Command Set Authorization in ACS 5.0

estelamathew
Level 2

Hello Federico,

Attached is what I have done for command authorization for a privilege level 2 user.


Please help me succeed with this issue, as it has been pending for a very long time on my end.

27 Replies

Hi Mathew,

Could you please align 100% your configuration with mine?

You have

aaa authentication login rus group tacacs+ local

aaa authentication login console none

aaa authorization exec rus group tacacs+

aaa authorization commands 2 rus group tacacs+

This should be changed to

aaa authentication login rus group tacacs+

aaa authentication login console none

aaa authorization exec rus group tacacs+

aaa authorization commands 0 rus group tacacs+ (missing)

aaa authorization commands 1 rus group tacacs+ (missing)

aaa authorization commands 2 rus group tacacs+

aaa authorization commands 15 rus group tacacs+ (missing)

You have

line vty 0 4

password 7 03074E5C5E592C

authorization commands 2 rus

authorization exec rus

login authentication rus

This should be changed to

line vty 0 4

no password 7 03074E5C5E592C

authorization commands 0 rus (missing)

authorization commands 1 rus (missing)

authorization commands 2 rus

authorization commands 15 rus (missing)

authorization exec rus

login authentication rus

If this still doesn't work, please collect the following debugs while logging in with a privilege 2 user and trying to go in enable mode:

debug aaa authentication

debug aaa authorization

debug tacacs

term mon (if connecting via telnet)

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
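An added example, not code from this thread: a small Python check that reads an IOS running-config and reports, for a given method-list name, which of the privilege levels Fede lists above (0, 1, 2 and 15) are missing a global `aaa authorization commands` entry and which are missing from each `line vty` block. The sample config is a constructed excerpt of the one posted in this thread; the function name and the `REQUIRED_LEVELS` set are this example's own.

```python
import re

# Constructed sample: the relevant part of the switch config posted earlier in
# this thread, before the recommended changes were applied.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login rus group tacacs+ local
aaa authentication login console none
aaa authorization exec rus group tacacs+
aaa authorization commands 2 rus group tacacs+
!
line vty 0 4
 password 7 03074E5C5E592C
 authorization commands 2 rus
 authorization exec rus
 login authentication rus
!
"""

# Fede's recommendation: command authorization must be bound for every
# privilege level the user can land in, not only for level 2.
REQUIRED_LEVELS = (0, 1, 2, 15)

GLOBAL_RE = re.compile(r"aaa authorization commands (\d+) (\S+) group tacacs\+")
LINE_RE = re.compile(r"authorization commands (\d+) (\S+)$")


def check_command_authz(config: str, method_list: str) -> dict:
    """Report which of REQUIRED_LEVELS lack a global 'aaa authorization
    commands' entry, and which are missing from each 'line vty' block,
    for the given method-list name (e.g. 'rus')."""
    global_levels = set()
    vty_blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m and m.group(2) == method_list:
            global_levels.add(int(m.group(1)))
            continue
        if line.startswith("line vty"):
            current = line
            vty_blocks[current] = set()
            continue
        if line.startswith("line ") or line == "!":
            current = None  # left the vty block
            continue
        m = LINE_RE.match(line)
        if m and current and m.group(2) == method_list:
            vty_blocks[current].add(int(m.group(1)))
    report = {"global": sorted(set(REQUIRED_LEVELS) - global_levels)}
    for name, levels in vty_blocks.items():
        report[name] = sorted(set(REQUIRED_LEVELS) - levels)
    return report


if __name__ == "__main__":
    for scope, missing in check_command_authz(SAMPLE_CONFIG, "rus").items():
        print(f"{scope}: missing command authorization for levels {missing}")
```

Run against the posted config it reports levels 0, 1 and 15 missing both globally and on `line vty 0 4`, which is exactly the "(missing)" list above.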

Hello Federico ,

I have been kicked out after applying those commands. I can't reload the switch as I'm far away. Is there any command that can remove those commands?

Thanks

Hi Mathew,

That's why I recommended being ready to reload the switch when playing with authorization... ;-)

You may get around this by making sure that you have a user on ACS 5 for which you are passing back privilege level 15 and permitting all the commands.

Regards,

Fede


Hello,

I'm trying on a different switch. The configs are the same as below; only the group name of the TACACS server is changed from rus to sur.

aaa new-model
aaa authentication login sur group tacacs+ local
aaa authentication login console none
aaa authorization exec sur group tacacs+
aaa authorization commands 2 sur group tacacs+


privilege exec level 2 undebug all
privilege exec level 2 undebug
privilege exec level 2 debug all
privilege exec level 2 debug
!
line con 0
logging synchronous
login authentication console
line vty 0 4
password 7 03074E5C5E592C
authorization commands 2 sur
authorization exec sur
login authentication sur
line vty 5 15
password 7 000706515C0D06
login authentication sur
authorization commands 2 sur
authorization exec sur
!

!
end

I'm getting the same error as below.

username:cisco
password:

Class_room_105>en

Here is the output.

*Mar 17 07:53:29.817: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 17 07:53:29.817: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 17 07:53:29.817: AAA/MEMORY: create_user (0x1BCE4F0) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.75.7.130' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Mar 17 07:53:29.817: AAA/AUTHEN/START (936946286): port='tty2' list='sur' action=LOGIN service=LOGIN
*Mar 17 07:53:29.817: AAA/AUTHEN/START (936946286): found list sur
*Mar 17 07:53:29.817: AAA/AUTHEN/START (936946286): Method=tacacs+ (tacacs+)
*Mar 17 07:53:29.817: TAC+: send AUTHEN/START packet ver=192 id=936946286
*Mar 17 07:53:29.817: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 17 07:53:29.817: TAC+: Opening TCP/IP to 10.75.7.135/49 timeout=5
*Mar 17 07:53:29.817: TAC+: Opened TCP/IP handle 0x1B56938 to 10.75.7.135/49 using source 10.75.120.9
*Mar 17 07:53:29.817: TAC+: 10.75.7.135 (936946286) AUTHEN/START/LOGIN/ASCII queued
*Mar 17 07:53:30.019: TAC+: (936946286) AUTHEN/START/LOGIN/ASCII processed
*Mar 17 07:53:30.019: TAC+: ver=192 id=936946286 received AUTHEN status = GETUSER
*Mar 17 07:53:30.019: AAA/AUTHEN (936946286): status = GETUSER
*Mar 17 07:53:36.377: AAA/AUTHEN/CONT (936946286): continue_login (user='(undef)')
*Mar 17 07:53:36.377: AAA/AUTHEN (936946286): status = GETUSER
*Mar 17 07:53:36.385: AAA/AUTHEN (936946286): Method=tacacs+ (tacacs+)
*Mar 17 07:53:36.385: TAC+: send AUTHEN/CONT packet id=936946286
*Mar 17 07:53:36.385: TAC+: 10.75.7.135 (936946286) AUTHEN/CONT queued
*Mar 17 07:53:36.587: TAC+: (936946286) AUTHEN/CONT processed
*Mar 17 07:53:36.587: TAC+: ver=192 id=936946286 received AUTHEN status = GETPASS
*Mar 17 07:53:36.587: AAA/AUTHEN (936946286): status = GETPASS
*Mar 17 07:53:45.160: AAA/AUTHEN/CONT (936946286): continue_login (user='cisco')
*Mar 17 07:53:45.160: AAA/AUTHEN (936946286): status = GETPASS
*Mar 17 07:53:45.160: AAA/AUTHEN (936946286): Method=tacacs+ (tacacs+)
*Mar 17 07:53:45.160: TAC+: send AUTHEN/CONT packet id=936946286
*Mar 17 07:53:45.160: TAC+: 10.75.7.135 (936946286) AUTHEN/CONT queued
*Mar 17 07:53:45.361: TAC+: (936946286) AUTHEN/CONT processed
*Mar 17 07:53:45.361: TAC+: ver=192 id=936946286 received AUTHEN status = PASS
*Mar 17 07:53:45.361: AAA/AUTHEN (936946286): status = PASS
*Mar 17 07:53:45.361: TAC+: Closing TCP/IP 0x1B56938 connection to 10.75.7.135/49
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): Port='tty2' list='sur' service=EXEC
*Mar 17 07:53:45.361: AAA/AUTHOR/EXEC: tty2 (2947805954) user='cisco'
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): send AV service=shell
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): send AV cmd*
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): found list "sur"
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): Method=tacacs+ (tacacs+)
*Mar 17 07:53:45.361: AAA/AUTHOR/TAC+: (2947805954): user=cisco
*Mar 17 07:53:45.361: AAA/AUTHOR/TAC+: (2947805954): send AV service=shell
*Mar 17 07:53:45.361: AAA/AUTHOR/TAC+: (2947805954): send AV cmd*
*Mar 17 07:53:45.361: TAC+: using previously set server 10.75.7.135 from group tacacs+
*Mar 17 07:53:45.361: TAC+: Opening TCP/IP to 10.75.7.135/49 timeout=5
*Mar 17 07:53:45.361: TAC+: Opened TCP/IP handle 0x1B1D86C to 10.75.7.135/49 using source 10.75.120.9
*Mar 17 07:53:45.361: TAC+: Opened 10.75.7.135 index=1
*Mar 17 07:53:45.361: TAC+: 10.75.7.135 (2947805954) AUTHOR/START queued
*Mar 17 07:53:45.563: TAC+: (2947805954) AUTHOR/START processed
*Mar 17 07:53:45.563: TAC+: (2947805954): received author response status = PASS_ADD
*Mar 17 07:53:45.563: TAC+: Closing TCP/IP 0x1B1D86C connection to 10.75.7.135/49
*Mar 17 07:53:45.563: AAA/AUTHOR (2947805954): Post authorization status = PASS_ADD
*Mar 17 07:53:45.563: AAA/AUTHOR/EXEC: Authorization successful
*Mar 17 07:53:51.233: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar 17 07:53:59.244: AAA/MEMORY: dup_user (0x1B3011C) user='cisco' ruser='NULL' ds0=0 port='tty2' rem_addr='10.75.7.130' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
*Mar 17 07:53:59.244: AAA/AUTHEN/START (3747472480): port='tty2' list='sur' action=LOGIN service=ENABLE
*Mar 17 07:53:59.244: AAA/AUTHEN/START (3747472480): non-console enable - default to enable password
*Mar 17 07:53:59.244: AAA/AUTHEN/START (3747472480): Method=ENABLE
*Mar 17 07:53:59.244: AAA/AUTHEN (3747472480): status = GETPASS
*Mar 17 07:54:07.037: AAA/AUTHEN/CONT (3747472480): continue_login (user='(undef)')
*Mar 17 07:54:07.037: AAA/AUTHEN (3747472480): status = GETPASS
*Mar 17 07:54:07.037: AAA/AUTHEN/CONT (3747472480): Method=ENABLE
*Mar 17 07:54:07.054: AAA/AUTHEN (3747472480): password incorrect
*Mar 17 07:54:07.054: AAA/AUTHEN (3747472480): status = FAIL
*Mar 17 07:54:07.054: AAA/MEMORY: free_user (0x1B3011C) user='NULL' ruser='NULL' port='tty2' rem_addr='10.75.7.130' authen_type=ASCII service=ENABLE priv=15
*Mar 17 07:54:15.275: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar 17 07:54:28.579: AAA/MEMORY: free_user (0x1BCE4F0) user='cisco' ruser='NULL' port='tty2' rem_addr='10.75.7.130' authen_type=ASCII service=LOGIN priv=1
*Mar 17 07:54:34.275: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/lab_7_sw1-confg) failed
*Mar 17 07:54:58.317: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/lab_7_sw.cfg) failed

Thanks

Hi Mathew,

This is what I am getting on my switch, up to the # prompt, without typing any commands and without the need to go through the > prompt:

Jan 13 14:01:58.400 CET: AAA/BIND(00000075): Bind i/f

Jan 13 14:01:58.400 CET: AAA/AUTHEN/LOGIN (00000075): Pick method list 'MyTacacs'

Jan 13 14:01:58.400 CET: TPLUS: Queuing AAA Authentication request 117 for processing

Jan 13 14:01:58.400 CET: TPLUS: processing authentication start request id 117

Jan 13 14:01:58.400 CET: TPLUS: Authentication start packet created for 117()

Jan 13 14:01:58.408 CET: TPLUS: Using server 10.48.76.77

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/NB_WAIT/4C8E878: Started 5 sec timeout

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/NB_WAIT: socket event 2

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/NB_WAIT: wrote entire 37 bytes request

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/READ: Would block while reading

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 15 bytes data)

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/READ: read entire 27 bytes response

Jan 13 14:01:58.408 CET: TPLUS(00000075)/0/4C8E878: Processing the reply packet

Jan 13 14:01:58.408 CET: TPLUS: Received authen response status GET_USER (7)

Jan 13 14:02:02.191 CET: TPLUS: Queuing AAA Authentication request 117 for processing

Jan 13 14:02:02.191 CET: TPLUS: processing authentication continue request id 117

Jan 13 14:02:02.191 CET: TPLUS: Authentication continue packet generated for 117

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/WRITE/4B830B4: Started 5 sec timeout

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/WRITE: wrote entire 23 bytes request

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 15 bytes data)

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/READ: read entire 27 bytes response

Jan 13 14:02:02.191 CET: TPLUS(00000075)/0/4B830B4: Processing the reply packet

Jan 13 14:02:02.191 CET: TPLUS: Received authen response status GET_PASSWORD (8)

Jan 13 14:02:04.289 CET: TPLUS: Queuing AAA Authentication request 117 for processing

Jan 13 14:02:04.289 CET: TPLUS: processing authentication continue request id 117

Jan 13 14:02:04.289 CET: TPLUS: Authentication continue packet generated for 117

Jan 13 14:02:04.289 CET: TPLUS(00000075)/0/WRITE/4B830B4: Started 5 sec timeout

Jan 13 14:02:04.289 CET: TPLUS(00000075)/0/WRITE: wrote entire 22 bytes request

Jan 13 14:02:04.305 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:04.305 CET: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 6 bytes data)

Jan 13 14:02:04.305 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:04.305 CET: TPLUS(00000075)/0/READ: read entire 18 bytes response

Jan 13 14:02:04.305 CET: TPLUS(00000075)/0/4B830B4: Processing the reply packet

Jan 13 14:02:04.305 CET: TPLUS: Received authen response status PASS (2)

Jan 13 14:02:04.305 CET: AAA/AUTHOR (0x75): Pick method list 'MyTacacs'

Jan 13 14:02:04.305 CET: TPLUS: Queuing AAA Authorization request 117 for processing

Jan 13 14:02:04.305 CET: TPLUS: processing authorization request id 117

Jan 13 14:02:04.305 CET: TPLUS: Protocol set to None .....Skipping

Jan 13 14:02:04.305 CET: TPLUS: Sending AV service=shell

Jan 13 14:02:04.305 CET: TPLUS: Sending AV cmd*

Jan 13 14:02:04.305 CET: TPLUS: Authorization request created for 117(zilli2)

Jan 13 14:02:04.305 CET: TPLUS: using previously set server 10.48.76.77 from group tacacs+

Jan 13 14:02:04.305 CET: TPLUS(00000075)/0/NB_WAIT/41EE6AC: Started 5 sec timeout

Jan 13 14:02:04.314 CET: TPLUS(00000075)/0/NB_WAIT: socket event 2

Jan 13 14:02:04.314 CET: TPLUS(00000075)/0/NB_WAIT: wrote entire 62 bytes request

Jan 13 14:02:04.314 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:04.314 CET: TPLUS(00000075)/0/READ: Would block while reading

Jan 13 14:02:04.322 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:04.331 CET: TPLUS(00000075)/0/READ: read entire 12 header bytes (expect 17 bytes data)

Jan 13 14:02:04.331 CET: TPLUS(00000075)/0/READ: socket event 1

Jan 13 14:02:04.331 CET: TPLUS(00000075)/0/READ: read entire 29 bytes response

Jan 13 14:02:04.331 CET: TPLUS(00000075)/0/41EE6AC: Processing the reply packet

Jan 13 14:02:04.331 CET: TPLUS: Processed AV priv-lvl=2

Jan 13 14:02:04.331 CET: TPLUS: received authorization response for 117: PASS

Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): processing AV cmd=

Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): processing AV priv-lvl=2

Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): Authorization successful

In your case, what is currently missing is the privilege level passed back by ACS:

Jan 13 14:02:04.331 CET: TPLUS(00000075)/0/41EE6AC: Processing the reply packet

Jan 13 14:02:04.331 CET: TPLUS: Processed AV priv-lvl=2

Jan 13 14:02:04.331 CET: TPLUS: received authorization response for 117: PASS

Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): processing AV cmd=

Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): processing AV priv-lvl=2

Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): Authorization successful

As mentioned, I'd recommend aligning your switch's config with mine and checking the authentication and authorization logs on ACS Monitoring & Report under

Catalog > AAA > TACACS_Authentication

Catalog > AAA > TACACS_Authorization

Regards,

Fede


Hello Federico,

If I align according to your configs I am kicked out, because I am not applying any command to authorize on privilege 0, privilege 1 and privilege 15, so when I exit the switch and then re-enter it tells me authorization failed; it doesn't allow me to enter again. It will happen the same as with the 1st switch.

Are you specifying any command authorization on privilege 0, privilege 1 and privilege 15, or are you sending me the same configs as you have applied on your switch?

Thanks

Hi Mathew,

The configuration I am recommending is the one that I tested in my lab and that worked to achieve what you are trying to do: debug/undebug command authorization for users with privilege level 2.

From the previous debugs, it looks like the user is not being assigned with a privilege level: either ACS is not configured correctly, or the switch does not receive the priv-lvl attribute, or it does not apply it.

Could you please check the logs on ACS Monitoring&Report?

Catalog > AAA > TACACS_Authentication

Catalog > AAA > TACACS_Authorization

If this would need us to get direct access to your setup, you may start considering opening an official TAC case.

Regards,

Fede

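An added example, not from the thread: a Python check that reads `debug aaa authorization` / `debug tacacs` output and answers the question Fede raises in his two replies above, namely whether EXEC authorization passed and whether ACS returned a `priv-lvl` attribute, and whether `enable` then fell through to the local enable password. The two log excerpts are constructed from the outputs quoted in the thread (the failing switch and Fede's working lab switch); the function names and the diagnosis strings are this example's own.

```python
import re

# Constructed excerpts modelled on the two 'debug aaa authorization' /
# 'debug tacacs' outputs quoted in this thread: the failing switch (old-style
# TAC+ output, no priv-lvl returned) and the working lab switch (TPLUS output).
FAILING_LOG = """\
*Mar 17 07:53:45.361: AAA/AUTHEN (936946286): status = PASS
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): send AV service=shell
*Mar 17 07:53:45.361: tty2 AAA/AUTHOR/EXEC (2947805954): send AV cmd*
*Mar 17 07:53:45.563: TAC+: (2947805954): received author response status = PASS_ADD
*Mar 17 07:53:45.563: AAA/AUTHOR/EXEC: Authorization successful
*Mar 17 07:53:59.244: AAA/AUTHEN/START (3747472480): non-console enable - default to enable password
*Mar 17 07:54:07.054: AAA/AUTHEN (3747472480): password incorrect
"""
WORKING_LOG = """\
Jan 13 14:02:04.305 CET: TPLUS: Received authen response status PASS (2)
Jan 13 14:02:04.305 CET: TPLUS: Sending AV service=shell
Jan 13 14:02:04.305 CET: TPLUS: Sending AV cmd*
Jan 13 14:02:04.331 CET: TPLUS: Processed AV priv-lvl=2
Jan 13 14:02:04.331 CET: TPLUS: received authorization response for 117: PASS
Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): processing AV priv-lvl=2
Jan 13 14:02:04.331 CET: AAA/AUTHOR/EXEC(00000075): Authorization successful
"""

# Both IOS debug dialects: 'received author response status = X' and
# 'received authorization response for N: X'.
AUTHZ_STATUS = re.compile(r"received author(?:ization)? response (?:status = |for \d+: )(\w+)")
PRIV_LVL = re.compile(r"(?:Processed|processing) AV priv-lvl=(\d+)")
LOCAL_ENABLE = re.compile(r"default to enable password")
ENABLE_FAIL = re.compile(r"password incorrect")


def analyze_exec_authz(log: str) -> dict:
    """Summarise the EXEC authorization exchange: server verdict, priv-lvl
    attribute received (if any), and whether 'enable' then fell through to
    the local enable password and failed."""
    result = {"authz_status": None, "priv_lvl": None,
              "local_enable_fallback": False, "enable_failed": False}
    for line in log.splitlines():
        if m := AUTHZ_STATUS.search(line):
            result["authz_status"] = m.group(1)
        elif m := PRIV_LVL.search(line):
            result["priv_lvl"] = int(m.group(1))
        elif LOCAL_ENABLE.search(line):
            result["local_enable_fallback"] = True
        elif ENABLE_FAIL.search(line):
            result["enable_failed"] = True
    return result


def diagnose(log: str) -> str:
    """Reduce the summary to the finding reached in the thread."""
    r = analyze_exec_authz(log)
    if r["authz_status"] is None:
        return "no EXEC authorization response: check the exec method list and ACS TACACS_Authorization report"
    if r["priv_lvl"] is None:
        return "EXEC authorization passed but ACS returned no priv-lvl: user stays at level 1, check the shell profile"
    return f"EXEC authorization returned priv-lvl={r['priv_lvl']}"
```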

Hi Mathew,

As an alternative, if you'd still like to keep a local authentication/authorization fallback method, you can also use the following:

aaa authentication login rus group tacacs+ local

aaa authorization exec rus group tacacs+ local

username Cisco privilege 15 password Cisco

In this way, in case of no responses from the TACACS+ servers, the switch will fall back to the local users.

So if you simply interrupt the communication between the switch and ACS you should still be able to log in with privilege 15.

Regards,

Fede

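An added example, not from the thread: a small Python model of how IOS walks the `group tacacs+ local` method list above. The `server_state` dict is this example's stand-in for the ACS reply, and the local user mirrors the `username Cisco privilege 15 password Cisco` line. The caveat it makes visible is that the local fallback is used only when TACACS+ does not answer at all; a reject from ACS is final, so a wrong ACS rule still locks you out even with the local user present.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # the method answered and accepted the request
    FAIL = "fail"    # the method answered and rejected the request
    ERROR = "error"  # the method could not answer (TACACS+ server unreachable)


# Constructed local user database, mirroring 'username Cisco privilege 15 password Cisco'.
LOCAL_USERS = {"Cisco": {"password": "Cisco", "privilege": 15}}

# aaa authentication login rus group tacacs+ local
METHOD_LIST = ["group tacacs+", "local"]


def local_method(user: str, password: str):
    entry = LOCAL_USERS.get(user)
    if entry and entry["password"] == password:
        return Outcome.PASS, entry["privilege"]
    return Outcome.FAIL, None


def tacacs_method(server_state: dict):
    """server_state is a constructed stand-in for the ACS reply:
    {'reachable': bool, 'verdict': Outcome, 'priv_lvl': int or None}."""
    if not server_state["reachable"]:
        return Outcome.ERROR, None
    return server_state["verdict"], server_state.get("priv_lvl")


def run_method_list(methods, user, password, server_state):
    """Model IOS method-list evaluation: the next method is consulted only
    when the current one returns ERROR; a PASS or FAIL from TACACS+ is
    final and the local database is never consulted."""
    for method in methods:
        if method == "group tacacs+":
            outcome, priv = tacacs_method(server_state)
        elif method == "local":
            outcome, priv = local_method(user, password)
        else:
            raise ValueError(f"unsupported method {method!r}")
        if outcome is not Outcome.ERROR:
            return outcome, priv, method
    # Every method errored and no 'none' method closes the list: access is denied.
    return Outcome.FAIL, None, None
```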

Hello Federico

Here are the attached print screen logs.

Thanks

Hi Mathew,

The attachment keeps showing "QUEUED" so I cannot download it yet: I'll let you know as soon as it is available.

Regards,

Fede


I will attach it again.

Please have a look,

Hi Mathew,

From the ACS screenshots, we cannot see any activity in the TACACS+ authorization: this could be the reason why the user is not getting the exec privilege level right after the login.
As an example, please see the screenshot from a test in my lab when I am assigning exec privilege level 2.

If you'd like us to troubleshoot the issue a bit deeper, we would need the data from the following steps:

1. Please log in to the ACS GUI and enable the DEBUG logging level for the module "AAA Diagnostics", under

System Administration > Configuration > Log Configuration > Logging Categories > Global

2. Also, please log in to the ACS command line and enable the following debugs:

admin# acs-config
Escape character is CNTL/D.

Username:
Password:

acsadmin(config-acs)# debug-log runtime level debug

3. On the switch, please enable the following debugs:

debug aaa authentication
debug aaa authorization
debug tacacs

4. Now, with the debugs running on both ACS and the switch, please recreate the Tacacs+ authorization issue.
After having reproduced it, please collect the debugs from the switch and the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure to collect the support bundle with the following options set:

Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please let me know the user name tested for the failed authorization and the time stamp when the issue is observed, so that I can track it faster in the logs.

5. Lastly, from the switch, please forward me the output of "show tech".

As mentioned, however, should this require deeper investigation, you may start considering opening an official TAC case:
http://tools.cisco.com/ServiceRequestTool/create/launch.do

Regards,

Fede


Hello Federico,

Attached are the logs and sh tech for the thread.

USERNAME = CISCO

PASSWORD=CISCO

The time when the user tried to log in is between 12:05 and 12:15.

Thanks