Catalyst C6509 aaa post authorization status = error

dynamitec1
Level 1

ACS ver: 5.2

L3 Switch: C6509

IOS version: s72033-ipservices_wan-mz.122-33.SXI7.bin

All C6509 has the following aaa config:

username cisco-admin privilege 15 secret 5 #$%^&*gfnEhts$5678#
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xx.xx.xxx.12
tacacs-server timeout 15
tacacs-server directed-request
tacacs-server key blahblahblah

DSW4 remote session, note the prompt:

Username (asking for local username)

DSW3 remote session, note the prompt:

username (right off the bat, I know this is asking for the tacacs account)

DSW2 remote session, note the prompt:

username (right off the bat, I know this is asking for the tacacs account)

I can ping my ACS server from either DSW.

debug aaa authorization results:

DSW4

Mar 5 16:47:32.660: AAA/AUTHOR (915254943): Post authorization status = ERROR
Mar 5 16:47:32.660: tty1 AAA/AUTHOR/CMD (915254943): Method=LOCAL
Mar 5 16:47:32.660: AAA/AUTHOR (915254943): Post authorization status = PASS_ADD

DSW3 and DSW2

Mar 5 08:44:26.475 pacific: AAA/BIND(000003E3): Bind i/f
Mar 5 08:44:26.475 pacific: AAA/AUTHEN/LOGIN (000003E3): Pick method list 'default'
Mar 5 08:44:32.411 pacific: AAA/AUTHOR (0x3E3): Pick method list 'default'
Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): processing AV cmd=
Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): processing AV priv-lvl=15
Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): Authorization successful

Hundreds of other ASW that I manage have the same config and have no problems authenticating through TACACS+.

I've been digging through the support community forum to see if anything matches my issue, with no luck. Any input is highly appreciated.

Thank you.

4 Replies

Jatin Katyal
Cisco Employee

Could you please provide the following information:

1.] Output of debugs

debug aaa authentication

debug tacacs

2.] test aaa group tacacs leg

3.] Error message from the ACS 5.x - tacacs authentication.

Jatin Katyal


- Do rate helpful posts -

~Jatin

J,

Attached is the debug output.

Also, I ran traceroute from other DSW and random ASW, see results below:

DSW4#traceroute 10.10.128.121

Type escape sequence to abort.
Tracing the route to 10.10.128.121

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *


DSW2#traceroute 10.10.128.119
1 131.34.128.119 0 msec 0 msec 0 msec


I ran traceroute from all other switches, they all found the route to 10.10.128.121 via DSW1
Tracing the route to 10.10.128.121

1 10.10.10.24 0 msec 4 msec 0 msec

I might just create a static route to 10.10.128.121 from the two DSW that are having this issue. FYI, we are using EIGRP.

You wrote that you already checked the keys in your post under the other thread; however, the debugs are still complaining about bad keys. Could you verify them again? While configuring the key, avoid copy/paste.

Apr 18 15:19:17.629: TAC+: Invalid AUTHOR/START packet (check keys)

Also, I don't see an error from the ACS. Please add that as well if the issue persists.

Regards,

Jatin Katyal

- Do rate helpful posts -

~Jatin

J,

Thank you very much for asking about the ACS error!

So, I went to ACS dashboard [Authentication TACACS - Today and Yesterday].  Found multiple errors with reference to our HSRP standby/virtual IP.  It was denying packets from 128.1, 128.2, and 128.3.

DESCRIPTION

A TACACS+ packet was received with a source IP Address that did not match any configured Network Device or AAA Client

RESOLUTION

Verify that the Network Device or AAA client is configured in Network Resources > Network Devices and AAA Clients >

I examined the IPs on Network Devices and AAA Clients, and added the three IPs referenced above. Originally, I only had the management VLAN IP range for network devices and AAA clients, plus the ACS/LMS IPs. The license we have is only good for 500 devices; the management VLAN IP range was /23 [we're not using all the IPs, so I reverted back to /24].

J: Thank you for asking the RIGHT QUESTION!

All is well!!!
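The root cause above was a switch sourcing TACACS+ from addresses (the HSRP member interfaces) that ACS had no AAA-client entry for. As an added example that is not part of this thread, the Python below lists every address a switch could send from, reports which ones no ACS network-device definition covers, and maps the two error strings quoted in the thread to the side that needs checking. All addresses and prefixes are constructed sample values.

```python
"""Check that every address a switch may use as its TACACS+ source is
covered by the ACS 'Network Devices and AAA Clients' definitions, and
map the two error strings seen in this thread to the side to check.
All addresses and prefixes below are constructed sample values."""
import ipaddress
from typing import Iterable, List


def uncovered_sources(device_ips: Iterable[str], aaa_clients: Iterable[str]) -> List[str]:
    """Return the device addresses that no AAA-client entry covers.

    aaa_clients may mix single hosts ('10.10.128.121') and ranges
    ('10.10.10.0/24'), which is how ACS 5.x network devices are defined.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in aaa_clients]
    return [ip for ip in device_ips
            if not any(ipaddress.ip_address(ip) in net for net in networks)]


def classify_failure(message: str) -> str:
    """Point at the likely cause from an IOS debug line or an ACS report."""
    if "check keys" in message:
        return "shared-secret mismatch: re-enter tacacs-server key on the switch and in ACS"
    if "did not match any configured Network Device" in message:
        return "unregistered source IP: add the switch's sending address as an AAA client"
    return "no known signature: collect debug tacacs output and the ACS report"


# Constructed sample: management VLAN as a /24 plus the ACS host itself,
# mirroring the thread's situation before the fix.
ACS_CLIENTS_BEFORE = ["10.10.10.0/24", "10.10.128.121"]
# Constructed sample: addresses the DSW pair could source packets from
# (management SVI plus the HSRP member interfaces towards the ACS segment).
DSW_SOURCE_IPS = ["10.10.10.24", "10.10.128.1", "10.10.128.2", "10.10.128.3"]
# After the fix: the uncovered hosts registered as individual AAA clients.
ACS_CLIENTS_AFTER = ACS_CLIENTS_BEFORE + ["10.10.128.1", "10.10.128.2", "10.10.128.3"]

if __name__ == "__main__":
    for ip in uncovered_sources(DSW_SOURCE_IPS, ACS_CLIENTS_BEFORE):
        print(f"{ip}: {classify_failure('did not match any configured Network Device')}")
    print("after fix:", uncovered_sources(DSW_SOURCE_IPS, ACS_CLIENTS_AFTER))
```

Pinning the sending address on the switch with the IOS command ip tacacs source-interface (not discussed in the thread) shrinks the set of addresses that has to be registered on the ACS side.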