Solved: Re: Custom attribute in ACS4.2 patch 17

p.hruby · ‎05-30-2013

I have optional custom attribute in my ACS group to be able to enter config mode on ACE: shell:Admin*Admin default-domain

Privilege level 15 is also part of exec configuration.

Recently I applied patch 17 on ACS 4.2(0) Build 124. Since then I can not login with privilege level 15 into IOS routers/switches.

It looks like IOS box considers this custom attribute as a mandatory now.

---------------------------------------------------------------------------------------------------

IOS debug (Cat6500,12.2(33)SXJ4 ):

May 27 13:23:56.819: TPLUS: Authorization request created for 61929(pehruby)

May 27 13:23:56.819: TPLUS: using previously set server 10.105.24.44 from group tacacs+

May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT/550052A4: Started 5 sec timeout

May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT: socket event 2

May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT: wrote entire 62 bytes request

May 27 13:23:56.819: TPLUS(0000F1E9)/0/READ: socket event 1

May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: Would block while reading

May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: socket event 1

May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: read entire 12 header bytes (expect 51 bytes data)

May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: socket event 1

May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: read entire 63 bytes response

May 27 13:23:56.823: TPLUS(0000F1E9)/0/550052A4: Processing the reply packet

May 27 13:23:56.823: TPLUS: Processed AV priv-lvl=15

May 27 13:23:56.823: TPLUS: Failed to decode unknown AV shell - FAIL

May 27 13:23:56.823: TPLUS(0000F1E9)/0/REQ_WAIT/550052A4: timed out

May 27 13:23:56.823: TPLUS: Protocol set to None .....Skipping

May 27 13:23:56.823: TPLUS: Sending AV service=shell

May 27 13:23:56.823: TPLUS: Sending AV cmd*

TCS.log from ACS (different time, the same attempt):

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 <<< PACKET TO CLIENT:10.106.11.114 TYPE:AUTHOR/PASS_ADD, SEQ 2, FLAGS 1

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 SESSIONID -998342923 (0xc47e7ef5), DATALEN 51 (0x33)

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 msg_len=0, data_len=0 arg_cnt=2

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 arg[0] size=11 =priv-lvl=15

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 arg[1] size=32 =shell:Admin*Admin default-domain

TCS 05/27/2013 11:59:39 I 0043 5088 0x15 End >>>

------------------------------------------------------------------------------------------------------------------------

IOS debug (C1841, 12.3(14)T7 ):

May 30 12:21:58.248: AAA/BIND(00000A52): Bind i/f

May 30 12:21:58.272: AAA/AUTHOR (0xA52): Pick method list 'acs'

May 30 12:21:58.272: TPLUS: Queuing AAA Authorization request 2642 for processing

May 30 12:21:58.272: TPLUS: processing authorization request id 2642

May 30 12:21:58.272: TPLUS: Protocol set to None .....Skipping

May 30 12:21:58.276: TPLUS: Sending AV service=shell

May 30 12:21:58.276: TPLUS: Sending AV cmd*

May 30 12:21:58.276: TPLUS: Authorization request created for 2642(ph)

May 30 12:21:58.276: TPLUS: using previously set server 10.105.24.44 from group tacacs+

May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT/656FB000: Started 5 sec timeout

May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT: socket event 2

May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT: wrote entire 59 bytes request

May 30 12:21:58.276: TPLUS(00000A52)/0/READ: socket event 1

May 30 12:21:58.276: TPLUS(00000A52)/0/READ: Would block while reading

May 30 12:21:58.280: TPLUS(00000A52)/0/READ: socket event 1

May 30 12:21:58.280: TPLUS(00000A52)/0/READ: read entire 12 header bytes (expect 51 bytes data)

May 30 12:21:58.280: TPLUS(00000A52)/0/READ: socket event 1

May 30 12:21:58.280: TPLUS(00000A52)/0/READ: read entire 63 bytes response

May 30 12:21:58.280: TPLUS(00000A52)/0/656FB000: Processing the reply packet

May 30 12:21:58.280: TPLUS: Processed AV priv-lvl=15

May 30 12:21:58.280: TPLUS: Failed to decode AV shell:Admin*Admin default-domain - PASS - PASS

May 30 12:21:58.284: AAA/AUTHOR/EXEC(00000A52): processing AV cmd=

May 30 12:21:58.284: AAA/AUTHOR/EXEC(00000A52): Authorization successful

ACS.log:

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 <<< RECEIVED FROM CLIENT:10.106.0.50 TYPE=AUTHOR, SEQ=1, FLAGS=1

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 SESSIONID 1990425999 (0x76a37d8f), DATALEN 47 (0x2f)

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 type=AUTHOR, priv_lvl=1, authen=1

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 METHOD=tacacs+

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 SVC=1 USER_LEN=2 PORT_LEN=6 REM_ADDR_LEN=12 ARG_CNT=2

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 USER=ph

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 PORT=tty195

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 REM_ADDR=10.106.33.22

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 arg[0](size=13)=service=shell

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 arg[1](size=4)=cmd*

TCS 05/30/2013 12:21:58 I 0043 1280 0x0 END >>>

TCS 05/30/2013 12:21:58 I 0850 3244 0xf Single Connect thread 1 allocated work

TCS 05/30/2013 12:21:58 I 0143 3244 0xf Author Data: phtty19510.106.33.22service=shellcmd.=13362timezone=MEZservi

TCS 05/30/2013 12:21:58 I 0163 3244 0xf -- Extracted service info

TCS 05/30/2013 12:21:58 I 0189 3244 0xf -- Checked NARs

TCS 05/30/2013 12:21:58 I 0199 3244 0xf -- Set up Reqs:

TCS 05/30/2013 12:21:58 I 0209 3244 0xf -- Got Profiles

TCS 05/30/2013 12:21:58 I 0261 3244 0xf -- executed

TCS 05/30/2013 12:21:58 I 0263 3244 0xf -- command set clean done

TCS 05/30/2013 12:21:58 I 0265 3244 0xf -- NDG release done

TCS 05/30/2013 12:21:58 I 0043 3244 0xf <<< PACKET TO CLIENT:10.106.0.50 TYPE:AUTHOR/PASS_ADD, SEQ 2, FLAGS 1

TCS 05/30/2013 12:21:58 I 0043 3244 0xf SESSIONID 1990425999 (0x76a37d8f), DATALEN 51 (0x33)

TCS 05/30/2013 12:21:58 I 0043 3244 0xf type=AUTHOR/REPLY status=1 (AUTHOR/PASS_ADD)

TCS 05/30/2013 12:21:58 I 0043 3244 0xf msg_len=0, data_len=0 arg_cnt=2

TCS 05/30/2013 12:21:58 I 0043 3244 0xf arg[0] size=11 =priv-lvl=15

TCS 05/30/2013 12:21:58 I 0043 3244 0xf arg[1] size=32 =shell:Admin*Admin default-domain

TCS 05/30/2013 12:21:58 I 0043 3244 0xf End >>>

Putty session:

login as: ph

ph@10.106.0.16's password: <------ (10.106.0.16 and 10.106.0.50 are IP addresses of the same router)

1841_hra_lab>

1841_hra_lab> <------ I'm not in enable mode (priv.level 15)

--------------------------------------------------------------------------------------------------------------------

Unfortunalety I haven't got logs/debugs from the period before update, when everything was ok.

I guess the problem is somewhere in this argument which goes from ACS to client:

TCS 05/30/2013 12:21:58 I 0043 3244 0xf arg[1] size=32 =shell:Admin*Admin default-domain

Anyone can tell me how this argument with optional parametr should looks like?

Perhaps *shell:Admin*Admin default-domain?

Petr

Jatin Katyal · ‎05-30-2013

Hi Petr,

You're running into a defect.

CSCth75577 ACS incorrectly sends optional custom TACACS+ attributes

Symptom:

TACACS+ Authorization from IOS fails if customer attributes (even optional attributes) are configured on the ACS user group. The login will work but any attributes passed will not be honored.

Conditions:

ACS 4.2.0.124 patch 16

ACS 4.2.1.15 patch 2

Workaround:

Downgrade to a previous ACS patch.

This has been fixed in

ACS 4.2.1.15 patch 3 or later.

Upgrade the ACS to 4.2.1.15 and apply the latest patch 10.

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

Jatin Katyal · ‎05-30-2013

Hi Petr,

You're running into a defect.

CSCth75577 ACS incorrectly sends optional custom TACACS+ attributes

Symptom:

TACACS+ Authorization from IOS fails if customer attributes (even optional attributes) are configured on the ACS user group. The login will work but any attributes passed will not be honored.

Conditions:

ACS 4.2.0.124 patch 16

ACS 4.2.1.15 patch 2

Workaround:

Downgrade to a previous ACS patch.

This has been fixed in

ACS 4.2.1.15 patch 3 or later.

Upgrade the ACS to 4.2.1.15 and apply the latest patch 10.

Jatin Katyal
- Do rate helpful posts -

~Jatin

p.hruby · ‎05-30-2013

Hi Jatin,

thanks a lot!

What is the proper way to downgrade to the previous patch? Should I apply Acs-4.2.0.124.15-SW.zip directy over my current installation which contains Patch 17?

Petr

Message was edited by: Petr Hruby

Jatin Katyal · ‎05-30-2013

Do you ACS appliance or software running on windows server?

Jatin Katyal
- Do rate helpful posts -

~Jatin

p.hruby · ‎05-30-2013

Software running on windows server.

P.

Jatin Katyal · ‎05-30-2013

Petr,

we do have a rollback command for acs appliance. However, in case of acs windows it's not recommended to install the previous patch over the existing/latest patch. I'd suggest you to upgrade.

You may download the upgrade image and patch from the below listed link:

http://tools.cisco.com/squish/bF79B

Executable of ACS v4.2.1.15

ACS-4.2.1.15-BIN-K9.zip

ACS 4.2.1.15.10 cumulative patch

Acs-4.2.1.15.10-SW.zip

NOTE: Please take backup of your current configuration before you proceed with the upgrade.

In case you're not comfortable with the above procedure, please open a TAC case.

Jatin Katyal

- Do rate helpful posts -

~Jatin