12-09-2013 04:53 PM - edited 03-10-2019 09:10 PM
I have the following configuration on my switch and it works correctly:
aaa group server tacacs+ tacacs_serv
server 192.168.70.20
aaa authentication login tac_auth group tacacs_serv local
line vty 0 15
login authentication tac_auth
transport input ssh
The configuration above works correctly, my username/pwd are authenticated via Tacacs+ and the "enable" password is confirmed via the local database on the switch.
When I make the following changes, attempting to have TACACS+ validate the username/pwd as well as the "enable" password, I cannot log into the switch at all.
aaa group server tacacs+ tacacs_serv
server 192.168.70.20
aaa authentication login default group tacacs_serv local
aaa authentication enable default group tacacs_serv enable
line vty 0 15
login authentication default
transport input ssh
The switch is running 12.2(44)SE6. The username/pwd are in the local database of the Linux server. The enable password is configured in two places within the tac_plus.conf file:
host = 192.168.70.15 {
prompt = "Enter your Username and Password. Username: "
enable = cleartext "password"
}
AND
user = $enab15$ {
login = cleartext "password"
}
Any help would be appreciated.
Thanks
12-09-2013 07:30 PM
Dear David,
Please post debug aaa authentication.
From the configuration you have posted it seems your switch-side configuration is correct, and there could be something missing on the TACACS+ server side.
http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i47039__heada__4_8
If you choose to use TACACS+ to authenticate your enable password as well, then you will need to define a special enable user called $enabl15$. The following example creates this enable account by using the password happy. After you define this username, the TACACS+ server will be able to handle authentication requests for the enable password:
user = $enab15$ { login = cleartext happy }
Thanks
sharad
12-10-2013 07:19 AM
Thanks for your help. I have tried creating the special user you mentioned ($enab15$ and $enabl15$). I did it both ways since there was a typo. Neither works. Below is the output from the command debug aaa authentication:
Dec 10 15:08:43.155: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 15:08:43.155: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 15:08:43.155: AAA/MEMORY: create_user (0x1F3BA50) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): using "default" list
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): Method=tacacs_serv (tacacs+)
Dec 10 15:08:43.155: TAC+: send AUTHEN/START packet ver=192 id=1044210600
Dec 10 15:08:43.457: TAC+: ver=192 id=1044210600 received AUTHEN status = GETPASS
Dec 10 15:08:43.457: AAA/AUTHEN (1044210600): status = GETPASS
% Error in authentication.
I am testing this on a 2960, running 12.2(44)SE6. Could this be a bug?
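The debug above shows only the first leg of the TACACS+ enable exchange: the switch sends AUTHEN/START with service=ENABLE and priv=15 (protocol version 0xC0, printed as "ver=192"), and the server answers with status GETPASS, after which the password is carried in an AUTHEN/CONTINUE. The Python below is an added example, not code from this thread or from tac_plus, that builds and decodes those three packets offline using the RFC 8907 framing and MD5 pseudo-pad. The shared key, session id, username and password are made-up values; it also shows why the TAC+ lines print a negative id (IOS prints the 32-bit session id as a signed integer).

```python
"""Constructed TACACS+ enable-authentication exchange (no network I/O)."""
import hashlib
import struct

VERSION = 0xC0            # major 0xC, minor 0: the "ver=192" in the IOS debug
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SERVICE_LOGIN = 0x01
SERVICE_ENABLE = 0x02
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 33: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: pad_i = MD5(session_id || key || version || seq_no || pad_{i-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def crypt_body(body, session_id, key, version, seq_no):
    """XOR body with the pad; symmetric, so it both obfuscates and reveals."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header (flags=0 means body is obfuscated) followed by the body."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + crypt_body(body, session_id, key, VERSION, seq_no)


def parse_packet(raw, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    body = raw[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & FLAG_UNENCRYPTED:
        body = crypt_body(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authen_start_body(user, port, rem_addr, service, priv_lvl):
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, service,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    off, fields = 8, []
    for n in (ul, pl, rl, dl):          # variable-length fields follow in order
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def authen_reply_body(status, server_msg=b"", data=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    status, _flags, ml, dl = struct.unpack("!BBHH", body[:6])
    return {"status": STATUS_NAMES.get(status, status),
            "server_msg": body[6:6 + ml].decode(), "data": body[6 + ml:6 + ml + dl]}


def authen_continue_body(user_msg, data=b""):
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def ios_debug_id(session_id):
    """IOS prints the unsigned 32-bit session id as a signed int in TAC+ lines."""
    return struct.unpack("!i", struct.pack("!I", session_id))[0]


def enable_exchange(user, password, key, session_id):
    """Three packets of an enable exchange; returns what each side decoded."""
    # 1. NAS -> server: AUTHEN START, service=ENABLE, priv_lvl=15 (seq 1)
    start = build_packet(TYPE_AUTHEN, 1, session_id,
                         authen_start_body(user, "tty0", "async", SERVICE_ENABLE, 15), key)
    server_view = parse_authen_start(parse_packet(start, key)["body"])
    # 2. server -> NAS: AUTHEN REPLY status=GETPASS (seq 2)
    reply = build_packet(TYPE_AUTHEN, 2, session_id, authen_reply_body(5, b"Password: "), key)
    nas_view = parse_authen_reply(parse_packet(reply, key)["body"])
    # 3. NAS -> server: AUTHEN CONTINUE carrying the enable password (seq 3)
    cont = build_packet(TYPE_AUTHEN, 3, session_id, authen_continue_body(password.encode()), key)
    cont_body = parse_packet(cont, key)["body"]
    msg_len = struct.unpack("!H", cont_body[:2])[0]
    return server_view, nas_view, cont_body[5:5 + msg_len].decode()


if __name__ == "__main__":
    srv, nas, pw = enable_exchange("testuser", "s3cret", b"sharedkey", 3771241761)
    print(srv, nas, pw, ios_debug_id(3771241761))
```

Decoding with the wrong shared key does not fail loudly: the XOR simply yields garbage, which is why a key mismatch between the switch and tac_plus tends to surface as a malformed request or an ERROR/FAIL reply rather than as an explicit key error.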
12-10-2013 07:27 AM
Hi David,
"% Error in authentication"
at enable authentication usually means that the (maximum) privilege level is not 15,
because when you type in "enable" it's actually "enable 15".
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed
12-10-2013 07:46 AM
Below is the config of the $enabl15$ user in the TACACS+ config file:
user = $enabl15$ {
login = cleartext 802.11boingo
priv-lvl = 15
}
I did, at your suggestion, add the priv-lvl line. It did not change the result.
Below is the most recent debug:
CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 15:41:55.857: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 15:41:55.857: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 15:41:55.857: AAA/MEMORY: create_user (0x1E6AA88) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): using "default" list
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): Method=tacacs_serv (tacacs+)
Dec 10 15:41:55.865: TAC+: send AUTHEN/START packet ver=192 id=-523725535
Dec 10 15:41:56.167: TAC+: ver=192 id=-523725535 received AUTHEN status = GETPASS
Dec 10 15:41:56.167: AAA/AUTHEN (3771241761): status = GETPASS
% Error in authentication.
Thanks again...
12-10-2013 07:50 AM
Hi David,
if you notice the debug:
Dec 10 15:41:55.857: AAA/MEMORY: create_user (0x1E6AA88) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
So enable authentication is being done for testuser, so the privilege should also be inside the user testuser.
Regards
Ed
12-10-2013 08:07 AM
I added the priv-lvl to $enabl15$:
user = $enabl15$ {
login = cleartext 802.11boingo
priv-lvl = 15
}
It is also in the testuser config:
user = testuser {
login = PAM
member = admin
service = exec {
priv-lvl = 15
}
}
It is also in the group config:
group = admin {
# group members who don't have their own login password will be
# looked up in /etc/passwd
#login = file /etc/passwd
login = PAM
# group members who have no expiry date set will use this one
#expires = "Jan 1 1997"
# only allow access to specific routers
acl = default
# Needed for the router to make commands available to user (subject
# to authorization if so configured on the router)
service = exec {
priv-lvl = 15
#default service = permit
}
}
Below is the latest debug:
CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 16:06:45.755: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 16:06:45.755: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
% Error in authentication.
12-10-2013 04:01 PM
Hi David,
So here is the thing: I know how to set maximum and default privilege levels on the ACS (Cisco Access Control System).
Eg:
The same way, it would be different in the tac_plus server that you are using.
The configuration you have used is, I suppose, for the default privilege level, which will not help in our scenario.
Now, I am not sure how to configure the maximum privilege level on the tac_plus side.
I do have a suggestion if you are interested in skipping the enable authentication mode and doing the authorization based on privilege levels.
Let me know if you are, and I can suggest that config on the IOS side.
Regards
Ed