Cisco Switch aaa Console Authentication

CSCO10675262_2
Level 1

Hi,

I am trying to create an aaa authentication for console via a local username created on the Cisco 3750 switch. I am not able to log in to the switch using the console via local authentication. I keep getting the "authorization failed" error message. I have attached my configuration for reference.

aaa new-model
tacacs-server host 192.168.1.1 key 123456
aaa group server tacacs+ aaa1
server 192.168.1.1
ip tacacs source-interface Vlan10
exit
aaa authentication login default group aaa1 local
aaa authentication login Console local

aaa authorization config-commands
aaa authorization exec default group aaa1 local
aaa authorization commands 1 default group aaa1 local
aaa authorization commands 15 default group aaa1 local
aaa authorization exec Console none

aaa authorization console

aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo
aaa accounting exec default start-stop group aaa1
aaa accounting commands 1 default start-stop group aaa1
aaa accounting commands 15 default start-stop group aaa1
aaa accounting connection default start-stop group aaa1

username cisco privilege 15 password cisco1234

line con 0
login authentication Console

authorization exec Console
exit

I have no issues logging into the switch via vty except for console, I am not able to get the switch to make use of the local user database. The firmware used is 12.2(53)SE2. Not too sure what else is required on the configuration.

Thanks.

7 Replies

Calvin Ryver
Level 1

try changing

aaa authorization exec Console none

to

aaa authorization exec console if-authenticated

Hi Calvin,

I have tried the command, however it is still giving the same error output. I did a debug and noticed it shows the same error message I got when I tried to set up tacacs previously:

006087: Dec  1 2010 18:49:19.449 SGT: AAA/BIND(00000049): Bind i/f 
006088: Dec  1 2010 18:49:19.449 SGT: AAA/AUTHEN/LOGIN (00000049): Pick method list 'Console'
006089: Dec  1 2010 18:49:23.803 SGT: AAA/AUTHOR (0x49): Pick method list 'default'
006090: Dec  1 2010 18:49:23.811 SGT: AAA/AUTHOR/EXEC(00000049): Authorization FAILED

I am confused as to why the switch would make use of the default list instead of the configured authentication/authorization list?

Thanks.

change

aaa authorization console

to

aaa authorization Console

then enable debug tacacs and debug aaa authorization

Hi Calvin,

Thanks for the update. For the aaa authorization console command, not too sure if you are aware that "console" is a keyword instead of a named list. I have attached a reference for the command:

switch(config)#aaa authorization ? 
  auth-proxy       For Authentication Proxy Services
  cache            For AAA cache configuration
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  console          For enabling console authorization
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
  template         Enable template authorization

I have tried to change it to aaa authorization Console, however when I looked at the running configuration, it is still showing the same "aaa authorization console".

I have attached a copy of the debug below for reference:

006281: Dec  1 2010 19:16:04.667 SGT: AAA/BIND(0000004B): Bind i/f 
006282: Dec  1 2010 19:16:04.667 SGT: AAA/AUTHEN/LOGIN (0000004B): Pick method list 'Console'
006283: Dec  1 2010 19:16:10.170 SGT: AAA/AUTHOR (0x4B): Pick method list 'default'
006284: Dec  1 2010 19:16:10.170 SGT: TPLUS: Queuing AAA Authorization request 75 for processing
006285: Dec  1 2010 19:16:10.170 SGT: TPLUS: processing authorization request id 75
006286: Dec  1 2010 19:16:10.170 SGT: TPLUS: Protocol set to None .....Skipping
006287: Dec  1 2010 19:16:10.170 SGT: TPLUS: Sending AV service=shell
006288: Dec  1 2010 19:16:10.170 SGT: TPLUS: Sending AV cmd*
006289: Dec  1 2010 19:16:10.170 SGT: TPLUS: Authorization request created for 75(cisco)
006290: Dec  1 2010 19:16:10.170 SGT: TPLUS: Using server 192.168.1.1
006291: Dec  1 2010 19:16:10.170 SGT: TPLUS(0000004B)/0/NB_WAIT/63221E8: Started 5 sec timeout
006292: Dec  1 2010 19:16:10.178 SGT: TPLUS(0000004B)/0/NB_WAIT: socket event 2
006293: Dec  1 2010 19:16:10.178 SGT: TPLUS(0000004B)/0/NB_WAIT: wrote entire 57 bytes request
006294: Dec  1 2010 19:16:10.178 SGT: TPLUS(0000004B)/0/READ: socket event 1
006295: Dec  1 2010 19:16:10.178 SGT: TPLUS(0000004B)/0/READ: Would block while reading
006296: Dec  1 2010 19:16:10.178 SGT: TPLUS(0000004B)/0/READ: socket event 1
006297: Dec  1 2010 19:16:10.186 SGT: TPLUS(0000004B)/0/READ: read entire 12 header bytes (expect 46 bytes data)
006298: Dec  1 2010 19:16:10.186 SGT: TPLUS(0000004B)/0/READ: socket event 1
006299: Dec  1 2010 19:16:10.186 SGT: TPLUS(0000004B)/0/READ: read entire 58 bytes response
006300: Dec  1 2010 19:16:10.186 SGT: TPLUS(0000004B)/0/63221E8: Processing the reply packet
006301: Dec  1 2010 19:16:10.186 SGT: TPLUS: received authorization response for 75: FAIL
006302: Dec  1 2010 19:16:10.186 SGT: AAA/AUTHOR/EXEC(0000004B): Authorization FAILED

Not too sure what may be required to make the switch use the configured authorization list instead of the default list for console access?

Thanks.

if you disable authorization for the console and only use authen then it should work

remove the

aaa author exec console

aaa author console

and in the line con 0

the

author exec console

it seems that in this code the author exec is only carried over in vty and tty lines and not the console

Hi Calvin,

Thanks for the suggestion, however I am still seeing the same error. I have attached an output of the debug for reference:

006489: Dec  2 2010 10:43:17.270 SGT: AAA/BIND(0000004D): Bind i/f 
006490: Dec  2 2010 10:43:17.270 SGT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'Console'
006491: Dec  2 2010 10:43:25.440 SGT: AAA/AUTHOR (0x4D): Pick method list 'default'
006492: Dec  2 2010 10:43:25.440 SGT: TPLUS: Queuing AAA Authorization request 77 for processing
006493: Dec  2 2010 10:43:25.440 SGT: TPLUS: processing authorization request id 77
006494: Dec  2 2010 10:43:25.440 SGT: TPLUS: Protocol set to None .....Skipping
006495: Dec  2 2010 10:43:25.440 SGT: TPLUS: Sending AV service=shell
006496: Dec  2 2010 10:43:25.449 SGT: TPLUS: Sending AV cmd*
006497: Dec  2 2010 10:43:25.449 SGT: TPLUS: Authorization request created for 77(cisco)
006498: Dec  2 2010 10:43:25.449 SGT: TPLUS: Using server 192.168.1.1
006499: Dec  2 2010 10:43:25.449 SGT: TPLUS(0000004D)/0/NB_WAIT/1FC0B0: Started 5 sec timeout
006500: Dec  2 2010 10:43:25.449 SGT: TPLUS(0000004D)/0/NB_WAIT: socket event 2
006501: Dec  2 2010 10:43:25.449 SGT: TPLUS(0000004D)/0/NB_WAIT: wrote entire 57 bytes request
006502: Dec  2 2010 10:43:25.449 SGT: TPLUS(0000004D)/0/READ: socket event 1
006503: Dec  2 2010 10:43:25.449 SGT: TPLUS(0000004D)/0/READ: Would block while reading
006504: Dec  2 2010 10:43:25.457 SGT: TPLUS(0000004D)/0/READ: socket event 1
006505: Dec  2 2010 10:43:25.457 SGT: TPLUS(0000004D)/0/READ: read entire 12 header bytes (expect 46 bytes data)
006506: Dec  2 2010 10:43:25.457 SGT: TPLUS(0000004D)/0/READ: socket event 1
006507: Dec  2 2010 10:43:25.457 SGT: TPLUS(0000004D)/0/READ: read entire 58 bytes response
006508: Dec  2 2010 10:43:25.457 SGT: TPLUS(0000004D)/0/1FC0B0: Processing the reply packet
006509: Dec  2 2010 10:43:25.457 SGT: TPLUS: received authorization response for 77: FAIL
006510: Dec  2 2010 10:43:25.457 SGT: AAA/AUTHOR/EXEC(0000004D): Authorization FAILED

Would it possibly be a limitation/bug in the software that it can only authenticate using the default list?

Thanks.

Hi,

If you have no named method for authentication/authorization set on a line then the method default is applied.

Your default method for authorization is tacacs+ so your switch is trying to get a pass response from your tacacs+ server which it doesn't get.

Try getting rid of the aaa authorization exec default command or replace tacacs+ with local and it should work.

Regards.

Don't forget to rate helpful posts.
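The following is an added illustration, not code from the thread or from Cisco: a small Python model of how IOS picks and walks an AAA method list, covering the two points the replies above turn on. First, a line with no named list falls back to 'default'. Second, a list such as "group aaa1 local" only moves on to the next method when the previous one returns ERROR (server unreachable), never when the server answers FAIL, which is why the local user "cisco" was never consulted in the debug output. The server replies and user names are constructed for the example.

```python
# Added example (not from the thread): model of Cisco IOS AAA method-list
# evaluation. Server replies and users below are constructed, not real.

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Exec authorization lists as configured on the switch in the thread.
METHOD_LISTS = {
    "authorization exec": {
        "default": ["group aaa1", "local"],
        "Console": ["none"],
    }
}

def pick_list(line_config, aaa_type):
    """A line uses its named list if one is applied, otherwise 'default'
    (the rule stated in the last reply)."""
    return line_config.get(aaa_type, "default")

def run_method(method, user, tacacs_reply, local_users):
    """Result of one method. 'none' always passes; 'local' checks the
    local database; a server group returns whatever the server did."""
    if method == "none":
        return PASS
    if method == "local":
        return PASS if user in local_users else FAIL
    if method.startswith("group "):
        return tacacs_reply  # PASS/FAIL from the server, ERROR if unreachable
    raise ValueError("unknown method: %s" % method)

def evaluate(methods, user, tacacs_reply, local_users):
    """Walk the list in order: stop on PASS or FAIL, continue only on ERROR."""
    for method in methods:
        result = run_method(method, user, tacacs_reply, local_users)
        if result != ERROR:
            return result, method
    return ERROR, None  # every method errored out

def console_exec_authorization(line_config, tacacs_reply,
                               user="cisco", local_users=("cisco",)):
    """Return (list used, result, method that decided) for a console login."""
    name = pick_list(line_config, "authorization exec")
    result, decided_by = evaluate(METHOD_LISTS["authorization exec"][name],
                                  user, tacacs_reply, local_users)
    return name, result, decided_by

if __name__ == "__main__":
    # Named list honoured: 'Console' -> none -> PASS.
    print(console_exec_authorization({"authorization exec": "Console"}, FAIL))
    # As in the debug: no named list applied, TACACS+ answers FAIL, local never tried.
    print(console_exec_authorization({}, FAIL))
    # Server unreachable: ERROR lets the list fall through to local -> PASS.
    print(console_exec_authorization({}, ERROR))
```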