873 Views, 0 Helpful, 2 Replies

Authorization behavior between a network device and TACACS+ server

troydongoff (Level 1)

I have a question concerning AAA communication. In my scenario, a client switch is configured via AAA to communicate with a TACACS+ server. Generally speaking, as a user logs into the device, authentication takes place. During authorization the privilege level is validated for the user to provide them with the associated commands allowed for that privilege level. My question is: when a command is executed on the switch by said user, does it have to validate that command/privilege level directly with the TACACS+ server each time a new command is issued, or, during the authorization process, is a user profile with its privilege level supplied to the switch from the TACACS+ server and stored in memory temporarily until the user connection is dissolved, keeping those validations local instead of traversing the network each time a command is executed at the switch level?

2 Replies

If you are doing command-authorization through TACACS+, then every command has to be authorized individually. So authorization on TACACS+ is very different from Authorization with RADIUS where the Authorization-attributes are completely sent with the Authentication-Reply.

johnlloyd_13 (Level 9)

Hi,

I agree with Karsten; the TACACS+ server is consulted every time a command is issued on a Cisco device (router or switch). See the sample debug aaa authorization output below.

ROUTER1#debug aaa authorization
AAA Authorization debugging is on
ROUTER1#
*Jul 10 12:41:20.139: AAA/BIND(0000000B): Bind i/f
*Jul 10 12:41:20.143: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'TEST_LOGIN'
*Jul 10 12:41:20.151: TPLUS: Queuing AAA Authentication request 11 for processing
*Jul 10 12:41:20.155: TPLUS: processing authentication start request id 11
*Jul 10 12:41:20.155: TPLUS: Authentication start packet created for 11()
*Jul 10 12:41:20.155: TPLUS: Using server 192.168.10.2
*Jul 10 12:41:20.163: TPLUS(0000000B)/0/NB_WAIT/65013E74: Started 5 sec timeout
ROUTER1#
*Jul 10 12:41:25.163: TPLUS(0000000B)/0/NB_WAIT/65013E74: timed out
*Jul 10 12:41:25.163: TPLUS(0000000B)/0/NB_WAIT/65013E74: timed out, clean up
*Jul 10 12:41:25.163: TPLUS(0000000B)/0/65013E74: Processing the reply packet
ROUTER1#
*Jul 10 12:41:55.919: AAA/AUTHOR (0xB): Pick method list 'default'
*Jul 10 12:41:55.923: TPLUS: Queuing AAA Authorization request 11 for processing
*Jul 10 12:41:55.927: TPLUS: processing authorization request id 11
*Jul 10 12:41:55.927: TPLUS: Protocol set to None .....Skipping
*Jul 10 12:41:55.931: TPLUS: Sending AV service=shell
*Jul 10 12:41:55.931: TPLUS: Sending AV cmd*
*Jul 10 12:41:55.931: TPLUS: Authorization request created for 11(Admin)
*Jul 10 12:41:55.931: TPLUS: Using server 192.168.10.2
*Jul 10 12:41:55.935: TPLUS(0000000B)/0/IDLE/65013E74: got immediate connect on new 0
*Jul 10 12:41:55.935: TPLUS(0000000B)/0/WRITE/65013E74: Started 5 sec timeout
ROUTER1#
*Jul 10 12:41:55.935: TPLUS(0000000B)/0/WRITE: write to 192.168.10.2 failed with errno 257((ENOTCONN))
*Jul 10 12:41:55.935: TPLUS: Protocol set to None .....Skipping
*Jul 10 12:41:55.939: TPLUS: Sending AV service=shell
*Jul 10 12:41:55.939: TPLUS: Sending AV cmd*
*Jul 10 12:41:55.939: TPLUS: Authorization request created for 11(Admin)
ROUTER1#
*Jul 10 12:42:00.935: TPLUS(0000000B)/0/WRITE/65013E74: timed out
*Jul 10 12:42:00.935: TPLUS(0000000B)/0/WRITE/65013E74: timed out, clean up
*Jul 10 12:42:00.935: TPLUS(0000000B)/0/65013E74: Processing the reply packet
*Jul 10 12:42:00.939: AAA/AUTHOR/EXEC(0000000B): processing AV cmd=      <<<
*Jul 10 12:42:00.939: AAA/AUTHOR/EXEC(0000000B): processing AV priv-lvl=15      <<<
*Jul 10 12:42:00.943: AAA/AUTHOR/EXEC(0000000B): Authorization successful        <<<
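As an added illustration of the per-command behaviour shown in the debug above (this is not code from the thread or from Cisco), here is a small Python parser that groups `debug aaa authorization` lines into one record per authorization request, listing the AV pairs the switch sends for each command and the result it acts on, and flagging requests that ended "successful" even though the TACACS+ server write failed and timed out. The sample lines are constructed in the shape of the output above; the record fields and function names are my own.

```python
import re
# Constructed sample in the shape of the `debug aaa authorization` output quoted above:
# request 11 fails to reach 192.168.10.2, times out, yet ends "Authorization successful".
SAMPLE = """\
*Jul 10 12:41:55.919: AAA/AUTHOR (0xB): Pick method list 'default'
*Jul 10 12:41:55.931: TPLUS: Sending AV service=shell
*Jul 10 12:41:55.931: TPLUS: Sending AV cmd*
*Jul 10 12:41:55.931: TPLUS: Authorization request created for 11(Admin)
*Jul 10 12:41:55.931: TPLUS: Using server 192.168.10.2
*Jul 10 12:41:55.935: TPLUS(0000000B)/0/WRITE: write to 192.168.10.2 failed with errno 257((ENOTCONN))
*Jul 10 12:42:00.935: TPLUS(0000000B)/0/WRITE/65013E74: timed out
*Jul 10 12:42:00.939: AAA/AUTHOR/EXEC(0000000B): processing AV cmd=
*Jul 10 12:42:00.939: AAA/AUTHOR/EXEC(0000000B): processing AV priv-lvl=15
*Jul 10 12:42:00.943: AAA/AUTHOR/EXEC(0000000B): Authorization successful
"""
TS = r"^\*?\S+ \d+ [\d:.]+: "  # IOS timestamp prefix, e.g. "*Jul 10 12:42:00.939: "
PATTERNS = {  # one regex per kind of debug line we care about
    "start":  re.compile(TS + r"AAA/AUTHOR \((0x[0-9A-Fa-f]+)\): Pick method list '([^']+)'"),
    "sent":   re.compile(TS + r"TPLUS: Sending AV (\S+)"),
    "user":   re.compile(TS + r"TPLUS: Authorization request created for \d+\((\w+)\)"),
    "server": re.compile(TS + r"TPLUS: Using server (\S+)"),
    "fail":   re.compile(TS + r"TPLUS\(\w+\)/\S+: (?:timed out|write to \S+ failed)"),
    "got":    re.compile(TS + r"AAA/AUTHOR/\w+\(\w+\): processing AV (\S+)"),
    "result": re.compile(TS + r"AAA/AUTHOR/\w+\(\w+\): Authorization (\w+)"),
}

def parse_authorizations(text):
    """Group the debug lines into one record per authorization request."""
    records, cur = [], None
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            if (m := rx.match(line)) is None:
                continue
            if kind == "start":  # new request; lines up to the next start belong to it
                cur = {"session": m.group(1), "method_list": m.group(2), "user": None, "server": None,
                       "sent": [], "got": [], "server_failed": False, "result": None}
                records.append(cur)
            elif cur is not None:
                if kind in ("sent", "got"):
                    cur[kind].append(m.group(1))  # AV pairs sent to / acted on from the server
                elif kind == "fail":
                    cur["server_failed"] = True
                else:
                    cur[kind] = m.group(1)  # user / server / result
            break
    return records

def authorized_without_server(records):
    """Successful results despite server failure/timeout: decided by a later method, not TACACS+."""
    return [r for r in records if r["server_failed"] and r["result"] == "successful"]
```

Every `cmd` authorization shows up as its own record with its own server round trip, which is exactly why a slow or unreachable TACACS+ server is felt on every command; the records flagged by `authorized_without_server` are the ones where the outcome came from the next method in the method list rather than from the server.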
