On Apr 21, 6:28 am, Marc Huber <marc.j.hu...@googlemail.com> wrote:
> Hi Nicu,
>
> there are several things you could try:
>
> A) Enable aaa debugging on the switch.
>
> B) Run tac_plus with debug = PACKET AUTHOR
>
> C) Check whether both
>
> printf "0 TACPLUS\n4 yourusername\n49 AUTHOR\n=\n" | mavis_tacplus_passwd.pl
>
> and
>
> printf "0 TACPLUS\n4 yourusername\n8 yourpassword\n49 AUTH\n=\n" | mavis_tacplus_passwd.pl
>
> return the group list you'd expect
>
> Cheers,
>
> Marc
>
Hi Marc,
A) Not much help here; when authorization fails there's no way I can
see what happens. I guess I'll have to tell the Cisco switch to log debug
messages to a syslog server, which I couldn't do for the moment.
C) Everything seems to be normal:
*******************************
[root@wszen01 mavis]# printf "0 TACPLUS\n4 ilien\n49 AUTHOR\n=\n" | ./mavis_tacplus_passwd.pl
0 TACPLUS
4 ilien
6 ACK
47 ilien,wheel,telecom-admin
49 AUTHOR
=0
[root@wszen01 mavis]# printf "0 TACPLUS\n4 ilien\n8 MyPassw\n49 AUTH\n=\n" | ./mavis_tacplus_passwd.pl
0 TACPLUS
4 ilien
6 ACK
8 MyPassw
36 MyPassw
47 ilien,wheel,telecom-admin
49 AUTH
=0
*******************************
B) Here's a snippet of the log file with the options you suggested. I
trimmed it right to the point where authorization stops; everything
before that works but not after:
*********************************
7/66216bc0: New session
7/c06b2166: ---<start packet>---
7/c06b2166: key used: ******
7/c06b2166: version: 192, type: 2, seq no: 1, flags: unencrypted
7/c06b2166: session id: c06b2166 data length: 101
7/c06b2166: AUTHOR priv_lvl=1 authen=1 method=none (1) svc=0
7/c06b2166: user_len=5 port_len=4 rem_addr_len=14 arg_cnt=5
7/c06b2166: user (len: 5): ilien
7/c06b2166: 0000 69 6c 69 65 6e                                   ilien
7/c06b2166: port (len: 4): tty1
7/c06b2166: 0000 74 74 79 31                                      tty1
7/c06b2166: rem_addr (len: 14): 10.154.151.187
7/c06b2166: 0000 31 30 2e 31 35 34 2e 31 35 31 2e 31 38 37        10.154.1 51.187
7/c06b2166: arg[0] (len: 13): service=shell
7/c06b2166: 0000 73 65 72 76 69 63 65 3d 73 68 65 6c 6c           service= shell
7/c06b2166: arg[1] (len: 8): cmd=show
7/c06b2166: 0000 63 6d 64 3d 73 68 6f 77                          cmd=show
7/c06b2166: arg[2] (len: 18): cmd-arg=interfaces
7/c06b2166: 0000 63 6d 64 2d 61 72 67 3d 69 6e 74 65 72 66 61 63  cmd-arg= interfac
7/c06b2166: 0010 65 73                                            es
7/c06b2166: arg[3] (len: 14): cmd-arg=status
7/c06b2166: 0000 63 6d 64 2d 61 72 67 3d 73 74 61 74 75 73        cmd-arg= status
7/c06b2166: arg[4] (len: 12): cmd-arg=<cr>
7/c06b2166: 0000 63 6d 64 2d 61 72 67 3d 3c 63 72 3e              cmd-arg= <cr>
7/c06b2166: ---<end packet>---
7/66216bc0: Start authorization request
7/66216bc0: cfg_get: checking user/group ilien, tag (NULL)
7/66216bc0: cfg_get: checking user/group telecom-admin, tag (NULL)
7/66216bc0: cfg_get: checking user/group ilien, tag (NULL)
7/66216bc0: cfg_get: checking user/group telecom-admin, tag (NULL)
7/66216bc0: user 'ilien' found
7/66216bc0: cfg_get: checking user/group ilien, tag (NULL)
7/66216bc0: il...@10.154.160.132: not found: svcname=shell@wada-rsw cmd=show
7/66216bc0: il...@10.154.160.132: not found: svcname=shell cmd=show
7/66216bc0: cfg_get: checking user/group telecom-admin, tag (NULL)
7/66216bc0: il...@10.154.160.132: not found: svcname=shell@wada-rsw cmd=show
7/66216bc0: il...@10.154.160.132: found: svcname=shell cmd=show
7/66216bc0: il...@10.154.160.132: show: default is permit
7/66216bc0: Writing AUTHOR/PASS_ADD size=18
8/5bc94a9d: New session
8/9d4ac95b: ---<start packet>---
8/9d4ac95b: key used: ******
8/9d4ac95b: version: 192, type: 2, seq no: 1, flags: unencrypted
8/9d4ac95b: session id: 9d4ac95b data length: 89
8/9d4ac95b: AUTHOR priv_lvl=15 authen=1 method=none (1) svc=0
8/9d4ac95b: user_len=5 port_len=4 rem_addr_len=14 arg_cnt=4
8/9d4ac95b: user (len: 5): ilien
8/9d4ac95b: 0000 69 6c 69 65 6e                                   ilien
8/9d4ac95b: port (len: 4): tty1
8/9d4ac95b: 0000 74 74 79 31                                      tty1
8/9d4ac95b: rem_addr (len: 14): 10.154.151.187
8/9d4ac95b: 0000 31 30 2e 31 35 34 2e 31 35 31 2e 31 38 37        10.154.1 51.187
8/9d4ac95b: arg[0] (len: 13): service=shell
8/9d4ac95b: 0000 73 65 72 76 69 63 65 3d 73 68 65 6c 6c           service= shell
8/9d4ac95b: arg[1] (len: 13): cmd=configure
8/9d4ac95b: 0000 63 6d 64 3d 63 6f 6e 66 69 67 75 72 65           cmd=conf igure
8/9d4ac95b: arg[2] (len: 16): cmd-arg=terminal
8/9d4ac95b: 0000 63 6d 64 2d 61 72 67 3d 74 65 72 6d 69 6e 61 6c  cmd-arg= terminal
8/9d4ac95b: arg[3] (len: 12): cmd-arg=<cr>
8/9d4ac95b: 0000 63 6d 64 2d 61 72 67 3d 3c 63 72 3e              cmd-arg= <cr>
8/9d4ac95b: ---<end packet>---
8/5bc94a9d: Start authorization request
8/5bc94a9d: user 'ilien' not found, denied by default
8/5bc94a9d: Writing AUTHOR/FAIL size=18
*********************************
As you can see, the last authorization request is different from the
first one. It takes about 2 to 3 minutes for authorization to stop, and
if I kill the ssh session and get back in, I can work again for about
the same amount of time.
Thanks a lot,
Nicu
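A small parser for the tac_plus debug output quoted in this thread, added here as an example; it is not code from tac_plus or from either poster. It groups the `debug = PACKET AUTHOR` lines by session, rebuilds the command the switch asked about from the `cmd=` / `cmd-arg=` pairs, and separates the two kinds of FAIL a reader of such a log has to tell apart: a deny produced by the command policy versus a FAIL that follows "user ... not found, denied by default" for a user who was found minutes earlier, which means the user lookup itself changed. The sample log is a constructed abbreviation of the log in the post (hex dumps and banners dropped). One assumption is taken from the ids visible in the log rather than from documentation: the packet lines and the request lines of one session carry the same session id in opposite byte order (c06b2166 / 66216bc0, 9d4ac95b / 5bc94a9d), so the parser folds both forms onto one key.

```python
"""Group tac_plus 'debug = PACKET AUTHOR' output by session and compare outcomes.

Added example for this thread; not code from tac_plus or from the posters.
Assumption (from the ids visible in the log): the '<fd>/<id>: ' prefix carries
the TACACS+ session id in one byte order on packet lines (c06b2166) and in the
opposite byte order on request lines (66216bc0), so both fold onto one key.
"""
import re

# Constructed sample: abbreviated from the log in the post, hex dumps dropped.
SAMPLE_LOG = """\
7/c06b2166: AUTHOR priv_lvl=1 authen=1 method=none (1) svc=0
7/c06b2166: user (len: 5): ilien
7/c06b2166: arg[0] (len: 13): service=shell
7/c06b2166: arg[1] (len: 8): cmd=show
7/c06b2166: arg[2] (len: 18): cmd-arg=interfaces
7/c06b2166: arg[3] (len: 14): cmd-arg=status
7/c06b2166: arg[4] (len: 12): cmd-arg=<cr>
7/66216bc0: user 'ilien' found
7/66216bc0: Writing AUTHOR/PASS_ADD size=18
8/9d4ac95b: AUTHOR priv_lvl=15 authen=1 method=none (1) svc=0
8/9d4ac95b: user (len: 5): ilien
8/9d4ac95b: arg[0] (len: 13): service=shell
8/9d4ac95b: arg[1] (len: 13): cmd=configure
8/9d4ac95b: arg[2] (len: 16): cmd-arg=terminal
8/9d4ac95b: arg[3] (len: 12): cmd-arg=<cr>
8/5bc94a9d: user 'ilien' not found, denied by default
8/5bc94a9d: Writing AUTHOR/FAIL size=18
"""

LINE_RE = re.compile(r"^(?P<fd>\d+)/(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$")
HDR_RE = re.compile(r"^AUTHOR priv_lvl=(?P<priv>\d+) authen=\d+ method=\S+")
USER_RE = re.compile(r"^user \(len: \d+\): (?P<user>\S+)$")
ARG_RE = re.compile(r"^arg\[\d+\] \(len: \d+\): (?P<av>.+)$")
RESULT_RE = re.compile(r"^Writing AUTHOR/(?P<result>\w+)")


def canonical_sid(sid):
    """Fold a session id and its byte-reversed form onto the same key."""
    swapped = "".join(reversed([sid[i:i + 2] for i in range(0, 8, 2)]))
    return min(sid, swapped)


def parse_sessions(text):
    """Return {(fd, sid): record} in order of first appearance."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hex-dump continuation lines, banners, etc.
        key = (m.group("fd"), canonical_sid(m.group("sid")))
        rec = sessions.setdefault(key, {"user": None, "priv_lvl": None, "args": [],
                                         "result": None, "denied_by_default": False})
        msg = m.group("msg")
        if (h := HDR_RE.match(msg)):
            rec["priv_lvl"] = int(h.group("priv"))
        elif (u := USER_RE.match(msg)):
            rec["user"] = u.group("user")
        elif (a := ARG_RE.match(msg)):
            rec["args"].append(a.group("av"))
        elif (r := RESULT_RE.match(msg)):
            rec["result"] = r.group("result")
        elif "not found, denied by default" in msg:
            rec["denied_by_default"] = True
    return sessions


def command_of(rec):
    """Rebuild the command line from the cmd= and cmd-arg= pairs, dropping <cr>."""
    words = [av.split("=", 1)[1] for av in rec["args"] if av.startswith(("cmd=", "cmd-arg="))]
    return " ".join(w for w in words if w != "<cr>")


def lookup_flips(sessions):
    """Users found in an earlier session and later 'not found, denied by default'.

    A plain FAIL can be policy (the command hit a deny); a FAIL preceded by
    'user ... not found' for a user found earlier means the lookup changed.
    """
    found, flips = {}, []
    for rec in sessions.values():
        user = rec["user"]
        if user is None:
            continue
        if rec["denied_by_default"] and user in found:
            prev = found[user]
            flips.append({"user": user, "earlier_cmd": command_of(prev),
                          "earlier_result": prev["result"], "later_cmd": command_of(rec),
                          "later_priv_lvl": rec["priv_lvl"], "later_result": rec["result"]})
        elif rec["result"] is not None and not rec["denied_by_default"]:
            found[user] = rec
    return flips


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for (fd, sid), rec in sess.items():
        print(f"{fd}/{sid} {rec['user']} priv={rec['priv_lvl']} "
              f"cmd={command_of(rec)!r} -> {rec['result']}")
    for flip in lookup_flips(sess):
        print("lookup flip:", flip)
```

Run against a full capture (`python3 thisfile.py < debug.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the flip report lists the user, the last command that was authorized while the user record was still found, and the command and privilege level at which the record went missing; that is the pair of sessions worth lining up against the time elapsed since login when, as in this thread, a working session stops being authorized after a fixed interval.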