Re: NX-API tacacs authorization issues

TODD RIEMENSCHNEIDER · ‎03-19-2015

We have some nexus 9Ks in our environment and I have been testing out the NX-API functionality. One of the things I've noticed is that command authorization in tacacs really seems to have an effect. Especially as it pertains to configuration commands. I've disabled the authorization command in tacacs and now I am able to make configurations changes through the api. The way I wrote the script I'm using my own tacacs user creds so my thought was that the privileges should have been there.

I will do more digging, being new to using APIs I didn't know what to expect when it came to command authorization. Honestly I didn't fully understand what an API configuring the box would look like from the devices perspective.

Curious if anyone has had a similar experience?

Thanks.

Todd

Jason Pfeifer · ‎03-23-2015

Hi,

The NXAPI credentials and authorization should match what is set for CLI commands as well. If you are noticing

different behavior you may be hitting a bug. Are you noticing different behavior if you run the same command on CLI as the same user?

TODD RIEMENSCHNEIDER · ‎03-23-2015

No the commands work if I do it in the cli. The first switch 10.13.0.1 has the following tacacs command removed

aaa authorization config-commands default group TacServer

The second switch 10.13.0.2 does not.

Results from running the python script.

Username : xxxxxx

Password :

10.13.0.1

[{

"jsonrpc": "2.0",

"result": null,

"id": 1

}, {

"jsonrpc": "2.0",

"result": null,

"id": 2

}, {

"jsonrpc": "2.0",

"result": null,

"id": 3

}]

10.13.0.2

[{

"jsonrpc": "2.0",

"result": null,

"id": 1

}, {

"jsonrpc": "2.0",

"error": {

"code": -32602,

"message": "Invalid params",

"data": {

"msg": "Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)\n"

}

},

"id": 2

}, {

"jsonrpc": "2.0",

"error": {

"code": -32008,

"message": "Command not ran due to previous failures"

},

"id": 3

}]

You can see the commands worked on 10.13.0.1. Failed on 10.13.0.2. These are the commands I'm running.

payload=[{"jsonrpc": "2.0","method": "cli", "params": {"cmd": "config t", "version": 1}, "id": 1},

{"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "interface loopback 12","version": 1},"id": 2},

{"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "description nxapi script test","version": 1},"id": 3}]

10.13.0.1 - output

lab-cmh1-dc-ds3# sh run int loop12

!Command: show running-config interface loopback12
!Time: Mon Mar 23 15:37:28 2015

version 6.1(2)I3(1)

interface loopback12
description nxapi script test

10.13.0.2 - did not implement the commands from the nxapi script.

Here's the commands entered manually.

lab-cmh1-dc-ds4# config t
Enter configuration commands, one per line. End with CNTL/Z.
lab-cmh1-dc-ds4(config)# int loopback 12
lab-cmh1-dc-ds4(config-if)# description nxapi script test
lab-cmh1-dc-ds4(config-if)# end
lab-cmh1-dc-ds4# sh run int loop12

!Command: show running-config interface loopback12
!Time: Mon Mar 23 15:35:49 2015

version 6.1(2)I3(1)

interface loopback12
description nxapi script test

Looking buggy to me.

Todd

Javier Henderson · ‎03-26-2015

It will be interesting to see the reason given by the TACACS+ server for denying authorization for those commands, plus debug output on the switch for TACACS+.

Samuel Womack · ‎10-28-2016

I'm running into this issue as well..same response from Nexus..

TODD RIEMENSCHNEIDER · ‎01-14-2017

Curious if you found anything out? Thanks.

Samuel Womack · ‎02-02-2017

We did..

CSCvc36118

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc36118/?reffering_site=dumpcr

TODD RIEMENSCHNEIDER · ‎02-02-2017

Wow. Thanks for the information. Good to finally have some closure on the issue,.

Samuel Womack · ‎02-02-2017

Based on what I've heard the fix is coming in April(ish) in 8.1.x of NXOS