cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1482
Views
0
Helpful
1
Replies
Highlighted

ASR-9010 - 5.3.3 - TACACS Authorization loophole

Good day,

 

I hope someone can assist.

I have denied the command: "route-policy" with arguments "default_policy_pass_all" on our Cisco ACS.

 

When someone tries to create/edit this policy they enter "route-policy default_policy_pass_all"

They then type "end-policy" and they receive "Command authorization failed" as expected and the command is not allowed.

 

However, when they create/edit this policy and enter, "route-policy default_policy_pass_all" and hit CTRL + C on the keyboard, they are able to commit thus editing the policy and breaking services.

 

It seems like this is an XR software issue because the ASR never asks the ACS for authorization for entering the command "route-policy default_policy_pass_all"

 

Has anyone seen this before or have a better way of blocking commands?

 

RP/0/RSP1/CPU0:router1#conf t
Fri Sep 22 12:48:28.403 SAST
RP/0/RSP1/CPU0:router1(config)#route-policy default_policy_pass_all
Fri Sep 22 12:48:29.919 SAST
% WARNING: Policy object route-policy default_policy_pass_all' exists! Reconfiguring it via CLI will replace current definition. Use 'abort to cancel.
RP/0/RSP1/CPU0:router1(config-rpl)#end-policy
Command authorization failed
% Incomplete command.
RP/0/RSP1/CPU0:router1(config-rpl)#
RP/0/RSP1/CPU0:router1#conf t
Fri Sep 22 12:48:36.252 SAST
RP/0/RSP1/CPU0:router1(config)#route-policy default_policy_pass_all
Fri Sep 22 12:48:37.877 SAST
% WARNING: Policy object route-policy default_policy_pass_all' exists! Reconfiguring it via CLI will replace current definition. Use 'abort to cancel.
RP/0/RSP1/CPU0:router1(config-rpl)#
RP/0/RSP1/CPU0:router1(config)#sh configuration
Fri Sep 22 12:48:42.677 SAST
Building configuration...
!! IOS XR Configuration 5.3.3
!
route-policy default_policy_pass_all
end-policy
!
end

RP/0/RSP1/CPU0:router1(config)#

 

Kind Regards,

Hendrik

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASR-9010 - 5.3.3 - TACACS Authorization loophole

Good day,

 

In case anyone else has seen this issue:

So Cisco TAC confirmed that this issue is fixed in XR 6.1.4

 

https://cdetsng.cisco.com/webui/#view=CSCvb91497

 

Kind Regards,

Hendrik

View solution in original post

1 REPLY 1

Re: ASR-9010 - 5.3.3 - TACACS Authorization loophole

Good day,

 

In case anyone else has seen this issue:

So Cisco TAC confirmed that this issue is fixed in XR 6.1.4

 

https://cdetsng.cisco.com/webui/#view=CSCvb91497

 

Kind Regards,

Hendrik

View solution in original post

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards