11-07-2014 01:47 AM
I have recently upgraded from 1.3.7.18 to version 1.4.0.88 on several of my SG300-28P switches. I am using TACACS authentication. My account is part of the "admins" group, which has "priv-lvl = 15" set (inside the tac_plus.conf configuration). This means that before the upgrade I got privilege level 15 access immediately (shell ending with the "#" sign) without needing to use "enable". But after the upgrade to 1.4.0.88 I have lost the authorization function, and the login behavior looks like the following:
$ ssh dist-sw
testuser@dist-sw's password:
Password: ss Verification
Username:
Password: ss Verification
Username:
dist-sw>
(note: I had to enter the password only once, where it is requested on the second line above; the remaining username/password prompts were displayed automatically until the "dist-sw>" line, without any interaction from me)
Yes, I read release notes and there is mentioned new functionality:
AAA authentication – Added a control for authorization so the user can decide whether to do authentication-only or authentication + authorization. When upgrading from previous versions, the default becomes authentication-only.
So I have added a new command to the switch configuration: "aaa authentication enable authorization default tacacs enable", which should enable authorization over the same channel as authentication (i.e. using TACACS). But it is not working either, and I have to use the "enable" command in order to get privilege level 15 access.
With RADIUS authentication the behavior is different (better from the user's point of view), but it seems not to be working correctly either: no matter whether I apply the "aaa authentication enable authorization default radius enable" command or not, I get privilege level 15 access immediately (RADIUS is sending Cisco-AVPair = "shell:priv-lvl=15" within the Access-Accept response).
Does anyone have working TACACS AAA authorization on 1.4.0.88? Or are you observing the same behavior? To me it looks like a bug.
Thanks!
michal
11-10-2014 12:36 AM
Hi Michal,
I have no TACACS to test with, but it would be a very good idea to open an official ticket with the Small Business team so they can communicate with the engineering team:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra
11-18-2014 02:08 PM
This just happened to me today as well. SF-30048P, same firmware.
I'll post if I get it figured out.
For me, I can SSH in as a user (after pressing enter at the "login as:" prompt and then entering my login at the "User Name:" prompt, but older f/w does that too).
I just cannot get into enable mode.
When I connect via the web with a TACACS account I'm good.
e.g.:
login as: [press enter]
User Name:test
Password:*********
SF30048P>en
Password:*********
Password:*********
Password:*********
authentication failed
SF30048P>
11-18-2014 02:37 PM
Hi Aaron,
It looks quite similar. I finally managed to get it to work when I tried to reproduce the issue for Cisco TAC. Once I had entered these two commands in a row:
aaa authentication enable default tacacs enable
aaa authentication enable authorization default tacacs enable
...then authorization finally started working for me. No need to reload the device. To me it looked as if, the first time, the command "aaa authentication enable authorization default tacacs enable" was not applied to the environment.
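For readers who want to see what the "authorization" that these two commands turn on actually is, the following is an added example, not code from this thread, from Cisco or from the tac_plus project. It reproduces the TACACS+ (RFC 8907) authorization exchange the switch performs after the password check: a REQUEST for service=shell, and a REPLY carrying priv-lvl=15 built from the "admins" group entry mentioned in the first post. The shared key, session id, user names, the "192.0.2.10" address and the `groups` dictionary standing in for the tac_plus group lookup are all constructed assumptions; the packet layouts and the MD5 pseudo-pad follow the RFC.

```python
"""TACACS+ (RFC 8907) shell authorization between a switch and a tac_plus server.
Added example, not code from the thread, Cisco or tac_plus: after the password
check the switch sends a separate authorization REQUEST for service=shell and the
server answers priv-lvl=15, which is what lands the session at '#' without
'enable'. Shared key, session id, user and addresses are constructed values."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xc, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_PAP = 0x02             # password login, as over SSH
AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL = 0x01, 0x02, 0x10
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream of RFC 8907 section 4.5. Obfuscation, not authenticated
    encryption: the shared key is the only secret and a modified reply is not
    detected, so the server belongs on a trusted management VLAN."""
    prefix = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, key, seq_no):
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def open_packet(packet, key):
    """Header sanity check plus de-obfuscation; returns (session_id, body)."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet, 0)
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("not a TACACS+ authorization packet")
    return session_id, obfuscate(packet[HEADER.size:], session_id, key, seq_no)

def read_avs(body, off, lens):
    """AV pairs: 'attr=value' is mandatory, 'attr*value' optional; earlier separator wins."""
    attrs = {}
    for n in lens:
        raw = body[off:off + n].decode("ascii")
        cuts = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not cuts:
            raise ValueError("malformed AV pair: %r" % raw)
        attrs[raw[:min(cuts)]] = raw[min(cuts) + 1:]
        off += n
    return attrs, off

def author_request(user, port, rem_addr, args):
    """REQUEST body (section 6.1); for an exec shell a switch sends service=shell and cmd*."""
    strs = [s.encode() for s in (user, port, rem_addr, *args)]
    fixed = bytes([AUTHEN_METH_TACACSPLUS, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                   len(strs[0]), len(strs[1]), len(strs[2]), len(args)])
    return fixed + bytes(len(s) for s in strs[3:]) + b"".join(strs)

def parse_author_request(body):
    """Returns (user, {attr: value}) from a REQUEST body."""
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    lens, off = list(body[8:8 + arg_cnt]), 8 + arg_cnt
    user = body[off:off + user_len].decode("ascii")
    attrs, _ = read_avs(body, off + user_len + port_len + rem_len, lens)
    return user, attrs

def author_reply(status, args, server_msg=""):
    """REPLY body (section 6.2), what tac_plus builds from 'service = shell { priv-lvl = 15 }'."""
    strs, msg = [a.encode() for a in args], server_msg.encode()
    head = struct.pack("!BBHH", status, len(strs), len(msg), 0)
    return head + bytes(len(s) for s in strs) + msg + b"".join(strs)

def parse_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    lens = list(body[6:6 + arg_cnt])
    attrs, off = read_avs(body, 6 + arg_cnt + msg_len + data_len, lens)  # skip server_msg/data
    if off != len(body):                          # garbage, e.g. wrong shared key
        raise ValueError("authorization reply does not parse")
    return status, attrs

def server_decides(user, attrs, groups):
    """Stand-in for the tac_plus lookup; groups maps user -> priv-lvl (constructed)."""
    if attrs.get("service") != "shell" or user not in groups:
        return author_reply(STATUS_FAIL, [])
    return author_reply(STATUS_PASS_ADD, ["priv-lvl=%d" % groups[user]])

def shell_authorization(user, switch_key, server_key, groups, session_id=0x5EC0DE01):
    """One full exchange. Returns the privilege level the switch should apply, or
    None when it must leave the user at level 1 (the '>' prompt)."""
    req = author_request(user, "ssh", "192.0.2.10", ["service=shell", "cmd*"])
    sid, body = open_packet(build_packet(req, session_id, switch_key, 1), server_key)
    reply = build_packet(server_decides(*parse_author_request(body), groups), sid, server_key, 2)
    status, attrs = parse_author_reply(open_packet(reply, switch_key)[1])
    if status not in (STATUS_PASS_ADD, STATUS_PASS_REPL) or "priv-lvl" not in attrs:
        return None
    return int(attrs["priv-lvl"])
```

`shell_authorization("testuser", key, key, {"testuser": 15})` returns 15, which is the level the switch applies before showing the prompt. With the post-upgrade "authentication-only" default from the release notes, this REQUEST is simply never sent, so the priv-lvl configured on the server has no way to reach the switch and the session stays at level 1 until "enable" is typed; that is the behaviour the first post describes. The example also shows why a wrong shared key manifests as a parse failure rather than a clean "access denied": the pad is plain XOR with an MD5 stream, there is no integrity check, and a reply decoded under the wrong key is just noise.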
11-18-2014 02:50 PM
Hey, thanks!
And for the benefit of those who could access the web at lvl 15 but not the shell:
In the web UI, I went to Security, Management Access Authentication, selected SSH in the Application list, and checked "enable" under Authorization.
(I rarely use the web, but I was locked out of enable mode.)
Voila! It's working.
12-10-2014 02:38 AM
Hello, Aaron.
Maybe you can help me; I cannot set up access from SSH and the web with RADIUS.
Could you help me and show your running config?
Thank you