[tac_plus] Is it possible to handle anonymous authorization requests?

heasley heas at shrubbery.net
Thu May 24 22:12:03 UTC 2018


Thu, May 24, 2018 at 07:20:39PM +0300, Martin T:
> Hi!
> 
> I have two Cisco 3750-E series switches in a stacked configuration.
> When I connect to "Master" switch over console port, then I'm able to
> authenticate and authorize without issues. When I connect to "Member"
> switch over console port, then I'm not able to authorize. I see that
> switch sends the authorization(type 2) packet to TACACS+ server:
> 
> 014310: May 24 15:34:57.824 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login
> Success [user: ] [Source: UNKNOWN] [localport: 0] at 15:34:57 UTC Thu
> May 24 2018
> 014352: May 24 15:35:58.258 UTC: T+: Version 192 (0xC0), type 2, seq
> 1, encryption 1
> 014353: May 24 15:35:58.258 UTC: T+: session_id 3904028160
> (0xE8B2BE00), dlen 40 (0x28)
> 014354: May 24 15:35:58.258 UTC: T+: AUTHOR, priv_lvl:1, authen:1
> method:enable
> 014355: May 24 15:35:58.258 UTC: T+: svc:1 user_len:0 port_len:4
> rem_addr_len:9 arg_cnt:2
> 014356: May 24 15:35:58.258 UTC: T+: user:
> 014357: May 24 15:35:58.258 UTC: T+: port:  tty4
> 014358: May 24 15:35:58.258 UTC: T+: rem_addr:  127.0.0.4
> 014359: May 24 15:35:58.258 UTC: T+: arg[0]: size:13 service=shell
> 014360: May 24 15:35:58.258 UTC: T+: arg[1]: size:4 cmd*
> 014361: May 24 15:35:58.267 UTC: T+: End Packet
> 
> 
> ..and TACACS+ server replies with FAIL. I also did the packet capture
> in TACACS+ server and saw exactly the same behavior. As seen above,
> "user" field is empty. Also, the TACACS+ server logs that "user '' not
> found, denied by default".
> 
> Any ideas, why master switch skips sending the authorization request?
> Why is the "user" field of member switch authentication request empty?

Does the console ask for a username?  does it require different configuration
to enable aaa such as configured under 'line tty4' rather than line con?

> Most importantly, is there a workaround to handle anonymous
> authorization requests? I tried with "anonymous-enable = permit" under
> host level, but this did not help. Authorization-related configuration
> in the switch is "aaa authorization exec default group tacacs+
> if-authenticated".

I'd lean toward a bug in ios or missing config, but the tacacs protocol
clearly allows the the username to omitted.  tbh, i dont know if the
daemon allows an empty user; its not in the manpage that I compiled.  I'd
have to look through the code, whcih i can't do ATM.  perhaps, try the
special user DEFAULT or "".



More information about the tac_plus mailing list