Unable to login directly at privilege level 15


Kostas Zorbadelos

May 4, 2012, 8:33:33 AM5/4/12
to event-driv...@googlegroups.com

Hi all,

as a tacacs+ client I have a Cisco 887 with IOS version 15.1(4)m3
[advanced ip services]. The client has the following config

aaa group server tacacs+ mygroup
 server <server IP>

aaa authentication login vty group mygroup local
aaa authentication enable default group mygroup enable
aaa authorization exec vty group mygroup local
aaa authorization commands 1 vty group mygroup local
aaa authorization commands 15 vty group mygroup local
aaa accounting exec vty start-stop group mygroup
aaa accounting commands 1 vty start-stop group mygroup
aaa accounting commands 15 vty start-stop group mygroup

tacacs-server host <server IP> key XXXXX

line vty 0 4
 authorization commands 1 vty
 authorization commands 15 vty
 authorization exec vty
 accounting commands 1 vty
 accounting commands 15 vty
 accounting exec vty
 login authentication vty

On the tacacs+ server I have

tac_plus.cfg
group = level15 {
    default service = permit
    enable = login
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}

user = cisco {
    # password = clear cisco
    login = clear cisco
    member = level15
}

When I authenticate as cisco user, I do not get enable prompt by
default. I have to issue the 'en' command and give the user's
password. In other network elements, using Cisco ACS, we get directly an
enable prompt.

What am I missing? Can I have the desired functionality?
Any hints are highly welcome :)

Regards,

Kostas

--
Kostas Zorbadelos
twitter:@kzorbadelos http://gr.linkedin.com/in/kzorba
----------------------------------------------------------------------------
() www.asciiribbon.org - against HTML e-mail & proprietary attachments
/\

Marc Huber

May 6, 2012, 9:48:13 AM5/6/12
to event-driv...@googlegroups.com, kzo...@otenet.gr
Hi,

no hints from
 
 debug aaa authorization

on the router ?

Cheers,

Marc

Kostas Zorbadelos

May 7, 2012, 7:57:38 AM5/7/12
to Marc Huber, event-driv...@googlegroups.com
Marc Huber <marc.j...@googlemail.com> writes:
>
> Hi,
>
> no hints from
>
> debug aaa authorization
>
> on the router ?
>
> Cheers,
>
> Marc
>

Thanks for the hint Marc,

It seems we bumped into buggy IOS behavior. We fixed the issue, and just
for future list reference here are the tests conducted by a colleague.

It looks like we ran across some buggy behavior on the specific image
(c880data-universalk9-mz.151-4.M3.bin).

Test 1
------

config:
aaa authorization exec vty group opap local
line vty 0 4
authorization exec vty

result:
May 7 08:26:50.334: AAA/AUTHOR (00000045): Method list id=29000002
not configured. Skip author

comment:
IOS cannot recognise the configured "vty" method.


Test 2
------

config:
aaa authorization exec vty group opap local
! we add default method
aaa authorization exec default group opap local
line vty 0 4
! authorization method removed to test default method

result:
May 7 08:33:26.910: AAA/AUTHOR (0x46): Pick method list 'default'
May 7 08:33:26.950: AAA/AUTHOR/EXEC(00000046): processing AV cmd=
May 7 08:33:26.950: AAA/AUTHOR/EXEC(00000046): processing AV priv-lvl=15
May 7 08:33:26.950: AAA/AUTHOR/EXEC(00000046): Authorization successful

comment:
Default method is used as expected. Privilege 15 is applied and we get
a # prompt.


Test 3
------

config:
aaa authorization exec vty group opap local
aaa authorization exec default group opap local
line vty 0 4
! we apply "vty" method again
authorization exec vty

result:
May 7 08:34:18.286: AAA/AUTHOR (0x47): Pick method list 'vty'
May 7 08:34:18.322: AAA/AUTHOR/EXEC(00000047): processing AV cmd=
May 7 08:34:18.322: AAA/AUTHOR/EXEC(00000047): processing AV priv-lvl=15
May 7 08:34:18.322: AAA/AUTHOR/EXEC(00000047): Authorization successful

comment:
IOS now correctly applies "vty" method (!)


Test 4
------

config:
aaa authorization exec vty group opap local
! we remove default method
line vty 0 4
authorization exec vty

result:
May 7 08:35:48.530: AAA/AUTHOR (0x48): Pick method list 'vty'
May 7 08:35:48.558: AAA/AUTHOR/EXEC(00000048): processing AV cmd=
May 7 08:35:48.558: AAA/AUTHOR/EXEC(00000048): processing AV priv-lvl=15
May 7 08:35:48.558: AAA/AUTHOR/EXEC(00000048): Authorization successful

comment:
Black abyss of IOS. The bloody thing works with the initial
config. Confirmed working after reload too.
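The four tests above are easiest to read back if the `debug aaa authorization` lines are grouped per session and reduced to a one-line verdict: was a method list resolved at all, which one was picked, and did the server's shell service actually return priv-lvl=15. The following Python script is an added example for this thread, not code from tac_plus or from Cisco; its regular expressions, the `ExecAuthor` record and the verdict wording are my assumptions based only on the 15.1(4)M3 debug lines quoted in the posts, and the embedded sample is those same lines (Tests 1 to 3) with the wrapped "Skip author" message rejoined onto one line.

```python
"""Triage 'debug aaa authorization' output to explain why a TACACS+ user does
or does not land at privilege 15 after exec authorization.

Added example for this thread, not code from tac_plus or Cisco. The regexes
and the verdict wording are assumptions based on the IOS 15.1(4)M3 debug
lines quoted in the posts; other releases may format the lines differently.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# IOS prints the session id either zero-padded ("(00000046)") or as "0x46".
SID = r"\((?P<sid>0x[0-9A-Fa-f]+|[0-9A-Fa-f]+)\)"

RE_SKIP = re.compile(r"AAA/AUTHOR " + SID +
                     r": Method list id=(?P<mlid>\S+) not configured\. Skip author")
RE_PICK = re.compile(r"AAA/AUTHOR " + SID + r": Pick method list '(?P<ml>[^']+)'")
RE_AV = re.compile(r"AAA/AUTHOR/EXEC" + SID + r": processing AV (?P<key>[^=]+)=(?P<val>.*)$")
RE_RESULT = re.compile(r"AAA/AUTHOR/EXEC" + SID + r": Authorization (?P<res>\w+)")

# Constructed sample: the debug lines from Tests 1-3 above, with the
# line-wrapped "Skip author" message rejoined onto one line.
SAMPLE_DEBUG = """\
May 7 08:26:50.334: AAA/AUTHOR (00000045): Method list id=29000002 not configured. Skip author
May 7 08:33:26.910: AAA/AUTHOR (0x46): Pick method list 'default'
May 7 08:33:26.950: AAA/AUTHOR/EXEC(00000046): processing AV cmd=
May 7 08:33:26.950: AAA/AUTHOR/EXEC(00000046): processing AV priv-lvl=15
May 7 08:33:26.950: AAA/AUTHOR/EXEC(00000046): Authorization successful
May 7 08:34:18.286: AAA/AUTHOR (0x47): Pick method list 'vty'
May 7 08:34:18.322: AAA/AUTHOR/EXEC(00000047): processing AV cmd=
May 7 08:34:18.322: AAA/AUTHOR/EXEC(00000047): processing AV priv-lvl=15
May 7 08:34:18.322: AAA/AUTHOR/EXEC(00000047): Authorization successful
"""


@dataclass
class ExecAuthor:
    """Everything the debug says about one exec-authorization attempt."""
    sid: int
    method_list: Optional[str] = None   # list IOS picked, e.g. 'vty' or 'default'
    skipped_mlid: Optional[str] = None  # set when IOS could not resolve the list
    avpairs: Dict[str, str] = field(default_factory=dict)
    result: Optional[str] = None


def parse_author_debug(text: str) -> Dict[int, ExecAuthor]:
    """Group the debug lines by session id (both id styles are hex)."""
    sessions: Dict[int, ExecAuthor] = {}

    def session(sid_text: str) -> ExecAuthor:
        sid = int(sid_text, 16)
        return sessions.setdefault(sid, ExecAuthor(sid))

    for line in text.splitlines():
        m = RE_SKIP.search(line)
        if m:
            session(m["sid"]).skipped_mlid = m["mlid"]
            continue
        m = RE_PICK.search(line)
        if m:
            session(m["sid"]).method_list = m["ml"]
            continue
        m = RE_AV.search(line)
        if m:
            session(m["sid"]).avpairs[m["key"].strip()] = m["val"].strip()
            continue
        m = RE_RESULT.search(line)
        if m:
            session(m["sid"]).result = m["res"].lower()
    return sessions


def verdict(s: ExecAuthor) -> str:
    """Explain the prompt the user will see for one session."""
    if s.skipped_mlid is not None:
        return (f"method list id={s.skipped_mlid} not resolved, exec authorization "
                f"skipped: no priv-lvl applied, user lands at the > prompt")
    if s.result != "successful":
        return f"exec authorization {s.result!r} via method list {s.method_list!r}"
    lvl = s.avpairs.get("priv-lvl")
    if lvl == "15":
        return f"priv-lvl=15 applied via method list {s.method_list!r}: # prompt"
    if lvl is None:
        return (f"authorized via {s.method_list!r} but the server sent no priv-lvl: "
                f"check 'set priv-lvl' under service = shell")
    return f"authorized via {s.method_list!r} with priv-lvl={lvl}"


def triage(text: str) -> Dict[int, str]:
    """Map each session id in the debug output to a one-line verdict."""
    return {sid: verdict(s) for sid, s in sorted(parse_author_debug(text).items())}


if __name__ == "__main__":
    for sid, why in triage(SAMPLE_DEBUG).items():
        print(f"session 0x{sid:x}: {why}")
```

Feed it a pasted `debug aaa authorization` capture instead of `SAMPLE_DEBUG` and the three cases in the thread separate cleanly: Test 1 reports the unresolved method list (the user stays at the `>` prompt without any server involvement), while Tests 2 and 3 both show priv-lvl=15 being applied, differing only in whether `default` or `vty` was picked. The "no priv-lvl" branch covers the other common cause of the symptom in the first post, a tac_plus shell service that permits the session but never sets the level.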