AAA

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
Posted on 2008-01-30 17:41

TACACS+ provides per-command authorization because of the way its protocol is implemented, while RADIUS does not.
aaa authentication enable default group tacacs+
->
After this command is entered, 'enable' checks the password against the TACACS+ server. At the same time, the enable settings on the TACACS+ server (Cisco Secure ACS) take effect, such as the maximum privilege level for the AAA client.
aaa authorization exec
->
The Cisco IOS shell (EXEC) authorization configuration will be checked.
aaa authorization command
->
Commands at the specified level (and above) are checked for authorization. Note that a command that does not belong to the current privilege level is not checked with the AAA server at all, because the router does not recognize the command.
For instance:
isp>enable 10
Password:
isp#config t
       ^
% Invalid input detected at '^' marker.
isp#
The config command does not belong to level 10.
isp#sh snmp
Command authorization failed.
% Incomplete command.
isp#
The show command belongs to level 10, but after checking with the TACACS+ server it is found not to be authorized.
Note: each Cisco IOS command is associated with a privilege level.
Login Debug information
Mar  1 06:31:43.058: AAA/AUTHEN/LOGIN (0000002E): Pick method list 'default'
Mar  1 06:31:43.062: TPLUS: Queuing AAA Authentication request 46 for processing
Mar  1 06:31:43.070: TPLUS: processing authentication start request id 46
Mar  1 06:31:43.074: TPLUS: Authentication start packet created for 46()
Mar  1 06:31:43.074: TPLUS: Using server 192.168.217.10
Mar  1 06:31:43.090: TPLUS(0000002E)/0/NB_WAIT/669E8EC4: Started 60 sec timeout
Mar  1 06:31:43.262: TPLUS(0000002E)/0/NB_WAIT: socket event 2
Mar  1 06:31:43.266: TPLUS(0000002E)/0/NB_WAIT: wrote entire 29 bytes request
Username: johnny
Mar  1 06:31:43.270: TPLUS(0000002E)/0/READ: socket event 1
Mar  1 06:31:43.274: TPLUS(0000002E)/0/READ: Would block while reading
Mar  1 06:31:43.294: TPLUS(0000002E)/0/READ: socket event 1
Mar  1 06:31:43.294: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Mar  1 06:31:43.298: TPLUS(0000002E)/0/READ: socket event 1
Mar  1 06:31:43.298: TPLUS(0000002E)/0/READ: read entire 28 bytes response
Mar  1 06:31:43.302: TPLUS(0000002E)/0/669E8EC4: Processing the reply packet
Mar  1 06:31:43.306: TPLUS: Received authen response status GET_USER (7)
Mar  1 06:32:22.294: TPLUS: Queuing AAA Authentication request 47 for processing
Mar  1 06:32:22.302: TPLUS: processing authentication continue request id 47
Mar  1 06:32:22.306: TPLUS: Authentication continue packet generated for 47
Mar  1 06:32:22.306: TPLUS(0000002F)/0/WRITE/669F8F94: Started 60 sec timeout
Mar  1 06:32:22.314: TPLUS(0000002F)/0/WRITE: wrote entire 22 bytes request
Mar  1 06:32:22.434: TPLUS(0000002F)/0/READ: socket event 1
Mar  1 06:32:22.434: TPLUS(0000002F)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Mar  1 06:32:22.438: TPLUS(0000002F)/0/READ: socket event 1
Mar  1 06:20:06.122: TPLUS(0000002D)/0/READ: read entire 28 bytes response
Mar  1 06:20:06.126: TPLUS(0000002D)/0/65AA8F88: Processing the reply packet
Mar  1 06:20:06.130: TPLUS: Received authen response status GET_PASSWORD (8)
Mar  1 06:20:06.138: TPLUS: Queuing AAA Authentication request 45 for processing
Mar  1 06:20:06.142: TPLUS: processing authentication continue request id 45
Mar  1 06:20:06.146: TPLUS: Authentication continue packet generated for 45
Mar  1 06:20:06.150: TPLUS(0000002D)/0/WRITE/662DE2E0: Started 60 sec timeout
Mar  1 06:20:06.154: TPLUS(0000002D)/0/WRITE: wrote entire 28 bytes request
Mar  1 06:20:06.286: TPLUS(0000002D)/0/READ: socket event 1
Mar  1 06:20:06.286: TPLUS(0000002D)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Mar  1 06:20:06.290: TPLUS(0000002D)/0/READ: socket event 1
Mar  1 06:20:06.290: TPLUS(0000002D)/0/READ: read entire 18 bytes response
Mar  1 06:20:06.294: TPLUS(0000002D)/0/662DE2E0: Processing the reply packet
isp#
Mar  1 06:20:06.294: TPLUS: Received authen response status PASS (2)
Mar  1 06:20:06.442: AAA/AUTHOR (0x2D): Pick method list 'default'
Mar  1 06:20:06.454: TPLUS: Queuing AAA Authorization request 45 for processing
Mar  1 06:20:06.458: TPLUS: processing authorization request id 45
Mar  1 06:20:06.462: TPLUS: Protocol set to None .....Skipping
Mar  1 06:20:06.466: TPLUS: Sending AV service=shell
Mar  1 06:20:06.466: TPLUS: Sending AV cmd*
Mar  1 06:20:06.470: TPLUS: Authorization request created for 45(johnny)
Mar  1 06:20:06.470: TPLUS: using previously set server 192.168.217.10 from group tacacs+
Mar  1 06:20:06.486: TPLUS(0000002D)/0/NB_WAIT/669E8EC4: Started 60 sec timeout
Mar  1 06:20:06.558: TPLUS(0000002D)/0/NB_WAIT: socket event 2
Mar  1 06:20:06.566: TPLUS(0000002D)/0/NB_WAIT: wrote entire 65 bytes request
Mar  1 06:20:06.566: TPLUS(0000002D)/0/READ: socket event 1
Mar  1 06:20:06.570: TPLUS(0000002D)/0/READ: Would block while reading
Mar  1 06:20:06.842: TPLUS(0000002D)/0/READ: socket event 1
isp#
Mar  1 06:20:06.842: TPLUS(0000002D)/0/READ: read entire 12 header bytes (expect 17 bytes data)
Mar  1 06:20:06.846: TPLUS(0000002D)/0/READ: socket event 1
Mar  1 06:20:06.850: TPLUS(0000002D)/0/READ: read entire 29 bytes response
Mar  1 06:20:06.850: TPLUS(0000002D)/0/669E8EC4: Processing the reply packet
Mar  1 06:20:06.854: TPLUS: Processed AV timeout=60
Mar  1 06:20:06.854: TPLUS: received authorization response for 45: PASS
Mar  1 06:20:06.866: AAA/AUTHOR/EXEC(0000002D): processing AV cmd=
Mar  1 06:20:06.870: AAA/AUTHOR/EXEC(0000002D): processing AV timeout=3600
Mar  1 06:20:06.870: AAA/AUTHOR/EXEC(0000002D): Authorization successful
Command Authorization debug information
Mar  1 06:21:15.058: tty226 AAA/AUTHOR/CMD(3529547746): Port='tty226' list='' service=CMD
Mar  1 06:21:15.058: AAA/AUTHOR/CMD: tty226(3529547746) user='johnny'
Mar  1 06:21:15.062: tty226 AAA/AUTHOR/CMD(3529547746): send AV service=shell
Mar  1 06:21:15.062: tty226 AAA/AUTHOR/CMD(3529547746): send AV cmd=show
isp#
Mar  1 06:21:15.066: tty226 AAA/AUTHOR/CMD(3529547746): send AV cmd-arg=snmp
Mar  1 06:21:15.066: tty226 AAA/AUTHOR/CMD(3529547746): send AV cmd-arg=
Mar  1 06:21:15.070: tty226 AAA/AUTHOR/CMD(3529547746): found list "default"
Mar  1 06:21:15.070: tty226 AAA/AUTHOR/CMD(3529547746): Method=tacacs+ (tacacs+)
Mar  1 06:21:15.074: AAA/AUTHOR/TAC+: (3529547746): user=johnny
Mar  1 06:21:15.074: AAA/AUTHOR/TAC+: (3529547746): send AV service=shell
Mar  1 06:21:15.078: AAA/AUTHOR/TAC+: (3529547746): send AV cmd=show
Mar  1 06:21:15.078: AAA/AUTHOR/TAC+: (3529547746): send AV cmd-arg=snmp
Mar  1 06:21:15.082: AAA/AUTHOR/TAC+: (3529547746): send AV cmd-arg=
isp#
Mar  1 06:21:15.422: TAC+: (-765419550): received author response status = FAIL
Mar  1 06:21:15.430: AAA/AUTHOR (3529547746): Post authorization status = FAIL
Mar  1 06:21:15.438: AAA/MEMORY: free_user (0x664509E0) user='johnny' ruser='isp' port='tty226' rem_addr='192.168.217.10' authen_type=ASCII service=NONE priv=1 vrf= (id=0)
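The command-authorization exchange shown in the debug output above, reconstructed by a small parser (an added example, not part of the original post): it correlates the AAA/AUTHOR/CMD lines by request id, rebuilds the command from the cmd= and cmd-arg= AV pairs, and reports the requests the TACACS+ server refused. The sample debug text is constructed from the post's own lines; the second request (id 3529547800, "show clock", PASS) is made up to show the other outcome.

```python
import re
from collections import defaultdict

# Constructed "debug aaa authorization" sample: user, port and the refused "show snmp" follow the post;
# the second request (id 3529547800, "show clock", PASS) is made up to show the other outcome.
SAMPLE_DEBUG = """\
Mar  1 06:21:15.058: tty226 AAA/AUTHOR/CMD(3529547746): Port='tty226' list='' service=CMD
Mar  1 06:21:15.058: AAA/AUTHOR/CMD: tty226(3529547746) user='johnny'
Mar  1 06:21:15.062: tty226 AAA/AUTHOR/CMD(3529547746): send AV service=shell
Mar  1 06:21:15.062: tty226 AAA/AUTHOR/CMD(3529547746): send AV cmd=show
Mar  1 06:21:15.066: tty226 AAA/AUTHOR/CMD(3529547746): send AV cmd-arg=snmp
Mar  1 06:21:15.066: tty226 AAA/AUTHOR/CMD(3529547746): send AV cmd-arg=
Mar  1 06:21:15.430: AAA/AUTHOR (3529547746): Post authorization status = FAIL
Mar  1 06:22:02.010: tty226 AAA/AUTHOR/CMD(3529547800): Port='tty226' list='' service=CMD
Mar  1 06:22:02.010: AAA/AUTHOR/CMD: tty226(3529547800) user='johnny'
Mar  1 06:22:02.014: tty226 AAA/AUTHOR/CMD(3529547800): send AV cmd=show
Mar  1 06:22:02.018: tty226 AAA/AUTHOR/CMD(3529547800): send AV cmd-arg=clock
Mar  1 06:22:02.018: tty226 AAA/AUTHOR/CMD(3529547800): send AV cmd-arg=
Mar  1 06:22:02.300: AAA/AUTHOR (3529547800): Post authorization status = PASS
"""

# One regex per debug line shape; the request id in parentheses ties the lines together.
RE_PORT = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): Port='([^']*)'")
RE_USER = re.compile(r"AAA/AUTHOR/CMD: \S+\((\d+)\) user='([^']*)'")
RE_AV = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): send AV (cmd|cmd-arg)=(.*)$")
RE_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

def parse_cmd_authorizations(debug_text):
    """Rebuild each request from the interleaved debug lines: IOS sends cmd=<keyword>,
    one cmd-arg= per argument and an empty cmd-arg= as the terminator."""
    reqs = defaultdict(lambda: {"user": None, "port": None, "words": [], "status": None})
    for line in debug_text.splitlines():
        if m := RE_PORT.search(line):
            reqs[m[1]]["port"] = m[2]
        elif m := RE_USER.search(line):
            reqs[m[1]]["user"] = m[2]
        elif m := RE_AV.search(line):
            if m[3]:  # skip the empty cmd-arg= terminator
                reqs[m[1]]["words"].append(m[3])
        elif m := RE_STATUS.search(line):
            reqs[m[1]]["status"] = m[2]
    return {rid: {"user": r["user"], "port": r["port"],
                  "command": " ".join(r["words"]), "status": r["status"]}
            for rid, r in reqs.items()}

def failed_commands(debug_text):
    """Commands the TACACS+ server refused: the events an operator would alert on."""
    return [(r["user"], r["port"], r["command"])
            for r in parse_cmd_authorizations(debug_text).values() if r["status"] == "FAIL"]
```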

This article comes from the ChinaUnix blog; to view the original, see: http://blog.chinaunix.net/u1/42903/showart_473876.html