11-15-2013 05:14 AM - edited 03-10-2019 09:06 PM
Hi,
When I use the aaa commands below and try to authenticate, I am able to authenticate against TACACS+, but then when I do "sh run" I get the message "Command authorization failed." Please advise.
Test-Switch#sh run
Command authorization failed.
aaa new-model
aaa authentication login NETWORK_ACCESS group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host IP-Address key String
line vty 0 4
transport input telnet ssh
login authentication NETWORK_ACCESS
exec-timeout 10
BUT as soon as I change the aaa configuration as below, I am able to run sh run commands as usual without any error.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default none
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec no_tacacs local if-authenticated
aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa session-id common
Please advise. Thanks, it's urgent.
11-16-2013 08:01 AM
To approach the issue from a slightly different perspective - your original set of commands instructs the router to send an authorization request to TACACS for every level 15 command, which includes show run. Your TACACS server was not configured to authorize your use of show run and so your attempt to show run was rejected.
Your revised set of commands does not send authorization requests to TACACS for level 15 commands (or for other levels of commands, for that matter) and so there is no issue here with doing show run.
As far as I can tell, your revised set of commands is saying do not do any authorization for commands. You could achieve this result just as easily (and with less complication in your configuration) if you just removed the aaa authorization commands lines from your config.
HTH
Rick
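As an added illustration (not from the thread, and not Cisco's own code), here is a small Python model of how IOS picks a command-authorization method list and walks its methods. It reproduces both behaviours Rick describes and also shows a caveat worth knowing: the `none` after `group tacacs+` in the original config is reached only when the server is unreachable, never when the server answers deny. The config lines are the thread's own; the model is simplified (a named list such as no_tacacs is assumed to apply to a line only when that line references it, otherwise the `default` list is used).

```python
import re

# Constructed sample: the command-authorization lines from the two AAA
# configurations quoted in the thread (other aaa lines omitted).
ORIGINAL_CFG = """\
aaa authorization commands 15 default group tacacs+ none
"""
REVISED_CFG = """\
aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none
"""

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")

def parse_methods(tokens):
    """Fold 'group <name>' into one method; every other method is one token."""
    methods, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def command_lists(config):
    """Map (privilege level, method-list name) -> ordered list of methods."""
    lists = {}
    for line in config.splitlines():
        m = CMD_AUTHZ.match(line.strip())
        if m:
            lists[(int(m.group(1)), m.group(2))] = parse_methods(m.group(3).split())
    return lists

def authz_outcome(config, level, line_list=None, server_reply="deny"):
    """Decision for a level-N command on a line using line_list (None = 'default').
    server_reply models the TACACS+ answer: 'permit', 'deny' or 'unreachable'."""
    methods = command_lists(config).get((level, line_list or "default"))
    if methods is None:
        return "permit", "no command-authorization list applies, nothing is checked"
    for method in methods:
        if method.startswith("group "):
            # A server deny is final; the next method is tried only on an error.
            if server_reply != "unreachable":
                return server_reply, f"{method} answered {server_reply}"
        elif method in ("none", "if-authenticated"):
            return "permit", f"fell through to '{method}'"
    return "deny", "every configured method errored out"
```

Note the trade-off the original method list makes: if the TACACS+ server goes down, the `none` fallback authorizes every level 15 command, so server availability and accounting records matter as much as the ACS command set itself.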
11-16-2013 12:12 AM
hi,
It's because of the following config:
aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none
The NAS sees it as having to authorize the exec commands for privilege levels 0, 1 through 15 against a group of servers called "no_tacacs".
If you have defined the "no_tacacs" server group on the NAS, then it must be sending out the command authorization packets to the servers defined in that group.
If there is no command set associated with the rule configured on the TACACS shell profile on the ACS, or if it does not have the "show running-config" command permitted, your user will definitely fail the command authorization.
Please enable "debug tacacs authorization" or "debug aaa authorization" to check which server the request is being sent to, and on that server check whether the corresponding rule contains the "show running-config" command permitted.
Thanks,
Prateek
11-17-2013 07:38 AM
Thanks Richard for making me understand that ACS needs configuration to allow authentication of commands. As soon as I configured ACS Group Setup -> "Shell Command Authorization Set" -> Assign a Shell Command Authorization Set for any network device -> ReadWriteAccess, ACS was able to authenticate all commands.
I am using the final script below for Full Access, ReadOnlyAccess & Limited Access users, as this script is clearer and more accurate:
aaa new-model
aaa authentication login NETWORK_ACCESS group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
If anyone gets stuck with ACS Shell Command Authorization Sets on IOS, below is a very useful document:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1
Richard, please further confirm whether my final script is secure enough or not?
11-17-2013 06:11 PM
Your final script looks good to me and should help provide security for your devices. Thank you for the link to the helpful document. And thank you for marking this question as answered. I am glad that my response was helpful to you.
HTH
Rick