[tac_plus] Is it possible to handle anonymous authorization requests?

Martin T m4rtntns at gmail.com
Thu May 24 16:20:39 UTC 2018


Hi!

I have two Cisco 3750-E series switches in a stacked configuration.
When I connect to the "Master" switch over the console port, I'm able to
authenticate and authorize without issues. When I connect to the "Member"
switch over the console port, I'm not able to authorize. I see that the
switch sends the authorization (type 2) packet to the TACACS+ server:

014310: May 24 15:34:57.824 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: UNKNOWN] [localport: 0] at 15:34:57 UTC Thu May 24 2018
014352: May 24 15:35:58.258 UTC: T+: Version 192 (0xC0), type 2, seq 1, encryption 1
014353: May 24 15:35:58.258 UTC: T+: session_id 3904028160 (0xE8B2BE00), dlen 40 (0x28)
014354: May 24 15:35:58.258 UTC: T+: AUTHOR, priv_lvl:1, authen:1 method:enable
014355: May 24 15:35:58.258 UTC: T+: svc:1 user_len:0 port_len:4 rem_addr_len:9 arg_cnt:2
014356: May 24 15:35:58.258 UTC: T+: user:
014357: May 24 15:35:58.258 UTC: T+: port:  tty4
014358: May 24 15:35:58.258 UTC: T+: rem_addr:  127.0.0.4
014359: May 24 15:35:58.258 UTC: T+: arg[0]: size:13 service=shell
014360: May 24 15:35:58.258 UTC: T+: arg[1]: size:4 cmd*
014361: May 24 15:35:58.267 UTC: T+: End Packet


...and the TACACS+ server replies with FAIL. I also did a packet capture
on the TACACS+ server and saw exactly the same behavior. As seen above,
the "user" field is empty. Also, the TACACS+ server logs "user '' not
found, denied by default".

Any ideas why the master switch skips sending the authorization request?
Why is the "user" field of the member switch's authentication request empty?
Most importantly, is there a workaround to handle anonymous
authorization requests? I tried "anonymous-enable = permit" at the
host level, but this did not help. The authorization-related configuration
on the switch is "aaa authorization exec default group tacacs+
if-authenticated".



thanks,
Martin
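As an added example (not part of Martin's post and not tac_plus's own code), the following Python reconstructs the authorization REQUEST packet from the debug output above using the wire layout in RFC 8907: the 12-octet header, the authorization body with its length-prefixed user/port/rem_addr/arg fields, and the MD5 pseudo-pad obfuscation of the body. The field values (version 0xC0, type 2, seq 1, session_id 0xE8B2BE00, method enable, priv_lvl 1, authen_type 1, svc 1, empty user, port tty4, rem_addr 127.0.0.4, args service=shell and cmd*) are taken from the log; the shared key, the known-user set, and the function names are assumptions made for the example. Encoding the body as logged yields exactly the dlen of 40 shown, and the server-side check at the end shows why an empty user name falls through to the default deny.

```python
import hashlib
import struct

# RFC 8907 header: version, type, seq_no, flags, session_id, length (12 octets)
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION_DEFAULT = 0xC0      # major 0xC, minor 0 -> "Version 192 (0xC0)"
TAC_PLUS_AUTHOR = 0x02               # "type 2"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

# Authorization REQUEST body values (RFC 8907 section 6.1)
TAC_PLUS_AUTHEN_METH_ENABLE = 0x04   # "method:enable"
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01    # "authen:1"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01     # "svc:1"


def encode_author_request(authen_method, priv_lvl, authen_type, authen_service,
                          user, port, rem_addr, args):
    """Build the (unobfuscated) authorization REQUEST body."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = bytes([authen_method, priv_lvl, authen_type, authen_service,
                  len(user_b), len(port_b), len(rem_b), len(arg_bs)])
    body += bytes(len(a) for a in arg_bs)                 # arg_1_len .. arg_N_len
    return body + user_b + port_b + rem_b + b"".join(arg_bs)


def decode_author_request(body):
    """Parse an authorization REQUEST body back into its fields."""
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_addr_len, arg_cnt) = body[:8]
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    fields = {}
    for name, n in (("user", user_len), ("port", port_len), ("rem_addr", rem_addr_len)):
        fields[name] = body[off:off + n].decode()
        off += n
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("body length does not match declared field lengths")
    fields.update(authen_method=authen_method, priv_lvl=priv_lvl,
                  authen_type=authen_type, authen_service=authen_service, args=args)
    return fields


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type, seq_no, session_id, key, body):
    hdr = HEADER.pack(TAC_PLUS_VERSION_DEFAULT, pkt_type, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION_DEFAULT, seq_no)


def parse_packet(packet, key):
    """Split header from body; de-obfuscate unless TAC_PLUS_UNENCRYPTED_FLAG is set."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authorize(req, known_users):
    """Server-side decision: a user not in the database (here the empty name) is denied."""
    if req["user"] not in known_users:
        return "FAIL", "user '%s' not found, denied by default" % req["user"]
    return "PASS", ""


# Constructed sample reproducing the debug output; the shared key is an assumption.
SESSION_ID = 0xE8B2BE00
SHARED_KEY = b"example-shared-key"


def member_switch_request():
    return encode_author_request(TAC_PLUS_AUTHEN_METH_ENABLE, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                                 TAC_PLUS_AUTHEN_SVC_LOGIN, "", "tty4", "127.0.0.4",
                                 ["service=shell", "cmd*"])


if __name__ == "__main__":
    wire = build_packet(TAC_PLUS_AUTHOR, 1, SESSION_ID, SHARED_KEY, member_switch_request())
    req = decode_author_request(parse_packet(wire, SHARED_KEY)["body"])
    print("dlen", len(member_switch_request()), "user_len", len(req["user"]),
          authorize(req, {"martin"}))
```

The decoder deliberately refuses a body whose declared lengths do not add up to the packet length, which is the check a server needs before trusting any of the fields; the pseudo pad is only an obfuscation keyed by the shared secret, so anyone holding the key (or a capture plus a weak key) can recover the body, which is why a capture on the server side shows the same empty user field as the switch's debug output.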


