ACE and AAA (TACACS) part 2

dirk.barnekow
Level 1

Hi there,

I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I got the message "authorization failed". Here is the aaa debug from the switch:

Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1

Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"

Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell

Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*

Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED

Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS

Any idea what's wrong??

Best regards Dirk

6 Replies

Roble Mumin
Level 3

Unfortunately I use RADIUS to authenticate all my devices, so I have not much experience with your problem. But I suggest you post that question in the Security->AAA section of the forums, where it will probably be more successful in getting a good answer.

Interesting though is the following line.

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin

Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin

It looks like the same parameter can be used on switches or routers for authentication, and this one value seems not to be expected. So you might either find a way to disable the parsing of that argument, or maybe add a second argument to satisfy the "regular" Cisco devices.

Another approach might be to limit the transmission of this value only to ACS->ACE communication, but I don't know if that is possible with the ACS.

Roble

harrjd222
Level 1

Try creating a new custom service in TACACS.

Call it something like ace_modules and use "common" for the protocol.

This fixed my issue. The only problem I have now is I only get network-monitor privileges when I log in. Can you post your tacacs/aaa config for me to compare with mine?

Hi,

I've got the following info from a user here in the forum:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045

[quote]

The user profile attribute serves an important configuration function for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.

[quote end]

In this way I configured the ACS...

Be careful with the attribute... because if you set it in the way the documentation describes, you will not be authorized at other devices using tacacs+.

You have to set the attribute in this way:

shell:* - this works for both switches / ACE

shell:= - this works only for the ACE

Then the attribute is marked as optional and only the ACE cares about it.

Regards Dirk

I tried using both. shell:*

The = also broke access to the rest of my switches, so * works for both. But I still cannot get logged in with anything but network-monitor privileges. I am not sure what's wrong? Can someone please post their ACE tacacs config for me to compare.

Hi,

The attribute must be case-sensitive...

shell:admin*admin doesn't work..

shell:Admin*Admin - this is working for me...

Regards Dirk
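As an added illustration (not from the original thread or from Cisco), the Python below models the two behaviours discussed in Dirk's replies: the IOS switch fails EXEC authorization on an unknown mandatory AV pair ("=" separator) but ignores an unknown optional one ("*" separator), while the ACE reads its role from the shell:Admin attribute case-sensitively and otherwise falls back to Network-Monitor. The set of AV attributes IOS recognizes is an assumed subset, and the sample debug lines are constructed after the ones posted above.

```python
"""Simplified model of TACACS+ authorization AV pair handling (added example).
Separator rule is from the TACACS+ protocol: '=' marks a mandatory AV, '*' an
optional one. IOS/ACE behaviour below is a simplified model of the thread."""
import re

AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

# AV attributes an IOS EXEC authorization understands (assumed subset,
# taken from the AVs that appear in the posted debug output).
IOS_KNOWN = {"service", "cmd", "priv-lvl"}

def parse_av(av):
    """Split 'attr=value' / 'attr*value' into (attr, mandatory, value)."""
    m = AV_RE.match(av)
    if not m:
        raise ValueError("malformed AV pair: %r" % av)
    attr, sep, value = m.groups()
    return attr, sep == "=", value

def avs_from_debug(lines):
    """Pull the AV pairs out of 'AAA/AUTHOR/EXEC: Processing AV ...' debug lines."""
    tag = "Processing AV "
    return [ln[ln.find(tag) + len(tag):].strip() for ln in lines if tag in ln]

def ios_exec_authorize(avs, known=IOS_KNOWN):
    """IOS rule: unknown mandatory AV -> FAILED, unknown optional AV -> ignored."""
    applied = {}
    for av in avs:
        attr, mandatory, value = parse_av(av)
        if attr in known:
            applied[attr] = value
        elif mandatory:
            return "FAILED", "received unknown mandatory AV: " + av, applied
    return "PASS_ADD", None, applied

def ace_role(avs, default="Network-Monitor"):
    """ACE rule: role comes from the shell:Admin attribute (case-sensitive), else the default."""
    for av in avs:
        attr, _, value = parse_av(av)
        if attr == "shell:Admin":
            return value
    return default

# Constructed sample: the AV set the switch logged, with mandatory and optional custom attribute.
MANDATORY_AVS = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin=Admin"]
OPTIONAL_AVS = ["service=shell", "cmd*", "priv-lvl=15", "shell:Admin*Admin"]
SAMPLE_DEBUG = [
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell",
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15",
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin",
]
```

Running ios_exec_authorize(avs_from_debug(SAMPLE_DEBUG)) reproduces the "received unknown mandatory AV" failure from the first post, and the same AVs with "*" pass on IOS while still giving the ACE the Admin role.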

Hi,

The attribute shell:Admin*Admin runs great, but I now have a problem on my ACS server.

If I connect to an ACE module, there is first a "password invalid" message in the Failed Attempts log, before login.

03/28/2008,15:09:37,b-slsv9000-01,Authen failed,RZ,10.x.x.x,,ACS password invalid,,,172.x.x.x,opaetzold,1,ACE-Test

After login there is a "Passed Authentication" message in the Passed Authentications log.

03/28/2008,15:09:39,Authen OK,opaetzold,ACE-Test,172.x.x.x,,10.x.x.x,RZ,

Our corporate rules disable a user after 3 attempts, so after two bad passwords my user is disabled.

I'm running ACS 4.1(1) Build 23 Patch 5.

Does anyone have an idea?

Greets Oliver
