
Some commands allowed, TACACS+ configured wrong?

lifeforce4
Level 1

I have a test switch and TACACS+ server to try setting up TACACS+ before putting it into production. We have 3 persons on our network team and want to make it easier to manage device access if one of us leaves. Also to have a limited account for the person that would be filling the open position for a trial period. My issue is mainly with the config file for the server, I think. Also I am not 100% sure on a few AAA commands which I have read about and applied to the switch.

The "test" user can only do show ip, or so I thought. It denies all other "show" commands, but for some reason "show run" still works. If anyone could give me some tips on my configuration that would be greatly appreciated.

Thank you,

Kyle

##### TACACS+ Configured #####

user = test {
    member = limited
    login = des "encrypted password"
    enable = des "encrypted password"
    name = "tester"
}

user = admin {
    config omitted
}

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        deny .*
    }
}
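An added example (my own, not code from this thread or from tac_plus) that emulates the command-authorization decision the "limited" group above expresses. It assumes the patterns in a cmd block are matched from the start of the argument string and that a cmd block in which no line matches denies the command; the config string is a constructed copy of the limited group, and the parser reads only group blocks (including the one-line `cmd = exit { permit .* }` form that appears later in the thread), not the full tac_plus.cfg syntax. Run on a few commands a limited user might type, it shows that `show running-config` (what IOS sends when the user types `show run`) is denied by this configuration, so a switch that still executes it has not asked the server, which is exactly what the debug step is meant to confirm.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the "limited" group from the question above. The parser
# below reads only this subset of tac_plus.cfg syntax (group blocks, "default
# service", and cmd blocks with permit/deny lines); it is not tac_plus's parser.
LIMITED_GROUP_CFG = """
group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        deny .*
    }
}
"""

# Commands as IOS sends them to the server: the first word is the cmd, the rest
# are the args, and IOS expands abbreviations, so a user typing "sh run" produces
# cmd="show", args="running-config".
COMMANDS = [
    "show ip route",
    "show ip interface brief",
    "show running-config",
    "show version",
    "configure terminal",
]


@dataclass
class CmdRule:
    action: str          # "permit" or "deny"
    pattern: re.Pattern  # regex applied to the argument string


@dataclass
class Group:
    name: str
    default_service: str = "deny"               # tac_plus default when unspecified
    cmds: dict = field(default_factory=dict)    # cmd name -> [CmdRule, ...]


_RULE_RE = re.compile(r'(permit|deny)\s+"?([^"]*?)"?\s*$')


def _rule(text):
    """Turn 'permit "ip .*"' or 'deny .*' into a CmdRule, or None if it is not a rule line."""
    m = _RULE_RE.match(text.strip())
    return CmdRule(m.group(1), re.compile(m.group(2))) if m else None


def parse_groups(text):
    """Parse every 'group = NAME { ... }' block; other top-level blocks (users) are skipped."""
    groups, group, cmd = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := re.match(r'group\s*=\s*(\S+)\s*\{', line)):
            group = Group(m.group(1))
            groups[group.name] = group
            continue
        if group is None:
            continue                                # inside a user block or at top level
        if (m := re.match(r'default\s+service\s*=\s*(permit|deny)', line)):
            group.default_service = m.group(1)
        elif (m := re.match(r'cmd\s*=\s*(\S+)\s*\{(.*)$', line)):
            cmd = m.group(1)
            rules = group.cmds.setdefault(cmd, [])
            rest = m.group(2).strip()
            if rest.endswith("}"):                  # one-line form: cmd = exit { permit .* }
                rule = _rule(rest[:-1])
                if rule:
                    rules.append(rule)
                cmd = None
        elif cmd is not None and (rule := _rule(line)):
            group.cmds[cmd].append(rule)
        elif line == "}":
            if cmd is not None:
                cmd = None                          # end of the cmd block
            else:
                group = None                        # end of the group block
    return groups


def authorize(group, cmd, args):
    """Emulate tac_plus command authorization for one request from the NAS.
    Rules inside a cmd block are tried in order and the first match decides.
    Assumptions: a pattern is matched against the start of the argument string,
    and a cmd block in which no rule matches denies the command."""
    rules = group.cmds.get(cmd)
    if rules is None:
        return group.default_service == "permit"   # no cmd block: default service decides
    for rule in rules:
        if rule.pattern.match(args):
            return rule.action == "permit"
    return False


def check_commands(cfg_text, group_name, commands):
    """Return {full command: True if permitted, False if denied} under the named group."""
    group = parse_groups(cfg_text)[group_name]
    results = {}
    for full in commands:
        cmd, _, args = full.partition(" ")
        results[full] = authorize(group, cmd, args)
    return results


if __name__ == "__main__":
    for full, permitted in check_commands(LIMITED_GROUP_CFG, "limited", COMMANDS).items():
        print(f"{'PERMIT' if permitted else 'DENY  '} {full}")
```

With the group as written, every command outside the `show` block (for example `configure terminal`) falls to `default service = deny`, and inside the block only arguments beginning with `ip ` are permitted, so a permitted `show run` can only come from the switch never sending the request.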

15 Replies

Jagdeep Gambhir
Level 10

On the NAS, issue debug aaa authorization and debug tacacs.

Issue the show run command.

Now see if the NAS is sending the command "show run" to the TACACS+ server for authorization.

Regards,

~JG


I have debugging enabled and "tail" the two files tac_plus.log and tac_plus.acct in /var/log/. When I issue any commands it goes to the TACACS+ server and either allows or blocks the command. The command "show run" is still being allowed. Also there is no debugging info being displayed when I run the commands.

If it's using TACACS+ to block all the commands besides the ones permitted and debugging is on, why would it not show that?

Thanks,

Kyle

##### TACACS+ Configured #####

user = test {
    member = limited
    login = des "encrypted password"
    enable = des "encrypted password"
    name = "tester"
}

user = admin {
    config omitted
}

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        permit "debugging .*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
}

Kyle,

There is a known bug in some IOS versions where it does not send the authorization status of the command "show run". All other commands are sent to ACS, but not show run.

Which IOS is running on that device? You may need to upgrade.

Regards,

~JG

Do rate helpful posts

The IOS is 12.2(25r) c3560-ipservices-mx.122-25.SEB4.bin. Is there a location on Cisco's site for viewing known bugs? Viewing the running config might not be a problem; I need to consult the other members of our networking team.

Thank you,

Kyle

You can search it using the bug tool. As you said, I also think that viewing it should not be an issue, as they will not be able to issue any other command.

Regards,

~JG

Do rate helpful posts

I think there is something wrong with your tac_plus configuration.

I am using version c2960-lanbasek9-mz.122-25.SEE4.bin and

I have NO such issue. See below.

Here is my tac_plus configuration:

[root@dca2-LinuxES root]# more /etc/tacacs/tac_plus.cfg
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q

user = cciesec {
    member = admin
    name = "rancid user"
    login = des xxxxxxx
}

user = $cciesec$ {
    member = admin
    name = "rancid user"
    login = des yyyyyyy
}

user = test {
    member = limited
    login = des xxxxxxx
    name = "tester"
}

user = $test$ {
    member = limited
    login = des xxxxxx
    name = "tester"
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        permit "debugging .*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
    cmd = exit { permit .* }
    cmd = enable { permit .* }
}

group = admin {
    default service = permit
}

[root@dca2-LinuxES root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification

Username: test
Password:
C2960>en
Password:
C2960#sh run
Command authorization failed.
C2960#sh ver
Command authorization failed.
C2960#

When I log in with an "admin" account, I can do just about everything:

[root@dca2-LinuxES root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification

Username: cciesec
Password:
C2960>en
Password:
C2960#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2960(config)#end
C2960#exit
Connection closed by foreign host.
[root@dca2-LinuxES root]#

As you can see, even when the user has level 15 privilege, I can still restrict what he/she can do, as demonstrated with account "test". That's the beauty of TACACS+ authorization.

Life force is using IOS ver c3560-ipservices-mx.122-25.SEB4, whereas you are using c2960-lanbasek9-mz.122-25.SEE4.bi

Both codes are different.

But this IOS version is the same, with the exception that I have the enterprise edition whereas life force has the standard edition, correct? I can see other features may be different, but I would think that TACACS+ would be the same, right?

There is a huge difference between SE and EE codes. Extra features can result in changes in the behavior of the existing feature set.

Other than the code, we also have different hardware features here.

The biggest difference is that the 3560 does L3 while the 2960 is an L2 device only.

2960 only supports static ACL policies for authorization.

You need to have the ACL defined statically on the switch for it to apply to a user session based on successful authentication.

On 3560/3750, we support downloadable ACLs for authorization. AAA can tell the switch what ACL to apply, which gets created dynamically on the switch. So there is less provisioning, and more automation and intelligence.

Private VLAN is another security feature available on 3560 (not on 2960)

3560 supports more NAC features than 2960.

Wow, I did not even catch that he was talking about a 2960 instead of a 3560. This is one thing that makes me worry about implementing TACACS+ on the whole network. With 270+ NAS connected, I'm sure a few will have some bugs with the IOS installed on them and AAA.

Thanks,

Kyle

I can say that I do not have issues with IOS version 12.2(15)T17 and 12.3(12) on Cisco 2621 and 3640 routers, in addition to what I described on the 2960.

with "test" user

C2621>en
Password:
C2621#conf t
Command authorization failed.
       ^
% Invalid input detected at '^' marker.
C2621#

with "admin" user

C2621>en
Password:
C2621#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2621(config)#exit
C2621#

IOS images tested:

c2600-ik9o3s3-mz.122-15.T17.bin
c2600-ik9o3s3-mz.123-19.bin

Thank you for the testing. I don't doubt it works on those IOS versions you have, but you have seen my configuration and it should work... yet it does not. I will try it out on a different switch with a different IOS just to make sure it's not the config setup but the IOS itself.

Thanks,

Kyle

Kyle,

Please do share the outcome of your testing.

Regards,

~JG

Yes it has to be the IOS version because I just put the same AAA commands on another switch and here is the outcome.

### Switch output ###

User Access Verification

Username: test
Password:
TestSwitch01>en
Password:
TestSwitch01#show run
Command authorization failed.

###################

User Access Verification

Username: admin
Password:
TestSwitch01>en
Password:
TestSwitch01#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 20:58 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

c2950-i6q4l2-mz.121-20.EA1a.bin

### End ###

It's fine, because we will be updating all our devices with the latest IOS very soon, so I would hope we won't run into a bug like this. I'll make sure that if we do, it gets reported to Cisco for fixing.

Thanks,

Kyle