tacacs doesn't work with IOS 12.2


Patrick Ong

May 11, 2015, 4:40:56 AM
to event-driv...@googlegroups.com
Created a non-mavis user account - patrick2 - to log in to a box with IOS 12.2; got authorization failed at the login prompt (hmm..).
But no such issue on 12.4.

<here 12.2>

Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 18:15 by nachen
Image text-base: 0x00003000, data-base: 0x01100000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEE4, RELEASE SOFTWARE (fc1)

...
<on 12.2 radius server is turned on by default. aaa does not refer to it>

radius-server source-ports 1645-1646


<authorization failed at prompt>

User Access Verification

Username: patrick2
Password:
% Authorization failed.
Connection closed by foreign host.


May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: Start authorization request
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: cfg_get: checking user/group patrick2, tag (NULL)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: cfg_get: checking user/group eng_provision, tag (NULL)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: cfg_get: checking user/group patrick2, tag (NULL)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: cfg_get: checking user/group eng_provision, tag (NULL)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: user 'patrick2' found
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: cfg_get: checking user/group patrick2, tag (NULL)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: patr...@10.0.254.251: not found: svcname=shell@world protocol=
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: patr...@10.0.254.251: not found: svcname=shell@world protocol=
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: patr...@10.0.254.251: not found: svcname=shell protocol=
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: cfg_get: checking user/group eng_provision, tag (NULL)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: patr...@10.0.254.251: not found: svcname=shell@world protocol=
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: patr...@10.0.254.251: not found: svcname=shell@world protocol=
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: patr...@10.0.254.251: found: svcname=shell protocol=
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: nas:service=shell (passed thru)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: nas:cmd* (passed thru)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: nas:absent srv:shell:roles="network-admin vsan-admin" -> add shell:roles="network-admin vsan-admin" (k)
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: added 1 args
May 11 15:14:27 mudskipper tac_plus[29977]: 5/370a88bd: Writing AUTHOR/PASS_ADD size=57

<end here>

Patrick Ong

May 11, 2015, 5:19:07 AM
to event-driv...@googlegroups.com

Patrick Ong

May 11, 2015, 5:21:39 AM
to event-driv...@googlegroups.com
May 11 17:19:59.056 SGT: AAA/AUTHEN/CONT (628960053): continue_login (user='patrick2')
May 11 17:19:59.056 SGT: AAA/AUTHEN (628960053): status = GETPASS
May 11 17:19:59.056 SGT: AAA/AUTHEN (628960053): Method=tacacs+ (tacacs+)
May 11 17:19:59.056 SGT: TAC+: send AUTHEN/CONT packet id=628960053
May 11 17:19:59.257 SGT: TAC+: ver=192 id=628960053 received AUTHEN status = PASS
May 11 17:19:59.257 SGT: AAA/AUTHEN (628960053): status = PASS
May 11 17:19:59.257 SGT: tty2 AAA/AUTHOR/EXEC (3185597292): Port='tty2' list='' service=EXEC
May 11 17:19:59.257 SGT: AAA/AUTHOR/EXEC: tty2 (3185597292) user='patrick2'
May 11 17:19:59.257 SGT: tty2 AAA/AUTHOR/EXEC (3185597292): send AV service=shell
May 11 17:19:59.257 SGT: tty2 AAA/AUTHOR/EXEC (3185597292): send AV cmd*
May 11 17:19:59.257 SGT: tty2 AAA/AUTHOR/EXEC (3185597292): found list "default"
May 11 17:19:59.257 SGT: tty2 AAA/AUTHOR/EXEC (3185597292): Method=tacacs+ (tacacs+)
May 11 17:19:59.257 SGT: AAA/AUTHOR/TAC+: (3185597292): user=patrick2
May 11 17:19:59.257 SGT: AAA/AUTHOR/TAC+: (3185597292): send AV service=shell
May 11 17:19:59.257 SGT: AAA/AUTHOR/TAC+: (3185597292): send AV cmd*
May 11 17:19:59.458 SGT: TAC+: (3185597292): received author response status = PASS_ADD
May 11 17:19:59.458 SGT: AAA/AUTHOR (3185597292): Post authorization status = PASS_ADD
May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: Processing AV service=shell
May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: Processing AV cmd*
May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: Processing AV shell:roles="network-admin vsan-admin"
May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:roles="network-admin vsan-admin"
May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: Authorization FAILED
May 11 17:20:01.463 SGT: AAA/MEMORY: free_user (0x1E0D7A0) user='patrick2' ruser='NULL' port='tty2' rem_addr='10.0.254.237' authen_type=ASCII service=LOGIN priv=1

Patrick Ong

May 11, 2015, 5:26:23 AM
to event-driv...@googlegroups.com
Removed srv:shell:roles="network-admin vsan-admin" and able to log in ..... errrr.r.r.r.r.



May 11 17:23:23.657 SGT: AAA/MEMORY: free_user (0x289E1B4) user='patrick2' ruser='NULL' port='tty2' rem_addr='10.0.254.237' authen_type=ASCII service=LOGIN priv=1
May 11 17:24:53.290 SGT: AAA: parse name=tty2 idb type=-1 tty=-1
May 11 17:24:53.290 SGT: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
May 11 17:24:53.290 SGT: AAA/MEMORY: create_user (0x289E1B4) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.0.254.237' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
May 11 17:24:53.290 SGT: AAA/AUTHEN/START (1331315096): port='tty2' list='' action=LOGIN service=LOGIN
May 11 17:24:53.290 SGT: AAA/AUTHEN/START (1331315096): using "default" list
May 11 17:24:53.290 SGT: AAA/AUTHEN/START (1331315096): Method=tacacs+ (tacacs+)
May 11 17:24:53.290 SGT: TAC+: send AUTHEN/START packet ver=192 id=1331315096
May 11 17:24:53.592 SGT: TAC+: ver=192 id=1331315096 received AUTHEN status = GETUSER
May 11 17:24:53.592 SGT: AAA/AUTHEN (1331315096): status = GETUSER
May 11 17:24:55.178 SGT: AAA/AUTHEN/CONT (1331315096): continue_login (user='(undef)')
May 11 17:24:55.178 SGT: AAA/AUTHEN (1331315096): status = GETUSER
May 11 17:24:55.178 SGT: AAA/AUTHEN (1331315096): Method=tacacs+ (tacacs+)
May 11 17:24:55.178 SGT: TAC+: send AUTHEN/CONT packet id=1331315096
May 11 17:24:55.379 SGT: TAC+: ver=192 id=1331315096 received AUTHEN status = GETPASS
May 11 17:24:55.379 SGT: AAA/AUTHEN (1331315096): status = GETPASS
May 11 17:24:57.711 SGT: AAA/AUTHEN/CONT (1331315096): continue_login (user='patrick2')
May 11 17:24:57.711 SGT: AAA/AUTHEN (1331315096): status = GETPASS
May 11 17:24:57.711 SGT: AAA/AUTHEN (1331315096): Method=tacacs+ (tacacs+)
May 11 17:24:57.711 SGT: TAC+: send AUTHEN/CONT packet id=1331315096
May 11 17:24:57.912 SGT: TAC+: ver=192 id=1331315096 received AUTHEN status = PASS
May 11 17:24:57.912 SGT: AAA/AUTHEN (1331315096): status = PASS
May 11 17:24:57.912 SGT: tty2 AAA/AUTHOR/EXEC (538400253): Port='tty2' list='' service=EXEC
May 11 17:24:57.912 SGT: AAA/AUTHOR/EXEC: tty2 (538400253) user='patrick2'
May 11 17:24:57.912 SGT: tty2 AAA/AUTHOR/EXEC (538400253): send AV service=shell
May 11 17:24:57.912 SGT: tty2 AAA/AUTHOR/EXEC (538400253): send AV cmd*
May 11 17:24:57.912 SGT: tty2 AAA/AUTHOR/EXEC (538400253): found list "default"
May 11 17:24:57.912 SGT: tty2 AAA/AUTHOR/EXEC (538400253): Method=tacacs+ (tacacs+)
May 11 17:24:57.912 SGT: AAA/AUTHOR/TAC+: (538400253): user=patrick2
May 11 17:24:57.912 SGT: AAA/AUTHOR/TAC+: (538400253): send AV service=shell
May 11 17:24:57.912 SGT: AAA/AUTHOR/TAC+: (538400253): send AV cmd*
May 11 17:24:58.114 SGT: TAC+: (538400253): received author response status = PASS_ADD
May 11 17:24:58.114 SGT: AAA/AUTHOR (538400253): Post authorization status = PASS_ADD
May 11 17:24:58.114 SGT: AAA/AUTHOR/EXEC: Authorization successful
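
Why the 12.2 login failed, as an added example that is not part of the original posts: a TACACS+ client must fail authorization when the reply carries a mandatory AV pair (`=` separator) it does not understand, while an optional pair (`*` separator) may be ignored. The `KNOWN_ATTRS` set and the optional-form reply are assumptions constructed for illustration; the mandatory reply and the debug lines are taken from the thread.

```python
import re

# Attributes this hypothetical client understands (assumption for the example;
# the 12.2 switch in the thread does not recognise "shell:roles").
KNOWN_ATTRS = {"service", "cmd", "priv-lvl", "idletime", "timeout", "acl", "autocmd"}

def parse_av(av):
    """Split an AV pair at its first separator: '=' is mandatory, '*' is optional."""
    m = re.match(r"([^=*]+)([=*])(.*)\Z", av, re.S)
    if not m:
        raise ValueError(f"malformed AV pair: {av!r}")
    name, sep, value = m.groups()
    return name, sep == "=", value

def evaluate_reply(avs, known=KNOWN_ATTRS):
    """Return (ok, rejected); ok is False if any unknown AV is mandatory."""
    rejected = []
    for av in avs:
        name, mandatory, _ = parse_av(av)
        if mandatory and name not in known:
            rejected.append(av)      # client cannot honour it: authorization fails
    return (not rejected, rejected)  # unknown optional AVs are silently ignored

UNKNOWN_AV = re.compile(r"AAA/AUTHOR/EXEC: received unknown mandatory AV: (.+)$")

def unknown_avs_in_debug(lines):
    """Extract the offending AV pairs from IOS AAA authorization debug output."""
    return [m.group(1) for line in lines if (m := UNKNOWN_AV.search(line))]

# AV pairs the switch processed after PASS_ADD, as logged in the thread.
REPLY_MANDATORY = ["service=shell", "cmd*", 'shell:roles="network-admin vsan-admin"']
# Constructed variant: same attribute sent with the optional separator.
REPLY_OPTIONAL = ["service=shell", "cmd*", 'shell:roles*"network-admin vsan-admin"']

# Two debug lines copied from the thread.
DEBUG_SAMPLE = [
    'May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: received unknown mandatory AV: '
    'shell:roles="network-admin vsan-admin"',
    "May 11 17:19:59.458 SGT: AAA/AUTHOR/EXEC: Authorization FAILED",
]

if __name__ == "__main__":
    print("mandatory:", evaluate_reply(REPLY_MANDATORY))
    print("optional: ", evaluate_reply(REPLY_OPTIONAL))
    print("from debug:", unknown_avs_in_debug(DEBUG_SAMPLE))
```
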
