:06:27.734: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.734: TPLUS(00000010)/0/READ: Would block while reading

Jan 29 15:06:27.742: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.742: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16 bytes data)

Jan 29 15:06:27.742: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.742: TPLUS(00000010)/0/READ: read entire 28 bytes response

Jan 29 15:06:27.742: TPLUS(00000010)/0/47823D9C: Processing the reply packet

Jan 29 15:06:27.742: TPLUS: Received authen response status GET_PASSWORD (8)

Jan 29 15:06:27.742: TPLUS: Queuing AAA Authentication request 16 for processing

Jan 29 15:06:27.742: TPLUS: processing authentication continue request id 16

Jan 29 15:06:27.742: TPLUS: Authentication continue packet generated for 16

Jan 29 15:06:27.742: TPLUS(00000010)/0/WRITE/47823D9C: Started 2 sec timeout

Jan 29 15:06:27.742: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request

Jan 29 15:06:27.766: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.766: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes data)

Jan 29 15:06:27.766: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.766: TPLUS(00000010)/0/READ: read entire 18 bytes response

Jan 29 15:06:27.770: TPLUS(00000010)/0/47823D9C: Processing the reply packet

Jan 29 15:06:27.770: TPLUS: Received authen response status PASS (2)

Jan 29 15:06:27.770: AAA/AUTHOR (0x10): Pick method list 'default'

Jan 29 15:06:27.770: TPLUS: Queuing AAA Authorization request 16 for processing

Jan 29 15:06:27.770: TPLUS: processing authorization request id 16

Jan 29 15:06:27.770: TPLUS: Sending AV service=auth-proxy

Jan 29 15:06:27.770: TPLUS: Sending AV protocol=ip

Jan 29 15:06:27.770: TPLUS: Authorization request created for 16(testuser)

Jan 29 15:06:27.770: TPLUS: using previously set server 192.168.1.2 from group TACACS_GRP1

Jan 29 15:06:27.774: TPLUS(00000010)/0/NB_WAIT/47823D9C: Started 2 sec timeout

Jan 29 15:06:27.774: TPLUS(00000010)/0/NB_WAIT: socket event 2

Jan 29 15:06:27.774: TPLUS(00000010)/0/NB_WAIT: wrote entire 58 bytes request

Jan 29 15:06:27.774: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.774: TPLUS(00000010)/0/READ: Would block while reading

Jan 29 15:06:27.778: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:27.778: TPLUS(00000010)/0/READ: read 0 bytes

Jan 29 15:06:29.774: TPLUS(00000010)/0/READ/47823D9C: timed out

Jan 29 15:06:29.774: TPLUS: Sending AV service=auth-proxy

Jan 29 15:06:29.774: TPLUS: Sending AV protocol=ip

Jan 29 15:06:29.774: TPLUS: Authorization request created for 16(testuser)

Jan 29 15:06:29.774: TPLUS(00000010)/0/READ/47823D9C: timed out, clean up

Jan 29 15:06:29.774: TPLUS(00000010)/0/47823D9C: Processing the reply packet - FAIL

Jan 29 15:06:29.802: AAA/AUTHEN/AUTH-PROXY (00000010): Pick method list 'default'

Jan 29 15:06:29.806: TPLUS: Queuing AAA Authentication request 16 for processing

Jan 29 15:06:29.806: TPLUS: processing authentication start request id 16

Jan 29 15:06:29.806: TPLUS: Authentication start packet created for 16(testuser)

Jan 29 15:06:29.806: TPLUS: Using server 192.168.1.2

Jan 29 15:06:29.810: TPLUS(00000010)/0/NB_WAIT/478F7640: Started 2 sec timeout

Jan 29 15:06:29.810: TPLUS(00000010)/0/NB_WAIT: socket event 2

Jan 29 15:06:29.810: TPLUS(00000010)/0/NB_WAIT: wrote entire 27 bytes request

Jan 29 15:06:29.810: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.810: TPLUS(00000010)/0/READ: Would block while reading

Jan 29 15:06:29.814: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.814: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16 bytes data)

Jan 29 15:06:29.814: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.814: TPLUS(00000010)/0/READ: read entire 28 bytes response

Jan 29 15:06:29.814: TPLUS(00000010)/0/478F7640: Processing the reply packet

Jan 29 15:06:29.814: TPLUS: Received authen response status GET_PASSWORD (8)

