07-01-2013 05:25 AM - edited 03-10-2019 08:36 PM
Hello.
I'm using command authorization with Cisco Secure ACS 4.1. This morning I tried to set the MOTD and the entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
Andrea
07-08-2013 08:29 AM
What you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with a traceback when configuring a banner containing a blank character at the beginning of a line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the beginning of a line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh!
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts**
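A pre-flight check for the workaround above, added here as an example (not code from this thread or from Cisco): it finds banner bodies in an IOS configuration and strips leading blanks before the config is pushed over telnet/SSH on a device using TACACS+ command authorization. The function name `lint_banners` and the sample config are constructed for illustration.

```python
import re

# "banner <type> <delimiter><rest>". Assumption: "^C", as rendered by
# "show running-config", is one delimiter; otherwise it is a single character.
BANNER_RE = re.compile(r"^banner\s+(\w+)\s+(\^C|\S)(.*)$")

# Constructed sample config (not taken from the thread's attachments).
SAMPLE = (
    "hostname sw-example\n"
    "banner motd ^\n"
    " Access to this equipment is allowed only to authorized personnel.\n"
    "Unauthorized use is prohibited\n"
    "\tContact the NOC.\n"
    "^\n"
    "line vty 0 4\n"
    " login authentication default\n"
)

def lint_banners(config_text):
    """Return (sanitized_config, findings); findings are
    (line_number, banner_type, original_line) for banner lines starting blank."""
    out, findings = [], []
    delim = btype = None  # delim is set only while inside a banner body
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if delim is None:
            m = BANNER_RE.match(line)
            if m and m.group(2) not in m.group(3):
                btype, delim = m.group(1), m.group(2)  # body continues below
            out.append(line)  # non-banner lines keep their indentation
            continue
        body, sep, tail = line.partition(delim)
        if body[:1] in (" ", "\t"):
            findings.append((lineno, btype, line))
            body = body.lstrip(" \t")
        out.append(body + sep + tail)
        if sep:  # closing delimiter reached
            delim = None
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    fixed, hits = lint_banners(SAMPLE)
    for lineno, btype, text in hits:
        print(f"line {lineno}: banner {btype} line starts with a blank: {text!r}")
    print(fixed, end="")
```

Indented lines outside a banner body, such as the `line vty` sub-command in the sample, are left untouched.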
07-06-2013 11:59 PM
1. Could you please provide the exact command you're executing on the IOS?
2. Screen shot of command authorization set from ACS > shared profile component.
3. Error you're seeing in reports and activity > tacacs administration section.
4. debug tacacs and debug authorization from the CLI.
~BR
Jatin Katyal
**Do rate helpful posts**
07-08-2013 08:17 AM
Hello Jatin, hello Ravi.
I'm able to reproduce this authorization issue with a 3750 stack running 12.2(55)SE1, IPSERVICEK9.
Another stack running 12.2(44)SE2 works fine.
All stacks run with the same AAA model.
I try to set the MOTD, but when the banner text starts with a blank the entry fails.
```
sw-bcve11(config)#banner motd ^
Enter TEXT message. End with the character '^'
L'accesso a questo dispositivo e' consentito solo al personale autorizzato.
E' proibito ogni accesso non autorizzato
Command authorization failed.
Access to this equipment is allowed only to authorized personnel.
Command authorization failed.
Unauthorized use is prohibited
Command authorization failed.
^
sw-bcve11(config)#
```
Removing all initial spaces resolves the issue.
Attached you can find command set (permit any command), T+ log and debugs.
Many many thanks for your help.
Regards.
Andrea
07-08-2013 08:42 AM
Fine!
I didn't remember to check the bug!
Many many thanks Jatin!
Regards.
Andrea
07-08-2013 10:35 AM
Happy to help
~BR
Jatin Katyal
**Do rate helpful posts**
07-07-2013 08:30 PM
The information you have provided is too little; please provide the information requested by Jatin.