ACS, tacacs+ and management access to router
I would like to test tacacs+ authentication on routers.
R1#sh run aaa
!
aaa authentication login ACS group tacacs+
aaa authentication enable default group tacacs+
!
!
!
!
!
!
tacacs-server host 192.168.157.100 key cisco
aaa new-model
aaa session-id common
!
!
R1#
R1#sh run | b line vty 0 4
line vty 0 4
login authentication ACS
!
On ACS I added R1 as ND and ‘user1’ to the local database.
telnet 192.168.157.100
R1#
*Aug 27 15:37:05.071: TPLUS: Queuing AAA Authentication request 49 for processing
*Aug 27 15:37:05.075: TPLUS: processing authentication start request id 49
*Aug 27 15:37:05.079: TPLUS: Authentication start packet created for 49()
*Aug 27 15:37:05.079: TPLUS: Using server 192.168.157.100
*Aug 27 15:37:05.087: TPLUS(00000031)/0/NB_WAIT/685E7C1C: Started 5 sec timeout
*Aug 27 15:37:05.099: TPLUS(00000031)/0/NB_WAIT: socket event 2
*Aug 27 15:37:05.103: TPLUS(00000031)/0/NB_WAIT: wrote entire 37 bytes request
*Aug 27 15:37:05.107: TPLUS(00000031)/0/READ: socket event 1
*Aug 27 15:37:05.111: TPLUS(00000031)/0/READ: Would block while reading
R1#
*Aug 27 15:37:05.119: TPLUS(00000031)/0/READ: socket event 1
*Aug 27 15:37:05.123: TPLUS(00000031)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Aug 27 15:37:05.123: TPLUS(00000031)/0/READ: socket event 1
*Aug 27 15:37:05.127: TPLUS(00000031)/0/READ: read entire 28 bytes response
*Aug 27 15:37:05.127: TPLUS(00000031)/0/685E7C1C: Processing the reply packet
*Aug 27 15:37:05.127: TPLUS: Received authen response status GET_USER (7)
R1#
*Aug 27 15:37:10.667: TPLUS: Queuing AAA Authentication request 49 for processing
*Aug 27 15:37:10.671: TPLUS: processing authentication continue request id 49
*Aug 27 15:37:10.675: TPLUS: Authentication continue packet generated for 49
*Aug 27 15:37:10.675: TPLUS(00000031)/0/WRITE/685E7C1C: Started 5 sec timeout
*Aug 27 15:37:10.679: TPLUS(00000031)/0/WRITE: wrote entire 22 bytes request
*Aug 27 15:37:10.691: TPLUS(00000031)/0/READ: socket event 1
*Aug 27 15:37:10.695: TPLUS(00000031)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Aug 27 15:37:10.695: TPLUS(00000031)/0/READ: socket event 1
R1#
*Aug 27 15:37:10.699: TPLUS(00000031)/0/READ: read entire 28 bytes response
*Aug 27 15:37:10.699: TPLUS(00000031)/0/685E7C1C: Processing the reply packet
*Aug 27 15:37:10.699: TPLUS: Received authen response status GET_PASSWORD (8)
R1#
*Aug 27 15:37:13.499: TPLUS: Queuing AAA Authentication request 49 for processing
*Aug 27 15:37:13.503: TPLUS: processing authentication continue request id 49
*Aug 27 15:37:13.507: TPLUS: Authentication continue packet generated for 49
*Aug 27 15:37:13.511: TPLUS(00000031)/0/WRITE/685E7C1C: Started 5 sec timeout
*Aug 27 15:37:13.515: TPLUS(00000031)/0/WRITE: wrote entire 22 bytes request
*Aug 27 15:37:13.551: TPLUS(00000031)/0/READ: socket event 1
*Aug 27 15:37:13.551: TPLUS(00000031)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Aug 27 15:37:13.555: TPLUS(00000031)/0/READ: socket event 1
R1#
*Aug 27 15:37:13.555: TPLUS(00000031)/0/READ: read entire 18 bytes response
*Aug 27 15:37:13.555: TPLUS(00000031)/0/685E7C1C: Processing the reply packet
*Aug 27 15:37:13.559: TPLUS: Received authen response status PASS (2)
R1#
As we see I received positive response. Now I try to enter to exec mode:
R1>en
password:
% Error in authentication.
R1>
R1#
*Aug 27 15:39:25.795: TAC+: send AUTHEN/START packet ver=192 id=731471408
*Aug 27 15:39:25.799: TAC+: Using default tacacs server-group "tacacs+" list.
