01-13-2016 02:31 AM - edited 03-10-2019 11:23 PM
Hi,
We are using ACS 5.7 in our environment, I need to add a router for authentication and authorization in this ACS.
When I added the device, it is getting authenticated and going to "User Exec" mode, not to "PRIVILEGED" mode. Please let me know how we can do this; the device needs to be authenticated and go to privileged mode.
Thanks,
Rajkumar
01-13-2016 09:25 AM
Hi Raj,
With RADIUS we actually push the RADIUS-IETF attribute Service-Type (6) with the value Administrative. Please check the screenshot:
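What that attribute looks like on the wire, as an added example that is not ACS code or part of this thread: a RADIUS Access-Accept carrying Service-Type = Administrative-User (6), together with the Cisco VSA form `shell:priv-lvl=15`, plus the Response Authenticator check a NAS performs before trusting either. The identifier, Request Authenticator and shared secret are constructed values.

```python
import hashlib
import struct

# Added example (not ACS code): build a RADIUS Access-Accept carrying
# Service-Type = Administrative-User (6), the attribute the answer above says
# ACS pushes, plus the Cisco VSA "shell:priv-lvl=15" that IOS also honours.
# Identifier, Request Authenticator and shared secret are constructed values.
ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE, CISCO_VENDOR_ID, CISCO_AVPAIR = 6, 9, 1

def attr(atype, value):
    """RFC 2865 TLV: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_access_accept(ident, request_auth, secret):
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    attrs += cisco_avpair("shell:priv-lvl=15")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_access_accept(pkt, request_auth, secret):
    """Check the Response Authenticator the way the NAS does, then pull out
    the attributes that decide the privilege level."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    if pkt[4:20] != hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest():
        raise ValueError("bad Response Authenticator: wrong shared secret or altered reply")
    out = {"code": code, "id": ident, "cisco_avpair": []}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        val = attrs[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE:
            out["service_type"] = struct.unpack("!I", val)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            # vendor-length (val[5]) covers vendor-type, vendor-length and the string
            out["cisco_avpair"].append(val[6:4 + val[5]].decode())
        pos += alen
    return out

def grants_priv15(parsed):
    return (parsed.get("service_type") == SERVICE_TYPE_ADMINISTRATIVE
            or "shell:priv-lvl=15" in parsed["cisco_avpair"])
```

A reply whose authenticator does not verify under the configured shared secret is dropped by the NAS, which is why a wrong secret shows up as a RADIUS timeout rather than a rejected login.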
01-13-2016 04:40 AM
Rajkumar,
You need to add exec authorization to the router, something like this:
aaa authorization exec default group tacacs+ local
Then configure a shell profile on ACS that will grant privilege level 15, and an authorization policy that will use that shell profile.
Javier Henderson
Cisco Systems
01-13-2016 05:23 AM
Hi Javier,
The switch doesn't use TACACS+, it uses RADIUS.
How can we configure ACS for RADIUS devices?
Thanks,
Rajkumar.
01-13-2016 05:37 AM
The same principle applies:
aaa authorization exec default group radius local
Then on ACS define a network authorization profile to grant privilege level 15, and tie it to an authorization rule for RADIUS.
01-13-2016 05:46 AM
Thanks Javier, I looked at the switch side; everything looks fine there.
I am in ACS: Network Access -> Authorization Profiles -> Create Profile.
Then I should need to add something in the RADIUS attributes to get privilege 15.
Basically, how can I create a profile with privilege 15?
Thanks,
Rajkumar
01-13-2016 01:45 PM
Thanks Jatin, It works :)
I have another query, could you please help to get this sort out.
How can I apply command sets in a RADIUS authorization rule? Basically I wanted to have L1, L2, L3 authorization done for RADIUS devices in ACS. For example, for L1 I need to have only show commands visible, and for L3 all commands.
I know that this can be done through "command sets", but I can't call command sets in network access rules.
Is there a way we can achieve it?
Thanks,
Rajkumar
01-13-2016 02:46 PM
Awesome !!
Unfortunately, command authorization is not supported with RADIUS. You have to use the TACACS+ protocol, and the good thing is ACS supports both.
Take a look here. Perfect example to address your query if you really want to use TACACS+:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html
- Jatin
01-14-2016 05:04 AM
Hi Jatin,
Could you please help me on the below,
Now I have a device configured for TACACS+ and it is getting authenticated, but again it is going to "User Exec" mode, not to "Priv Exec" mode.
I created a shell profile "PRI 15" with default "15" and maximum "15" and assigned the shell profile to the authorization rule, but the access is not getting to "Priv Exec" mode.
I can see the hit count on this rule whenever I am accessing the switch, but every time I access the switch it increases by a value of 2 (2, 4, 6, 8).
I was checking the TACACS authentication logs; it looks like the authentication happened successfully.
Any suggestions?
Thanks,
Rajkumar
01-14-2016 06:37 AM
Please share:
1.] show run | in aaa from the switch/router.
2.] Check the ACS logs under TACACS authorization and see what error you are seeing there.
3.] debug aaa tacacs & debug aaa authorization from the switch/router.
- Jatin
01-14-2016 06:43 AM
Please check the details below:
aaa new-model
aaa group server tacacs+ TACACS-PLUS
aaa authentication login default group TACACS-PLUS local
aaa authentication login ConLine local group radius
aaa authentication enable default group TACACS-PLUS enable none
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group TACACS-PLUS none
aaa authorization exec my-authradius group radius if-authenticated
aaa accounting exec default start-stop group TACACS-PLUS
aaa session-id common
01-14-2016 06:55 AM
aaa authorization exec default group TACACS-PLUS none
The command we need on the switch is there. Lets check the ACS and switch logs.
- Jatin
01-18-2016 09:54 AM
Hi Jatin,
I can't see anything in the TACACS Authorization report. It looks like the authorization is not getting applied when the request comes in.
Any idea how this can be fixed?
Thanks,
Rajkumar
01-18-2016 10:21 AM
Please share debug tacacs & debug aaa authorization from the switch/router.
- Jatin
01-18-2016 10:31 AM
Log Buffer (4096 bytes):
8:34.026 GMT: TPLUS: processing authentication start request id 1037
Jan 18 18:28:34.026 GMT: TPLUS: Authentication start packet created for 1037(admin-rkandasa)
Jan 18 18:28:34.026 GMT: TPLUS: Using server 10.242.14.24
Jan 18 18:28:34.026 GMT: TPLUS(0000040D)/0/NB_WAIT/5C74EC8: Started 5 sec timeout
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/NB_WAIT: socket event 2
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/NB_WAIT: wrote entire 50 bytes request
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:34.169 GMT: TPLUS(0000040D)/0/READ: Would block while reading
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/READ: read entire 28 bytes response
Jan 18 18:28:34.311 GMT: TPLUS(0000040D)/0/5C74EC8: Processing the reply packet
Jan 18 18:28:34.311 GMT: TPLUS: Received authen response status GET_PASSWORD (8)
Jan 18 18:28:38.086 GMT: TPLUS: Queuing AAA Authentication request 1037 for processing
Jan 18 18:28:38.086 GMT: TPLUS: processing authentication continue request id 1037
Jan 18 18:28:38.086 GMT: TPLUS: Authentication continue packet generated for 1037
Jan 18 18:28:38.086 GMT: TPLUS(0000040D)/0/WRITE/5C74EC8: Started 5 sec timeout
Jan 18 18:28:38.086 GMT: TPLUS(0000040D)/0/WRITE: wrote entire 26 bytes request
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/READ: read entire 18 bytes response
Jan 18 18:28:38.279 GMT: TPLUS(0000040D)/0/5C74EC8: Processing the reply packet
Jan 18 18:28:38.279 GMT: TPLUS: Received authen response status PASS (2)
Jan 18 18:28:38.522 GMT: AAA/AUTHOR (0000040D): Method list id=79000002 not configured. Skip author
Jan 18 18:28:38.522 GMT: TPLUS: Queuing AAA Accounting request 1037 for processing
Jan 18 18:28:38.522 GMT: TPLUS: processing accounting request id 1037
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV task_id=1019
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV timezone=GMT
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV service=shell
Jan 18 18:28:38.522 GMT: TPLUS: Sending AV start_time=1453141718
Jan 18 18:28:38.522 GMT: TPLUS: Accounting request created for 1037(admin-rkandasa)
Jan 18 18:28:38.522 GMT: TPLUS: Using server 10.242.14.24
Jan 18 18:28:38.522 GMT: TPLUS(0000040D)/0/NB_WAIT/5C74EC8: Started 5 sec timeout
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/NB_WAIT: socket event 2
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/NB_WAIT: wrote entire 113 bytes request
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.665 GMT: TPLUS(0000040D)/0/READ: Would block while reading
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: read entire 12 header bytes (expect 5 bytes data)
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: socket event 1
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/READ: read entire 17 bytes response
Jan 18 18:28:38.808 GMT: TPLUS(0000040D)/0/5C74EC8: Processing the reply packet
Jan 18 18:28:38.808 GMT: TPLUS: Received accounting response with status PASS
Jan 18 18:28:40.762 GMT: AAA/AUTHOR: auth_need : user= 'admin-rkandasa' ruser= 'GBMASW15'rem_addr= '10.100.3.133' priv= 0 list= '' AUTHOR-TYPE= 'command'
Jan 18 18:28:40.762 GMT: AAA: parse name=tty3 idb type=-1 tty=-1
Jan 18 18:28:40.762 GMT: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Jan 18 18:28:40.762 GMT: AAA/MEMORY: create_user (0x5B98918) user='admin-rkandasa' ruser='NULL' ds0=0 port='tty3' rem_addr='10.100.3.133' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Jan 18 18:28:51.240 GMT: AAA/MEMORY: free_user (0x5B98918) user='NULL' ruser='NULL' port='tty3' rem_addr='10.100.3.133' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
GBMASW15#sh debug
General OS:
TACACS access control debugging is on
AAA Authorization debugging is on
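The debug above shows authentication returning PASS and accounting going out, while the AAA/AUTHOR line says the exec authorization method list was skipped and no authorization request ever reaches the server, which is why the ACS authorization report is empty. As an added example that is not part of the thread, a small triage helper for this kind of `debug tacacs` / `debug aaa authorization` output; the sample log is a constructed excerpt of the post above, and the "processing authorization request" marker it looks for is an assumption about the IOS debug text.

```python
import re

# Added example, not from the thread: a triage helper for the IOS
# "debug tacacs" / "debug aaa authorization" output posted above. The sample
# below is a constructed excerpt of that log, not the full buffer.
SAMPLE_DEBUG = """\
Jan 18 18:28:34.026 GMT: TPLUS: processing authentication start request id 1037
Jan 18 18:28:34.311 GMT: TPLUS: Received authen response status GET_PASSWORD (8)
Jan 18 18:28:38.279 GMT: TPLUS: Received authen response status PASS (2)
Jan 18 18:28:38.522 GMT: AAA/AUTHOR (0000040D): Method list id=79000002 not configured. Skip author
Jan 18 18:28:38.522 GMT: TPLUS: processing accounting request id 1037
Jan 18 18:28:38.808 GMT: TPLUS: Received accounting response with status PASS
"""

AUTHEN_RE = re.compile(r"TPLUS: Received authen response status (\w+)")
# Assumed marker for an exec authorization request actually going to the server
AUTHOR_REQ_RE = re.compile(r"TPLUS: processing authorization request")
SKIP_RE = re.compile(r"AAA/AUTHOR.*Method list id=(\w+) not configured\. Skip author")
ACCT_RE = re.compile(r"Received accounting response with status (\w+)")

def triage_tacacs_debug(text):
    """Summarise each AAA phase and flag a session that authenticated
    but never sent an exec authorization request to the TACACS+ server."""
    s = {"authen": None, "author_request_sent": False,
         "skipped_method_list": None, "acct": None, "findings": []}
    for line in text.splitlines():
        if m := AUTHEN_RE.search(line):
            s["authen"] = m.group(1)          # last status wins (GET_PASSWORD, then PASS)
        elif AUTHOR_REQ_RE.search(line):
            s["author_request_sent"] = True
        elif m := SKIP_RE.search(line):
            s["skipped_method_list"] = m.group(1)
        elif m := ACCT_RE.search(line):
            s["acct"] = m.group(1)
    if s["authen"] == "PASS" and not s["author_request_sent"]:
        s["findings"].append("authenticated, but no exec authorization request reached "
                             "the server, so the ACS authorization report stays empty")
    if s["skipped_method_list"]:
        s["findings"].append(f"IOS skipped exec authorization: method list id="
                             f"{s['skipped_method_list']} is not configured; check which "
                             "'authorization exec' list the vty/console line references")
    return s
```

Run it over the full buffer from `show logging`; a clean session shows an authorization request and response between the authentication PASS and the accounting start, and produces no findings.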