08-27-2010 01:25 PM - edited 03-10-2019 05:22 PM
Experts,
My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.
Here is my AAA config, followed by a debug:
aaa new-model
aaa authentication login ACCESS group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACCESS group tacacs+
aaa authorization commands 1 Priv1 group tacacs+ none
aaa authorization commands 15 Priv15 group tacacs+ none
aaa authorization network ACCESS group tacacs+
aaa accounting exec ACCESS start-stop group tacacs+
aaa accounting commands 0 ACCESS start-stop group tacacs+
aaa accounting commands 1 ACCESS start-stop group tacacs+
aaa accounting commands 15 ACCESS start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication ACCESS
ip http authentication aaa exec-authorization ACCESS
ip http authentication aaa command-authorization 1 Priv1
ip http authentication aaa command-authorization 15 Priv15
ip http secure-server
no ip http server
tacacs-server host X.X.X.X key 7
tacacs-server timeout 3
tacacs-server directed-request
Debug:
47w4d: HTTP AAA Login-Authentication List name: ACCESS
47w4d: HTTP AAA Exec-Authorization List name: ACCESS
47w4d: HTTP: Authentication failed for level 15
Shell authorization profiles are working in ACS when SSHing to devices (Priv1 and Priv15), and I can't figure out why it's not working for HTTPS.
Any ideas?
08-30-2010 08:50 AM
Can you turn on "debug tacacs" on the router, collect the output, and post it here please?
08-30-2010 08:54 AM
Thank you for your response, here is the debug from the 3560:
BC-3560-48-6-1-1#
48w0d: HTTP AAA Login-Authentication List name: ACCESS
48w0d: HTTP AAA Exec-Authorization List name: ACCESS
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: processing authentication start request id 0
48w0d: TPLUS: Authentication start packet created for 0(varnumd)
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS(00000000)/0/NB_WAIT/458EDA8: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 27 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: Would block while reading
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 28 bytes response
48w0d: TPLUS(00000000)/0/458EDA8: Processing the reply packet
48w0d: TPLUS: Received authen response status GET_PASSWORD (8)
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: processing authentication continue request id 0
48w0d: TPLUS: Authentication continue packet generated for 0
48w0d: TPLUS(00000000)/0/WRITE/4332F88: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/WRITE: wrote entire 30 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 18 bytes response
48w0d: TPLUS(00000000)/0/4332F88: Processing the reply packet
48w0d: TPLUS: Received authen response status PASS (2)
48w0d: TPLUS: Queuing AAA Authorization request 0 for processing
48w0d: TPLUS: processing authorization request id 0
48w0d: TPLUS: Inappropriate protocol: 25
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS: Authorization request created for 0(varnumd)
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS(00000000)/0/NB_WAIT/4332E18: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: Would block while reading
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read 0 bytes
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out
48w0d: TPLUS: Inappropriate protocol: 25
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS: Authorization request created for 0(varnumd)
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out, clean up
48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet
48w0d: HTTP: Authentication failed for level 15
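The debug above is easier to reason about when the three phases (HTTP login authentication, TACACS+ authentication, TACACS+ shell authorization) are pulled apart, because ACS logs a "Passed" authentication while the switch never gets a usable authorization reply. The following is an added example, not code from the thread or from Cisco: a small triage script that walks `debug tacacs` / HTTP AAA lines and reports what each phase concluded. The sample input is an excerpt of the debug posted above; the string patterns are taken from those lines only.

```python
import re

# Patterns taken from the TPLUS / HTTP AAA debug lines posted in this thread
RE_AUTHEN_STATUS = re.compile(r"Received authen response status (\w+) \(\d+\)")
RE_AV            = re.compile(r"Sending AV (\S+)")
RE_SERVER        = re.compile(r"Using server (\S+)")
RE_HTTP_RESULT   = re.compile(r"HTTP: Authentication (failed|succeeded) for level (\d+)")

# Excerpt of the debug posted above (not a new capture)
SAMPLE_DEBUG = """\
48w0d: HTTP AAA Login-Authentication List name: ACCESS
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS: Received authen response status GET_PASSWORD (8)
48w0d: TPLUS: Received authen response status PASS (2)
48w0d: TPLUS: Queuing AAA Authorization request 0 for processing
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS(00000000)/0/READ: read 0 bytes
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet
48w0d: HTTP: Authentication failed for level 15
"""


def summarize_tplus(lines):
    """Walk TPLUS/HTTP debug lines and record what each AAA phase concluded."""
    summary = {
        "server": None,
        "authentication": [],                      # authen status values in order seen
        "authorization": {"avpairs": [], "result": "NO_REQUEST"},
        "http": None,
    }
    phase = None
    for line in lines:
        if "Queuing AAA Authentication request" in line:
            phase = "authen"
        elif "Queuing AAA Authorization request" in line:
            phase = "author"
            summary["authorization"]["result"] = "NO_REPLY"
        m = RE_SERVER.search(line)
        if m:
            summary["server"] = m.group(1)
        m = RE_AUTHEN_STATUS.search(line)
        if m:
            summary["authentication"].append(m.group(1))
        m = RE_AV.search(line)
        if m and phase == "author" and m.group(1) not in summary["authorization"]["avpairs"]:
            summary["authorization"]["avpairs"].append(m.group(1))
        if phase == "author":
            if "timed out" in line:
                summary["authorization"]["result"] = "TIMEOUT"
            elif "read 0 bytes" in line:
                summary["authorization"]["closed_by_peer"] = True   # server closed the TCP session
            elif "Processing the reply packet" in line and summary["authorization"]["result"] == "NO_REPLY":
                summary["authorization"]["result"] = "REPLY"
        m = RE_HTTP_RESULT.search(line)
        if m:
            summary["http"] = f"{m.group(1)} for level {m.group(2)}"
    return summary


def diagnose(summary):
    """Name the phase that produced the failure, so the right side is checked first."""
    if "PASS" not in summary["authentication"]:
        return "authentication"      # credentials rejected, or no answer at all
    if summary["authorization"]["result"] in ("NO_REQUEST", "NO_REPLY", "TIMEOUT"):
        return "authorization"       # credentials accepted, but no shell authorization reply arrived
    return "http"                    # both phases answered; look at the HTTP side / priv level


if __name__ == "__main__":
    s = summarize_tplus(SAMPLE_DEBUG.splitlines())
    print(s)
    print("failing phase:", diagnose(s))
```

Run against the posted debug, the script reports authentication `GET_PASSWORD` then `PASS`, an authorization request carrying `service=shell` and `cmd*` that timed out after the server returned zero bytes, and the HTTP failure for level 15, so the place to look is the authorization exchange rather than the credentials.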
11-11-2011 10:13 AM
I am having the same issue with the same debug. Did you ever get any resolution to this? If you look at the "Passed" authentications in ACS, it logs the attempt as Passed, but still fails to log in. Thanks.
11-14-2011 08:21 AM
48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet
48w0d: HTTP: Authentication failed for level 15
Note that it says that authentication failed for level 15. Is the shell profile being hit configured to grant privilege level 15?
11-14-2011 11:30 AM
I never figured out the issue and ended up moving on to other projects, but I'm definitely interested in picking this back up.
Javier, yes the shell profile being hit is configured to grant priv level 15. This works fine via SSH and telnet. What's strange is my ACS logs show successful authentication. If I look at the actual log, I can see myself match the appropriate ID Store, shell profile, ID group, ID policy, Group Mapping, and Authorization policy, with success.
I'm curious if something is misconfigured on the switch side, can you take a look at the posted config, particularly the http configuration? I know over SSH and telnet my shell profiles work fine, just not HTTP. I'll do some more digging since I haven't looked at this in over a year and let you know if I resolve the issue.
11-14-2011 11:34 AM
Dave,
The switch configuration looks fine. Can you look at the traffic between the switch and ACS using a tool like wireshark, to see the contents of the reply packet from ACS, to see if priv-lvl=15 is included?
Also, when you look at the details of the authentication and authorization on ACS, does it show that it's sending priv-level=15?
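Checking the reply packet for `priv-lvl=15`, as suggested above, means decoding a TACACS+ authorization REPLY. The following is an added example, not code from the thread or from Cisco or ACS: a decoder that removes the TACACS+ MD5 pseudo-pad obfuscation (RFC 8907, section 4.5) using the shared key configured with `tacacs-server host ... key`, parses the authorization REPLY body (RFC 8907, section 6.2) and reports whether the server granted privilege level 15. The packet it parses is constructed in the same script with a made-up key and session id; a real capture would be the TCP payload of the reply from the ACS server, taken with Wireshark.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907, section 4.1): version, type, seq_no, flags, session_id, length
HEADER_FMT = "!BBBBII"
HEADER_LEN = 12
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_MAJOR_VER = 0xC0           # major 12, minor 0

AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n adds MD5_n-1."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def parse_author_reply(packet, key):
    """Decode an authorization REPLY and return its status, server message and AV pairs."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet (type {ptype:#x})")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, server_msg_len, data_len = struct.unpack("!BBHH", body[:6])
    offset = 6
    arg_lens = list(body[offset:offset + arg_cnt])
    offset += arg_cnt
    server_msg = body[offset:offset + server_msg_len].decode(errors="replace")
    offset += server_msg_len + data_len          # skip the opaque data field
    args = {}
    for n in arg_lens:
        raw = body[offset:offset + n].decode(errors="replace")
        offset += n
        # '=' marks a mandatory attribute, '*' an optional one (e.g. "cmd*" in the debug above)
        idx = min((i for i, c in enumerate(raw) if c in "=*"), default=len(raw))
        args[raw[:idx]] = raw[idx + 1:]
    return {"status": AUTHOR_STATUS.get(status, f"UNKNOWN({status:#x})"),
            "server_msg": server_msg, "args": args}


def grants_priv15(reply):
    """True when the server passed the request and returned priv-lvl=15."""
    return reply["status"].startswith("PASS") and reply["args"].get("priv-lvl") == "15"


def build_author_reply(session_id, key, seq_no, status, args, encrypt=True):
    """Construct a REPLY for testing; not something a device or ACS emits as-is."""
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), 0, 0)
    body += bytes(len(a) for a in arg_bytes) + b"".join(arg_bytes)
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    if encrypt:
        body = obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return header + body


# Constructed sample (made-up key and session id, not a real capture): PASS_ADD with shell, priv-lvl=15
SAMPLE_KEY = "constructed-key"
SAMPLE_PACKET = build_author_reply(0x1234ABCD, SAMPLE_KEY, 2, 0x01, ["service=shell", "priv-lvl=15"])

if __name__ == "__main__":
    reply = parse_author_reply(SAMPLE_PACKET, SAMPLE_KEY)
    print(reply, "grants level 15:", grants_priv15(reply))
```

For a real capture, feed the TCP payload of the server's reply and the key from the switch configuration; a reply whose decoded status is not `PASS_ADD`/`PASS_REPL`, or whose AV pairs lack `priv-lvl=15`, explains an HTTP failure for level 15 even when ACS logs the authentication as passed. Note that the pseudo-pad only obscures the body with a key-derived XOR stream, so a decoded reply is only as trustworthy as the segment it was captured on.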
11-14-2011 11:42 AM
I found this bug and it looks like it has not been fixed yet.
The Bug ID is CSCtq94595.
HTTP AAA Authentication does not work any more after upgrade to 12.2.58S.
Symptom: HTTP AAA Authentication does not work with IOS version 12.2.58SE1
Conditions: HTTP AAA authentication with local DB
Workaround: None
1st Found-In:
15.2(1)TPI17
12.2(58)SE2
15.0(1)SE
12.2(58)SE1
Fixed-In:
Release-Pending
11-14-2011 12:57 PM
I'm running 12.2(50)SE on my 3560, where I am experiencing the issue.
One thing I noticed on the 3560 was I could successfully log in via http://x.x.x.x/level/1, but not http://x.x.x.x/level/15, even though both logs show successful authentication and authorization.
I decided to try a 2960 running 12.2(53r)SE, and HTTP auth worked! Same exact configuration, just a different switch, slightly different IOS revision. I'm going to try and upgrade my 3560 to this version of code during our maintenance window this week and see if it works. I hope this really is just a bug in particular versions of code, good find.