Jan 29 15:06:29.818: TPLUS: Queuing AAA Authentication request 16 for processing

Jan 29 15:06:29.818: TPLUS: processing authentication continue request id 16

Jan 29 15:06:29.818: TPLUS: Authentication continue packet generated for 16

Jan 29 15:06:29.818: TPLUS(00000010)/0/WRITE/478F7640: Started 2 sec timeout

Jan 29 15:06:29.818: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request

Jan 29 15:06:29.834: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.834: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes data)

Jan 29 15:06:29.834: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.834: TPLUS(00000010)/0/READ: read entire 18 bytes response

Jan 29 15:06:29.838: TPLUS(00000010)/0/478F7640: Processing the reply packet

Jan 29 15:06:29.838: TPLUS: Received authen response status PASS (2)

Jan 29 15:06:29.838: AAA/AUTHOR (0x10): Pick method list 'default'

Jan 29 15:06:29.838: TPLUS: Queuing AAA Authorization request 16 for processing

Jan 29 15:06:29.838: TPLUS: processing authorization request id 16

Jan 29 15:06:29.838: TPLUS: Sending AV service=auth-proxy

Jan 29 15:06:29.838: TPLUS: Sending AV protocol=ip

Jan 29 15:06:29.838: TPLUS: Authorization request created for 16(testuser)

Jan 29 15:06:29.838: TPLUS: using previously set server 192.168.1.2 from group TACACS_GRP1

Jan 29 15:06:29.842: TPLUS(00000010)/0/NB_WAIT/478F7640: Started 2 sec timeout

Jan 29 15:06:29.842: TPLUS(00000010)/0/NB_WAIT: socket event 2

Jan 29 15:06:29.842: TPLUS(00000010)/0/NB_WAIT: wrote entire 58 bytes request

Jan 29 15:06:29.842: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.842: TPLUS(00000010)/0/READ: Would block while reading

Jan 29 15:06:29.846: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:29.846: TPLUS(00000010)/0/READ: read 0 bytes

Jan 29 15:06:31.838: TPLUS(00000010)/0/READ/478F7640: timed out

Jan 29 15:06:31.838: TPLUS: Sending AV service=auth-proxy

Jan 29 15:06:31.838: TPLUS: Sending AV protocol=ip

Jan 29 15:06:31.838: TPLUS: Authorization request created for 16(testuser)

Jan 29 15:06:31.838: TPLUS(00000010)/0/READ/478F7640: timed out, clean up

Jan 29 15:06:31.838: TPLUS(00000010)/0/478F7640: Processing the reply packet - FAIL

Jan 29 15:06:31.898: AAA/AUTHEN/AUTH-PROXY (00000010): Pick method list 'default'

Jan 29 15:06:31.902: TPLUS: Queuing AAA Authentication request 16 for processing

Jan 29 15:06:31.902: TPLUS: processing authentication start request id 16

Jan 29 15:06:31.902: TPLUS: Authentication start packet created for 16(testuser)

Jan 29 15:06:31.902: TPLUS: Using server 192.168.1.2

Jan 29 15:06:31.906: TPLUS(00000010)/0/NB_WAIT/478F2274: Started 2 sec timeout

Jan 29 15:06:31.906: TPLUS(00000010)/0/NB_WAIT: socket event 2

Jan 29 15:06:31.906: TPLUS(00000010)/0/NB_WAIT: wrote entire 27 bytes request

Jan 29 15:06:31.906: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.906: TPLUS(00000010)/0/READ: Would block while reading

Jan 29 15:06:31.910: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.910: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16 bytes data)

Jan 29 15:06:31.910: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.910: TPLUS(00000010)/0/READ: read entire 28 bytes response

Jan 29 15:06:31.910: TPLUS(00000010)/0/478F2274: Processing the reply packet

Jan 29 15:06:31.910: TPLUS: Received authen response status GET_PASSWORD (8)

Jan 29 15:06:31.910: TPLUS: Queuing AAA Authentication request 16 for processing

Jan 29 15:06:31.914: TPLUS: processing authentication continue request id 16

Jan 29 15:06:31.914: TPLUS: Authentication continue packet generated for 16

Jan 29 15:06:31.914: TPLUS(00000010)/0/WRITE/478F2274: Started 2 sec timeout

Jan 29 15:06:31.914: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request

Jan 29 15:06:31.930: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.930: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6 bytes data)

Jan 29 15:06:31.934: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.934: TPLUS(00000010)/0/READ: read entire 18 bytes response

