Re: Problem with TACACS Authorization (Router - Cisco ACS)

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Fri, 12 Mar 2010 12:16:41 +0000

Hi Ed,

I just ran a quick test for you on my setup (although the ACS version is 4.2)
and the IOS version is below:

R3#
R3#sh ver | i IOS
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
R3#
*Mar 12 12:07:30.802: AAA/BIND(00000006): Bind i/f
*Mar 12 12:07:35.466: AAA/AUTHOR (0x6): Pick method list 'default'
*Mar 12 12:07:35.470: TPLUS: Queuing AAA Authorization request 6 for processing
*Mar 12 12:07:35.470: TPLUS: processing authorization request id 6
*Mar 12 12:07:35.470: TPLUS: Protocol set to None .....Skipping
*Mar 12 12:07:35.470: TPLUS: Sending AV service=shell
*Mar 12 12:07:35.470: TPLUS: Sending AV cmd*
*Mar 12 12:07:35.470: TPLUS: Authorization request created for 6(USER2)
*Mar 12 12:07:35.470: TPLUS: using previously set server 10.0.0.100 from group tacacs+
*Mar 12 12:07:35.474: TPLUS(00000006)/0/NB_WAIT/488DCC54: Started 5 sec timeout
*Mar 12 12:07:35.490: TPLUS(00000006)/0/NB_WAIT: socket event 2
*Mar 12 12:07:35.490: TPLUS(00000006)/0/NB_WAIT: wrote entire 59 bytes request
*Mar 12 12:07:35.490: TPLUS(00000006)/0/READ: socket event 1
*Mar 12 12:07:35.490: TPLUS(00000006)/0/READ: Would block while reading
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: socket event 1
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: read entire 12 header bytes (expect 17 bytes data)
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: socket event 1
*Mar 12 12:07:35.522: TPLUS(00000006)/0/READ: read entire 29 bytes response
*Mar 12 12:07:35.522: TPLUS(00000006)/0/488DCC54: Processing the reply packet
*Mar 12 12:07:35.522: TPLUS: Processed AV priv-lvl=2
*Mar 12 12:07:35.522: TPLUS: received authorization response for 6: PASS
*Mar 12 12:07:35.526: AAA/AUTHOR/EXEC(00000006): processing AV cmd=
*Mar 12 12:07:35.526: AAA/AUTHOR/EXEC(00000006): processing AV priv-lvl=2
*Mar 12 12:07:35.526: AAA/AUTHOR/EXEC(00000006): Authorization successful
R3#

Looks strange; the only difference is that debug line you have highlighted.

Just another check: could it be that command authorization has been turned
on for the User/Group profile on ACS and something is getting sent down and
interfering with what's going on on the console? Just a thought!

Let us know please.

Sadiq
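
To make concrete what the working debug above reports ("read entire 12 header bytes (expect 17 bytes data)" followed by "Processed AV priv-lvl=2"), here is an added Python example, not from this thread or from Cisco, that builds and decodes a TACACS+ authorization REPLY laid out per RFC 8907; the session ids, the shared key and the server message are constructed values. It also applies the RFC's MD5 body obfuscation, so the same decoder works on a captured reply once the shared key is known.

```python
import hashlib
import struct
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
TYPE_AUTHOR = 0x02
FLAG_UNENCRYPTED = 0x01
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
KEY = b"hypothetical-shared-secret"  # constructed; the real key never appears in a debug log

def obfuscate(body, session_id, version, seq_no, key):
    """RFC 8907 section 4.5: XOR the body with a chained-MD5 pad (symmetric, so it decodes too)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

def build_author_reply(session_id, seq_no, status, args, key=KEY, server_msg=b""):
    """Build a REPLY the way a TACACS+ server would: fixed fields, arg lengths, then args."""
    body = struct.pack("!BBHH", status, len(args), len(server_msg), 0)
    body += bytes(len(a) for a in args) + server_msg + b"".join(args)
    flags = 0 if key else FLAG_UNENCRYPTED
    if key:
        body = obfuscate(body, session_id, 0xC0, seq_no, key)  # 0xC0 = major 12, minor 0
    return HEADER.pack(0xC0, TYPE_AUTHOR, seq_no, flags, session_id, len(body)) + body

def parse_author_reply(packet, key=KEY):
    """Decode a REPLY; raises ValueError when the header or field lengths do not add up."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if ptype != TYPE_AUTHOR or len(body) != length:
        raise ValueError(f"not an authorization packet or body is {len(body)} bytes, header says {length}")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, version, seq_no, key)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode("ascii", "replace")
    pos += msg_len + data_len  # skip server_msg and the opaque data field
    args = []
    for n in body[6:6 + arg_cnt]:  # one length byte per attribute, e.g. 10 for "priv-lvl=2"
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos != len(body):
        raise ValueError("field lengths do not cover the body: wrong key or corrupt packet")
    return {"status": STATUS.get(status, hex(status)), "args": args, "server_msg": server_msg}

# Constructed samples: the PASS reply is 12 header + 17 body = 29 bytes, matching the debug above.
PASS_REPLY = build_author_reply(0x00000006, 2, 0x01, [b"priv-lvl=2"])
FAIL_REPLY = build_author_reply(0x00000016, 2, 0x10, [], server_msg=b"Authorization denied")
```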

On Thu, Mar 11, 2010 at 6:36 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:

> Edouard,
>
> This really looks to be that you haven't checked exec shell in ACS for
> authentication. Are you sure of it because it is upon shell request that
> it is failing.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Thursday, March 11, 2010 1:08 PM
> To: Cisco certification; security_at_groupstudy.com
> Subject: Problem with TACACS Authorization (Router - Cisco ACS)
>
> Hi,
>
> Have any of you seen this issue before? Let me tell you, I have set up
> the ACS and also the router fine so that it gets authenticated so far. The
> issue appears when I enable authorization exec on the router. I have also
> enabled it on the ACS within the "TACACS+ Settings", making sure that
> "privilege level" is checked and with a value of 15. So far so good. The
> issue appears there: as soon as I enable authorization exec I receive a
> message when I try to login:
>
> login as: ez
> Using keyboard-interactive authentication.
> Password:
> % Authorization failed
>
> When I got that message I saw that I successfully passed the authentication
> on the ACS: "03/11/2010 09:55:44 Authen OK ez ", but I am unable to access
> the router because of an "authorization failed" message. Performing some
> debugs on the IOS, I got the following when I enabled "debug aaa authorization":
>
>
> CA0272#
> Mar 11 2010 09:21:07 PST: AAA/BIND(00000015): Bind i/f
> Mar 11 2010 09:21:10 PST: AAA/AUTHOR (0x15): Pick method list 'default' - FAIL
> Mar 11 2010 09:21:10 PST: AAA/AUTHOR/EXEC(00000015): Authorization FAILED
> CA0272#
>
> And when I enable "debug tacacs authorization", I got the message :
>
> CA0272#
> Mar 11 2010 09:21:45 PST: TPLUS: Queuing AAA Authorization request 22 for processing
> Mar 11 2010 09:21:45 PST: TPLUS: processing authorization request id 22
> Mar 11 2010 09:21:45 PST: TPLUS: Protocol set to None .....Skipping
> Mar 11 2010 09:21:45 PST: TPLUS: Sending AV service=shell
> Mar 11 2010 09:21:45 PST: TPLUS: Sending AV cmd*
> Mar 11 2010 09:21:45 PST: TPLUS: Authorization request created for 22(ez)
> Mar 11 2010 09:21:45 PST: TPLUS: using previously set server 10.128.0.220 from group tacacs+
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/IDLE/840EFD84: got immediate connect on new 0
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE/840EFD84: Started 5 sec timeout
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/WRITE: wrote entire 56 bytes request
> Mar 11 2010 09:21:45 PST: TPLUS(00000016)/0/840EFD84: Processing the reply packet
> CA0272#
>
> The current device that I am using is :
>
> 0272#sh version | i IOS
> Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
>
> 0272#sh inventory
> NAME: "881", DESCR: "881 chassis, Hw Serial#: xxxxxxx, Hw Revision: 1.0"
> PID: CISCO881-SEC-K9 , VID: V01 , SN: xxxxx
> 0272#
>
> Also I have realized that sometimes it works and sometimes it does not; it
> seems to be a bug with the ACS, but I do not see on the web site any issue
> related to my problem. I am using ACS Release 4.1(1) Build 23 Patch 4.
>
> I have tested these devices without any configuration and it works fine, so
> I could think that the problem is the config on the routers, but I get
> dropped by the ACS, not by the router. I am not sure if the problem could be
> the ACS or the routers themselves. Currently they have already enabled DMVPN,
> CBAC and urlfilter with WebSense Server.
>
> Let me know your thoughts.
>
> Regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Fri Mar 12 2010 - 12:16:41 ART