*Aug 27 15:39:25.799: TAC+: Opening TCP/IP to 192.168.157.100/49 timeout=5
*Aug 27 15:39:25.867: TAC+: Opened TCP/IP handle 0x6949CD48 to 192.168.157.100/49
*Aug 27 15:39:25.871: TAC+: 192.168.157.100 (731471408) AUTHEN/START/LOGIN/ASCII queued
*Aug 27 15:39:26.071: TAC+: (731471408) AUTHEN/START/LOGIN/ASCII processed
*Aug 27 15:39:26.079: TAC+: ver=192 id=731471408 received AUTHEN status = GETPASS
R1#
*Aug 27 15:39:30.543: TAC+: send AUTHEN/CONT packet id=731471408
*Aug 27 15:39:30.543: TAC+: 192.168.157.100 (731471408) AUTHEN/CONT queued
*Aug 27 15:39:30.743: TAC+: (731471408) AUTHEN/CONT processed
*Aug 27 15:39:30.747: TAC+: ver=192 id=731471408 received AUTHEN status = FAIL
*Aug 27 15:39:30.751: TAC+: Closing TCP/IP 0x6949CD48 connection to 192.168.157.100/49
R1#
There is something wrong with authentication. Let’s check logs on ACS.
I found one entry related to my problem:
Authentication Details
Status: Failed
Failure Reason: 13029 Requested privilege level too high
Logged At: Jan 1, 2014 3:05 AM
ACS Time: Jan 1, 2014 3:05 AM
ACS Instance: acs
Authentication Method: PAP_ASCII
Authentication Type: ASCII
Privilege Level: 15
User
Username: user1
Remote Address: 192.168.157.1
Network Device
Network Device: r1
Network Device IP Address: 192.168.157.11
Network Device Groups: Device Type:All Device Types, Location:All Locations
I have to change ‘assigned’ and ‘max’ privilege level:
Policy Elements->Authorization and Permissions->Device Administration->Shell Profiles:
in my case I set 8 and 15.
Next I have to add this profile to ‘Device Administration Authorization Policy’:
Access Policies->Access Services->Default Device Admin->Authorization.
Then I test ‘enable’ once again:
R1>en
password:
R1#
*Aug 27 20:10:14.282: TAC+: send AUTHEN/START packet ver=192 id=-2094635717
*Aug 27 20:10:14.282: TAC+: Using default tacacs server-group "tacacs+" list.
*Aug 27 20:10:14.286: TAC+: Opening TCP/IP to 192.168.157.100/49 timeout=5
*Aug 27 20:10:14.302: TAC+: Opened TCP/IP handle 0x675570A0 to 192.168.157.100/49
*Aug 27 20:10:14.306: TAC+: 192.168.157.100 (2200331579) AUTHEN/START/LOGIN/ASCII queued
*Aug 27 20:10:14.506: TAC+: (2200331579) AUTHEN/START/LOGIN/ASCII processed
*Aug 27 20:10:14.510: TAC+: ver=192 id=-2094635717 received AUTHEN status = GETPASS
R1#
*Aug 27 20:10:17.154: TAC+: send AUTHEN/CONT packet id=-2094635717
*Aug 27 20:10:17.158: TAC+: 192.168.157.100 (2200331579) AUTHEN/CONT queued
*Aug 27 20:10:17.358: TAC+: (2200331579) AUTHEN/CONT processed
*Aug 27 20:10:17.362: TAC+: ver=192 id=-2094635717 received AUTHEN status = PASS
*Aug 27 20:10:17.362: TAC+: Closing TCP/IP 0x675570A0 connection to 192.168.157.100/49
R1#
But I see I’m placed in privilege level 15, not 8, as I configured.
R1#sh priv
Current privilege level is 15
R1#
To be placed in correct privilege level I have to add following authorization command:
aaa authorization exec default group tacacs+
Let’s try once again:
telnet 192.168.157.11
Trying 192.168.157.11 ... Open
username: user1
password:
R1#sh priv
Current privilege level is 8
R1#
Now I would like to add some limits for available commands for user1. Assume the user should be able to enter into config mode and be able to shutdown all FastEthernet interfaces.
First I have to add authorization command:
R1(config)#aaa authorization commands 15 default group tacacs+
R1(config)#aaa authorization config-commands
On ACS I have to add one ‘Command Sets’:
permit configuration terminal
permit interface FastEthernet
permit shutdown
Don’t forget to add ‘Command Sets’ to Authorization Policy results. Last step is update Authorization Policy.
username: user1
password:
R1#sh priv
Current privilege level is 8
R1#configure terminal
^
% Invalid input detected at '^' marker.
R1#en
password:
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Loo0
Command authorization failed.
R1(config)#interface Fas
R1(config)#interface FastEthernet ?
<0-7> FastEthernet interface number
R1(config)#interface FastEthernet1/0
R1(config-if)#ip add
R1(config-if)#ip address 1.1.1.1 255.255.255.0
Command authorization failed.
R1(config-if)#shu
R1(config-if)#shutdown
R1(config-if)#no shu
R1(config-if)#no shutdown
Command authorization failed.
R1(config-if)#
As you see we accomplished all requirements, user1 is able to issue only selected commands.