TACACS AUTHORIZATION ISSUE

al_fredo79
Level 1

Hi all,

 

I am writing to you hoping someone could help me out with an issue that honestly I do not know how to resolve.

 

The thing is that I am testing a customer profile which has been enabled under TACACS. This customer would be able to make some configuration changes on a CPE Cisco 3945, whereas there would be others that cannot.

 

C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE 

ROM: System Bootstrap, Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)

c3900-universalk9-mz.SPA.151-4.M3.bin

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 987136K/61440K bytes of 
Processor board ID FCZ1543713X

 

As an example of the issue: if I type "show clock" in exec mode, in the output of debug tacacs I can see that the CPE sends an authorization message which is processed by the TACACS router, giving a response back as it should.

 

TC3945EH#show clock
Command authorization failed.  <<< this is OK, the customer should not have access

TC3945EH#
May 30 12:14:07.641 summert: TAC+: using previously set server 10.128.206.217 from group tacacs+
May 30 12:14:07.641 summert: TAC+: lookup 10.128.206.217 in DNS local cache
May 30 12:14:07.641 summert: TAC+: Using default tacacs server-group "tacacs+" list.
May 30 12:14:07.641 summert: TAC+: Opening TCP/IP to 10.128.206.217/49 timeout=5
May 30 12:14:07.645 summert: TAC+: Opened TCP/IP handle 0x1AB9304 to 10.128.206.217/49 using source 10.130.62.114
May 30 12:14:07.645 summert: TAC+: 10.128.206.217 (2223170801) AUTHOR/START queued
May 30 12:14:07.845 summert: TAC+: (2223170801) AUTHOR/START processed <<< OK
May 30 12:14:07.845 summert: TAC+: (-2071796495): received author response status = FAIL<< OK
May 30 12:14:07.845 summert: TAC+: Closing TCP/IP 0x1AB9304 connection to 10.128.206.217/49

 

However, here comes the issue: after entering global config mode, if we type any command (even those that the customer should not have access to), the CPE does not send any authorization messages, only accounting messages, so the TACACS cannot deny those commands that the customer should not be able to access.

 

TC3945EH#conf t
Enter configuration commands, one per line. End with CNTL/Z.
TC3945EH(config)#
May 30 12:14:32.461 summert: TAC+: using previously set server 10.128.206.217 from group tacacs+
May 30 12:14:32.461 summert: TAC+: lookup 10.128.206.217 in DNS local cache
May 30 12:14:32.461 summert: TAC+: Using default tacacs server-group "tacacs+" list.
May 30 12:14:32.461 summert: TAC+: Opening TCP/IP to 10.128.206.217/49 timeout=5
May 30 12:14:32.461 summert: TAC+: Opened TCP/IP handle 0x1AB9304 to 10.128.206.217/49 using source 10.130.62.114
May 30 12:14:32.461 summert: TAC+: 10.128.206.217 (293153580) AUTHOR/START queued OK
May 30 12:14:32.661 summert: TAC+: (293153580) AUTHOR/START processed << OK
May 30 12:14:32.661 summert: TAC+: (293153580): received author response status = PASS_ADD
May 30 12:14:32.661 summert: TAC+: Closing TCP/IP 0x1AB9304 connection to 10.128.206.217/49

If we type the command below, it should be denied, but as you can see, the CPE does not send the authorization message to the TACACS, only the accounting message.

TC3945EH(config)#interface gigabitEthernet 0/0
TC3945EH(config-if)#
May 30 12:14:58.249 summert: %PARSER-5-CFGLOG_LOGGEDCMD: User:xxxxx logged command:interface GigabitEthernet0/0
May 30 12:14:58.249 summert: TPLUS: Queuing AAA Accounting request 52 for processing
May 30 12:14:58.249 summert: TPLUS: processing accounting request id 52
May 30 12:14:58.249 summert: TPLUS: Sending AV task_id=458
May 30 12:14:58.249 summert: TPLUS: Sending AV timezone=summertime
May 30 12:14:58.249 summert: TPLUS: Sending AV service=shell
May 30 12:14:58.249 summert: TPLUS: Sending AV start_time=1527675298
May 30 12:14:58.249 summert: TPLUS: Sending AV priv-lvl=10
May 30 12:14:58.249 summert: TPLUS: Sending AV cmd=interface GigabitEthernet 0/0 
May 30 12:14:58.257 summert: TPLUS: Received accounting response with status PASS <<< NOT OK

 

The question is: is this the normal behavior of the router, not to send an authorization message after entering global config?

 

Is it an issue on the router config?

 

Is it an issue on the Tacacs server profile?

 

I am adding the router AAA config:

 

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

 

Thanks in advance

4 Replies

Richard Burts
Hall of Fame

My first response is to ask whether you have changed the level of any commands on this router. If so, that could explain the behavior you are describing.

 

My second response is about this statement: "If we type the command below, it should be denied". Why would you expect the interface command to be denied if the config t command was authorized?

 

My third response is to say that if you want to make it so that some users are permitted some commands while other users are not permitted those commands, the router config is pretty straightforward. The more complex part of achieving this is on the TACACS server. How does the server recognize the user, to what group does it assign the user, and what commands are permitted to that group? You have not described any of that to us.

 

My fourth response is that you can achieve this differentiation when using the TACACS server. I notice that you specify the TACACS server as the primary method and specify local as the backup method. I am not sure that you can achieve the differentiation of commands using local authorization.

 

HTH

 

Rick

Hi Richard,

 

First of all, I would like to thank you for the interest shown in this subject; I really appreciate it.

 

Answering to your questions:

 

1. There has not been any change to the level of any commands on this router.

 

2. The fact that the command configure terminal has to be authorized is due to the fact that the customer requested that they be able to make some configuration changes on the router, for instance DHCP.

That is why we have to authorize the config t command. Now, in order to avoid any impact on the WAN side, we do not want to authorize them to have access to the GigabitEthernet0/0 interface, which is the WAN interface. However, they would have access to the LAN interface (to configure HSRP, VRRP).

The main point is that the router is able to send an authorization message for any command we type in exec mode, whereas it does not send an authorization message after entering global config mode. The TACACS server needs this authorization message in order to determine whether or not to authorize certain commands.

 

So, if we want to deny access to GigabitEthernet0/0, after entering global config, if we type "interface GigabitEthernet0/0" the router should send an authorization message to the TACACS, so that the server can process the request and then deny it. But it does not happen. (This is the main problem we are facing.)

 

3 and 4. The customer can access the router only through TACACS, not locally.

 

Thanks again Richard

Hi Richard,

 

It's been a while. I just wanted to let you know that I found the solution and fortunately the issue is over.

 

It was just necessary to enter, under TACACS config mode, the following command:

aaa authorization config-commands <<< using this command, the router sends an authorization request to the TACACS server any time you type any command, regardless of the privilege level set on the TACACS user profile.

 

Thanks again for your reply
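Editor's note, not part of the original thread: the configuration below is the AAA block from the first post with the fix from this reply applied, plus a check and one caveat. `aaa authorization config-commands` is an IOS global configuration command, not a sub-command of `tacacs server`. The `!` lines are comments; nothing else is assumed beyond what the thread shows.

```ios
! Weak (as posted): EXEC-mode commands are sent to the TACACS+ server for
! authorization, but once in configure terminal the debug output shows only
! TPLUS accounting records and no AUTHOR/START, so "interface
! GigabitEthernet0/0" is never presented to the server for a deny decision.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Fix: also send configuration-mode commands to the server for authorization.
! Global configuration command.
aaa authorization config-commands
!
! Caveat worth closing at the same time: the session in the debug output runs
! at priv-lvl 10 and command authorization is configured for level 10, but
! command accounting is configured only for levels 1 and 15. Add the missing
! level so the audit trail matches the authorization policy.
aaa accounting commands 10 default start-stop group tacacs+
!
! Check (from EXEC):
!   show running-config all | include config-commands
! should list "aaa authorization config-commands". If the plain running-config
! instead contains "no aaa authorization config-commands", configuration
! command authorization has been explicitly disabled on that box. With
! "debug tacacs" running, "interface GigabitEthernet0/0" entered under
! configure terminal should now produce an AUTHOR/START followed by
! "received author response status = FAIL" for the restricted profile,
! exactly like the "show clock" exchange at the top of the thread.
```

Keep in mind that every method list above ends in `local`: when no TACACS+ server answers, command authorization falls back to the local database and the per-interface policy enforced by the server no longer applies (see the last reply in this thread).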

Hello

Glad to hear you have got it sorted, and thanks for letting the forum know.


I'd just like to reply to something you stated and that Richard picked up on: the user WILL have to use the local database of the device if/when the TACACS server is unavailable.

 

At that time those restricted commands, well, won't be restricted, unless you apply restrictions on a per-user basis for the device utilizing the local privilege interface/configure/exec commands and relating them to a specific user/users locally.

 

Regards

Paul
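Editor's note, not part of Paul's or the original poster's configuration: an added example of what the `local` fallback in the posted method lists can and cannot enforce. When `group tacacs+` is unreachable, the only control left is the privilege level of the local user and the level assigned to each command with the `privilege` command. That command keys on command keywords, not on arguments, so it cannot tell GigabitEthernet0/0 from a LAN interface. The username, secret and the DHCP command are placeholders chosen to match the thread's scenario (customer session at priv-lvl 10, DHCP changes allowed, WAN interface off limits).

```ios
! Local fallback account, used only when no TACACS+ server answers.
! Placeholder username and secret. The level matches the priv-lvl 10 that
! the TACACS+ profile grants in the debug output earlier in the thread.
username customer privilege 10 secret <customer-secret>
!
! Safe default: with nothing else configured, a level-10 local user cannot
! enter configure terminal at all during fallback, so the WAN interface is
! protected but the customer cannot change DHCP either.
!
! If DHCP changes must remain possible during a TACACS+ outage, the needed
! commands have to be lowered to level 10 explicitly:
privilege exec level 10 configure terminal
privilege configure level 10 ip dhcp pool
!
! Limitation: the line below would open configuration of EVERY interface,
! including GigabitEthernet0/0. There is no local equivalent of a per-
! interface deny, so leave "interface" at its default level 15 if the WAN
! interface must stay out of reach while the server is down.
! privilege configure level 10 interface
```

The trade-off is the one Paul describes: either the customer loses configuration access entirely while the TACACS+ server is unavailable, or the restriction on the WAN interface is lost with it. Deciding which failure mode is acceptable is a policy choice for the operator, but it should be made deliberately rather than inherited from a `local` keyword at the end of each method list.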

 

 

