Hello, I am seeing some strange behaviour on my switch running TACACS.
Sometimes when commands are authorized on my TACACS.net server, the logs do not include the actual command requested for authorization. Other times they do.
Here are examples of debug logs from TACACS.net server:
A COMMAND AUTHORIZATION WHERE THE ACTUAL COMMAND SHOWS IN THE LOGS: (NB: I have marked the differences with ******). The main difference seems to be the 'Authorization Method', i.e. a method of DEBUG logs the command correctly, while a method of TACACSPLUS does not. Does anyone have any insight?
Received:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=1
IsEncrypted=True
IsSingleConnect=False
SessionID=-273089716
DataLength=99
Authorization Method=Debug*******************
Priv lvl=1
Auth Type=Ascii
Service=None***************DIFFERENCE
User=lastresort
Port=tty3
Rem Addr=10.15.2.131
Args: service=shell cmd=show cmd-arg=cdp cmd-arg=neighbors cmd-arg=<cr>*********DIFFERENCE
<87> 2018-05-27 11:46:46 [10.21.8.5:58174] Authorization Entry #1 is being applied based on Client configuration
<87> 2018-05-27 11:46:46 [10.21.8.5:58174] Command show cdp neighbors <cr> passed expression .* (internal:^[\a\b\t\r\v\f\n\e\s]*.*[\a\b\t\r\v\f\n\e\s(<cr>)]*$), Allow=True
<87> 2018-05-27 11:46:46 [10.21.8.5:58174] Received 2 packets on connection
<87> 2018-05-27 11:46:46 [10.21.8.5:58174]
Sending:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=-273089716
DataLength=6
Authorization Status=PassAdd
User=
Port=
Args:
A COMMAND AUTHORIZATION WHERE THE ACTUAL COMMAND DOES NOT SHOW IN THE LOGS:
Received:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=1
IsEncrypted=True
IsSingleConnect=False
SessionID=-1726325463
DataLength=52
Authorization Method=TACACSPLUS*****************DIFFERENCE
Priv lvl=1
Auth Type=Ascii
Service=Login*******************DIFFERENCE
User=lastresort
Port=tty1
Rem Addr=10.15.2.131
Args: service=shell cmd**********DIFFERENCE
<87> 2018-05-27 11:54:27 [10.21.8.5:53709] Authorization Entry #1 is being applied based on Client configuration
<87> 2018-05-27 11:54:27 [10.21.8.5:53709] Client asked for AutoExec pairs. Returning PassAdd
<87> 2018-05-27 11:54:27 [10.21.8.5:53709] Received 2 packets on connection
<87> 2018-05-27 11:54:27 [10.21.8.5:53709]
Sending:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=-1726325463
DataLength=18
Authorization Status=PassAdd
User=
Port=
Args: priv-lvl=15
Here is my TACACS configuration:
aaa new-model
aaa authorization console
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface Vlanx
tacacs-server host 10.21.250.212
tacacs-server timeout 10
tacacs-server key <xxx
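The two "Args:" lines above are different request types: the bare `cmd` with an empty value is the exec-start (autoexec) authorization the switch sends when the shell opens, while `cmd=show cmd-arg=...` is a per-command authorization. The following is an added example, not part of the original post or of TACACS.net, that parses both lines as pasted and classifies them; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: the two "Args:" lines from the debug logs above.
EXEC_START_ARGS = "Args: service=shell cmd"
COMMAND_ARGS = "Args: service=shell cmd=show cmd-arg=cdp cmd-arg=neighbors cmd-arg=<cr>"

@dataclass
class AuthzRequest:
    service: Optional[str] = None
    cmd: Optional[str] = None            # None when no cmd attribute at all
    cmd_args: List[str] = field(default_factory=list)
    other: Dict[str, str] = field(default_factory=dict)

    @property
    def kind(self) -> str:
        """'exec-start' for the shell-start (autoexec) request, which carries
        an empty cmd value; 'command' for a per-command request."""
        if self.service != "shell" or self.cmd is None:
            return "other"
        return "command" if self.cmd else "exec-start"

    @property
    def command_line(self) -> str:
        """Reassemble what the user typed; <cr> only marks the end of the line."""
        words = [self.cmd or ""] + [a for a in self.cmd_args if a != "<cr>"]
        return " ".join(w for w in words if w)

def parse_args_line(line: str) -> AuthzRequest:
    """Parse a TACACS.net 'Args:' debug line into attribute-value pairs.
    Tokens are whitespace separated; a token with no separator (the bare
    'cmd' in the second log) is an attribute with an empty value."""
    body = line.split("Args:", 1)[1].strip()
    req = AuthzRequest()
    for token in body.split():
        m = re.match(r"^([^=*]+)(?:[=*](.*))?$", token)
        if not m:
            continue                      # skip malformed tokens
        name, value = m.group(1), (m.group(2) or "")
        if name == "service":
            req.service = value
        elif name == "cmd":
            req.cmd = value
        elif name == "cmd-arg":
            req.cmd_args.append(value)
        else:
            req.other[name] = value
    return req
```

Running this over the first log's line yields kind "command" with command line "show cdp neighbors"; the second log's line yields "exec-start", which is why no command appears there.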