9200 17.03.03 IOSXE TACACS+ Issue

soportefibratel
Level 1

Hello all,

I have an issue with a newly deployed 9200. When I log on using TACACS+, if I try to change any configuration or perform a show run, I get "Command authorization failed". I also have a local user with privilege 15.

My AAA configuration on the switch is as follows:

!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login VTY group default
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
aaa session-id common
!
ip ssh version 2
!
tacacs-server directed-request
tacacs server XX.XX.XX.XX
 address ipv4 XX.XX.XX.XX
 key 7 XXXXXXXXXXXXXXXXXXXXXX
tacacs server XX.XX.XX.XX
 address ipv4 XX.XX.XX.XX
 key 7 XXXXXXXXXXXXXXXXXXXXXX
!
line vty 0 4
 exec-timeout 25 0
 transport input ssh
line vty 5 15
 exec-timeout 25 0
 transport input ssh

Can you please help me with my missing configuration? I have a working 9200 on version 16.12 without the following lines:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

But removing those lines on the new switch won't fix the issue for me.

Thanks in advance

Regards

5 Replies

balaji.bandi
Hall of Fame

"Command authorization failed" - command authorisation issue with TACACS, so you need priv to execute commands.

This is my working config for many Cat 9300s; it should work:

aaa new-model
!
tacacs-server directed-request
tacacs server server1
 address ipv4 x.x.x.x
 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
tacacs server server2
 address ipv4 x.x.x.x
 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa group server tacacs+ BBGROUP
 server name server1
 server name server2
 ip tacacs source-interface XXXX (interface name)
!
aaa authentication login default group BBGROUP local
aaa authorization config-commands
aaa authorization exec default group BBGROUP local
aaa authorization commands 0 default group BBGROUP local
aaa authorization commands 1 default group BBGROUP local
aaa authorization commands 15 default group BBGROUP local
aaa accounting exec default start-stop group BBGROUP
aaa accounting commands 0 default start-stop group BBGROUP
aaa accounting commands 1 default start-stop group BBGROUP
aaa accounting commands 15 default start-stop group BBGROUP

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
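As an added example (my own code, not the poster's), a small Python check that parses an IOS AAA/TACACS+ snippet like the one above and cross-references the tacacs server blocks, the server group and the method lists that use it. The sample config is constructed with placeholder addresses and a deliberately empty group EMPTYGRP and a server with no key, so the check has something to report.

```python
import re

# Constructed sample modelled on the working Cat 9300 config in the reply above
# (placeholder addresses/keys); EMPTYGRP and server2's missing key are deliberate.
SAMPLE_CONFIG = """\
tacacs server server1
 address ipv4 192.0.2.11
 key 7 xxxxxxxx
tacacs server server2
 address ipv4 192.0.2.12
aaa group server tacacs+ BBGROUP
 server name server1
 server name server2
aaa group server tacacs+ EMPTYGRP
aaa authorization exec default group BBGROUP local
aaa authorization commands 15 default group BBGROUP local
aaa authorization commands 1 default group EMPTYGRP local
"""

def lint_aaa(config):
    """Cross-check tacacs servers, server groups and the method lists that use them."""
    servers, groups, cur, findings = {}, {}, None, []
    for raw in config.splitlines():
        line = raw.strip()                      # pasted configs often lose indentation
        if line.startswith("tacacs server "):
            cur = ("server", line.split()[2]); servers[cur[1]] = set()
        elif line.startswith("aaa group server tacacs+ "):
            cur = ("group", line.split()[4]); groups[cur[1]] = []
        elif cur and cur[0] == "server" and line.startswith(("address ", "key ")):
            servers[cur[1]].add(line.split()[0])
        elif cur and cur[0] == "group" and line.startswith("server name "):
            groups[cur[1]].append(line.split()[2])
        elif not raw.startswith(" "):
            cur = None                          # an unindented line ends the block
    for name, seen in servers.items():
        for need in ("address", "key"):
            if need not in seen:
                findings.append(f"tacacs server {name}: missing {need}")
    for name, members in groups.items():
        if not members:
            findings.append(f"group {name}: no server members")
        findings += [f"group {name}: unknown server {m}" for m in members if m not in servers]
    # "group tacacs+" is the built-in group of all tacacs servers; a named group must exist and be non-empty
    for m in re.finditer(r"^aaa auth\w+ .* group (\S+)", config, re.M):
        g = m.group(1)
        if g != "tacacs+" and not groups.get(g):
            findings.append(f"method list uses {'empty' if g in groups else 'undefined'} group {g}")
    return findings
```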

Hi Balaji,

I followed that guide, but unfortunately it didn't work for me.

Regards

Can you post the config and show tacacs from the switch?

What do you see in the logs in ISE? Have you done any debug?

BB

Hi,

This is the debug performed:

SWANONIMIZED#sho debug
General OS:
TACACS access control debugging is on
TACACS+ authorization debugging is on
Packet Infra debugs:

Ip Address Port
------------------------------------------------------|----------

SWANONIMIZED#
Jun 22 13:08:20.866: TAC+: Using default tacacs server-group "tacacs+" list.
Jun 22 13:08:20.866: % TAC+: Index :1 | Count : 0

Jun 22 13:08:20.866: % TAC+:server handle : 00000005

Jun 22 13:08:20.867: % TAC+:server name : 10.20.30.40
Jun 22 13:08:20.867: % TAC+:server addr : 10.20.30.40

Jun 22 13:08:20.867: TAC+: Opening TCP/IP to 10.20.30.40/49 timeout=5
Jun 22 13:08:20.883: TAC+: Opened TCP/IP handle 0x4CE9CF28 to 10.20.30.40/49 using source UNKNOWN
Jun 22 13:08:20.883: TAC+: 10.20.30.40 (2743643924) AUTHOR/START queued
Jun 22 13:08:20.983: TAC+: (2743643924) AUTHOR/START processed
Jun 22 13:08:20.983: TAC+: received bad AUTHOR packet: type = 0, expected 2
Jun 22 13:08:20.983: TAC+: Invalid AUTHOR/START packet (check keys).
Jun 22 13:08:20.983: TAC+: Closing TCP/IP 0x4CE9CF28 connection to 10.20.30.40/49
Jun 22 13:08:20.984: TAC+: Using default tacacs server-group "tacacs+" list.
Jun 22 13:08:20.984: % TAC+: Index :2 | Count : 2

Jun 22 13:08:20.984: % TAC+:server handle : 00000006

Jun 22 13:08:20.984: % TAC+:server name : 11.22.33.44
Jun 22 13:08:20.984: % TAC+:server addr : 11.22.33.44

Jun 22 13:08:20.984: TAC+: Opening TCP/IP to 11.22.33.44/49 timeout=5
Jun 22 13:08:21.001: TAC+: Opened TCP/IP handle 0x46F487F0 to 11.22.33.44/49 using source UNKNOWN
Jun 22 13:08:21.001: TAC+: 11.22.33.44 (2743643924) AUTHOR/START queued
Jun 22 13:08:21.099: TAC+: (2743643924) AUTHOR/START processed
Jun 22 13:08:21.099: TAC+: received bad AUTHOR packet: type = 0, expected 2
Jun 22 13:08:21.099: TAC+: Invalid AUTHOR/START packet (check keys).
Jun 22 13:08:21.099: TAC+: Closing TCP/IP 0x46F487F0 connection to 11.22.33.44/49
Jun 22 13:08:21.100: TAC+: Using default tacacs server-group "tacacs+" list.
SWANONIMIZED#
SWANONIMIZED#
SWANONIMIZED#
SWANONIMIZED#
Jun 22 13:09:21.576: TPLUS: Queuing AAA Authentication request 54 for processing
Jun 22 13:09:21.576: TPLUS(00000036) login timer started 1020 sec timeout
Jun 22 13:09:21.576: TPLUS: processing authentication start request id 54
Jun 22 13:09:21.576: TPLUS: Authentication start packet created for 54(cdsfzttrta)
Jun 22 13:09:21.576: TPLUS: Using server 10.20.30.40
Jun 22 13:09:21.577: TPLUS(00000036)/0/NB_WAIT/4BCAD354: Started 5 sec timeout
Jun 22 13:09:21.592: TPLUS(00000036)/0/NB_WAIT: socket event 2
Jun 22 13:09:21.592: TPLUS(00000036)/0/NB_WAIT: wrote entire 47 bytes request
Jun 22 13:09:21.592: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:21.592: TPLUS(00000036)/0/READ: Would block while reading
Jun 22 13:09:21.627: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:21.627: TPLUS(00000036)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 22 13:09:21.627: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:21.627: TPLUS(00000036)/0/READ: read entire 28 bytes response
Jun 22 13:09:21.628: TPLUS(00000036)/0/4BCAD354: Processing the reply packet
Jun 22 13:09:21.628: TPLUS: Received authen response status GET_PASSWORD (8)
Jun 22 13:09:27.357: TPLUS: Queuing AAA Authentication request 54 for processing
Jun 22 13:09:27.358: TPLUS(00000036) login timer started 1020 sec timeout
Jun 22 13:09:27.358: TPLUS: processing authentication continue request id 54
Jun 22 13:09:27.358: TPLUS: Authentication continue packet generated for 54
Jun 22 13:09:27.358: TPLUS(00000036)/0/WRITE/4BCAD354: Started 5 sec timeout
Jun 22 13:09:27.358: TPLUS(00000036)/0/WRITE: wrote entire 30 bytes request
Jun 22 13:09:27.396: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:27.397: TPLUS(00000036)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jun 22 13:09:27.397: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:27.397: TPLUS(00000036)/0/READ: read entire 18 bytes response
Jun 22 13:09:27.397: TPLUS(00000036)/0/4BCAD354: Processing the reply packet
Jun 22 13:09:27.397: TPLUS: Received authen response status PASS (2)
Jun 22 13:09:27.398: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cdsfzttrta] [Source: 10.10.10.10] [localport: 22] at 15:09:27 CEST Tue Jun 22 2021
Jun 22 13:09:27.427: TPLUS: Queuing AAA Authorization request 54 for processing
Jun 22 13:09:27.427: TPLUS(00000036) login timer started 1020 sec timeout
Jun 22 13:09:27.427: TPLUS: processing authorization request id 54
Jun 22 13:09:27.427: TPLUS: Protocol set to None .....Skipping
Jun 22 13:09:27.427: TPLUS: Sending AV service=shell
Jun 22 13:09:27.427: TPLUS: Sending AV cmd*
Jun 22 13:09:27.427: TPLUS: Authorization request created for 54(cdsfzttrta)
Jun 22 13:09:27.427: TPLUS: using previously set server 10.20.30.40 from group tacacs+
Jun 22 13:09:27.428: TPLUS(00000036)/0/NB_WAIT/4B7CB654: Started 5 sec timeout
Jun 22 13:09:27.443: TPLUS(00000036)/0/NB_WAIT: socket event 2
Jun 22 13:09:27.443: TPLUS(00000036)/0/NB_WAIT: wrote entire 66 bytes request
Jun 22 13:09:27.444: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:27.444: TPLUS(00000036)/0/READ: Would block while reading
Jun 22 13:09:27.463: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:27.463: TPLUS(00000036)/0/READ: read entire 12 header bytes (expect 18 bytes data)
Jun 22 13:09:27.463: TPLUS(00000036)/0/READ: socket event 1
Jun 22 13:09:27.464: TPLUS(00000036)/0/READ: read entire 30 bytes response
Jun 22 13:09:27.464: TPLUS(00000036)/0/4B7CB654: Processing the reply packet
Jun 22 13:09:27.464: TPLUS: Processed AV priv-lvl=15
Jun 22 13:09:27.464: TPLUS: received authorization response for 54: PASS
Jun 22 13:09:29.857: TAC+: using previously set server 10.20.30.40 from group tacacs+
Jun 22 13:09:29.857: TAC+: Opening TCP/IP to 10.20.30.40/49 timeout=5
Jun 22 13:09:29.874: TAC+: Opened TCP/IP handle 0x4CE9CF28 to 10.20.30.40/49 using source UNKNOWN
Jun 22 13:09:29.874: TAC+: Opened 10.20.30.40 index=1
Jun 22 13:09:29.875: TAC+: 10.20.30.40 (2070981886) AUTHOR/START queued
Jun 22 13:09:30.075: TAC+: (2070981886) AUTHOR/START processed
Jun 22 13:09:30.075: TAC+: (2070981886): received author response status = FAIL
Jun 22 13:09:30.075: TAC+: Closing TCP/IP 0x4CE9CF28 connection to 10.20.30.40/49

And below the tacacs+ config:

aaa new-model
!
!
aaa group server tacacs+ ANONIMOUS
!
aaa authentication login default group tacacs+ local
aaa authentication login VTY group default
aaa authentication login ANONIMOUS group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec ANONIMOUS group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 0 ANONIMOUS group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 1 ANONIMOUS group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 ANONIMOUS group tacacs+ local
!
!
!
!
!
!
aaa session-id common
tacacs-server directed-request
tacacs server 10.20.30.40
 address ipv4 10.20.30.40
 key 7 06439C4701F78A000A42173D
tacacs server 11.22.33.44
 address ipv4 11.22.33.44
 key 7 06439C4701F78A000A42173D

Thanks and regards
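As an added example (not from the thread), a Python pass over debug lines constructed to mirror the output above, separating the two distinct failure signatures it contains: the body that decodes to the wrong packet type, which IOS flags with "(check keys)" and points at the shared secret, and the clean FAIL returned by the server's authorization policy after exec authorization had already passed with priv-lvl=15. Regex names and the sample text are my own.

```python
import re
from collections import Counter
# Constructed sample modelled on the debug lines in the post above (the
# addresses are the thread's anonymised ones; session ids are placeholders).
SAMPLE_DEBUG = """\
Jun 22 13:08:20.866: TAC+: Opening TCP/IP to 10.20.30.40/49 timeout=5
Jun 22 13:08:20.983: TAC+: received bad AUTHOR packet: type = 0, expected 2
Jun 22 13:08:20.983: TAC+: Invalid AUTHOR/START packet (check keys).
Jun 22 13:08:20.983: TAC+: Closing TCP/IP 0x4CE9CF28 connection to 10.20.30.40/49
Jun 22 13:09:27.427: TPLUS: Sending AV service=shell
Jun 22 13:09:27.427: TPLUS: Sending AV cmd*
Jun 22 13:09:27.464: TPLUS: Processed AV priv-lvl=15
Jun 22 13:09:27.464: TPLUS: received authorization response for 54: PASS
Jun 22 13:09:29.857: TAC+: Opening TCP/IP to 10.20.30.40/49 timeout=5
Jun 22 13:09:30.075: TAC+: (2070981886): received author response status = FAIL
"""
# A wrong shared secret does not fail cleanly: the obfuscated body decodes to garbage,
# so IOS sees the wrong packet type ("type = 0, expected 2") and prints "(check keys)".
# A plain "status = FAIL" means the server decoded the request and its policy denied it.
KEY_MISMATCH = re.compile(r"received bad AUTHOR packet|AUTHOR/START packet \(check keys\)")
POLICY_DENY = re.compile(r"received author response status = FAIL")
EXEC_PASS = re.compile(r"received authorization response for \d+: PASS")
OPEN_CONN = re.compile(r"TAC\+: Opening TCP/IP to (\d+\.\d+\.\d+\.\d+)/49")
PRIV = re.compile(r"Processed AV priv-lvl=(\d+)")
def classify(debug_text):
    """Count each signature and record which servers the switch opened TCP/49 to."""
    out = {"key_mismatch": 0, "policy_deny": 0, "exec_pass": 0, "priv_lvl": None, "servers": Counter()}
    for line in debug_text.splitlines():
        if m := OPEN_CONN.search(line):
            out["servers"][m.group(1)] += 1
        if KEY_MISMATCH.search(line):
            out["key_mismatch"] += 1
        elif POLICY_DENY.search(line):
            out["policy_deny"] += 1
        elif EXEC_PASS.search(line):
            out["exec_pass"] += 1
        if m := PRIV.search(line):
            out["priv_lvl"] = int(m.group(1))
    return out

def findings(summary):
    """What to check next, in the order to check it."""
    hits = []
    if summary["key_mismatch"]:
        hits.append("key mismatch: compare the switch's tacacs server key with the device entry on the server")
    if summary["policy_deny"]:
        hits.append("denied by server policy" + (" after exec authorization passed (priv-lvl=%s): check the command"
                    " authorization rules on the server" % summary["priv_lvl"] if summary["exec_pass"] else ""))
    return hits
```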
