2804 Views | 0 Helpful | 2 Replies

AAA w/RSA: "no appropriate authorization type..."

PAUL TRIVINO
Level 3

I have set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA "Agent Hosts" with identical setups. Router (2621XM/EntServ Version 12.4(18)) and switch (3560-24PS/IPBase-12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA is fine as far as the PASSCODE being accepted. But the switch doesn't let me in:

**********************
Username: <xxxx>
Password:
PASSCODE Accepted
% Authorization failed.
**************************

When I do "deb radius authentication" on each, the outputs are the same up to the last 2 lines. The router that works says:

000055: .Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
000056: .Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes

But the switch says:

000284: Jan 16 12:20:47 EST: RADIUS: saved authorization data for user 3030220 at 3034440
000285: Jan 16 12:20:47 EST: RADIUS: no appropriate authorization type for user.

The only other difference I can think of is that I use ssh to the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use a different IOS, I think).

Any clue? TIA

Paul

Accepted Solution

cisco24x7
Level 6

If I were you, I would "disable" authorization on the Catalyst 3560. I have an identical setup like yours on my Catalyst 2960 and it works just fine. See below:

[root@LinuxES root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test4
Password:
Enter your new PIN, containing 4 to 8 digits,
or
to cancel the New PIN procedure:
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN
Enter PASSCODE:

C2960#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 16-Jul-07 02:53 by myl
Image text-base: 0x00003000, data-base: 0x00CC0000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)

C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
System returned to ROM by power-on
System restarted at 23:20:30 GMT Wed Dec 26 2007
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
Processor board ID FOC1036X0F1
Last reset from power-on
2 Virtual Ethernet interfaces
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:19:55:1B:D6:00
Motherboard assembly number : 73-10015-05
Power supply part number : 341-0098-02
Motherboard serial number : FOC10352NF2
Power supply serial number : AZS103402ZF
Model revision number : B0
Motherboard revision number : B0
Model number : WS-C2960G-24TC-L
System serial number : FOC1036X0F1
Top Assembly Part Number : 800-26673-02
Top Assembly Revision Number : C0
Version ID : V02
CLEI Code Number : COM3G00BRA
Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 24 WS-C2960G-24TC-L 12.2(25)SEE4 C2960-LANBASEK9-M

Configuration register is 0xF

C2960#sh run | inc aaa
aaa new-model
aaa authentication login test group radius local
aaa authentication login test1 group tacacs+ local
aaa authentication login notac local
aaa authentication dot1x default group radius
aaa session-id common
C2960#

CCIE Security
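What the two debug outputs in the question are showing is the content of the RADIUS Access-Accept: the router decodes only a Reply-Message, and a switch that has EXEC authorization configured finds nothing in that reply it can act on, hence "no appropriate authorization type for user". The script below is an added example, not code from the thread or from Cisco; it builds two constructed Access-Accept packets (one carrying only a Reply-Message, one that also carries a cisco-avpair shell:priv-lvl=15) and reports which attribute, if any, an IOS EXEC authorization policy could use. The NAS-Prompt-User Service-Type value and the cisco-avpair VSA layout are the standard RFC 2865 / Cisco encodings; the packet contents are constructed, not captured from the poster's RSA server.

```python
import struct

# RADIUS attribute types (RFC 2865) and the values IOS looks at for EXEC authorization
SERVICE_TYPE, REPLY_MESSAGE, VENDOR_SPECIFIC = 6, 18, 26
NAS_PROMPT_USER = 7      # Service-Type value that authorizes an EXEC shell
CISCO_VENDOR_ID = 9      # enterprise number carried in the cisco-avpair VSA

def build_accept(attrs, ident=3):
    """Constructed Access-Accept: code 2, identifier, length, 16-byte authenticator
    (zeroed here; a real reply carries an MD5 over the request and shared secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body

def cisco_avpair(text):
    """Wrap text in a Vendor-Specific attribute: vendor 9, vendor-type 1 (cisco-avpair)."""
    data = text.encode()
    return (VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, 1, len(data) + 2) + data)

def parse_attrs(packet):
    """Walk the TLV list after the 20-byte header; returns [(type, value), ...]."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def exec_authz_source(packet):
    """Return the attribute IOS EXEC authorization can act on, or None if there is none."""
    for atype, v in parse_attrs(packet):
        if atype == SERVICE_TYPE and len(v) == 4 and struct.unpack("!I", v)[0] == NAS_PROMPT_USER:
            return "Service-Type=NAS-Prompt-User"
        if atype == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            text = v[6:6 + v[5] - 2].decode(errors="replace")
            if text.startswith("shell:priv-lvl="):
                return "cisco-avpair " + text
    return None

# Constructed samples: the first mirrors a reply that carries only a Reply-Message
# (what the router's debug decodes), the second adds an authorization attribute.
RSA_STYLE_REPLY = build_accept([(REPLY_MESSAGE, b"PASSCODE Accepted")])
FIXED_REPLY = build_accept([(REPLY_MESSAGE, b"PASSCODE Accepted"),
                            cisco_avpair("shell:priv-lvl=15")])
```

Running exec_authz_source on the first packet returns None, which is the condition the switch logs; on the second it names the cisco-avpair. Either returning such an attribute from the RADIUS server or, as the accepted answer does, not configuring EXEC authorization against a server that cannot return one removes the failure.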


2 Replies


Outstanding - thanks! That did it. Interesting that the switch (maybe IPBase image?) is so significantly different. OTOH maybe I don't need it on the router either, I got the suggestion from another NetPro user to use:

line vty 0 4
 privilege level 15

to get to Enabled mode, which works fine too.

Much grass!

Paul