08-27-2012 12:40 PM - edited 03-10-2019 07:28 PM
I have trouble landing in privilege mode of MRV LX-4048 using TACACS. It gets authenticated fine but authorization does not work. The shell profile I am using is priv-lvl = 15 and the command set is allow all. When I try enable it says "Insufficient rights".
MRV is a switch for out-of-band connection via POTS (terminal server).
$ ssh InReach@172.21.239.222
Welcome to the MRV Communications' LX Series Server
InReach@172.21.239.222's password:
InReach:0 >en
Insufficient rights
Does anyone have a clue about attributes I can use in the shell profile so I can land in privilege mode directly or after using enable?
08-27-2012 12:54 PM
FROM MRV MANUAL BUT I DO NOT KNOW HOW TO PUT THESE IN ACS SERVER
TACACS+ Authorization Attributes
Table C.1 lists the TACACS+ Authorization Attributes that are supported on the LX unit.
Table C.1 Supported TACACS+ Authorization Attributes
Attribute | Description
01 Auto-cmd | Sends an auto-command.
02 Priv-level | Set this value to 15 to enable rights.
Auto Command
The only valid command is “menu
must already exist as a valid LX menu on the LX in the /config directory. If the menu does not exist, you are logged off after you are authenticated. If the menu does exist, you are prompted with the menu and will not be able to access the CLI. This attribute only applies if you are accessing the CLI (either remotely or locally).
Example: Enter the following in the TACACS+ configuration file on the TACACS+ server if to be presented with a menu:
user bob {
    login = cleartext bob
    service = exec {
        autocmd = "menu demo_menu"
    }
}
where
user bob is the username
cleartext bob is the password
exec is the login mode
menu demo_menu is the menu file
Privilege Level
You must configure an authorization server address to access this privilege level. Refer to “Installing and Configuring a TACACS+ Server on a Network-Based Host” on page 2-29 for further information.
You must set this value to the Superuser level. The level must be set to 15.
Example: Enter the following in the TACACS+ configuration file on the TACACS+ server if enable rights:
user InReach {
    login = cleartext access
    service = exec {
        priv-lvl = 15
    }
}
where
user InReach is the username
cleartext access is the password
exec is the login mode
priv-lvl is the authorized level
08-27-2012 01:18 PM
Hi,
In the TACACS shell profile in ACS you don't have to send out the priv level, just set the default and maximum level to 15 and see if that fixes your issue. It looks like you can treat this as your IOS devices.
thanks,
Tarik Admani
*Please rate helpful posts*
08-27-2012 02:55 PM
I tried that but it still lands me in exec mode, not privilege mode.
08-30-2012 10:42 AM
Any clues on MRV LX-4048T to set users in ACS 5.2 with privilege level access?
08-30-2012 12:38 PM
Can you post a screenshot of the shell profile that ACS is mapping to the user?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-30-2012 01:30 PM
08-30-2012 01:32 PM
08-30-2012 03:30 PM
Hi,
Can you set the default priv level to 15 and give that a shot?
Is there any configuration or reference guide on how to run the TACACS commands for exec auth?
thanks,
Tarik Admani
*Please rate helpful posts*
08-31-2012 08:12 AM
No luck, still the same situation after changing the default priv level to 15.
$ ssh ts1lu.nl
Welcome to the MRV Communications' LX Series Server
bsingh@ts1lu.nl's password:
InReach:0 >en
Insufficient rights
InReach:0 >
I have a link for MRV's complete manual, including the TACACS+ configuration manual.
08-31-2012 01:29 PM
Hi,
Can you post a screenshot of the authentication report? Also try to create another shell profile and try changing the attributes around to the following:
You can do this in the custom attributes settings but do not touch the priv levels in the middle tab, rely only on these and test.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-31-2012 01:53 PM
Here is the report, but I tried all the above options and none of them work. Most of the time it shows pass in the report but I land in exec mode only.
InReach:0 >en
Insufficient rights
InReach:0 >
AAA Protocol > TACACS+ Authentication Details
Generated on August 31, 2012 2:49:25 PM MDT
08-31-2012 02:01 PM
08-31-2012 03:05 PM
Under the command tasks make sure they are all disabled and try the different attribute types and see if that fixes anything. I read through the guide and it looks pretty straightforward. Are there any debugs you can run in order to see why the MRV is rejecting the TACACS response?
Thanks,
Tarik Admani
*Please rate helpful posts*
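Added example (not part of any post in this thread, and not MRV or Cisco code): when the device offers no useful debug, one way to see what ACS really sent is to decode the TACACS+ authorization reply from a packet capture and list its attribute-value pairs. The Python below follows the RFC 8907 packet layout; the shared key, session id and the packet returned by `build_sample` are constructed for illustration.

```python
import hashlib
import struct

AUTHOR = 0x02                      # TACACS+ packet type: authorization
UNENCRYPTED = 0x01                 # header flag: body sent in the clear
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
          0x11: "ERROR", 0x21: "FOLLOW"}


def pad_xor(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR body with the MD5 pseudo-pad (the same call obfuscates and reveals)."""
    version, seq_no, session_id = header[0:1], header[2:3], header[4:8]
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + version + seq_no + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def parse_author_reply(packet: bytes, key: bytes):
    """Return (status, [(attr, value, mandatory), ...]) for an authorization reply."""
    header, body = packet[:12], packet[12:]
    _ver, ptype, _seq, flags, _sid, length = struct.unpack("!BBBBII", header)
    if ptype != AUTHOR or length != len(body):
        raise ValueError("not a complete TACACS+ authorization packet")
    if not flags & UNENCRYPTED:
        body = pad_xor(header, body, key)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if status not in STATUS or pos + sum(arg_lens) != len(body):
        raise ValueError("body does not parse; wrong shared key?")
    pairs = []
    for n in arg_lens:
        arg = body[pos:pos + n].decode("ascii")
        pos += n
        # First '=' or '*' separates name and value: '=' mandatory, '*' optional.
        cut = min(i for i in (arg.find("="), arg.find("*")) if i >= 0)
        pairs.append((arg[:cut], arg[cut + 1:], arg[cut] == "="))
    return STATUS[status], pairs


def build_sample(key: bytes) -> bytes:
    """Constructed reply: PASS_ADD carrying the single AV pair priv-lvl=15."""
    arg = b"priv-lvl=15"
    body = struct.pack("!BBHH", 0x01, 1, 0, 0) + bytes([len(arg)]) + arg
    header = struct.pack("!BBBBII", 0xC0, AUTHOR, 2, 0, 0x1234ABCD, len(body))
    return header + pad_xor(header, body, key)
```

If the decoded reply shows PASS_ADD with priv-lvl=15 and the device still answers "Insufficient rights", the server side is doing what the manual asks and the remaining question is how the device handles that reply.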
09-01-2012 03:34 PM
Hi,
Have you enabled authorization on the device? For example:
AAA Authorization exec default ...
AAA Authorization commands 0 default ..
AAA Authorization commands 1 default ...
AAA Authorization commands 15 default ...
http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srauth.html#wp1017390
Make sure to set the default privilege to 15.
If yes, please post the TACACS authorization report.