
ASR9k issue with tacacs+

startx001
Level 1

Hi all,

I have an issue with TACACS+ on an ASR9k with ACS 5.6 (other routers/switches running IOS are working with no issue).

The issue is that I can log in to the ASR9k, but authorization doesn't work.

Only the conf t command is working, nothing else; I don't even have a single command in configure mode.

Also, sh run doesn't show anything, etc.

Below is the config from the ASR:

tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf mgmt
tacacs-server host x.x.x.x port 49
aaa accounting exec TEST_list start-stop group TEST_tacacs
aaa accounting commands TEST_list start-stop group TEST_tacacs
aaa group server tacacs+ TEST_tacacs
 vrf mgmt
 server-private a.b.c.d port 49
  key 7 ( hidden )
aaa authorization exec TEST_list group TEST_tacacs local
aaa authorization commands TEST_list group TEST_tacacs none
aaa authentication login TEST_list group TEST_tacacs local

line default
 login authentication TEST_list


Is the config wrong?


KR

VZ


5 Replies

xthuijs
Cisco Employee

Hi VZ, yeah, because you have named method lists, you also need to add the following command:

RP/0/RSP0/CPU0:A9K-BNG(config)#line default authorization exec TEST


cheers!

xander

Still the same problem; when trying to issue show run it doesn't show anything.

The command set on ACS is configured to permit show run.


KR

VZ

Can you provide me a:

show user task

and a debug tacacs:

  authentication  TACACS+ Authentication Debugging
  authorization   TACACS+ Authorization Debugging
  detail          More detailed TACACS+ AAA processing
  <cr>            

I suspect that you have no task group assigned to the user, which causes the command to be permitted, but the task group is not allowed to display anything from the config, hence the empty output.

You may need to add the task group root-system, for instance, to the user profile.

xander

I think you're right.

How do I do this for the users on TACACS?


KR

VZ

Hey VZ,

For CLI-based TACACS+ an example would look like this:

service = exec {
    task = "#root-system"
}

In the ACS GUI you will need to browse to the box for the exec service and in the text box add "task=#root-system".

You need to re-login with the user, obviously, and you can verify the applied task group with show user task.

Oh, one other tip: make sure there is a local user and local fallback etc., because if the TACACS+ server is unavailable or the config on the TACACS+ server is incorrect we may lock ourselves out, and password recovery is a tedious process for XR (as it should be, I guess :).

see also here: https://supportforums.cisco.com/document/61306/asr9000xr-using-task-groups-and-understanding-priv-levels-and-authorization

I also added 2 pictures to visualize an ACS configuration (the priv level is optional, just there for completeness in the picture).

cheers!

xander
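The diagnosis above (commands pass authorization but "show run" prints nothing because no task group was assigned) and the fix (return task=#root-system in the exec service) both come down to what the TACACS+ authorization REPLY carries. As an added example, not from this thread and not Cisco code, the following Python script builds and decodes TACACS+ authorization REPLY packets (RFC 8907 header framing and MD5 pseudo-pad obfuscation) and then reads the AV pairs the way IOS XR does: only a task attribute assigns task groups, so a reply that carries just priv-lvl=15 leaves the user without one. The session ID, packets and shared key ("secret") are constructed for the example; IOS XR's own fallback handling of priv-lvl is deliberately not modeled.

```python
"""TACACS+ authorization REPLY decoder with an IOS XR task-attribute check.

Added example (not from the forum thread or Cisco). All packets, the session
id and the shared key below are constructed for illustration.
"""
import hashlib
import struct

# TACACS+ header fields (RFC 8907, section 4.1)
VERSION = 0xC0                     # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Authorization REPLY status values (RFC 8907, section 6.2)
STATUS_NAMES = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 5.2 pad: chained MD5 over session_id | key | version | seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; calling it again de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status: int, args: list[str], session_id: int, key: bytes,
                       seq_no: int = 2, server_msg: bytes = b"") -> bytes:
    """Build a complete authorization REPLY (header + obfuscated body), as a server would."""
    raw_args = [a.encode() for a in args]
    if any(len(a) > 255 for a in raw_args):
        raise ValueError("arg_len is a single byte")
    body = struct.pack("!BBHH", status, len(raw_args), len(server_msg), 0)  # data_len = 0
    body += bytes(len(a) for a in raw_args) + server_msg + b"".join(raw_args)
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """Decode an authorization REPLY; key is the shared secret (the tacacs-server key)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet: type {ptype:#x}")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    # A wrong shared key yields garbage here; the length check catches almost all of it.
    if status not in STATUS_NAMES or 6 + arg_cnt + msg_len + data_len + sum(arg_lens) != length:
        raise ValueError("body does not parse (wrong shared key?)")
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len  # skip server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"status": STATUS_NAMES[status], "server_msg": server_msg.decode(), "args": args}


def split_av(arg: str) -> tuple[str, str, bool]:
    """Split an AV pair: '=' marks a mandatory attribute, '*' an optional one."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    return arg, "", True


def xr_task_assignment(args: list[str]) -> list[tuple]:
    """Task groups / tasks IOS XR takes from the exec-authorization AV pairs.

    Only the 'task' attribute assigns them: '#name' references a task group,
    'perms:taskid' (e.g. 'rwx:bgp') grants a single task. With no 'task'
    attribute the user has no task group, so per-command authorization may
    PASS while task-based checks suppress the output (an empty 'show run').
    """
    entries = []
    for arg in args:
        name, value, _mandatory = split_av(arg)
        if name != "task":
            continue
        for item in value.split(","):
            item = item.strip()
            if item.startswith("#"):
                entries.append(("taskgroup", item[1:]))
            elif ":" in item:
                perms, task_id = item.split(":", 1)
                entries.append(("task", task_id, perms))
    return entries


if __name__ == "__main__":
    KEY = b"secret"        # hypothetical shared key, constructed for the example
    SID = 0x1234ABCD       # constructed session id
    with_task = build_author_reply(0x01, ["priv-lvl=15", "task=#root-system"], SID, KEY)
    without_task = build_author_reply(0x01, ["priv-lvl=15"], SID, KEY)
    for pkt in (with_task, without_task):
        reply = parse_author_reply(pkt, KEY)
        print(reply["status"], reply["args"], "->", xr_task_assignment(reply["args"]) or "NO TASKGROUP")
```

On a real box the same comparison is what "debug tacacs authorization" and "show user task" give you: the first shows which AV pairs came back, the second which task groups the session actually holds. The body-length check in parse_author_reply is also a cheap way to spot a shared-key mismatch when decoding a capture.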