Re: Problem with TACACS Authorization (Router - Cisco ACS)

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 11 Mar 2010 18:16:33 +0000

Hi Ed,

I know this is a basic question (so excuse me) but starting from basics to
cover the ground well here :-)

I take it you have also enabled the "Shell (exec)" option, as well as the "Priv lvl",
on the User/Group profile, right?

Thanks,

On Thu, Mar 11, 2010 at 6:08 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe> wrote:

> Hi,
>
> Have any of you seen this issue before? Let me tell you, I have set up
> the ACS and also the router fine, so that it gets authenticated so far. The
> issue appears when I enable authorization exec on the router. I have also
> enabled it on the ACS within the "TACACS+ Settings", making sure that
> "privilege level" is checked and with a value of 15. So far so good. The
> issue appears there: as soon as I enable authorization exec I receive a
> message when I try to login:
>
> login as: ez
> Using keyboard-interactive authentication.
> Password:
> % Authorization failed
>
> When I got that message I saw that I successfully passed the authentication
> on the ACS: "03/11/2010 09:55:44 Authen OK ez ", but I am unable to access
> the router because of an "authorization failed" message. Performing some
> debugs on the IOS, I got the following when I enabled "debug aaa authorization":
>
>
> CA0272#
> Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
> Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' -
> FAIL
> Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
> CA0272#
>
> And when I enable "debug tacacs authorization", I got this message:
>
> CA0272#
> Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for
> processing
> Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
> Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
> Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
> Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
> Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
> Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220
> from
> group tacacs+
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate
> connect on new 0
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec
> timeout
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes
> request
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the reply
> packet
> CA0272#
>
> The current device that I am using is:
>
> 0272#sh version | i IOS
> Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version
> 12.4(24)T2, RELEASE SOFTWARE (fc2)
>
> 0272#sh inventory
> NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
> PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
> 0272#
>
> Also I have realized that sometimes it works and sometimes it does not; it
> seems to be a bug with the ACS, but I do not see on the web site any issue
> related to my problem. I am using ACS Release 4.1(1) Build 23 Patch 4.
>
> I have tested these devices without any configuration and it works fine,
> so I could think that the problem is the config on the routers, but I get
> dropped by the ACS, not by the router. I am not sure if the problem could be
> the ACS or the routers themselves. Currently they have already enabled DMVPN,
> CBAC and urlfilter with WebSense Server.
>
> Let me know your thoughts.
>
> Regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIE #19963
Received on Thu Mar 11 2010 - 18:16:33 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART
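To make the two debug captures quoted above easier to act on, here is an added Python example (not from the thread, not Cisco's code) that re-joins the mail-wrapped IOS debug lines and classifies the outcome. The security-relevant distinction it draws: an `AAA/AUTHOR/EXEC ... Authorization FAILED` record that is preceded by a TPLUS `Processing the reply packet` record means the TACACS+ server answered and denied the `service=shell` request, which points at the user/group profile on the ACS (the Shell (exec) and priv-lvl settings asked about in the reply) rather than at server reachability, the shared secret or the 5-second timeout. The sample input is the debug text from the mail, embedded as a constructed string; the `cause` labels and the "no reply" interpretation are this example's own assumptions.

```python
"""Classify Cisco IOS 'debug aaa authorization' / 'debug tacacs authorization'
output: did the TACACS+ server answer FAIL, or did it never answer at all?
Added example for this thread; not code from the thread or from Cisco."""
import re
from dataclasses import dataclass, field

# An IOS debug record starts with a timestamp such as "Mar 11 2010 09:21:07 PST: ".
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d \w+: ")
# Bare CLI prompts ("CA0272#") carry no information and are dropped.
PROMPT = re.compile(r"^\S+#\s*$")

# Constructed sample: the debug output quoted in the mail, still wrapped by the
# mail client (continuation lines carry no timestamp).
SAMPLE = """\
CA0272#
Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' -
FAIL
Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
CA0272#
Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for
processing
Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220
from
group tacacs+
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate
connect on new 0
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec
timeout
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes
request
Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the reply
packet
CA0272#
"""


def unwrap(text):
    """Re-join lines a mail client wrapped: a line without a leading IOS
    timestamp is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or PROMPT.match(line):
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


@dataclass
class AuthzDiagnosis:
    user: str = ""
    server: str = ""
    av_pairs: list = field(default_factory=list)   # AV pairs the router sent
    method_list: tuple = ()                         # (name, result) from AAA/AUTHOR
    exec_failed: bool = False
    reply_received: bool = False
    timeout_sec: int = 0
    cause: str = "granted"   # assumed labels: granted / server_denied / no_server_reply


def diagnose(text):
    """Walk the unwrapped records and decide where the EXEC authorization broke."""
    d = AuthzDiagnosis()
    for rec in unwrap(text):
        if (m := re.search(r"Pick method list '(\w+)' - (\w+)", rec)):
            d.method_list = (m.group(1), m.group(2))
        elif re.search(r"AAA/AUTHOR/EXEC\(\w+\): Authorization FAILED", rec):
            d.exec_failed = True
        elif (m := re.search(r"TPLUS: Sending AV (\S+)", rec)):
            d.av_pairs.append(m.group(1))
        elif (m := re.search(r"Authorization request created for \d+\((\w+)\)", rec)):
            d.user = m.group(1)
        elif (m := re.search(r"using previously set server (\S+)", rec)):
            d.server = m.group(1)
        elif (m := re.search(r"Started (\d+) sec timeout", rec)):
            d.timeout_sec = int(m.group(1))
        elif "Processing the reply packet" in rec:
            d.reply_received = True
    if d.exec_failed:
        # A reply was processed and the method list still returned FAIL, so the
        # server itself denied the shell request: inspect the user/group profile
        # on the server (shell service enabled, priv-lvl) rather than reachability
        # or the shared key.  No reply before the FAIL is the opposite case.
        d.cause = "server_denied" if d.reply_received else "no_server_reply"
    return d


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the captures in the thread `diagnose(SAMPLE)` reports user `ez`, server `10.128.0.220`, AV pairs `service=shell` and `cmd*`, a reply received, and `cause == "server_denied"`, which is consistent with the ACS log showing `Authen OK` followed by the router's `% Authorization failed`.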