AAA Authorization question !!!

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sat Mar 07 2009 - 22:34:02 ARST


Hi there,

I hope some of you can help me with this.

I have set up my router so that it can authenticate against TACACS and
authorize exec with TACACS also. So far so good:

Rack1R4#sh run | sec aaa
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CON0 none
aaa authorization exec default group tacacs+
aaa session-id common
Rack1R4#
Rack1R4(config)#do sh run | sec privilege
privilege exec level 2 show running-config
privilege exec level 2 show
 privilege level 15
Rack1R4(config)#

From R5:

Rack1R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

Username: ezorrilla-2
Password:
Rack1R4#sh privilege
Current privilege level is 2
Rack1R4#

Now, as soon as I enter the command "Rack1R4(config)#aaa authorization
commands 2 default local", I get the following error:

Rack1R4#sh ip int brief
% Authorization failed.
% Incomplete command.

Rack1R4#sh run
% Authorization failed.
% Incomplete command.

Rack1R4#

Rack1R4(config)#
Mar 7 19:26:23.069: AAA: parse name=tty322 idb type=-1 tty=-1
Mar 7 19:26:23.069: AAA: name=tty322 flags=0x11 type=5 shelf=0 slot=0
adapter=0 port=322 channel=0
Mar 7 19:26:23.069: AAA/MEMORY: create_user (0x473AD3B4) user='ezorrilla-2'
ruser='Rack1R4' ds0=0 port='tty322' rem_addr='132.1.45.5' authen_type=ASCII
service=NONE priv=2 initial_task_id='0', vrf= (id=0)
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): Port='tty322' list=''
service=CMD
Mar 7 19:26:23.069: AAA/AUTHOR/CMD: tty322(1930842668) user='ezorrilla-2'
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV service=shell
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd=show
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV
cmd-arg=running-config
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd-arg=<cr>
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): found list "default"
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): Method=LOCAL
Mar 7 19:26:23.069: AAA/AUTHOR/LOCAL: no entry for ezorrilla-2
Mar 7 19:26:23.073: AAA/AUTHOR (1930842668): Post authorization status =
ERROR
Mar 7 19:26:23.073: tty322 AAA/AUTHOR/CMD(1930842668): Method=NOT_SET
Mar 7 19:26:23.073: tty322 AAA/AUTHOR/CMD(1930842668): no methods left to
try
Mar 7 19:26:23.073: AAA/AUTHOR (1930842668): Post authorization status =
ERROR
Mar 7 19:26:23.073: AAA/MEMORY: free_user (0x473AD3B4) user='ezorrilla-2'
ruser='Rack1R4' port='tty322' rem_addr='132.1.45.5' authen_type=ASCII
service=NONE priv=2 vrf= (id=0)
Rack1R4(config)#

The debugs show me that ezorrilla-2 is not there, so as soon as I enter the
username it works:

Rack1R4(config)#username ezorrilla-2
Rack1R4(config)#

Telnet from R5:

Rack1R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

Username: ezorrilla-2
Password:
Rack1R4#sh privilege
Current privilege level is 2
Rack1R4#
Rack1R4#sh run
Building configuration...
Current configuration : 173 bytes
<output-omitted>
Rack1R4#

Question: do I need to enter the username in global config so that "aaa
authorization commands 2 default local" can work? Is it not just about the
command? I guess it has nothing to do with the username.

I could be wrong. -:(

Any help would be appreciated,

Regards
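Added example (not from the post or from Cisco): a small Python parser for the AAA/AUTHOR/CMD debug lines quoted above, which groups them by the session id in parentheses, rebuilds the command from the cmd/cmd-arg AV pairs, and reports which method produced the final status and whether the LOCAL method found no username entry. The sample lines are reconstructed from the post with the interleaved "Rack1R4(config)#" prompt removed; the regexes assume the line layout shown there.

```python
import re

# Constructed sample: AAA/AUTHOR/CMD lines quoted in the post, minus the
# "Rack1R4(config)#" prompt that interleaved the original output.
SAMPLE_DEBUG = """\
Mar 7 19:26:23.069: AAA/AUTHOR/CMD: tty322(1930842668) user='ezorrilla-2'
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd=show
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd-arg=running-config
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): send AV cmd-arg=<cr>
Mar 7 19:26:23.069: tty322 AAA/AUTHOR/CMD(1930842668): Method=LOCAL
Mar 7 19:26:23.069: AAA/AUTHOR/LOCAL: no entry for ezorrilla-2
Mar 7 19:26:23.073: AAA/AUTHOR (1930842668): Post authorization status = ERROR
Mar 7 19:26:23.073: tty322 AAA/AUTHOR/CMD(1930842668): no methods left to try
"""

# Session id appears as "AAA/AUTHOR/CMD(id)", "AAA/AUTHOR/CMD: ttyN(id)" or "AAA/AUTHOR (id)".
SESSION_RE = re.compile(r"AAA/AUTHOR(?:/CMD)?:? ?\w*\((\d+)\)")
USER_RE = re.compile(r"user='([^']*)'")
AV_RE = re.compile(r"send AV ([\w-]+)=(.*)$")
METHOD_RE = re.compile(r"Method=(\w+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
NO_ENTRY_RE = re.compile(r"AAA/AUTHOR/LOCAL: no entry for (\S+)")

def parse_author_debug(text):
    """Group AAA/AUTHOR lines by session id; one record per authorization attempt."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            current = m.group(1)
            sessions.setdefault(current, {"user": None, "av": [], "methods": [],
                                          "status": None, "local_missing": None})
        if current is None:
            continue
        rec = sessions[current]  # AAA/AUTHOR/LOCAL lines carry no id: charge them to the open session
        if m := USER_RE.search(line):
            rec["user"] = m.group(1)
        elif m := AV_RE.search(line):
            rec["av"].append((m.group(1), m.group(2)))
        elif m := METHOD_RE.search(line):
            rec["methods"].append(m.group(1))
        elif m := STATUS_RE.search(line):
            rec["status"] = m.group(1)
        elif m := NO_ENTRY_RE.search(line):
            rec["local_missing"] = m.group(1)
    return sessions

def summarize(rec):
    """Rebuild the command from its AV pairs and name the method that rejected it."""
    cmd = " ".join(v for k, v in rec["av"] if k in ("cmd", "cmd-arg") and v != "<cr>")
    why = f"; no local username entry for {rec['local_missing']}" if rec["local_missing"] else ""
    return f"{rec['user']} '{cmd}' -> {rec['status']} via {','.join(rec['methods'])}{why}"
```

Running `summarize` over each record from `parse_author_debug(SAMPLE_DEBUG)` turns the debug burst into one line per attempted command, which is easier to review than the raw interleaved output.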

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART