Problems with TACACS+ Authorisation with ACS 5.3 and Catalyst 3750s

I am in the process of upgrading the ACS from 4.1.1 to 5.3.

I have Catalyst 3750s with various levels of IOS, and with ACS 4.1.1 there were no problems.

AAA config on switches as below:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

Now with ACS 5.3 I find that switches running 122-35.SE5 (ipbase) have no problems, all OK,

but on switches running later IOS (122-50.SE5, 122-55.SE5, and 15.0.1) users with privilege level 15 fail authorization most of the time.

Users with privilege level 7 have no problems.

On advice from various entries on the support forums I used the config below, but it did not make any difference.

Can anybody help with this?

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

6 Replies

Hi,

So many commands are not required, especially the dot1x authentication commands.

What is the configuration you have done on ACS 5.3? That is the place we have to see.

Please check the logs when the users are getting failed.

Thanks,

Nitesh

Tarik Admani
VIP Alumni

Nitesh is correct,

In ACS 5.3 the default command set is set to deny all. However this may not appear until you select the customize button in your authorization profile to make the "Command Set" option visible, there you will be able to set the condition to use the command set you want.

Thanks,

Tarik Admani

Tarik,

I think the problem is with the Cat 3750, as I can log in to a switch running 122-35.SE5 OK, but when I log in to a switch running 122-50.SE5 I get an 'Authorization failed' message. This is for a user with a privilege level of 15, but there are no problems with a user with a privilege level of 7.

There must be a difference in the way TACACS is handled between the different levels of OS in the switch.

What is your current show run | inc aaa?

Thanks,

Tarik Admani
*Please rate helpful posts*

We opened a case with Cisco TAC, and after much looking around came to the conclusion that the problem was:

the "tacacs-server host xx.xx.xx.xx single-connection" command on the Cat 3750s.

Removing "single-connection" from the command fixed it; authorization is now OK and no longer intermittent.

We have had these switches for some time and "single-connection" is no longer required.

Thanks for the response.

Sent from Cisco Technical Support iPad App
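As an added example (not code from this thread, from Cisco, or from ACS), the Python script below audits a "show run" excerpt for the two points the thread turned on: the "single-connection" keyword on "tacacs-server host" lines, which TAC identified as the cause of the intermittent level-15 failures, and "aaa authorization commands 15" being sent to TACACS+, where Tarik notes that the ACS 5.3 default command set is deny-all unless a command set is attached. It also produces the corrected host lines the way the thread fixed them. The sample config, the 192.0.2.x addresses and the "key 7 PLACEHOLDER" value are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt (not copied verbatim from the thread):
# the poster's second AAA block plus two tacacs-server host lines, one carrying
# the single-connection keyword that TAC identified as the cause.
# 192.0.2.x addresses and the key value are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host 192.0.2.10 single-connection
tacacs-server host 192.0.2.11 key 7 PLACEHOLDER
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(.*)$")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization commands (\d+) default (.+)$")
AUTHZ_EXEC_RE = re.compile(r"^aaa authorization exec default (.+)$")


@dataclass
class AaaAudit:
    hosts: list = field(default_factory=list)                  # every tacacs-server host
    single_connection_hosts: list = field(default_factory=list)
    command_authz: dict = field(default_factory=dict)          # priv level -> method list
    exec_authz_methods: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def audit_config(config_text: str) -> AaaAudit:
    """Parse the AAA/TACACS+ lines and record the two points raised in the thread."""
    result = AaaAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host, options = m.group(1), m.group(2).split()
            result.hosts.append(host)
            if "single-connection" in options:
                result.single_connection_hosts.append(host)
        elif m := AUTHZ_CMD_RE.match(line):
            result.command_authz[int(m.group(1))] = m.group(2).split()
        elif m := AUTHZ_EXEC_RE.match(line):
            result.exec_authz_methods = m.group(1).split()

    # Finding 1: the thread's root cause, one finding per affected server line.
    for host in result.single_connection_hosts:
        result.findings.append(
            f"tacacs-server host {host}: single-connection set; the thread reports "
            "intermittent 'Authorization failed' for level-15 users against ACS 5.3")

    # Finding 2: level-15 command authorization is handed to the TACACS+ server, so
    # the ACS 5.3 authorization profile needs an explicit command set (default deny-all).
    if "tacacs+" in result.command_authz.get(15, []):
        result.findings.append(
            "aaa authorization commands 15 uses group tacacs+; attach an explicit "
            "command set in the ACS 5.3 authorization profile (default is deny all)")
    return result


def remove_single_connection(config_text: str) -> str:
    """Return the config with the single-connection keyword dropped, as TAC advised."""
    fixed = []
    for raw in config_text.splitlines():
        m = HOST_RE.match(raw.strip())
        if m:
            options = [o for o in m.group(2).split() if o != "single-connection"]
            fixed.append(" ".join(["tacacs-server host", m.group(1), *options]))
        else:
            fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for finding in report.findings:
        print("FINDING:", finding)
    print(remove_single_connection(SAMPLE_CONFIG))
```

Run it against the real "show run | inc tacacs|aaa" output of each 3750 before and after the change; the audit reports a finding per server line still carrying single-connection, so a clean run confirms the fix has reached every switch rather than only the one that was tested.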