
Thread: Cisco ACS Appliance 3.2.2

  1. #11
    I'm sorry, I'm not really understanding what you're saying....
    Either that or you're misunderstanding the problem...

    If what you are saying is true then it shouldn't even authenticate when I log on through VTY correct? But, instead it authenticates and then comes back and says authorization has failed and the logs on the ACS also show this...

    I have never logged on through the console port of this router... I have to do all the configs through the VTY (It's on the other side of town). Which is why once the commands requiring authorization are entered I lose my connection to the router, but (here's where the problem is) when I then go to log back into the router
    (now it requires a username and password for it to authenticate with the ACS because the following commands have been entered:
    aaa new-model
    tacacs-server host XX.X.XX.XX single-connection (The ACS is set up for single connect; I checked that already)
    tacacs-server key XxXxXxXxX
    tacacs-server timeout 20
    aaa authentication login default tacacs+ enable
    aaa authentication enable default tacacs+ enable
    aaa authorization network default tacacs+
    aaa authorization exec default tacacs+
    aaa authorization config-commands
    aaa authorization commands 15 default tacacs+)
    What happens is I enter either username and password currently set up on the ACS (bakerd and vankek, which both have an enable privilege of 15 on the NDG containing this device). It passes authentication with the ACS but fails authorization....

    I know I'm probably starting to sound repetitive, I'm sorry. I'm just frustrated, but thank you so much for the help you have provided thus far.

    -_LeeBkr_-

  2. #12
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Here's what we have:

    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host 1.2.3.4
    tacacs-server key xXxXxXxX


    The key difference is in the "if-authenticated" I think.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #13
    Correct me if I'm wrong but won't

    aaa authorization commands 15 default group tacacs+ if-authenticated

    Allow any user that authenticates to issue enable level 15 commands???
    We don't want all of our users to be able to do that... But I will try the if-authenticated command...
    I have to drive over to eagle circle though and reset the router... I forgot to issue the reload in 30 command and I called over there and no one will reload it for me....

    Thanks SirDice (will be sending worthless newbie AP your way!! lol)

    I'll let you know how it goes....
    I probably won't be going over to eagle circle till lunch though

  4. #14
    Just Another Geek
    AFAIK the commands the user is actually allowed to use are controlled on the ACS server (I cannot check that because it's controlled by another party). That way some users can only issue view commands (but need enable privs to get to those view commands) while others are allowed to make configuration changes (e.g. enable/disable ports).

  5. #15
    Ok here is what's happening now
    (Telnetted in and did the following)
    ....

    Test1#reload in 000:20
    Reload scheduled in 20 minutes
    Proceed with reload? [confirm]
    Test1#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Test1(config)#aaa new-model
    Test1(config)#tacacs-server host 10.x.xx.xx single-connection
    Test1(config)#tacacs-server key _xxxxxx_xxxxxxx_xxxx_
    Test1(config)#tacacs-server timeout 20
    Test1(config)#
    Test1(config)#aaa authentication login default
    Test1(config)#aaa authentication enable default tacacs+
    Test1(config)#
    Test1(config)#line vty 0 4
    Test1(config-line)#login authentication default
    Test1(config-line)#exit
    Test1(config)#line con 0
    Test1(config-line)#login authentication default
    Test1(config-line)#exit
    Test1(config)#
    Test1(config)#aaa authorization network default tacacs+
    Test1(config)#aaa authorization exec default tacacs+ if-authenticated
    Test1(config)#aaa authorization commands 15 default tacacs+ if-authenticated
    Test1(config)#aaa authorization config-commands
    Command authorization failed.

    Test1(config)#exit
    Test1#exit

    User Access Verification

    Username: bakerd
    Password:
    % Authorization failed.

    That's straight out of HyperTerminal
    The following is the ACS's version of what happened

    08/04/2004 16:25:11 Authen OK bakerd Global 10.x.xx.xxx tty2 10.x.xx.x
    08/04/2004 16:25:11 Author failed bakerd Global 10.x.xx.xxx .. Service denied service=shell cmd* tty2 10.x.xx.x


    I'm sorry to take so much of your time but do you see what I could be missing?
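The two things this thread turns on are how IOS walks an authorization method list and what the router actually asks the server for. The model below is an added example for this thread, not code from any of the posters or from Cisco. The mechanism it encodes is documented IOS behaviour: methods in a list are tried in order, and the next method is consulted only when the previous one returns an error (server unreachable, timeout, bad key), never when the server explicitly denies; and for EXEC/shell authorization IOS sends `service=shell` with an empty `cmd` attribute (what the ACS log above prints as `service=shell cmd*`), while per-command authorization sends `service=shell cmd=<word> cmd-arg=...`. Everything else is an assumption for illustration: the `TacacsServer`, `evaluate` and `demo` names, the shape of the per-user profiles, and the profiles themselves. The `bakerd` profile is built so that the server denies the shell service, which is the state that reproduces the `Service denied service=shell cmd*` line in the post; it is not a claim about what is or is not configured on the poster's ACS.

```python
"""Model of IOS AAA authorization against a TACACS+ server such as ACS.

Added example for this thread (not the posters' code).  The policy model
(exec flag plus a command permit list per user) is an assumption used to
show the mechanism; the method-list semantics are the documented IOS ones.
"""
import re
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # server explicitly granted
    FAIL = "FAIL"    # server explicitly denied
    ERROR = "ERROR"  # no usable answer: unreachable, timeout, key mismatch


class TacacsServer:
    """Stand-in for ACS (assumed model).  An empty 'cmd' attribute is the
    EXEC/shell authorization that ACS logs as 'service=shell cmd*'; a
    non-empty 'cmd' (plus cmd-arg values) is per-command authorization."""

    def __init__(self, users, reachable=True):
        self.users = users          # user -> {"exec": bool, "permit": [regex]}
        self.reachable = reachable

    def authorize(self, user, avpairs):
        if not self.reachable:
            return Result.ERROR     # the router sees a timeout, not a denial
        policy = self.users.get(user)
        if policy is None or avpairs.get("service") != "shell":
            return Result.FAIL
        cmd = avpairs.get("cmd", "")
        if cmd == "":               # EXEC (shell) authorization
            return Result.PASS if policy["exec"] else Result.FAIL
        full = " ".join([cmd] + avpairs.get("cmd-arg", []))
        for pattern in policy["permit"]:
            if re.fullmatch(pattern, full):
                return Result.PASS
        return Result.FAIL


def evaluate(methods, server, user, avpairs, authenticated=True):
    """IOS method-list walk: the next method is tried only after ERROR.
    An explicit FAIL ends the list, so 'if-authenticated' placed after
    'group tacacs+' is a fallback for an unreachable server, not a way
    past a denial the server actually returned."""
    for method in methods:
        if method in ("tacacs+", "group tacacs+"):
            r = server.authorize(user, avpairs)
        elif method == "if-authenticated":
            r = Result.PASS if authenticated else Result.FAIL
        elif method == "none":
            r = Result.PASS
        else:
            raise ValueError(f"unknown method {method!r}")
        if r is not Result.ERROR:
            return r
    return Result.FAIL              # every method errored: deny


# Requests as the router would send them (AV pairs, assumed dict encoding).
EXEC_REQUEST = {"service": "shell", "cmd": ""}   # logged as 'service=shell cmd*'
SHOW_RUN = {"service": "shell", "cmd": "show", "cmd-arg": ["running-config"]}
CONFIG_T = {"service": "shell", "cmd": "configure", "cmd-arg": ["terminal"]}

# Assumed profiles.  'bakerd' has no shell service, which reproduces the
# 'Service denied service=shell cmd*' log line; 'vankek' gets EXEC and a
# read-only command set.  Not a statement about the poster's real ACS.
PROFILES = {
    "bakerd": {"exec": False, "permit": []},
    "vankek": {"exec": True, "permit": [r"show .*", r"exit"]},
}

METHODS = ["group tacacs+", "if-authenticated"]


def demo():
    """Run the scenarios the thread discusses and return the decisions."""
    up = TacacsServer(PROFILES)
    down = TacacsServer(PROFILES, reachable=False)
    return {
        "bakerd exec, server up": evaluate(METHODS, up, "bakerd", EXEC_REQUEST),
        "bakerd exec, server down": evaluate(METHODS, down, "bakerd", EXEC_REQUEST),
        "vankek exec": evaluate(METHODS, up, "vankek", EXEC_REQUEST),
        "vankek show run": evaluate(METHODS, up, "vankek", SHOW_RUN),
        "vankek config t": evaluate(METHODS, up, "vankek", CONFIG_T),
        "vankek config t, server down": evaluate(METHODS, down, "vankek", CONFIG_T),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} -> {result.value}")
```

Two results are the ones worth keeping in mind when reading the posts above. First, with the server reachable, `bakerd`'s EXEC request is denied whether or not `if-authenticated` follows `group tacacs+`, because a server FAIL ends the list; adding `if-authenticated` does not change an explicit denial. Second, with the server unreachable every authenticated user passes every check, including `configure terminal`, which is the trade-off that keyword buys: it keeps you from being locked out of a remote router when the ACS is down, at the price of full access for anyone who can still authenticate by the remaining methods. The `reload in` timer used in the last post is the complementary safety net for the case where the new AAA lines themselves cut you off.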
