AAA authorization not working

bapatsubodh
Level 1

Hi,

Configured the switch for AAA authentication; it is getting authenticated, but it is failing on authorization.

When connected to the console it worked: authenticated, and then supplied the enable password.

When telnetted: it says "access approved" and "authorization failed".

The relevant switch configuration is as follows, along with the debug output of aaa authorization.

+++++++++++++++++++++++++++++

no service single-slot-reload-enable

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
!

username cisco privilege 15 password 7 05080F1C224233 
!
vlan 10
!
vlan 120
ip subnet-zero
!
vtp mode transparent
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
  switchport access vlan 10
  switchport mode access
  no ip address
  spanning-tree portfast
interface GigabitEthernet0/1
  no ip address
!
interface GigabitEthernet0/2
  no ip address
!
interface Vlan1
  no ip address
  shutdown
!
interface Vlan120
  ip address 10.12.8.70 255.255.255.240
!
ip default-gateway 10.12.8.65
ip classless
ip http server
!
!
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
!
line con 0
line vty 0 4
  password 7 grrfcb7swe
  transport input telnet
line vty 5 15
!
end

Debug output:

Switch#

21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#

Do we need to change anything on the RADIUS server, or can we change the authorization preference to local first and then to RADIUS?

Please share your experience.

Thanks in advance,

Subodh
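As an added example (not from the original post), a small Python parser that groups the `debug aaa` lines above by session id and reports which AAA phase and method rejected the login; the sample trace is a constructed copy of the relevant lines from the post, and the parser assumes the line shapes shown there.

```python
import re

# Constructed sample: the relevant lines of the 'debug aaa' trace from the post,
# one authentication session and the exec-authorization session that follows it.
SAMPLE_DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1'
"""

# Session-tagged AAA lines carry the phase (AUTHEN/AUTHOR) and a numeric session id.
SESSION_RE = re.compile(r"AAA/(AUTHEN|AUTHOR)(?:/\w+)?[ :].*?\((\d+)\)")
USER_RE = re.compile(r"user='([^']*)'")
METHOD_RE = re.compile(r"Method=(\w+)")
STATUS_RE = re.compile(r"status = (PASS|FAIL|ERROR)")

def parse_aaa_debug(text):
    """Group 'debug aaa' lines by session id: phase, user, methods tried, final status."""
    sessions = {}
    for line in text.strip().splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # prompts, AAA/MEMORY lines and untagged lines carry no session id
        kind, sid = m.groups()
        s = sessions.setdefault(sid, {"kind": kind, "user": None, "methods": [], "status": None})
        u = USER_RE.search(line)
        if u and u.group(1).strip() != "(undef)":
            s["user"] = u.group(1).strip()
        mm = METHOD_RE.search(line)
        if mm and (not s["methods"] or s["methods"][-1] != mm.group(1)):
            s["methods"].append(mm.group(1))  # IOS repeats the current method; keep one entry
        st = STATUS_RE.search(line)
        if st:
            s["status"] = st.group(1)
    return sessions

def failed_phases(sessions):
    """(phase, user, method) for every session a server explicitly rejected. A FAIL is a
    definite reject and ends the method list; if-authenticated/local are only reached on ERROR."""
    return [(s["kind"], s["user"], s["methods"][-1] if s["methods"] else None)
            for s in sessions.values() if s["status"] == "FAIL"]
```

Run against the trace in the post, it shows authentication passing via RADIUS and the EXEC authorization session being rejected by the same RADIUS method, so the local fallback is never consulted.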


Hi Subodh,

I understand that you are trying to use command authorization using RADIUS.

aaa authorization commands 15 default group radius if-authenticated local

Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.

Please refer to the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.

Regards,

Karthik Chandran

*kindly rate helpful post*
