08-15-2024 02:38 PM - edited 08-15-2024 02:45 PM
I configured a 2960x not to require authentication on the console port.
aaa authentication login NoPassword none
line con 0
exec-timeout 0 0
privilege level 15
login authentication NoPassword
stopbits 1
But on firmware version 15.2(7)E10 if I also have the default authorization policy (see below) I cannot connect via console. I get the error "% Authorization failed.". But on 15.2(7)E7 it does work.
aaa authorization exec default local
Furthermore, I created a new aaa authorization policy with none and applied it on the line, and it is still not working.
aaa authentication login NoPassword none
aaa authorization console
aaa authorization exec NoPassword none
line con 0
exec-timeout 0 0
authorization exec NoPassword
login authentication NoPassword
stopbits 1
Debug aaa authorization shows that the switch is somehow still using the default list.
Aug 15 16:32:57.000: AAA/BIND(00000022): Bind i/f
Aug 15 16:32:57.000: AAA/AUTHEN/LOGIN (00000022): Pick method list 'NoPassword'
Aug 15 16:32:57.000: AAA/AUTHOR (0x22): Pick method list 'default'
Aug 15 16:32:57.000: AAA/AUTHOR/EXEC(00000022): Authorization FAILED
On 15.2(7)E7 we can see the authentication flow doesn't touch the authorization policy at all.
Aug 15 13:37:43.088: AAA/BIND(00000014): Bind i/f
Aug 15 13:37:43.088: AAA/AUTHEN/LOGIN (00000014): Pick method list 'NoPassword'
When I remove the default authorization entry the console login flow on 15.2(7)E10 looks like this
Aug 15 16:43:04.517: AAA/BIND(00000025): Bind i/f
Aug 15 16:43:04.520: AAA/AUTHEN/LOGIN (00000025): Pick method list 'NoPassword'
Aug 15 16:43:04.520: AAA/AUTHOR (00000025): Method list id=0 not configured. Skip author
Aug 15 16:43:12.661: AAA/AUTHOR: auth_need : user= '' ruser= '<>'rem_addr= '127.0.0.5' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Aug 15 16:43:12.661: AAA: parse name=tty2 idb type=-1 tty=-1
Aug 15 16:43:12.661: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Aug 15 16:43:12.661: AAA/MEMORY: create_user (0xEEFF104) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='127.0.0.5' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): port='tty2' list='' action=LOGIN service=ENABLE
Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): console enable - default to enable password (if any)
Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): Method=ENABLE
Aug 15 16:43:12.661: AAA/AUTHEN(1151806892): can't find any passwords
Aug 15 16:43:12.661: AAA/AUTHEN (1151806892): status = ERROR
Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): Method=NONE
Aug 15 16:43:12.661: AAA/AUTHEN (1151806892): status = PASS
Aug 15 16:43:12.661: AAA/MEMORY: free_user (0xEEFF104) user='NULL' ruser='NULL' port='tty2' rem_addr='127.0.0.5' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
But on 15.2(7)E7 it looks like this
Aug 15 13:45:44.052: AAA/BIND(00000017): Bind i/f
Aug 15 13:45:44.052: AAA/AUTHEN/LOGIN (00000017): Pick method list 'NoPassword'
Aug 15 13:45:49.872: AAA: parse name=tty0 idb type=-1 tty=-1
Aug 15 13:45:49.872: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Aug 15 13:45:49.872: AAA/MEMORY: create_user (0xC60F7EC) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): port='tty0' list='' action=LOGIN service=ENABLE
Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): console enable - default to enable password (if any)
Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=ENABLE
Aug 15 13:45:49.876: AAA/AUTHEN(1746517121): can't find any passwords
Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = ERROR
Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=NONE
Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = PASS
Aug 15 13:45:49.876: AAA/MEMORY: free_user (0xC60F7EC) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
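A small parser for the `debug aaa authentication` / `debug aaa authorization` output quoted above, added here as an example and not part of the original post. It groups the debug lines by AAA session id and reports, per console login, which authentication list was picked, which exec authorization list the switch actually used, and whether that matches the list applied on `line con 0`. One detail worth knowing: the same session appears as zero-padded hex in the `AAA/AUTHEN/LOGIN` and `AAA/BIND` lines (`00000022`) and as `0x`-prefixed hex in the `AAA/AUTHOR` line (`0x22`), so the parser normalises both to an integer before correlating. The sample log is constructed from the lines in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the relevant debug lines from the three console logins
# quoted in the thread (sessions 0x22, 0x14 and 0x25), one login per session id.
SAMPLE_LOG = """\
Aug 15 16:32:57.000: AAA/BIND(00000022): Bind i/f
Aug 15 16:32:57.000: AAA/AUTHEN/LOGIN (00000022): Pick method list 'NoPassword'
Aug 15 16:32:57.000: AAA/AUTHOR (0x22): Pick method list 'default'
Aug 15 16:32:57.000: AAA/AUTHOR/EXEC(00000022): Authorization FAILED
Aug 15 13:37:43.088: AAA/BIND(00000014): Bind i/f
Aug 15 13:37:43.088: AAA/AUTHEN/LOGIN (00000014): Pick method list 'NoPassword'
Aug 15 16:43:04.517: AAA/BIND(00000025): Bind i/f
Aug 15 16:43:04.520: AAA/AUTHEN/LOGIN (00000025): Pick method list 'NoPassword'
Aug 15 16:43:04.520: AAA/AUTHOR (00000025): Method list id=0 not configured. Skip author
"""

# Session id: "(00000022)" in AUTHEN/BIND lines, "(0x22)" in AAA/AUTHOR lines.
# Both are hex for the same session, so capture the hex digits and int(..., 16) them.
_SID = r"\((?:0x)?([0-9A-Fa-f]{1,8})\)"
_RE_AUTHEN = re.compile(r"AAA/AUTHEN/LOGIN\s*" + _SID + r": Pick method list '([^']+)'")
_RE_AUTHOR_PICK = re.compile(r"AAA/AUTHOR\s*" + _SID + r": Pick method list '([^']+)'")
_RE_AUTHOR_SKIP = re.compile(
    r"AAA/AUTHOR\s*" + _SID + r": Method list id=\d+ not configured\. Skip author"
)
_RE_AUTHOR_EXEC = re.compile(r"AAA/AUTHOR/EXEC\s*" + _SID + r": Authorization (\w+)")


@dataclass
class Session:
    sid: int
    authen_list: Optional[str] = None   # list picked by AAA/AUTHEN/LOGIN
    author_list: Optional[str] = None   # list picked by AAA/AUTHOR for exec
    author_skipped: bool = False        # "Method list id=0 not configured. Skip author"
    author_result: Optional[str] = None # FAILED / PASSED from AAA/AUTHOR/EXEC


def parse_sessions(log: str) -> Dict[int, Session]:
    """Correlate debug lines by normalised session id."""
    sessions: Dict[int, Session] = {}

    def get(raw_hex: str) -> Session:
        sid = int(raw_hex, 16)
        return sessions.setdefault(sid, Session(sid))

    for line in log.splitlines():
        if m := _RE_AUTHEN.search(line):
            get(m.group(1)).authen_list = m.group(2)
        elif m := _RE_AUTHOR_PICK.search(line):
            get(m.group(1)).author_list = m.group(2)
        elif m := _RE_AUTHOR_SKIP.search(line):
            get(m.group(1)).author_skipped = True
        elif m := _RE_AUTHOR_EXEC.search(line):
            get(m.group(1)).author_result = m.group(2)
    return sessions


def diagnose(s: Session, expected_author_list: Optional[str]) -> str:
    """One-line verdict: was the list applied on the console line honoured,
    and did exec authorization pass?"""
    if s.author_skipped:
        return "exec authorization skipped (no list configured)"
    if s.author_list is None:
        return "no exec authorization attempted"
    if expected_author_list and s.author_list != expected_author_list:
        verdict = f"line list '{expected_author_list}' ignored; switch picked '{s.author_list}'"
    else:
        verdict = f"picked '{s.author_list}'"
    if s.author_result:
        verdict += f"; authorization {s.author_result}"
    return verdict


if __name__ == "__main__":
    # 'NoPassword' is the list applied with "authorization exec NoPassword" on line con 0
    for sid, sess in sorted(parse_sessions(SAMPLE_LOG).items()):
        print(f"session 0x{sid:x}: authen={sess.authen_list!r} -> {diagnose(sess, 'NoPassword')}")
```

Run against a full `show logging` or terminal capture taken with both debugs enabled; a session reported as "line list 'NoPassword' ignored; switch picked 'default'" is the symptom from the thread, while "skipped (no list configured)" is what the E10 output shows once `aaa authorization exec default local` is removed.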
08-15-2024 03:27 PM
aaa authorization console <<- add this command and check authz
MHM
08-15-2024 07:16 PM
@MHM Cisco World thank you, but I already added that command prior to posting here (see my third code block).
Thanks again
08-15-2024 08:45 PM
AAA authorization is disabled on the console by default. If AAA authorization is enabled on the console, disable it by configuring the no aaa authorization console command during the AAA configuration stage. AAA should be disabled on the console for user authentication.
The logs also tell that it is looking for an enable password but none is configured.
Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): console enable - default to enable password (if any)
Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=ENABLE
Aug 15 13:45:49.876: AAA/AUTHEN(1746517121): can't find any passwords
Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = ERROR
08-20-2024 07:03 AM - edited 08-20-2024 07:03 AM
@poongarg These lines in the logs are from when I did no aaa authorization console and no aaa authorization exec default, and I'm actually able to log in (albeit not in exec mode). If you look further down the logs you can notice it passing authentication:
Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = PASS
Update:
This is weird, now on 15.2(7)E7 I'm getting the same error.
Update2:
I've managed to make it work by adding the below config
aaa authorization exec default none
line vty 0 15
privilege level 15
line con 0
privilege level 15
This doesn't explain the behavior and the fact that the custom authorization list is ignored, and that I'm getting conflicting results on the same firmware, but it works now so I'll leave it as is.