2385 Views, 16 Helpful, 12 Replies

tacacs+ logins asking for enable password

keshu1974
Level 1

Hi,

7609 with the following IOS version. 

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICES-M), Version 15.2(4)S4a, RELEASE SOFTWARE (fc1)

Tacacs+ users can successfully log in via telnet, but it's asking for the enable password to go to privileged mode. I have tried everything I could, but it keeps asking for the enable password. How do I get rid of the enable password prompt for the tacacs+ users? The following is the current relevant config.

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa group server tacacs+ TAC_PLUS
 server name AUTH
!
aaa authentication login default group TAC_PLUS local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
tacacs server AUTH
 address ipv4 xx.xx.xx.xx
 key 7 xxxxxxxxxxxxxxxxxxxxx
!
line con 0
line vty 0 4
 session-timeout 15
 access-class 10 in
 exec-timeout 120 0
 timeout login response 15
 transport input telnet
!
ip telnet source-interface Loopback1
ip tacacs source-interface Loopback1

 

 

12 Replies

nspasov
Cisco Employee

So you have the "authentication" part configured, but you have done no "authorization"-related configuration. You have several options here, but at the very minimum you can:

- Enable aaa authorization for the exec shell

- Use your AAA/Tacacs+ server to return the appropriate privilege level for the authenticated user

Here is a good example that involves ACS 5.x:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

Also, I would highly recommend that you configure a second method for authentication/authorization outside of TACACS+. That way, if your TACACS+ server(s) become unavailable, administrators can still authenticate and administer the device. The example from the link above uses the "local" database.

Another good reference is this Cisco Press book:

http://www.ciscopress.com/store/aaa-identity-management-security-9781587141447

I hope this helps!

 

Thank you for rating helpful posts!
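The two gaps named in the reply above (no exec authorization, and no fallback method when every TACACS+ server is unreachable) are the kind of thing worth checking mechanically before a change window. The following is an added example, not code from the thread or from Cisco: a small audit of the AAA method lists in an IOS running-config. The two embedded configs are constructed from the thread's own redacted snippets (the original poster's config and the lab config quoted later), and the finding codes are this example's own naming.

```python
"""Audit the AAA portion of an IOS running-config for the gaps discussed in
this thread.  Example code added to the thread, not Cisco's or the posters'.
Finding codes are this example's own naming."""
import re

# Method-list lines we care about: "aaa authentication login <list> <methods>"
# and "aaa authorization exec <list> <methods>".
METHOD_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
# Line-mode binding of a named login list: "login authentication <list>".
LINE_BIND_RE = re.compile(r"^login authentication (\S+)$")

# Constructed sample 1: the original poster's AAA lines (redacted as on the page).
OP_CONFIG = """\
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa group server tacacs+ TAC_PLUS
 server name AUTH
aaa authentication login default group TAC_PLUS local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 transport input telnet
"""

# Constructed sample 2: the lab config quoted in a later reply in the thread.
LAB_CONFIG = """\
aaa new-model
aaa authentication login vty group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
line con 0
line vty 0 4
 login authentication vty
line vty 5 15
 login authentication vty
"""


def parse_method_lists(config):
    """Map (kind, list_name) -> ordered methods, e.g. ['group tacacs+', 'local']."""
    lists = {}
    for raw in config.splitlines():
        m = METHOD_RE.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])  # "group <server-group>"
                i += 2
            else:
                methods.append(tokens[i])  # local, enable, none, if-authenticated ...
                i += 1
        lists[(kind, name)] = methods
    return lists


def bound_login_lists(config):
    """Names of login lists referenced by 'login authentication <list>' under a line."""
    bound = set()
    for raw in config.splitlines():
        m = LINE_BIND_RE.match(raw.strip())
        if m:
            bound.add(m.group(1))
    return bound


def audit_aaa(config):
    """Return finding codes in a fixed order; an empty list means no gap was found."""
    findings = []
    stripped = {raw.strip() for raw in config.splitlines()}
    if "aaa new-model" not in stripped:
        findings.append("missing-aaa-new-model")
    lists = parse_method_lists(config)
    logins = {n for (k, n) in lists if k == "authentication login"}
    execs = {n for (k, n) in lists if k == "authorization exec"}
    if not logins:
        findings.append("missing-login-authentication")
    if not execs:
        # Without exec authorization the server's priv-lvl is never applied, so the
        # user lands at the line's privilege level and is prompted for enable.
        findings.append("missing-exec-authorization")
    for (kind, name), methods in lists.items():
        # Only "group ..." methods: if every TACACS+ server is unreachable, nobody gets in.
        if all(m.startswith("group ") for m in methods):
            findings.append(f"no-fallback:{kind}/{name}")
    for name in sorted(logins):
        # A named login list does nothing unless some line references it.
        if name != "default" and name not in bound_login_lists(config):
            findings.append(f"unbound-login-list:{name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original poster", OP_CONFIG), ("lab", LAB_CONFIG)):
        print(label, "->", audit_aaa(cfg) or "no findings")
```

Run against the original poster's config this reports only `missing-exec-authorization`; the lab config comes back clean. The `no-fallback` check treats any non-`group` method (`local`, `if-authenticated`, `enable`, `none`) as a fallback, so it flags lockout risk, not the strength of the fallback.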
 


Hi,

I enabled authorization for the exec shell with the following line

aaa authorization exec default group tacacs+ if-authenticated

Now the tacacs+ login does not work at all and throws "% Authorization failed." This is what the debug log shows:

Nov 17 23:16:14: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:16:16: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:16:24: AAA/AUTHOR (0x0): Pick method list 'default'
Nov 17 23:16:24: AAA/AUTHOR/EXEC(00000000): Authorization FAILED
Nov 17 23:16:32: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'

 

If I remove that line, tacacs+ works, but the issue of having to supply the enable password remains. This is what the debug log shows in this situation:

Nov 17 23:16:39: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:13: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:17: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:17: %SYS-5-CONFIG_I: Configured from console by xxxx on vty0 (xxx.xxx.xxx.xxx)
Nov 17 23:17:47: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author
Nov 17 23:17:49: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 17 23:17:49: AAA: parse name=tty3 idb type=-1 tty=-1
Nov 17 23:17:49: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Nov 17 23:17:49: AAA/MEMORY: create_user (0x7C8274CC) user='xxxx' ruser='NULL' ds0=0 port='tty3' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Nov 17 23:17:56: AAA/MEMORY: free_user (0x7C8274CC) user='NULL' ruser='NULL' port='tty3' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Nov 17 23:18:01: AAA/AUTHOR: auth_need : user= 'xxxx' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 15 l

 

The same tacacs+ user can log in fine on another similar router.

Any clue? Let me know if you need more information.

Thanks,

 

What are you using for an AAA server, and what is the authorization profile that you are returning for this user? More specifically, what attributes?

Thank you for rating helpful posts!

Hi,

Using tac_plus on CentOS. Here is how it's set up.

 

group = nwadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = user1 {
    login = des $1$XXXXXXXXXXXXXXXXXXXXXXXXX
    member = nwadmin
}

 

Thanks,

 

Hmm, what debug commands do you have enabled? Do you have:

debug tacacs

debug aaa authentication

debug aaa authorization

 

Thank you for rating helpful posts!

Hi,

I did not have aaa authentication and tacacs debugging enabled. I have enabled them all, and this is what it shows when tacacs+ works but I have to type the enable password.

 

Nov 18 07:39:35: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Nov 18 07:39:35: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:35: TPLUS: processing authentication start request id 0
Nov 18 07:39:35: TPLUS: Authentication start packet created for 0()
Nov 18 07:39:35: TPLUS: Using server xx.xxx.xxx.xxx
Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT/56CA2684: Started 5 sec timeout
Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT: socket event 2
Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT: wrote entire 20 bytes request
Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:35: TPLUS(00000000)/0/READ: Would block while reading
Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:35: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:35: TPLUS(00000000)/0/READ: read entire 55 bytes response
Nov 18 07:39:35: TPLUS(00000000)/0/56CA2684: Processing the reply packet
Nov 18 07:39:35: TPLUS: Received authen response status GET_USER (7)
Nov 18 07:39:37: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:37: TPLUS: processing authentication continue request id 0
Nov 18 07:39:37: TPLUS: Authentication continue packet generated for 0
Nov 18 07:39:37: TPLUS(00000000)/0/WRITE/4752E370: Started 5 sec timeout
Nov 18 07:39:37: TPLUS(00000000)/0/WRITE: wrote entire 24 bytes request
Nov 18 07:39:37: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:37: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 18 07:39:37: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:37: TPLUS(00000000)/0/READ: read entire 28 bytes response
Nov 18 07:39:37: TPLUS(00000000)/0/4752E370: Processing the reply packet
Nov 18 07:39:37: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 18 07:39:41: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:41: TPLUS: processing authentication continue request id 0
Nov 18 07:39:41: TPLUS: Authentication continue packet generated for 0
Nov 18 07:39:41: TPLUS(00000000)/0/WRITE/55F31F34: Started 5 sec timeout
Nov 18 07:39:41: TPLUS(00000000)/0/WRITE: wrote entire 27 bytes request
Nov 18 07:39:41: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:41: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 18 07:39:41: TPLUS(00000000)/0/READ: socket event 1
Nov 18 07:39:41: TPLUS(00000000)/0/READ: read entire 18 bytes response
Nov 18 07:39:41: TPLUS(00000000)/0/55F31F34: Processing the reply packet
Nov 18 07:39:41: TPLUS: Received authen response status PASS (2)
Nov 18 07:39:41: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author
Nov 18 07:39:42: AAA/AUTHOR: auth_need : user= 'user1' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Nov 18 07:39:42: AAA: parse name=tty1 idb type=-1 tty=-1
Nov 18 07:39:42: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Nov 18 07:39:42: AAA/MEMORY: create_user (0x776722A4) user='user1' ruser='NULL' ds0=0 port='tty1' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): port='tty1' list='' action=LOGIN service=ENABLE
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): non-console enable - default to enable password
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): Method=ENABLE
Nov 18 07:39:42: AAA/AUTHEN (2568611223): status = GETPASS
Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): continue_login (user='(undef)')
Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = GETPASS
Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): Method=ENABLE
Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = PASS
Nov 18 07:39:48: AAA/MEMORY: free_user (0x776722A4) user='NULL' ruser='NULL' port='tty1' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

 

And this is what I see when I try logging in with aaa authorization enabled (when the tacacs+ login fails with "% Authorization failed.").

 

Nov 18 08:08:32: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Nov 18 08:08:32: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 08:08:32: TPLUS: processing authentication start request id 0
Nov 18 08:08:32: TPLUS: Authentication start packet created for 0()
Nov 18 08:08:32: TPLUS: Using server xxx.xxx.xxx.xxx
Nov 18 08:08:32: TPLUS(00000000)/0/NB_WAIT/52B2BA68: Started 5 sec timeout
Nov 18 08:08:32: TPLUS(00000000)/0/NB_WAIT: socket event 2
Nov 18 08:08:32: TPLUS(00000000)/0/NB_WAIT: wrote entire 20 bytes request
Nov 18 08:08:32: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:32: TPLUS(00000000)/0/READ: Would block while reading
Nov 18 08:08:32: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:32: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Nov 18 08:08:32: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:32: TPLUS(00000000)/0/READ: read entire 55 bytes response
Nov 18 08:08:32: TPLUS(00000000)/0/52B2BA68: Processing the reply packet
Nov 18 08:08:32: TPLUS: Received authen response status GET_USER (7)
Nov 18 08:08:34: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 08:08:34: TPLUS: processing authentication continue request id 0
Nov 18 08:08:34: TPLUS: Authentication continue packet generated for 0
Nov 18 08:08:34: TPLUS(00000000)/0/WRITE/52B2BA68: Started 5 sec timeout
Nov 18 08:08:34: TPLUS(00000000)/0/WRITE: wrote entire 24 bytes request
Nov 18 08:08:34: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:34: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 18 08:08:34: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:34: TPLUS(00000000)/0/READ: read entire 28 bytes response
Nov 18 08:08:34: TPLUS(00000000)/0/52B2BA68: Processing the reply packet
Nov 18 08:08:34: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 18 08:08:38: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 08:08:38: TPLUS: processing authentication continue request id 0
Nov 18 08:08:38: TPLUS: Authentication continue packet generated for 0
Nov 18 08:08:38: TPLUS(00000000)/0/WRITE/52B2BA68: Started 5 sec timeout
Nov 18 08:08:38: TPLUS(00000000)/0/WRITE: wrote entire 27 bytes request
Nov 18 08:08:38: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:38: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 18 08:08:38: TPLUS(00000000)/0/READ: socket event 1
Nov 18 08:08:38: TPLUS(00000000)/0/READ: read entire 18 bytes response
Nov 18 08:08:38: TPLUS(00000000)/0/52B2BA68: Processing the reply packet
Nov 18 08:08:38: TPLUS: Received authen response status PASS (2)
Nov 18 08:08:38: AAA/AUTHOR (0x0): Pick method list 'default'
Nov 18 08:08:38: AAA/AUTHOR/EXEC(00000000): Authorization FAILED
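The two captures above differ in only a few lines once authentication has returned PASS: the first shows `Method list id=0 not configured. Skip author` followed by `non-console enable - default to enable password` (no exec authorization, so the router falls back to the enable password), the second shows `AAA/AUTHOR/EXEC(...): Authorization FAILED`. As an added example, not code from the thread or from Cisco, here is a small classifier for `debug aaa authentication`, `debug aaa authorization` and `debug tacacs` output that picks those markers out and names the outcome. The sample inputs are abridged from the two captures above; the outcome names, and the FAIL line with its placeholder status number, are this example's own constructions.

```python
"""Classify an IOS AAA/TACACS+ debug capture into the outcomes seen in this
thread.  Example code added to the thread, not Cisco's; outcome names and the
constructed FAIL sample are this example's own."""
import re

AUTHEN_STATUS_RE = re.compile(r"TPLUS: Received authen response status (\w+) \(\d+\)")
SKIP_AUTHOR_RE = re.compile(r"AAA/AUTHOR \(\w+\): Method list id=\d+ not configured\. Skip author")
EXEC_AUTHOR_RE = re.compile(r"AAA/AUTHOR/EXEC\(\w+\): Authorization (\w+)")
ENABLE_FALLBACK_RE = re.compile(r"AAA/AUTHEN/START \(\d+\): non-console enable - default to enable password")

# Sample 1: abridged from the thread's first capture (login works, enable prompt follows).
ENABLE_PROMPT_CAPTURE = [
    "Nov 18 07:39:35: TPLUS: Received authen response status GET_USER (7)",
    "Nov 18 07:39:37: TPLUS: Received authen response status GET_PASSWORD (8)",
    "Nov 18 07:39:41: TPLUS: Received authen response status PASS (2)",
    "Nov 18 07:39:41: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author",
    "Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): port='tty1' list='' action=LOGIN service=ENABLE",
    "Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): non-console enable - default to enable password",
    "Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): Method=ENABLE",
]

# Sample 2: abridged from the thread's second capture (exec authorization on, login rejected).
AUTHZ_FAILED_CAPTURE = [
    "Nov 18 08:08:32: TPLUS: Received authen response status GET_USER (7)",
    "Nov 18 08:08:34: TPLUS: Received authen response status GET_PASSWORD (8)",
    "Nov 18 08:08:38: TPLUS: Received authen response status PASS (2)",
    "Nov 18 08:08:38: AAA/AUTHOR (0x0): Pick method list 'default'",
    "Nov 18 08:08:38: AAA/AUTHOR/EXEC(00000000): Authorization FAILED",
]


def summarize(lines):
    """Collect the markers that decide the outcome of one login attempt."""
    summary = {"authen": None, "exec_author": None,
               "author_skipped": False, "enable_fallback": False}
    for line in lines:
        m = AUTHEN_STATUS_RE.search(line)
        if m:
            # GET_USER -> GET_PASSWORD -> PASS/FAIL: the last status seen is the verdict.
            summary["authen"] = m.group(1)
            continue
        if SKIP_AUTHOR_RE.search(line):
            summary["author_skipped"] = True
            continue
        m = EXEC_AUTHOR_RE.search(line)
        if m:
            summary["exec_author"] = m.group(1)
            continue
        if ENABLE_FALLBACK_RE.search(line):
            summary["enable_fallback"] = True
    return summary


def diagnose(lines):
    """Name the outcome of the capture, checked from the earliest stage outward."""
    s = summarize(lines)
    if s["authen"] != "PASS":
        return "authentication-not-passed"
    if s["exec_author"] == "FAILED":
        return "exec-authorization-failed"
    if s["enable_fallback"]:
        # Router fell back to the enable password after login: either no exec
        # authorization list exists, or one exists but priv-lvl 15 was not applied.
        if s["author_skipped"]:
            return "enable-prompt-no-exec-authorization"
        return "enable-prompt-after-exec-authorization"
    return "no-anomaly-seen"


if __name__ == "__main__":
    print("capture 1:", diagnose(ENABLE_PROMPT_CAPTURE))
    print("capture 2:", diagnose(AUTHZ_FAILED_CAPTURE))
```

The point of ordering the checks this way is that an authentication FAIL makes the later markers meaningless, and an authorization FAILED makes the enable prompt unreachable, so each verdict is the earliest stage that went wrong.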

hmm, it looks like your authentication is passing but you are failing the authorization part. I just tested this in my lab with ACS and had no problems with it. Here is my simple config:

NS-3560-E#sh run | sec aaa
aaa new-model
aaa authentication login vty group tacacs+ local
aaa authorization exec default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
NS-3560-E#sh run | sec line
line con 0
line vty 0 4
 login authentication vty
line vty 5 15
 login authentication vty

I am returning an authorization profile that just sets the user's privilege level to 15. So I suspect that the issue is with your TACACS+ configuration.

Thank you for rating helpful posts!

I guess I am gonna have to give up. The same config works on all the other gear connecting to the same tacacs server; only this particular 7609 shows this issue. I think I hit a bug. Thank you for all your help so far.

Ah, I did not know that only this device is giving you issues. If you have the same syntax on the other devices then it is very probable that you are hitting a bug. What version of code are you running?

Thank you for rating helpful posts!

Sorry for the delayed response, it's

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICES-M), Version 15.2(4)S4a, RELEASE SOFTWARE (fc1)
Compiled Mon 07-Oct-13 21:48 by prod_rel_team

 

I could not find any bugs related to AAA/TACACS+ with that version of code. However, that does not mean that an actual bug does not exist :) I would recommend contacting Cisco and getting their input.

Thank you for rating helpful posts!