05-30-2013 03:57 AM - edited 03-10-2019 08:29 PM
I have an optional custom attribute in my ACS group to be able to enter config mode on the ACE: shell:Admin*Admin default-domain
Privilege level 15 is also part of the exec configuration.
Recently I applied patch 17 on ACS 4.2(0) Build 124. Since then I cannot log in with privilege level 15 to IOS routers/switches.
It looks like the IOS box now considers this custom attribute mandatory.
---------------------------------------------------------------------------------------------------
IOS debug (Cat6500,12.2(33)SXJ4 ):
May 27 13:23:56.819: TPLUS: Authorization request created for 61929(pehruby)
May 27 13:23:56.819: TPLUS: using previously set server 10.105.24.44 from group tacacs+
May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT/550052A4: Started 5 sec timeout
May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT: socket event 2
May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT: wrote entire 62 bytes request
May 27 13:23:56.819: TPLUS(0000F1E9)/0/READ: socket event 1
May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: Would block while reading
May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: socket event 1
May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: read entire 12 header bytes (expect 51 bytes data)
May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: socket event 1
May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: read entire 63 bytes response
May 27 13:23:56.823: TPLUS(0000F1E9)/0/550052A4: Processing the reply packet
May 27 13:23:56.823: TPLUS: Processed AV priv-lvl=15
May 27 13:23:56.823: TPLUS: Failed to decode unknown AV shell - FAIL
May 27 13:23:56.823: TPLUS(0000F1E9)/0/REQ_WAIT/550052A4: timed out
May 27 13:23:56.823: TPLUS: Protocol set to None .....Skipping
May 27 13:23:56.823: TPLUS: Sending AV service=shell
May 27 13:23:56.823: TPLUS: Sending AV cmd*
TCS.log from ACS (different time, the same attempt):
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 <<< PACKET TO CLIENT:10.106.11.114 TYPE:AUTHOR/PASS_ADD, SEQ 2, FLAGS 1
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 SESSIONID -998342923 (0xc47e7ef5), DATALEN 51 (0x33)
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 msg_len=0, data_len=0 arg_cnt=2
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 arg[0] size=11 =priv-lvl=15
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 arg[1] size=32 =shell:Admin*Admin default-domain
TCS 05/27/2013 11:59:39 I 0043 5088 0x15 End >>>
------------------------------------------------------------------------------------------------------------------------
IOS debug (C1841, 12.3(14)T7 ):
May 30 12:21:58.248: AAA/BIND(00000A52): Bind i/f
May 30 12:21:58.272: AAA/AUTHOR (0xA52): Pick method list 'acs'
May 30 12:21:58.272: TPLUS: Queuing AAA Authorization request 2642 for processing
May 30 12:21:58.272: TPLUS: processing authorization request id 2642
May 30 12:21:58.272: TPLUS: Protocol set to None .....Skipping
May 30 12:21:58.276: TPLUS: Sending AV service=shell
May 30 12:21:58.276: TPLUS: Sending AV cmd*
May 30 12:21:58.276: TPLUS: Authorization request created for 2642(ph)
May 30 12:21:58.276: TPLUS: using previously set server 10.105.24.44 from group tacacs+
May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT/656FB000: Started 5 sec timeout
May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT: socket event 2
May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT: wrote entire 59 bytes request
May 30 12:21:58.276: TPLUS(00000A52)/0/READ: socket event 1
May 30 12:21:58.276: TPLUS(00000A52)/0/READ: Would block while reading
May 30 12:21:58.280: TPLUS(00000A52)/0/READ: socket event 1
May 30 12:21:58.280: TPLUS(00000A52)/0/READ: read entire 12 header bytes (expect 51 bytes data)
May 30 12:21:58.280: TPLUS(00000A52)/0/READ: socket event 1
May 30 12:21:58.280: TPLUS(00000A52)/0/READ: read entire 63 bytes response
May 30 12:21:58.280: TPLUS(00000A52)/0/656FB000: Processing the reply packet
May 30 12:21:58.280: TPLUS: Processed AV priv-lvl=15
May 30 12:21:58.280: TPLUS: Failed to decode AV shell:Admin*Admin default-domain - PASS - PASS
May 30 12:21:58.284: AAA/AUTHOR/EXEC(00000A52): processing AV cmd=
May 30 12:21:58.284: AAA/AUTHOR/EXEC(00000A52): Authorization successful
ACS.log:
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 <<< RECEIVED FROM CLIENT:10.106.0.50 TYPE=AUTHOR, SEQ=1, FLAGS=1
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 SESSIONID 1990425999 (0x76a37d8f), DATALEN 47 (0x2f)
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 type=AUTHOR, priv_lvl=1, authen=1
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 METHOD=tacacs+
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 SVC=1 USER_LEN=2 PORT_LEN=6 REM_ADDR_LEN=12 ARG_CNT=2
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 USER=ph
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 PORT=tty195
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 REM_ADDR=10.106.33.22
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 arg[0](size=13)=service=shell
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 arg[1](size=4)=cmd*
TCS 05/30/2013 12:21:58 I 0043 1280 0x0 END >>>
TCS 05/30/2013 12:21:58 I 0850 3244 0xf Single Connect thread 1 allocated work
TCS 05/30/2013 12:21:58 I 0143 3244 0xf Author Data: phtty19510.106.33.22service=shellcmd.=13362timezone=MEZservi
TCS 05/30/2013 12:21:58 I 0163 3244 0xf -- Extracted service info
TCS 05/30/2013 12:21:58 I 0189 3244 0xf -- Checked NARs
TCS 05/30/2013 12:21:58 I 0199 3244 0xf -- Set up Reqs:
TCS 05/30/2013 12:21:58 I 0209 3244 0xf -- Got Profiles
TCS 05/30/2013 12:21:58 I 0261 3244 0xf -- executed
TCS 05/30/2013 12:21:58 I 0263 3244 0xf -- command set clean done
TCS 05/30/2013 12:21:58 I 0265 3244 0xf -- NDG release done
TCS 05/30/2013 12:21:58 I 0043 3244 0xf <<< PACKET TO CLIENT:10.106.0.50 TYPE:AUTHOR/PASS_ADD, SEQ 2, FLAGS 1
TCS 05/30/2013 12:21:58 I 0043 3244 0xf SESSIONID 1990425999 (0x76a37d8f), DATALEN 51 (0x33)
TCS 05/30/2013 12:21:58 I 0043 3244 0xf type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)
TCS 05/30/2013 12:21:58 I 0043 3244 0xf msg_len=0, data_len=0 arg_cnt=2
TCS 05/30/2013 12:21:58 I 0043 3244 0xf arg[0] size=11 =priv-lvl=15
TCS 05/30/2013 12:21:58 I 0043 3244 0xf arg[1] size=32 =shell:Admin*Admin default-domain
TCS 05/30/2013 12:21:58 I 0043 3244 0xf End >>>
Putty session:
login as: ph
ph@10.106.0.16's password: <------ (10.106.0.16 and 10.106.0.50 are IP addresses of the same router)
1841_hra_lab>
1841_hra_lab> <------ I'm not in enable mode (priv.level 15)
--------------------------------------------------------------------------------------------------------------------
Unfortunately I haven't got logs/debugs from the period before the update, when everything was OK.
I guess the problem is somewhere in this argument which goes from ACS to the client:
TCS 05/30/2013 12:21:58 I 0043 3244 0xf arg[1] size=32 =shell:Admin*Admin default-domain
Can anyone tell me what this argument with an optional parameter should look like?
Perhaps *shell:Admin*Admin default-domain?
Petr
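The question above is about how a TACACS+ authorization reply argument with an optional separator is supposed to be read. The following is an added example, not code from the thread or from Cisco: it implements the argument rule from RFC 8907 section 6.1 (the separator is the first `=` for a mandatory attribute or `*` for an optional one) and the client-side policy the RFC prescribes (an unknown mandatory argument makes authorization fail, an unknown optional argument may be ignored, known attributes are applied), then runs it over the two reply arguments copied from the TCS.log lines quoted above and over the `cmd*` request argument from the IOS debug. The set of "known" shell attributes is the one listed for service=shell in RFC 8907 section 8.2; the function names and the mandatory-form variant `shell:Admin=Admin default-domain` are my own constructions for contrast.

```python
"""
TACACS+ authorization reply argument handling per RFC 8907 section 6.1.

Added example for the thread above, not Cisco IOS or ACS code. The input
strings are copied from the ACS TCS.log / IOS debug lines quoted in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    optional: bool  # True when the separator was '*', False when it was '='


def parse_av_pair(arg: str) -> AVPair:
    """Split one TACACS+ argument at the FIRST '=' or '*' it contains.

    RFC 8907 6.1: attribute=value is mandatory, attribute*value is optional,
    and the separator is whichever of the two characters occurs first.
    'cmd*' (seen in the IOS request debug) is therefore a valid optional
    attribute 'cmd' with an empty value.
    """
    for i, ch in enumerate(arg):
        if ch in "=*":
            return AVPair(arg[:i], arg[i + 1:], optional=(ch == "*"))
    raise ValueError(f"no '=' or '*' separator in argument: {arg!r}")


# Attributes a shell (exec) authorization client understands, RFC 8907 8.2.
KNOWN_SHELL_ATTRIBUTES = frozenset(
    {"priv-lvl", "timeout", "idletime", "autocmd", "noescape", "nohangup", "acl"}
)


def apply_author_reply(
    args: List[str], known=KNOWN_SHELL_ATTRIBUTES
) -> Tuple[bool, Dict[str, str], List[str]]:
    """Return (authorized, applied_attributes, ignored_or_rejected_args).

    RFC 8907 6.1: a mandatory argument the client does not understand means
    the authorization MUST be treated as failed; an optional one the client
    does not understand MAY be ignored.
    """
    applied: Dict[str, str] = {}
    ignored: List[str] = []
    for raw in args:
        av = parse_av_pair(raw)
        if av.attribute in known:
            applied[av.attribute] = av.value
        elif av.optional:
            ignored.append(raw)          # unknown but optional: skip it
        else:
            return False, {}, [raw]      # unknown and mandatory: fail
    return True, applied, ignored


def priv_level(args: List[str], default: int = 1) -> int:
    """Privilege level the client should grant, or `default` when authorization fails."""
    ok, applied, _ = apply_author_reply(args)
    if not ok:
        return default
    return int(applied.get("priv-lvl", default))


# Reply arguments exactly as shown in the ACS TCS.log (arg[0], arg[1]).
ACS_REPLY_ARGS = ["priv-lvl=15", "shell:Admin*Admin default-domain"]
# Constructed contrast case: the same custom attribute sent as mandatory.
MANDATORY_VARIANT = ["priv-lvl=15", "shell:Admin=Admin default-domain"]

if __name__ == "__main__":
    for raw in ACS_REPLY_ARGS + ["cmd*"]:
        print(raw, "->", parse_av_pair(raw))
    print("ACS reply  :", apply_author_reply(ACS_REPLY_ARGS), "priv", priv_level(ACS_REPLY_ARGS))
    print("mandatory  :", apply_author_reply(MANDATORY_VARIANT), "priv", priv_level(MANDATORY_VARIANT))
```

With the arguments as logged, a client following the RFC parses `shell:Admin*Admin default-domain` as the optional attribute `shell:Admin` with value `Admin default-domain`, ignores it because it is unknown for the shell service, and still applies `priv-lvl=15`; only the mandatory form with `=` should cause the authorization to fail.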
05-30-2013 04:13 AM
Hi Petr,
You're running into a defect.
CSCth75577 ACS incorrectly sends optional custom TACACS+ attributes
Symptom:
TACACS+ Authorization from IOS fails if custom attributes (even optional attributes) are configured on the ACS user group. The login will work but any attributes passed will not be honored.
Conditions:
ACS 4.2.0.124 patch 16
ACS 4.2.1.15 patch 2
Workaround:
Downgrade to a previous ACS patch.
This has been fixed in
ACS 4.2.1.15 patch 3 or later.
Upgrade the ACS to 4.2.1.15 and apply the latest patch 10.
Jatin Katyal
- Do rate helpful posts -
05-30-2013 04:24 AM
Hi Jatin,
thanks a lot!
What is the proper way to downgrade to the previous patch? Should I apply Acs-4.2.0.124.15-SW.zip directly over my current installation which contains Patch 17?
Petr
05-30-2013 04:32 AM
Do you have an ACS appliance or the software running on a Windows server?
Jatin Katyal
- Do rate helpful posts -
05-30-2013 04:34 AM
Software running on windows server.
P.
05-30-2013 05:12 AM
Petr,
We do have a rollback command for the ACS appliance. However, in the case of ACS on Windows it's not recommended to install a previous patch over the existing/latest patch. I'd suggest you upgrade.
You may download the upgrade image and patch from the below listed link:
http://tools.cisco.com/squish/bF79B
Executable of ACS v4.2.1.15
ACS-4.2.1.15-BIN-K9.zip
ACS 4.2.1.15.10 cumulative patch
Acs-4.2.1.15.10-SW.zip
NOTE: Please take a backup of your current configuration before you proceed with the upgrade.
In case you're not comfortable with the above procedure, please open a TAC case.
Jatin Katyal
- Do rate helpful posts -