andry_9876 Posted September 17, 2018 (edited)

Good day. I cannot get a Nexus 5010 to work with a Cisco ACS server (TACACS+ protocol).

N5-C5010-BF-I# sh ver
Software
  BIOS: version 1.5.0
  loader: version N/A
  kickstart: version 5.2(1)N1(9a)
  system: version 5.2(1)N1(9a)
  power-seq: Module 1: version v1.2
  BIOS compile time: 11/30/10
  kickstart image file is: bootflash:///n5000-uk9-kickstart.5.2.1.N1.9a.bin
  kickstart compile time: 4/7/2016 5:00:00 [04/07/2016 17:46:22]
  system image file is: bootflash:///n5000-uk9.5.2.1.N1.9a.bin
  system compile time: 4/7/2016 5:00:00 [04/07/2016 19:56:59]
Hardware
  cisco Nexus5010 Chassis ("20x10GE/Supervisor")
  Intel(R) Celeron(R) M CPU with 2065504 kB of memory.
  System version: 5.2(1)N1(9a)

TACACS settings:

ip tacacs source-interface mgmt0
tacacs-server timeout 6
tacacs-server host 10.10.0.250 key 0 key-key
aaa group server tacacs+ SPCOM
  server 10.10.0.250
  use-vrf management
  source-interface mgmt0
aaa authentication login default group SPCOM local
aaa authorization config-commands default group SPCOM local
aaa authorization commands default group SPCOM local
aaa accounting default group SPCOM local
tacacs-server directed-request

Other settings:

vrf context management
  ip route 0.0.0.0/0 10.10.0.1
...
interface mgmt0
  vrf member management
  ip address 10.10.2.20/16

The debug says:

2018 Sep 17 16:11:05 N5K-C5010-BF-II last message repeated 2 times
2018 Sep 17 16:11:29 N5K-C5010-BF-II last message repeated 2 times
2018 Sep 17 16:11:29 N5K-C5010-BF-II %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USER from 10.0.0.144 - login
2018 Sep 17 16:11:34 N5K-C5010-BF-II %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by USER on 10.0.0.144@pts/0
2018 Sep 17 16:11:41 N5K-C5010-BF-II %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

The TACACS server is reachable:

N5K-C5010-BF-II# ping 10.10.0.250 vrf management
PING 10.10.0.250 (10.10.0.250): 56 data bytes
64 bytes from 10.10.0.250: icmp_seq=0 ttl=63 time=3.315 ms
64 bytes from 10.10.0.250: icmp_seq=1 ttl=63 time=2.927 ms
64 bytes from 10.10.0.250: icmp_seq=2 ttl=63 time=3.126 ms
64 bytes from 10.10.0.250: icmp_seq=3 ttl=63 time=3.091 ms
64 bytes from 10.10.0.250: icmp_seq=4 ttl=63 time=3.122 ms
--- 10.10.0.250 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.927/3.116/3.315 ms

Edited September 18, 2018 by andry_9876 (typo)
andry_9876 (Author) Posted September 19, 2018

There is traffic between the switch and the ACS server:

N5-C5010-BF-I# etha loc int mgmt capture-filter "host 10.10.0.250"
Capturing on eth0
2018-09-19 11:56:46.850199 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [SYN] Seq=0 Len=0 MSS=1460 WS=0 TSV=2398447 TSER=0
2018-09-19 11:56:46.851567 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=1905513751 TSER=2398447 WS=7
2018-09-19 11:56:46.853343 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [ACK] Seq=1 Ack=1 Win=17376 Len=0 TSV=2398447 TSER=1905513751
2018-09-19 11:56:46.855126 10.10.1.20 -> 10.10.0.250 TACACS+ Q: Authentication
2018-09-19 11:56:46.855666 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [ACK] Seq=1 Ack=52 Win=14592 Len=0 TSV=1905513756 TSER=2398447
2018-09-19 11:56:46.859760 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [FIN, ACK] Seq=1 Ack=52 Win=14592 Len=0 TSV=1905513758 TSER=2398447
2018-09-19 11:56:46.860504 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [ACK] Seq=52 Ack=2 Win=17376 Len=0 TSV=2398447 TSER=1905513758
2018-09-19 11:56:46.861171 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [FIN, ACK] Seq=52 Ack=2 Win=17376 Len=0 TSV=2398447 TSER=1905513758
2018-09-19 11:56:46.863868 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [ACK] Seq=2 Ack=53 Win=14592 Len=0 TSV=1905513762 TSER=2398447
N5-C5010-BF-I#
9 packets captured
zhenya` Posted September 19, 2018

You most likely also need to send the cisco-av-pair shell:roles: https://routing-bits.com/2011/05/24/nexus-user-roles/
andry_9876 (Author) Posted September 19, 2018

Following the guide at https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html#config2 I configured the server. I can log in to the switch, but commands do not execute:

N5-C5010-BF-I# conf t
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
N5-C5010-BF-I# sh run
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
N5-C5010-BF-I#

Even though the debug says SUCCESS:

2018 Sep 19 14:25:30.452980 tacacs: process_rd_fd_set: calling callback for fd 7
2018 Sep 19 14:25:30.453019 tacacs: fsrv_sdb_process_msg: vdc-id[1] mts_opc[8421][MTS_OPC_TACACS_AAA_REQ] 0xbfc3579c 0xb57d7474 406
2018 Sep 19 14:25:30.453036 tacacs: Sending it to SDB-Dispatch
2018 Sep 19 14:25:30.453052 tacacs: Sdb-dispatch did not process
2018 Sep 19 14:25:30.453072 tacacs: No msg handler in FSRV for mts_opc[8421][MTS_OPC_TACACS_AAA_REQ]
2018 Sep 19 14:25:30.453087 tacacs: fsrv didnt consume 8421 opcode
2018 Sep 19 14:25:30.453101 tacacs: process_implicit_cfs_session_start: entering...
2018 Sep 19 14:25:30.453114 tacacs: process_implicit_cfs_session_start: exiting; we are in distribution disabled state
2018 Sep 19 14:25:30.453135 tacacs: process_aaa_tplus_request: entering for aaa session id 0
2018 Sep 19 14:25:30.453160 tacacs: process_aaa_tplus_request:Checking for state of mgmt0 port with servergroup SPCOM
2018 Sep 19 14:25:30.453178 tacacs: tacacs_servergroup_config: entering for server group, index 0
2018 Sep 19 14:25:30.453195 tacacs: tacacs_servergroup_config: GETNEXT_REQ for Protocol server group index:0 name:
2018 Sep 19 14:25:30.453236 tacacs: tacacs_pss2_move2key: rcode = 40480003 syserr2str = no such pss key
2018 Sep 19 14:25:30.453252 tacacs: tacacs_pss2_move2key: calling pss2_getkey
2018 Sep 19 14:25:30.453269 tacacs: tacacs_servergroup_config: GETNEXT_REQ got Protocol server group index:2 name:SPCOM
2018 Sep 19 14:25:30.453286 tacacs: tacacs_servergroup_config: got back the return value of Protocol group operation:SUCCESS
2018 Sep 19 14:25:30.453299 tacacs: tacacs_servergroup_config: returning retval 0 for Protocol server group:SPCOM
2018 Sep 19 14:25:30.453315 tacacs: process_aaa_tplus_request: Group SPCOM found. corresponding vrf is management
2018 Sep 19 14:25:30.453330 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:management of requested group
2018 Sep 19 14:25:30.453346 tacacs: process_aaa_tplus_request:port_check will be done
2018 Sep 19 14:25:30.453359 tacacs: create_tplus_req_state_machine(927): entering for aaa session id 0
2018 Sep 19 14:25:30.453374 tacacs: state machine count 0
2018 Sep 19 14:25:30.453387 tacacs: init_tplus_req_state_machine: entering for aaa session id 0
2018 Sep 19 14:25:30.453400 tacacs: init_tplus_req_state_machine(1323):tplus_ctx is NULL it should be if author and test
2018 Sep 19 14:25:30.453414 tacacs: tacacs_servergroup_config: entering for server groupSPCOM, index 0
2018 Sep 19 14:25:30.453430 tacacs: tacacs_servergroup_config: GET_REQ for Protocol server group index:0 name:SPCOM
2018 Sep 19 14:25:30.453443 tacacs: find_tacacs_servergroup: entering for server group SPCOM
2018 Sep 19 14:25:30.453464 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453479 tacacs: find_tacacs_servergroup: exiting for server group SPCOM index is 2
2018 Sep 19 14:25:30.453497 tacacs: tacacs_servergroup_config: GET_REQ: find_tacacs_servergroup error 0 for Protocol server group SPCOM
2018 Sep 19 14:25:30.453516 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453530 tacacs: tacacs_servergroup_config: GET_REQ got Protocol server group index:2 name:SPCOM
2018 Sep 19 14:25:30.453543 tacacs: tacacs_servergroup_config: got back the return value of Protocol group operation:SUCCESS
2018 Sep 19 14:25:30.453555 tacacs: tacacs_servergroup_config: returning retval 0 for Protocol server group:SPCOM
2018 Sep 19 14:25:30.453579 tacacs: tacacs_server_config: entering for server , index 1
2018 Sep 19 14:25:30.453596 tacacs: tacacs_server_config: GET request for Protocol server index:1 addr:
2018 Sep 19 14:25:30.453646 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453662 tacacs: tacacs_server_config: Got for Protocol server index:1 addr:10.10.0.250
2018 Sep 19 14:25:30.453675 tacacs: tacacs_server_config: got back the return value of Protocol server 10.10.0.250 operation: SUCCESS
2018 Sep 19 14:25:30.453688 tacacs: tacacs_server_config: returning auth-port 49, acct-port 49 for Protocol server:10.10.0.250
2018 Sep 19 14:25:30.453702 tacacs: tacacs_server_config: returning retval 0 for Protocol server:10.10.0.250
2018 Sep 19 14:25:30.453737 tacacs: tacacs_global_config(3197): entering ...
2018 Sep 19 14:25:30.453752 tacacs: tacacs_global_config(3521): GET_REQ...
ikiliikkuja Posted September 19, 2018

This is what works for me:

aaa authentication login default group %groupname%
aaa authentication login console local
aaa authorization config-commands default group %groupname% local
aaa authorization commands default group %groupname% local
aaa accounting default group %groupname%
no aaa user default-role
andry_9876 (Author) Posted September 21, 2018

On 19.09.2018 at 20:08, ikiliikkuja said:
    This is what works for me

Nothing changed. I suspect the problem is on the ACS server side, because the authorization at login passes:

Internet Protocol Version 4, Src: 10.10.1.20, Dst: 10.10.0.250
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2097165289
    Packet length: 76
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: Login (1)
        User len: 7
        User: USER
        Port len: 4
        Port: 3000
        Remaddr len: 10
        Remote Address: 10.0.0.144
        Arg count: 4
        Arg[0] length: 13
        Arg[0] value: service=shell
        Arg[1] length: 4
        Arg[1] value: cmd=
        Arg[2] length: 14
        Arg[2] value: cisco-av-pair*
        Arg[3] length: 12
        Arg[3] value: shell:roles*

Internet Protocol Version 4, Src: 10.10.0.250, Dst: 10.10.1.20
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2097165289
    Packet length: 48
    Encrypted Reply
    Decrypted Reply
        Auth Status: PASS_REPL (0x02)
        Server Msg length: 0
        Data length: 0
        Arg count: 1
        Arg[0] length: 41
        Arg[0] value: cisco-av-pair=shell:roles="network-admin"

But the authorization for executing a command does not:

Internet Protocol Version 4, Src: 10.10.1.20, Dst: 10.10.0.250
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 673452272
    Packet length: 83
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: TAC_PLUS_AUTHEN_SVC_NONE (0)
        User len: 7
        User: USER
        Port len: 0
        Remaddr len: 10
        Remote Address: 10.0.0.144
        Arg count: 4
        Arg[0] length: 13
        Arg[0] value: service=shell
        Arg[1] length: 13
        Arg[1] value: cmd=configure
        Arg[2] length: 16
        Arg[2] value: cmd-arg=terminal
        Arg[3] length: 12
        Arg[3] value: cmd-arg=<cr>

Internet Protocol Version 4, Src: 10.10.0.250, Dst: 10.10.1.20
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 673452272
    Packet length: 6
    Encrypted Reply
    Decrypted Reply
        Auth Status: FAIL (0x10)
        Server Msg length: 0
        Data length: 0
        Arg count: 0

N5-C5010-BF-I# sh user-account USER
user:USER
        roles:network-admin
        account created through REMOTE authentication
        Credentials such as ssh server key will be cached temporarily only for this user account
        Local login not possible
N5-C5010-BF-I#
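To make the two decoded exchanges above concrete at the byte level, here is an added example (not code from the thread, from Cisco, or from ACS) that builds and parses TACACS+ authorization packets the way RFC 8907 lays them out, including the MD5 pseudo-pad that the "Encrypted payload" flag refers to. The field values (session ID 673452272, remote address 10.0.0.144, the four args, the PASS_REPL and FAIL replies) are copied from the decodes above; the shared key and the user name are constructed. The parser also shows what a shared-key mismatch looks like from the server's side: the body de-obfuscates to garbage whose declared lengths no longer add up, so the packet is rejected rather than answered. That is one of the things that produces a silent close after the first packet, as in the earlier capture, though the thread does not establish that it was the cause there.

```python
"""TACACS+ authorization packets (RFC 8907) with the MD5 pseudo-pad obfuscation.

Added example, not code from the thread, Cisco or ACS.  KEY and USER are constructed;
the remaining field values mirror the packets decoded in the post above.
"""
import hashlib
import struct

VERSION = 0xC0                       # major 0xc, minor 0
TAC_PLUS_AUTHOR = 0x02               # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, body length

SESSION_ID = 673452272               # from the capture above
REM_ADDR = b"10.0.0.144"             # from the capture above
KEY = b"key-key"                     # constructed shared key
USER = b"nexusop"                    # constructed, 7 bytes like the redacted "USER"


def pseudo_pad(session_id, key, seq_no, length):
    """Keystream: MD5(session_id + key + version + seq_no + previous digest), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, seq_no, body):
    """XOR the body with the pseudo-pad; the same call undoes it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_author_request(key, args, *, session_id=SESSION_ID, user=USER, port=b"",
                         rem_addr=REM_ADDR, priv_lvl=1, seq_no=1):
    # authen_method 0x06 TACACSPLUS, authen_type 0x02 PAP, authen_service 0x00 NONE,
    # as in the decoded command-authorization request.
    body = bytes([0x06, priv_lvl, 0x02, 0x00, len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    hdr = HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(session_id, key, seq_no, body)


def build_author_reply(key, status, args=(), *, session_id=SESSION_ID, seq_no=2):
    body = struct.pack("!BBHH", status, len(args), 0, 0)        # no server_msg, no data
    body += bytes(len(a) for a in args) + b"".join(args)
    hdr = HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(session_id, key, seq_no, body)


def _take(buf, pos, n):
    return buf[pos:pos + n], pos + n


def parse_author_packet(pkt, key):
    """Decode a request (odd seq_no) or a reply (even seq_no).

    With the wrong key the XOR yields garbage: the declared lengths stop adding up to
    the header length, or the fields are not printable, and a ValueError is raised.
    """
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    if version != VERSION or ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not a TACACS+ authorization packet")
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("body length does not match header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(session_id, key, seq_no, body)
    if seq_no % 2:                                   # REQUEST
        if length < 8:
            raise ValueError("short request")
        _, priv_lvl, _, _, user_len, port_len, rem_len, arg_cnt = body[:8]
        fixed, pos = [("user", user_len), ("port", port_len), ("rem_addr", rem_len)], 8
    else:                                            # REPLY
        if length < 6:
            raise ValueError("short reply")
        status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
        fixed, pos = [("server_msg", msg_len), ("data", data_len)], 6
    arg_lens, pos = _take(body, pos, arg_cnt)
    if len(arg_lens) != arg_cnt:
        raise ValueError("argument count exceeds body (wrong key?)")
    if pos + sum(n for _, n in fixed) + sum(arg_lens) != length:
        raise ValueError("field lengths do not add up (wrong key?)")
    out = {"session_id": session_id, "seq_no": seq_no, "args": []}
    for name, n in fixed:
        out[name], pos = _take(body, pos, n)
    for n in arg_lens:
        a, pos = _take(body, pos, n)
        out["args"].append(a)
    for v in [out.get("user", b""), out.get("rem_addr", b"")] + out["args"]:
        if not all(0x20 <= c < 0x7F for c in v):
            raise ValueError("non-printable field (wrong key?)")
    if seq_no % 2:
        out["priv_lvl"] = priv_lvl
    else:
        out["status"] = status
    return out


if __name__ == "__main__":
    req = build_author_request(KEY, [b"service=shell", b"cmd=configure",
                                     b"cmd-arg=terminal", b"cmd-arg=<cr>"])
    print("body length", len(req) - HEADER.size, parse_author_packet(req, KEY)["args"])
    try:
        parse_author_packet(req, b"wrong-key")
    except ValueError as e:
        print("wrong key:", e)
```

The length checks reproduce why the capture shows packet lengths 83, 48 and 6: the header carries only the body length, and every other boundary comes from one-byte (or, in replies, two-byte) length fields inside the obfuscated body, so nothing in the packet authenticates it; a receiver can only notice that a wrong key makes those fields inconsistent.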
zhenya` Posted September 21, 2018

Your ACS answered "not allowed" to the command-execution request. The error is in the ACS configuration.
andry_9876 (Author) Posted September 22, 2018

18 hours ago, zhenya` said:
    Your ACS answered "not allowed" to the command-execution request. The error is in the ACS configuration.

I can see that; any ideas about what to fix and where? This same ACS server works with Cisco, Orion and SNR switches without any problems.
kapydan Posted September 22, 2018

Which version of ACS? Maybe it is specifically a compatibility issue between NX-OS and that ACS version?
zhenya` Posted September 22, 2018

Something is off with the command profiles. Do you even need that part? Debug the policy.
FATHER_FBI Posted September 22, 2018

When you log in to the Cisco box, show us `show privilege`.

If you want command execution to go through ACLs, I think they should look roughly like this:

group = YOUR_GROUP {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = ping {
        permit .*
    }
    cmd = show {
        permit vlan
        permit running-config.interface.TenGigabitEthernet.1.1
        permit running-config.interface.TenGigabitEthernet.1.5
        permit running-config.interface.TenGigabitEthernet.1.6
        permit running-config.interface.TenGigabitEthernet.3.2
        permit running-config.interface.TenGigabitEthernet.3.6
        permit Port-channel.1
        permit Port-channel.5
        deny .*
    }
    cmd = interface {
        permit TenGigabitEthernet.3.2
        permit TenGigabitEthernet.3.6
        permit Port-channel.5
        deny .*
    }
}
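The permit/deny group above is written in the style of a tac_plus configuration rather than the ACS command sets the thread ends up using, but the decision it encodes is the same one the server makes for the `service=shell`, `cmd=...`, `cmd-arg=...` arguments decoded earlier in the thread. The following added example (not code from the thread, tac_plus or ACS) implements that decision in Python: the shell-start request (`cmd=` empty) gets a PASS_REPL carrying the role attribute, and each command request is matched against a per-command rule list with the `cmd-arg` words joined into one string. The matching rules used here (first match inside a cmd block wins, no match inside a block denies, a command with no block falls back to `default service`) are assumptions modelled on that style, not something the thread states; the policy, the role and the requests are constructed.

```python
"""Shell-start and command authorization decisions for TACACS+ shell requests.

Added example, not ACS or tac_plus code.  The rule semantics are assumed (see the
comments); the policy and the requests below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01    # command allowed, no attributes added
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02   # shell start: server supplies the attributes
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10        # what the Nexus received for "configure terminal"


@dataclass
class CmdRule:
    action: str       # "permit" or "deny"
    pattern: str      # regex searched (unanchored) in the joined argument string


@dataclass
class Policy:
    roles: str                                  # NX-OS role(s) handed back at shell start
    default_permit: bool = False                # "default service = deny" in the post above
    cmds: dict = field(default_factory=dict)    # first word of the command -> [CmdRule, ...]


def split_args(args):
    """Map the authorization args to (service, cmd, [cmd-arg, ...]).

    A mandatory arg uses "=", an optional one "*" (the Nexus sends "cisco-av-pair*" and
    "shell:roles*" at shell start to ask for those attributes).
    """
    service, cmd, cmd_args = None, None, []
    for a in args:
        m = re.match(r"([^=*]+)[=*](.*)$", a)
        if not m:
            raise ValueError(f"malformed arg {a!r}")
        key, value = m.groups()
        if key == "service":
            service = value
        elif key == "cmd":
            cmd = value
        elif key == "cmd-arg":
            cmd_args.append(value)
    return service, cmd, cmd_args


def authorize(policy, args):
    """Return (status, reply_args) for one authorization request."""
    service, cmd, cmd_args = split_args(args)
    if service != "shell" or cmd is None:
        return TAC_PLUS_AUTHOR_STATUS_FAIL, []
    if cmd == "":                      # shell start: return the role, nothing to match
        return TAC_PLUS_AUTHOR_STATUS_PASS_REPL, [f'cisco-av-pair=shell:roles="{policy.roles}"']
    argstr = " ".join(w for w in cmd_args if w != "<cr>")   # the trailing <cr> is not an argument
    rules = policy.cmds.get(cmd)
    if rules is None:
        ok = policy.default_permit     # assumed: no block for this command -> default service
    else:
        ok = False                     # assumed: no rule matched inside the block -> deny
        for rule in rules:             # assumed: first matching rule wins
            if re.search(rule.pattern, argstr):
                ok = rule.action == "permit"
                break
    return (TAC_PLUS_AUTHOR_STATUS_PASS_ADD if ok else TAC_PLUS_AUTHOR_STATUS_FAIL), []


# Constructed policy in the shape of the group posted above (subset of its rules).
POLICY = Policy(
    roles="network-admin",
    default_permit=False,
    cmds={
        "ping": [CmdRule("permit", r".*")],
        "show": [CmdRule("permit", r"vlan"),
                 CmdRule("permit", r"running-config.interface.TenGigabitEthernet.1.1"),
                 CmdRule("permit", r"Port-channel.5"),
                 CmdRule("deny", r".*")],
        "interface": [CmdRule("permit", r"Port-channel.5"),
                      CmdRule("deny", r".*")],
    },
)

# Constructed requests; the first two have the same args as the packets decoded earlier.
SHELL_START = ["service=shell", "cmd=", "cisco-av-pair*", "shell:roles*"]
CONF_T = ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]
SHOW_VLAN = ["service=shell", "cmd=show", "cmd-arg=vlan", "cmd-arg=<cr>"]

if __name__ == "__main__":
    for req in (SHELL_START, CONF_T, SHOW_VLAN):
        print(req, "->", authorize(POLICY, req))
```

Note that with this policy `configure terminal` is refused not by an explicit rule but by the absence of a `cmd = configure` block combined with `default service = deny`, which is exactly the shape of the failure in the thread: a login that succeeds (PASS_REPL with a role) followed by FAIL on the first command.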
FATHER_FBI Posted September 23, 2018

4 hours ago, zhenya` said:
    He has Cisco ACS )

ACS is just a wrapper around the tacacs protocol, nothing more.
andry_9876 (Author) Posted September 24, 2018

On 22.09.2018 at 21:00, FATHER_FBI said:
    When you log in to the Cisco box, show us show privilege

C6509V-II#sh privilege
Current privilege level is 15

Figured it out: on the ACS server go to Access Policies > Access Services > Default Device Admin > Authorization, click "Customize" at the bottom right, and in the lower half add "Command Sets" to Selected. After that the rules offer the option of choosing a Command Set. Create a new one, configure it as required, and select it. Apply, save, use.

This can be closed.
YuryD Posted September 24, 2018

tacacs on Cisco boxes is very picky; in my case it required the clocks to be almost synchronized, otherwise it did not work at all. But that was a long time ago.