Jan 29 15:06:31.934: TPLUS(00000010)/0/478F2274: Processing the reply packet

Jan 29 15:06:31.934: TPLUS: Received authen response status PASS (2)

Jan 29 15:06:31.934: AAA/AUTHOR (0x10): Pick method list 'default'

Jan 29 15:06:31.934: TPLUS: Queuing AAA Authorization request 16 for processing

Jan 29 15:06:31.934: TPLUS: processing authorization request id 16

Jan 29 15:06:31.934: TPLUS: Sending AV service=auth-proxy

Jan 29 15:06:31.934: TPLUS: Sending AV protocol=ip

Jan 29 15:06:31.934: TPLUS: Authorization request created for 16(testuser)

Jan 29 15:06:31.934: TPLUS: using previously set server 192.168.1.2 from group TACACS_GRP1

Jan 29 15:06:31.938: TPLUS(00000010)/0/NB_WAIT/478F2274: Started 2 sec timeout

Jan 29 15:06:31.938: TPLUS(00000010)/0/NB_WAIT: socket event 2

Jan 29 15:06:31.938: TPLUS(00000010)/0/NB_WAIT: wrote entire 58 bytes request

Jan 29 15:06:31.938: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.938: TPLUS(00000010)/0/READ: Would block while reading

Jan 29 15:06:31.942: TPLUS(00000010)/0/READ: socket event 1

Jan 29 15:06:31.942: TPLUS(00000010)/0/READ: read 0 bytes

Jan 29 15:06:33.938: TPLUS(00000010)/0/READ/478F2274: timed out

Jan 29 15:06:33.938: TPLUS: Sending AV service=auth-proxy

Jan 29 15:06:33.938: TPLUS: Sending AV protocol=ip

Jan 29 15:06:33.938: TPLUS: Authorization request created for 16(testuser)

Jan 29 15:06:33.938: TPLUS(00000010)/0/READ/478F2274: timed out, clean up

Jan 29 15:06:33.938: TPLUS(00000010)/0/478F2274: Processing the reply packet - FAIL

I've bolded (above) where the problem is and hoping someone much smarter can tell me why it's failing and of course a solution.

I've tried three different routers to eliminate possible hardware issues. Started fresh with a clean slate with no config and then rebuilt it from scratch. Same results.

ACS 5.4 authorization reports this:

13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

But, before anyone pinpoints that as the issue - it's NOT! I know what I have typed in and it matches perfectly 100%. Besides, I can take the code to 15.0 with the EXACT same config and it works just fine on ACS 5.4 (and 4.2)

Authentication passed - authorization failed - IOS bug?

Javier Henderson — Wed, 29 Jan 2014 23:31:42 GMT

Eric,

Would you be able to capture the traffic between the router and ACS? Ideally you'd get two captures, one with each version of IOS, so we can compare both.

We will need the TACACS+ shared key to decode the packet capture, so you may want to make that something trivial while testing (ie, not something you're using on your production routers).

If you prefer, you can send me the packet capture and shared key directly, and we can summarize our findings here for the benefit of anyone else who might be following this thread.

Javier Henderson

Cisco Systems

Authentication passed - authorization failed - IOS bug?

Eric Varner — Thu, 30 Jan 2014 12:59:32 GMT

Javier,

Not a problem and will get the captures to you ASAP (with non-production shared key).

Thank you.

Authentication passed - authorization failed - IOS bug?

blenka — Thu, 30 Jan 2014 22:48:42 GMT

Please go through the link below may help you to touble shooting for the router with version 15

http://www.cisco.com/en/US/products/ps9911/products_tech_note09186a0080bb8100.shtml#p47

Problem: TACACS+ Auth-Proxy authentication is not working on a router running IOS 15.x from ACS 5.x server
TACACS+ Auth-Proxy authentication is not working on a router that runs Cisco IOS Software Release 15.x from an ACS 5.x server.

Solution
TACACS+ Auth-Proxy is only supported after ACS 5.3 patch 5. Upgrade your ACS 5.x, or use RADIUS for Auth-Proxy.

Authentication passed - authorization failed - IOS bug?

Eric Varner — Fri, 31 Jan 2014 12:59:13 GMT

Thank you for the reply.

We are using an ACS appliance Build ID: B.221 with Patches: 5-4-0-46-5

Not sure what upgrade other than what we are at is available??

Authentications works great! Authorizaton fails!

IOS 15.0.x works fine with the above ACS appliance.

