cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2677
Views
0
Helpful
1
Replies

tclsh and TACACS+

nasvos
Level 1
Level 1

Is there a trick to getting tcl scripts (or even just the tclsh command) to work in a TACACS+ environment?  I was trying to run a tcl script that I copied to the device, and got "command authoriziation failed".  Running tclsh by itself and trying to exec a command yielded the same results, even after setting the event manager user to the currently logged in user.

I tried this on two different deviecs, a 6500 running 12.2.33SXI9 and a 4900M running 12.2.54SG1.  The failed commands show up in tacacs with no username and as async...

Example:

ttnet-ch-rocore-1>en

Password:

ttnet-ch-rocore-1#tclsh

ttnet-ch-rocore-1(tcl)#exec "show ver"

Command authorization failed.

ch-rocore-1(tcl)#exit

ch-rocore-1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

ch-rocore-1(config)#event manager session cli user xXxXx

ch-rocore-1(config)#exit

ch-rocore-1#tclsh

ch-rocore-1(tcl)#exec "show ver"

Command authorization failed.

AAA config:

aa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 noauth none

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 1 noauth none

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization commands 15 noauth none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

Thanks!

-Nick

1 Reply 1

Joe Clarke
Cisco Employee
Cisco Employee

This is CSCsu65401, which is not fixed in your versions of code.  Might I suggest you use EEM Tcl?  With EEM, you have tighter control over how AAA is used (using the event manager session cli user command).  I'm not sure what your end goal is, but I'm sure you could accomplish it using either EEM applets or Tcl scripts.

Review Cisco Networking for a $25 gift card