Re: AAA cli authorization fails on standby supervisor - CAT4K

LuensmannIT · ‎09-18-2023

Hi, there

I've a couple of WS-C4507R+E switches (Version 03.08.07.E.152-4.E7) with installed standby supervisor engine.
After attaching to the standby supervisor engine ("attach module 4", "session module 4") I'm getting cli authorization fails if I try to execute a privileged command.

I found the Bug CSCtr65315 (https://quickview.cloudapps.cisco.com/quickview/bug/CSCtr65315 / https://bst.cisco.com/bugsearch/bug/CSCtr65315) which describes my problem pretty well, but targets Nexus 7K (N7K).

Is anyone aware of this bug hitting C4K Switches also?
Any recommandation how to solve this issue?

HOSTNAME#attach module 4
Connecting to standby virtual console
Type "exit" or "quit" to end this session

HOSTNAME-standby-console#verify bootflash:/cat4500es8-universalk9.SPA.03.08.07.E.152-4.E7.bin
% Authorization failed.

HOSTNAME-standby-console#show run
% Authorization failed.

HOSTNAME-standby-console#show version
-> works

marce1000 · ‎09-18-2023

- Also try HOSTNAME-standby-console#show logging ; in order to check if additional info's are logged when the authorization fails ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

LuensmannIT · ‎09-18-2023

This command also leads to a % Authorization failed.
Show logging on the primary sub does not show an entry.
debug aaa authorization also shows nothing.

marce1000 · ‎09-18-2023

- As it could be a bug for the WS-C4507R+E switches too ; you may try the latest advisory software release and check if that can help ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

paul driver · ‎09-18-2023

Hello
If it isn't a bug and depending on you AAA configuration, its possible you are authenticating to tacacs but no being authorised, which could be negated by appending "if-authenticated" to the authorization commands

Any chance you can isolate the switch's and then gain access via local creds and remove or amend tacacs, also check your authentication server (ISE/ACS) for missing/changed ACLs

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

LuensmannIT · ‎09-19-2023

> also check your authentication server (ISE/ACS) for missing/changed ACLs
TACACS+ (ISE 2.6) live logs only shows the passed Authorization for the attach module command.
I do not see any logs regarding the commands throwing a "% Authorization failed"

Overview

Request Type	Authorization
Status	Pass

Message Text	Device-Administration: Command Authorization succeeded
Username	XXXXX
Authorization Policy	Tacacs >> XXXXX
Shell Profile
Matched Command Set	PERMIT_ALL
Command From Device	attach module 4

ACACS Protocol

Authentication Method	None
Authentication Privilege Level	15
Authentication Type	ASCII
Authentication Service	None

Regarding your other hints i will reply later.

LuensmannIT · ‎09-28-2023

> Any chance you can isolate the switch's and then gain access via local creds and remove or amend tacacs

unfortunately not before mid of october. I will respond as soon as i manage to get one switch isolated