IOS 15.1.x does not work with the above ACS appliance (authorization fails)

Please check again (I've already sent the packet captures to Javier).

Thank you.

Authentication passed - authorization failed - IOS bug?

Peter Koltl — Fri, 31 Jan 2014 19:48:28 GMT

Do you really use AAA cache feature? What kind of service do you provide with TACACS? Can you post your config?

Authentication passed - authorization failed - IOS bug?

Eric Varner — Fri, 31 Jan 2014 20:36:27 GMT

This is as much as I can provide.

aaa group server tacacs+ TACACS_GRP1

server 10.x.x.x

server 204.x.x.x.x

server 204.x.x.x

aaa authentication login default local group TACACS_GRP1 enable

aaa authentication login local group TACACS_GRP1 enable

aaa authentication login no_tacacs enable

aaa authorization exec default group TACACS_GRP1

aaa authorization commands 15 default if-authenticated

aaa authorization auth-proxy default group TACACS_GRP1

aaa accounting exec default start-stop group TACACS_GRP1

aaa accounting commands 0 default start-stop group TACACS_GRP1

aaa accounting commands 1 default start-stop group TACACS_GRP1

aaa accounting commands 15 default start-stop group TACACS_GRP1

aaa session-id common

dot11 syslog

no ip source-route

ip cef

no ip bootp server

no ip domain lookup

ip domain name

ip name-server 10.x.x.x

ip auth-proxy auth-proxy-banner http ^Clash:acs.htm ^C

ip auth-proxy auth-proxy-audit

ip auth-proxy inactivity-timer 10

ip auth-proxy absolute-timer 720

ip auth-proxy name ACS http inactivity-time 60 list AUTH_TRAFFIC

ip admission auth-proxy-banner http ^Clash:acs.htm ^C

ip admission auth-proxy-audit

ip admission inactivity-timer 10

ip admission absolute-timer 720

multilink bundle-name authenticated

interface GigabitEthernet0/0

description LAN

ip address x.x.x.x 255.255.252.0

ip access-group ACS_USERS in

ip helper-address x.x.x.x

no ip redirects

no ip unreachables

no ip proxy-arp

ip accounting output-packets

ip auth-proxy ACS

ip policy route-map Traffic

duplex auto

speed auto

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip http server

ip http authentication aaa login-authentication default

ip http authentication aaa exec-authorization default

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip tacacs source-interface GigabitEthernet0/0

ip access-list extended AUTH_TRAFFIC

permit ip 10.0.0.0 0.255.255.255 host x.x.x.x

permit ip 10.0.0.0 0.255.255.255 x.x.x.x. 0.255.255.255

permit ip 10.0.0.0 0.255.255.255 x.x.x.x 0.0.255.255

ip access-list extended ACS_USERS

permit icmp any any

permit udp any eq bootpc any

permit tcp any any established

permit udp any any eq domain

permit tcp any any eq domain

permit udp any any eq snmptrap

permit ip host x.x.x.10 any

permit ip host x.x.x.11 any

permit ip host x.x.x.2 any

permit ip host x.x.x.33 any

permit ip host x.x.x.52 host x.x.x.x

permit ip host x.x.x.50 host x.x.x.x

permit ip host x.x.x.51 host x.x.x.x

permit ip host x.x.x.47 any

permit ip host x.x.x.5 any

permit ip host x.x.x.97 any

permit ip host x.x.x.100 any

permit ip host x.x.x.101 any

permit ip host x.x.x.102 any

permit ip host x.x.x.3 any

permit ip host x.x.x.193 any

permit ip host x.x.x.65 any

permit ip host x.x.x.4 any

permit ip host x.x.x.9 any

permit ip host x.x.x.8 any

deny ip any any

tacacs-server host 10.x.x.x single-connection

tacacs-server host 204.x.x.x. single-connection

tacacs-server host 204.x.x.x single-connection

tacacs-server directed-request

tacacs-server key 123456

_______

Been using this type config to authenticate/authorize end-users for 10yrs. Older code will work with ACS 5.4, but 15.1 code will not work.

Authentication passed - authorization failed - IOS bug?

Eric Varner — Mon, 03 Feb 2014 16:00:32 GMT

Need someone from Cisco to repond via PM with a valid e-mail address so I can send the packet captures.

Thank you.

Authentication passed - authorization failed - IOS bug?

Javier Henderson — Mon, 03 Feb 2014 16:07:53 GMT

PM sent.

Javier Henderson

Cisco Systems