same user in tacacs and local database with different privilege

Marek Slabej
Level 1

Hi there,

I am just not sure if this is correct behavior.

I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform.

I have configured authorization with TACACS+ on an ACS server version 5.2, with fallback to the switch's local database.

aaa authentication login default group ACS

aaa authorization commands default group ACS local

aaa accounting default group ACS

A user test with priv 15 is created on the ACS server, password test2.

Everything works fine until I create the same username in the local database with privilege 0. (It doesn't matter whether the user in the local database was created before or after the user in ACS.)

e.g.:  

username test password test1 role priv-0   (note: the passwords are different for the users in the two databases)

After I create the same user in the local database with privilege 0,

if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and should be the primary way to authenticate and authorize the user.

Is this normal?

Thank you for your help...

3 Replies

maldehne
Cisco Employee

Normally the AAA client should send the authentication request to the first method defined in the method list, which is the group ACS in our scenario.

Once authentication is successful, another authorization request should be sent to the first method, which is ACS in our case as well. If there is no reply for this authorization (no response), the AAA client fails over to the second method in the list, which is local.

Now you need to check the TACACS+ logs on ACS and see if we have any authorization request coming from that AAA client for the same user, and you might also run debugs on the AAA client for TACACS+ authorization and see where the issue is.

I hope this has been informative for you.

-------------------------------------------------------------

Please Don't forget to rate correct answers

Hello.

Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS, Juniper JunOS) use "role-based authorization" instead of "command authorization".

So traditional IOS can use the "privilege" attribute, but other operating systems cannot.

Although IOS-XR, Nexus, ACE and Juniper have a "role-based authorization" feature, every single one of them uses its own particular attributes.

When I was configuring TACACS with ACE, Juniper and other devices, I had to capture the packets to find out what the particular attributes of ACE were, what the particular attributes of JunOS were, etc., and to search deeply for hints in the documentation, because sadly the documentation is not very good when it comes to TACACS details.

If you find which attributes to use, and what values to assign to the attributes, then you can go to ACS and configure a "Shell Profile".

Now back to the Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are "priv". It seems this was an effort to map the old concept of "privileges" onto the new concept of "roles". Although you see the word "priv", it is just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html

I will search for the particular attributes Nexus uses to talk to the TACACS server. If I get them, I will post them here.

Please rate if it helps.

Marek Slabej
Level 1

There is an interesting thing: this behaviour is described under Guidelines and Limitations, but only in the Nexus 7000 platform configuration guide:

Guidelines and Limitations for AAA

AAA has the following guidelines and limitations:

  • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter_0100.html#con_1235199

This limitation is missing from the configuration guide for the Nexus 5000.
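The guideline quoted above is exactly the trap the original post fell into: a local account with the same name as a TACACS+ user silently replaces the server-assigned roles with the local ones, even though the server is up and authenticated the login. Because nothing in the AAA method list warns about this, it is worth auditing the running-config for such collisions. The script below is an added example, not code from the thread or from Cisco; it parses the `username ... role ...` lines of a saved `show running-config` and reports every name that also appears in a list of server-provisioned accounts. The sample config (with placeholder hashes) and the ACS user list are constructed for illustration, and the assumption that an account created without an explicit role gets network-operator follows NX-OS defaults.

```python
"""Audit an NX-OS running-config for local accounts that shadow TACACS+ users.

Per the NX-OS guideline quoted in the thread, a local account with the same
name as a remote (TACACS+) user makes the switch apply the *local* roles to
that user, even when the AAA server authenticated the session.
"""
from typing import Dict, List, Set

# Constructed sample of what `show running-config` might contain on the switch
# from the thread. Password hashes are placeholders, not real credentials.
SAMPLE_CONFIG = """\
version 5.1(3)N1(1)
feature privilege
username admin password 5 $1$placeholder$aaaaaaaaaaaaaaaaaaaaaa role network-admin
username test password 5 $1$placeholder$bbbbbbbbbbbbbbbbbbbbbb role priv-0
username ops password 5 $1$placeholder$cccccccccccccccccccccc
username ops sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder
aaa authentication login default group ACS
aaa authorization commands default group ACS local
aaa accounting default group ACS
"""

# Constructed (hypothetical) export of the accounts and roles provisioned in
# the ACS shell profile; in practice this comes from the ACS configuration.
ACS_USERS = {
    "test": "priv-15",
    "ops": "network-admin",
    "auditor": "network-operator",
}

# Role NX-OS assigns to a local account created without an explicit role.
DEFAULT_LOCAL_ROLE = "network-operator"


def parse_local_users(config: str) -> Dict[str, Set[str]]:
    """Return {username: set(roles)} for every `username` line in the config.

    A user can have several `username X role Y` lines. A line that carries no
    role (one that only sets a password or an SSH key) still registers the
    account, because its mere existence is what triggers the shadowing.
    """
    users: Dict[str, Set[str]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "username":
            continue
        roles = users.setdefault(tokens[1], set())
        if "role" in tokens:
            idx = tokens.index("role")
            if idx + 1 < len(tokens):
                roles.add(tokens[idx + 1])
    return users


def find_collisions(local: Dict[str, Set[str]], remote: Dict[str, str]) -> List[dict]:
    """List server accounts that a same-named local account will shadow.

    `effective_roles` is what the switch will actually apply after a
    successful TACACS+ login: the local roles, or the NX-OS default role when
    the local account has none configured.
    """
    findings = []
    for name in sorted(remote):
        if name not in local:
            continue
        effective = sorted(local[name]) or [DEFAULT_LOCAL_ROLE]
        findings.append({
            "user": name,
            "server_role": remote[name],
            "effective_roles": effective,
        })
    return findings


if __name__ == "__main__":
    for f in find_collisions(parse_local_users(SAMPLE_CONFIG), ACS_USERS):
        print(f"{f['user']}: ACS grants {f['server_role']}, but the switch "
              f"will apply local role(s) {', '.join(f['effective_roles'])}")
```

Run against a real config, the report for the thread's scenario is the line for `test`: ACS grants priv-15, the switch applies priv-0. The fix is to remove the duplicate local account (or rename the break-glass local user so it cannot collide with any server-side name), then re-test the login; the method list itself needs no change.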
