
TACACS authorization failure

davinci
Level 1

Hello,

I can authenticate into my 3560 switch, but when I attempt to use my TACACS r/w account I receive the errors below. EDIT: I can make changes with my external r/o and r/w accounts. All of my other switches are working without issue (read-only TACACS accounts and r/w TACACS accounts work fine).

Is the problem with my config? An IOS bug? A TACACS server issue?

sh version
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 28-Sep-17 02:04 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

switch uptime is 1 hour, 19 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipservicesk9-mz.122-55.SE12.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable

username tester privilege 15 secret xxxxxxxxxxxxxxxxx

aaa group server tacacs+ XXXXX
server-private q.r.s.t key xxxxx
server-private a.b.c.d key xxxxx
server-private e.f.g.h. key xxxxx
!
aaa authentication attempts login 2
aaa authentication password-prompt Fallback_Password:
aaa authentication username-prompt Fallback_Username:
aaa authentication login default group XXXX local
aaa authorization config-commands
aaa authorization exec default group XXXX local
aaa authorization commands 15 default group XXXX local
aaa authorization network default group YYYY
aaa accounting update newinfo
aaa accounting exec default start-stop group XXXX
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group XXXXX
aaa accounting system default start-stop group XXXX

switch#conf t
Tacacs session has expired.Please re-login to continue.
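The replies that follow turn on the method lists and the server group in this configuration, so here is a small checker for two things they raise: a method list that names a server group which is never defined anywhere in the config, and a login / exec / commands list with no local fallback method. This is an added example, not code from the thread or from Cisco; the config it runs on is constructed after the shape posted above, with made-up group names (TAC-A, TAC-B) and documentation addresses.

```python
"""Lint the AAA section of an IOS running-config: flag method lists that
point at a server group which is never defined, and management-plane lists
(login / exec / commands) that have no 'local' fallback. Added example, not
from the thread; the config is constructed after the shape posted there,
with made-up group names and documentation (192.0.2.x) addresses."""
import re

# Constructed sample: TAC-A is defined, TAC-B is referenced but never defined,
# and the exec authorization list has no local fallback.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TAC-A
 server-private 192.0.2.10 key 7 xxxxx
 server-private 192.0.2.11 key 7 xxxxx
!
aaa authentication login default group TAC-A local
aaa authorization config-commands
aaa authorization exec default group TAC-A
aaa authorization commands 15 default group TAC-B local
aaa authorization network default group TAC-A
aaa accounting commands 15 default start-stop group tacacs+
"""

GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)")
# aaa <service> <kind> [<level>] <list-name> <methods...>
METHOD_LINE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$")
BUILTIN_GROUPS = {"tacacs+", "radius"}      # always valid without a group definition
PLAIN_METHODS = {"local", "local-case", "none", "if-authenticated", "enable", "line"}
MGMT_KINDS = {"login", "exec", "commands"}   # lists that gate CLI access


def defined_groups(config):
    """Names of every 'aaa group server' block in the config."""
    return {m.group(1) for line in config.splitlines() if (m := GROUP_DEF.match(line))}


def parse_methods(tokens):
    """Turn 'start-stop group TAC-A local' into [('group','TAC-A'), ('local',None)].
    Accounting record types and other non-method tokens are skipped."""
    methods, it = [], iter(tokens)
    for tok in it:
        if tok == "group":
            methods.append(("group", next(it, "")))
        elif tok in PLAIN_METHODS:
            methods.append((tok, None))
    return methods


def method_lists(config):
    """Yield (service, kind, list_name, methods) for each method-list line.
    Lines without a method (attempts, prompts, config-commands) are skipped."""
    for line in config.splitlines():
        if m := METHOD_LINE.match(line):
            service, kind, _level, name, rest = m.groups()
            methods = parse_methods(rest.split())
            if methods:
                yield service, kind, name, methods


def lint_aaa(config):
    """Return human-readable findings, in config order."""
    groups = defined_groups(config)
    findings = []
    for service, kind, name, methods in method_lists(config):
        for method, arg in methods:
            if method == "group" and arg not in groups | BUILTIN_GROUPS:
                findings.append(f"aaa {service} {kind} {name}: group '{arg}' is never defined")
        # Accounting has no local method, so only authentication/authorization are checked.
        if service != "accounting" and kind in MGMT_KINDS and not any(
                m in ("local", "local-case") for m, _ in methods):
            findings.append(f"aaa {service} {kind} {name}: no local fallback method")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config | section aaa`, the two findings are the ones worth acting on before touching a remote switch: a typo in a group name leaves the method list with nothing to query, and a list without local leaves you dependent on password recovery if the servers are unreachable.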

Accepted Solution

I found the solution. I had to swap the order of the TACACS servers in the TACACS group list. Once I did that, normal authorization commenced.


balaji.bandi
Hall of Fame

You can increase the timeout on the TACACS server:

timeout [timeout integer]

You can also use if-authenticated for authorization commands:

aaa authorization commands 15 default group XXXXX if-authenticated

Note: start with basic features and increase to the advanced level; make sure you always have local enabled and test before writing the config. If not, you will need to go through the password recovery process.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

But what is the issue with the authorization failure? I can authenticate with the TACACS servers with both r/o and r/w accounts. However, I'm able to get into config mode with both r/o and r/w accounts. Neither account allows me to make changes, though, once inside configure mode.

The auth issue is that both r/o and r/w accounts can enter global configuration mode. However, neither account can make changes within global configuration mode. The auth behavior is bizarre.

We do not have any visibility of how your TACACS / RADIUS is configured for the authorisation profile.

What are you using: ISE, ACS or any other product?

Are you looking for any granular filter? If not, remove the command below and test it:

no aaa authorization config-commands

BB


TACACS server is Aruba ClearPass.

TACACS server is Aruba ClearPass

Not that I have hands-on experience with it, but most TACACS / RADIUS products work on the same RFC model with a different GUI; this is more of an authorization issue for the users. You need to check the logs at the TACACS server when you issue the commands: what is the error you see on the Aruba side?

I suggest 2 threads which may help you. Have you removed the command suggested before and tested it?

https://community.arubanetworks.com/blogs/vikramsaruba1/2015/04/07/how-to-perform-management-authentication-of-cisco-switch-against-clearpass

https://www.arubanetworks.com/techdocs/ClearPass/6.7/Aruba_DeployGd_HTML/Content/HP%20Switch%20Integration/Switch_mgmt_TACACS.htm

https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=13506

BB


I tried adding your command suggestion:

aaa authorization commands 15 default group XXXXX if-authenticated

however, the issue persists. I notice that when I log in with the r/o account, I still retain r/w rights. See below:

switch#conf t

Tacacs session has expired.Please re-login to continue.

Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#int loo
switch(config)#int loopback 1
Tacacs session has expired.Please re-login to continue.

switch(config-if)#ip add
switch(config-if)#ip address 172.16.222.222 255.255.255.255

switch#sh ip int brief
Interface IP-Address OK? Method Status Protocol
VlanX unassigned YES NVRAM administratively down down
VlanZ x.x.x.x YES NVRAM up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset down down
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/5 unassigned YES unset up up
GigabitEthernet0/6 unassigned YES unset down down
GigabitEthernet0/7 unassigned YES unset down down
GigabitEthernet0/8 unassigned YES unset down down
GigabitEthernet0/9 unassigned YES unset administratively down down
GigabitEthernet0/10 unassigned YES unset administratively down down
GigabitEthernet0/11 unassigned YES unset administratively down down
GigabitEthernet0/12 unassigned YES unset administratively down down
GigabitEthernet0/13 unassigned YES unset administratively down down
GigabitEthernet0/14 unassigned YES unset administratively down down
GigabitEthernet0/15 unassigned YES unset administratively down down
GigabitEthernet0/16 unassigned YES unset administratively down down
GigabitEthernet0/17 unassigned YES unset administratively down down
GigabitEthernet0/18 unassigned YES unset administratively down down
GigabitEthernet0/19 unassigned YES unset administratively down down
GigabitEthernet0/20 unassigned YES unset administratively down down
GigabitEthernet0/21 unassigned YES unset administratively down down
GigabitEthernet0/22 unassigned YES unset administratively down down
GigabitEthernet0/23 unassigned YES unset administratively down down
GigabitEthernet0/24 unassigned YES unset administratively down down
GigabitEthernet0/25 unassigned YES unset administratively down down
GigabitEthernet0/26 unassigned YES unset administratively down down
GigabitEthernet0/27 unassigned YES unset administratively down down
GigabitEthernet0/28 unassigned YES unset administratively down down
Loopback0 unassigned YES NVRAM up up
Loopback1 172.16.222.222 YES manual up up

however, the issue persists. I notice that when I log in with the r/o account, I still retain r/w rights.

This is more to do with how TACACS is configured. Spend some time reading the Aruba vendor documentation; it has clear steps on how you can go granular with user rights for R/O and R/W with admin access. You need to add a TACACS timeout if it frequently times out.

You also need to look at the TACACS logs rather than only the switch side.

BB


I wonder about the syntax of the command aaa authorization config-commands. In my experience authorization commands like this usually specify a method list (tacacs servers, if-authenticated, none, etc.). Are you sure that your other devices use this same syntax and that it works on them?

HTH

Rick

The other switches which work fine have aaa authorization config-commands in their config. I tested removing that from my problem switch but the issue still persists.

Thanks for the additional information. If you have removed authorization config-commands and the problem continues then we need to look for other explanations. In reading through the discussion again I would agree with the suggestion that you check the logs on your tacacs servers and see if they have any log messages that relate to this.

Can you confirm that you are logging in with an ID that is authenticated by tacacs and not with an ID that can be authenticated locally? Would you post the output of the command show tacacs?

In your description of the problem you say that you are not able to make config changes. But in one of your posts we see the messages, and it appears that you are, in fact, able to make changes:

switch#conf t

Tacacs session has expired.Please re-login to continue.

Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#int loo
switch(config)#int loopback 1
Tacacs session has expired.Please re-login to continue.

switch(config-if)#ip add
switch(config-if)#ip address 172.16.222.222 255.255.255.255

Can you provide clarification about this?

HTH

Rick

Yes, sorry for the confusion. Yes, I am absolutely authenticating with an external TACACS account and not a local account. I am able to make changes with both r/o and r/w external TACACS accounts.

switch#show tacacs

Tacacs+ Server - private : x.x.x.x/49
Socket opens: 32
Socket closes: 31
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 46
Total Packets Recv: 46


Tacacs+ Server - private : a.b.c.d/49
Socket opens: 53
Socket closes: 53
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 53
Total Packets Recv: 53

Thanks for the clarification. This sounds more and more like a bug in the code. Are there any other switches in your network that run this version of code?

Probably the next step in investigating this would be to run debug tacacs and debug aaa authorization.

HTH

Rick

davinci
Level 1

This is the only switch running this version of IOS. Here are the results of debug aaa authorization, debug aaa authentication and debug tacacs. For testing purposes, I logged in with my r/o TACACS account and then entered global config mode.

*Mar 2 22:25:43: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:43: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:43: TAC+: Opened TCP/IP handle 0x578EEA8 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:43: TAC+: Opened x.x.30.20 index=1
*Mar 2 22:25:43: TAC+: x.x.30.20 -- request for nonexistent server
*Mar 2 22:25:43: TAC+: Closing TCP/IP 0x578EEA8 connection to x.x.30.20/49
*Mar 2 22:25:43: TAC+: Using default tacacs server-group "TACACS" list.
*Mar 2 22:25:43: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:43: TAC+: Opened TCP/IP handle 0x4604634 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:43: TAC+: x.x.30.20 (3560166303) AUTHOR/START queued
*Mar 2 22:25:43: TAC+: (3560166303) AUTHOR/START processed
*Mar 2 22:25:43: TAC+: (-734800993): received author response status = UNKNOWN
*Mar 2 22:25:43: TAC+: Closing TCP/IP 0x4604634 connection to x.x.30.20/49
*Mar 2 22:25:49: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 2 22:25:49: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 2 22:25:49: AAA/MEMORY: create_user (0x581F300) user='username' ruser='switch' ds0=0 port='tty2' rem_addr='x.x.57.47' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): Port='tty2' list='' service=CMD
*Mar 2 22:25:49: AAA/AUTHOR/CMD: tty2 (1718819105) user='username'
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): send AV service=shell
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): send AV cmd=debug
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): send AV cmd-arg=aaa
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): send AV cmd-arg=authentication
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): send AV cmd-arg=<cr>
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): found list "default"
*Mar 2 22:25:49: tty2 AAA/AUTHOR/CMD (1718819105): Method=TACACS (tacacs+)
*Mar 2 22:25:49: AAA/AUTHOR/TAC+: (1718819105): user=username
*Mar 2 22:25:49: AAA/AUTHOR/TAC+: (1718819105): send AV service=shell
*Mar 2 22:25:49: AAA/AUTHOR/TAC+: (1718819105): send AV cmd=debug
*Mar 2 22:25:49: AAA/AUTHOR/TAC+: (1718819105): send AV cmd-arg=aaa
*Mar 2 22:25:49: AAA/AUTHOR/TAC+: (1718819105): send AV cmd-arg=authentication
*Mar 2 22:25:49: AAA/AUTHOR/TAC+: (1718819105): send AV cmd-arg=<cr>
*Mar 2 22:25:49: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:49: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:49: TAC+: Opened TCP/IP handle 0x581E768 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:49: TAC+: Opened x.x.30.20 index=1
*Mar 2 22:25:49: TAC+: x.x.30.20 -- request for nonexistent server
*Mar 2 22:25:49: TAC+: Closing TCP/IP 0x581E768 connection to x.x.30.20/49
*Mar 2 22:25:49: TAC+: Using default tacacs server-group "TACACS" list.
*Mar 2 22:25:49: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:49: TAC+: Opened TCP/IP handle 0x56AF108 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:49: TAC+: x.x.30.20 (1718819105) AUTHOR/START queued
*Mar 2 22:25:49: TAC+: (1718819105) AUTHOR/START processed
*Mar 2 22:25:49: TAC+: (1718819105): received author response status = UNKNOWN
*Mar 2 22:25:49: TAC+: Closing TCP/IP 0x56AF108 connection to x.x.30.20/49
*Mar 2 22:25:49: AAA/AUTHOR (1718819105): Post authorization status = UKNOWN
*Mar 2 22:25:49: AAA/MEMORY: free_user (0x581F300) user='username' ruser='switch' port='tty2' rem_addr='x.x.57.47' authen_type=ASCII service=NONE priv=15
*Mar 2 22:25:51: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 2 22:25:51: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 2 22:25:51: AAA/MEMORY: create_user (0x581EC24) user='username' ruser='switch' ds0=0 port='tty2' rem_addr='x.x.57.47' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): Port='tty2' list='' service=CMD
*Mar 2 22:25:51: AAA/AUTHOR/CMD: tty2 (3419537086) user='username'
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV service=shell
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd=configure
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): found list "default"
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): Method=TACACS (tacacs+)
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): user=username
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV service=shell
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd=configure
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:51: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:51: TAC+: Opened TCP/IP handle 0x4604634 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:51: TAC+: Opened x.x.30.20 index=1
*Mar 2 22:25:51: TAC+: x.x.30.20 -- request for nonexistent server
*Mar 2 22:25:51: TAC+: Closing TCP/IP 0x4604634 connection to x.x.30.20/49
*Mar 2 22:25:51: TAC+: Using default tacacs server-group "TACACS" list.
*Mar 2 22:25:51: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:51: TAC+: Opened TCP/IP handle 0x56AF108 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:51: TAC+: x.x.30.20 (3419537086) AUTHOR/START queued
*Mar 2 22:25:51: TAC+: (3419537086) AUTHOR/START processed
*Mar 2 22:25:51: TAC+: (-875430210): received author response status = UNKNOWN
*Mar 2 22:25:51: TAC+: Closing TCP/IP 0x56AF108 connection to x.x.30.20/49
*Mar 2 22:25:51: AAA/AUTHOR (3419537086): Post authorization status = UKNOWN
*Mar 2 22:25:51: AAA/MEMORY: free_user (0x581EC24) user='username' ruser='switch' port='tty2' rem_addr='x.x.57.47' authen_type=ASCII service=NONE priv=15
*Mar 2 16:25:53: %SYS-5-CONFIG_I: Configured from console by username on vty1 (x.x.57.47)
*Mar 2 22:25:55: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 2 22:25:55: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 2 22:25:55: AAA/MEMORY: create_user (0x581EC24) user='username' ruser='switch' ds0=0 port='tty2' rem_addr='x.x.57.47' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): Port='tty2' list='' service=CMD
*Mar 2 22:25:55: AAA/AUTHOR/CMD: tty2 (1044955446) user='username'
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV service=shell
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV cmd=show
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV cmd-arg=logging
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV cmd-arg=<cr>
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): found list "default"
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): Method=TACACS (tacacs+)
*Mar 2 22:25:55: AAA/AUTHOR/TAC+: (1044955446): user=username
*Mar 2 22:25:55: AAA/AUTHOR/TAC+: (1044955446): send AV service=shell
*Mar 2 22:25:55: AAA/AUTHOR/TAC+: (1044955446): send AV cmd=show
*Mar 2 22:25:55: AAA/AUTHOR/TAC+: (1044955446): send AV cmd-arg=logging
*Mar 2 22:25:55: AAA/AUTHOR/TAC+: (1044955446): send AV cmd-arg=<cr>
*Mar 2 22:25:55: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:55: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:55: TAC+: Opened TCP/IP handle 0x460371C to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:55: TAC+: Opened x.x.30.20 index=1
*Mar 2 22:25:55: TAC+: x.x.30.20 -- request for nonexistent server
*Mar 2 22:25:55: TAC+: Closing TCP/IP 0x460371C connection to x.x.30.20/49
*Mar 2 22:25:55: TAC+: Using default tacacs server-group "TACACS" list.
*Mar 2 22:25:55: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
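To review debug output like the above per request rather than line by line, here is an added parser (not from the thread or from Cisco) that groups the AAA/AUTHOR/CMD and TAC+ lines by session id, reconstructs the command from the cmd / cmd-arg AV pairs, and records whether a "request for nonexistent server" preceded the AUTHOR/START and what status came back. The sample lines are constructed after the ones posted above (same redaction); the second request's PASS_ADD reply is made up so that a healthy exchange sits next to a failing one. One detail it handles: IOS prints the same 32-bit session id unsigned on most lines and signed on the response line (3419537086 and -875430210 above are the same id), so ids are normalised to unsigned before matching.

```python
"""Summarise 'debug tacacs' / 'debug aaa authorization' output per
command-authorization request. Added example, not from the thread; the
excerpt below is constructed after the posted lines (addresses redacted
the same way), and the PASS_ADD reply on the second request is made up
so that a healthy exchange sits next to the failing one."""
import re

SAMPLE_DEBUG = """\
*Mar 2 22:25:51: AAA/AUTHOR/CMD: tty2 (3419537086) user='username'
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV service=shell
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd=configure
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:51: TAC+: x.x.30.20 -- request for nonexistent server
*Mar 2 22:25:51: TAC+: Using default tacacs server-group "TACACS" list.
*Mar 2 22:25:51: TAC+: x.x.30.20 (3419537086) AUTHOR/START queued
*Mar 2 22:25:51: TAC+: (-875430210): received author response status = UNKNOWN
*Mar 2 22:25:51: AAA/AUTHOR (3419537086): Post authorization status = UKNOWN
*Mar 2 22:25:55: AAA/AUTHOR/CMD: tty2 (1044955446) user='username'
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV cmd=show
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV cmd-arg=logging
*Mar 2 22:25:55: tty2 AAA/AUTHOR/CMD (1044955446): send AV cmd-arg=<cr>
*Mar 2 22:25:55: TAC+: x.x.30.20 (1044955446) AUTHOR/START queued
*Mar 2 22:25:55: TAC+: (1044955446): received author response status = PASS_ADD
*Mar 2 22:25:55: AAA/AUTHOR (1044955446): Post authorization status = PASS_ADD
"""

RE_NEW = re.compile(r"AAA/AUTHOR/CMD: \S+ \((-?\d+)\) user='([^']*)'")
RE_AV = re.compile(r"AAA/AUTHOR/CMD \((-?\d+)\): send AV (?:cmd|cmd-arg)=(.*)$")
RE_NOSRV = re.compile(r"TAC\+: (\S+) -- request for nonexistent server")
RE_START = re.compile(r"TAC\+: (\S+) \((-?\d+)\) AUTHOR/START queued")
RE_RESP = re.compile(r"TAC\+: \((-?\d+)\): received author response status = (\S+)")
RE_POST = re.compile(r"AAA/AUTHOR \((-?\d+)\): Post authorization status = (\S+)")


def session_id(text):
    """IOS prints one 32-bit id unsigned (3419537086) on most lines and
    signed (-875430210) on the response line; normalise to unsigned."""
    return int(text) & 0xFFFFFFFF


def parse_author_debug(text):
    """Return {session_id: record} in first-seen order."""
    requests = {}
    nonexistent = []  # 'nonexistent server' lines come just before AUTHOR/START
    for line in text.splitlines():
        if m := RE_NEW.search(line):
            requests[session_id(m.group(1))] = {
                "user": m.group(2), "cmd": [], "server": None,
                "nonexistent_server": None, "response": None, "post": None}
        elif m := RE_AV.search(line):
            rec = requests.get(session_id(m.group(1)))
            if rec is not None and m.group(2) != "<cr>":
                rec["cmd"].append(m.group(2))
        elif m := RE_NOSRV.search(line):
            nonexistent.append(m.group(1))
        elif m := RE_START.search(line):
            rec = requests.get(session_id(m.group(2)))
            if rec is not None:
                rec["server"] = m.group(1)
                rec["nonexistent_server"] = nonexistent[-1] if nonexistent else None
            nonexistent.clear()
        elif m := RE_RESP.search(line):
            rec = requests.get(session_id(m.group(1)))
            if rec is not None:
                rec["response"] = m.group(2)
        elif m := RE_POST.search(line):
            rec = requests.get(session_id(m.group(1)))
            if rec is not None:
                rec["post"] = m.group(2)
    for rec in requests.values():
        rec["cmd"] = " ".join(rec["cmd"])
    return requests


def unresolved(requests):
    """Requests for which the server never gave a verdict (status UNKNOWN),
    which is what every command in the posted debug shows."""
    return [(sid, r["cmd"], r["server"]) for sid, r in requests.items()
            if r["response"] == "UNKNOWN"]


if __name__ == "__main__":
    for sid, r in parse_author_debug(SAMPLE_DEBUG).items():
        print(f"{sid} {r['user']:<10} {r['cmd']:<20} server={r['server']} "
              f"nonexistent={r['nonexistent_server']} response={r['response']}")
```

Fed the full capture above, every request comes back with nonexistent_server set and response UNKNOWN, which is the pattern to line up against the server-side logs: the switch is reaching x.x.30.20 and closing the socket without ever receiving a PASS or FAIL, so the verdict (or the lack of one) is decided on the ClearPass side.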
