
Cisco Nexus 5010 (N5K-C5010P-BF V03) + TACACS

Good day.

I cannot get the Nexus 5010 to work with a Cisco ACS server (TACACS+ protocol).

 

N5-C5010-BF-I# sh ver
Software
  BIOS:      version 1.5.0
  loader:    version N/A
  kickstart: version 5.2(1)N1(9a)
  system:    version 5.2(1)N1(9a)
  power-seq: Module 1: version v1.2
  BIOS compile time:       11/30/10
  kickstart image file is: bootflash:///n5000-uk9-kickstart.5.2.1.N1.9a.bin
  kickstart compile time:  4/7/2016 5:00:00 [04/07/2016 17:46:22]
  system image file is:    bootflash:///n5000-uk9.5.2.1.N1.9a.bin
  system compile time:     4/7/2016 5:00:00 [04/07/2016 19:56:59]

Hardware
  cisco Nexus5010 Chassis ("20x10GE/Supervisor")
  Intel(R) Celeron(R) M CPU    with 2065504 kB of memory.
  System version: 5.2(1)N1(9a)

 

TACACS settings:

ip tacacs source-interface mgmt0
tacacs-server timeout 6
tacacs-server host 10.10.0.250 key 0 key-key
aaa group server tacacs+ SPCOM 
    server 10.10.0.250 
    use-vrf management
    source-interface mgmt0

aaa authentication login default group SPCOM local 
aaa authorization config-commands default group SPCOM local 
aaa authorization commands default group SPCOM local 
aaa accounting default group SPCOM local 
tacacs-server directed-request 

 

Other settings:

vrf context management
  ip route 0.0.0.0/0 10.10.0.1

...

interface mgmt0
  vrf member management
  ip address 10.10.2.20/16

 

Debug says:

2018 Sep 17 16:11:05 N5K-C5010-BF-II last message repeated 2 times
2018 Sep 17 16:11:29 N5K-C5010-BF-II last message repeated 2 times
2018 Sep 17 16:11:29 N5K-C5010-BF-II %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USER from 10.0.0.144 - login
2018 Sep 17 16:11:34 N5K-C5010-BF-II %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by USER on 10.0.0.144@pts/0
2018 Sep 17 16:11:41 N5K-C5010-BF-II %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

 

The TACACS server is reachable:

N5K-C5010-BF-II# ping 10.10.0.250 vrf management
PING 10.10.0.250 (10.10.0.250): 56 data bytes
64 bytes from 10.10.0.250: icmp_seq=0 ttl=63 time=3.315 ms
64 bytes from 10.10.0.250: icmp_seq=1 ttl=63 time=2.927 ms
64 bytes from 10.10.0.250: icmp_seq=2 ttl=63 time=3.126 ms
64 bytes from 10.10.0.250: icmp_seq=3 ttl=63 time=3.091 ms
64 bytes from 10.10.0.250: icmp_seq=4 ttl=63 time=3.122 ms

--- 10.10.0.250 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.927/3.116/3.315 ms

Edited by andry_9876 (typo)

The exchange between the switch and the ACS server does take place:

N5-C5010-BF-I# etha loc int mgmt capture-filter "host 10.10.0.250"
Capturing on eth0
2018-09-19 11:56:46.850199   10.10.1.20 -> 10.10.0.250  TCP 42855 > tacacs [SYN] Seq=0 Len=0 MSS=1460 WS=0 TSV=2398447 TSER=0
2018-09-19 11:56:46.851567  10.10.0.250 -> 10.10.1.20   TCP tacacs > 42855 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=1905513751 TSER=2398447 WS=7
2018-09-19 11:56:46.853343   10.10.1.20 -> 10.10.0.250  TCP 42855 > tacacs [ACK] Seq=1 Ack=1 Win=17376 Len=0 TSV=2398447 TSER=1905513751
2018-09-19 11:56:46.855126   10.10.1.20 -> 10.10.0.250  TACACS+ Q: Authentication
2018-09-19 11:56:46.855666  10.10.0.250 -> 10.10.1.20   TCP tacacs > 42855 [ACK] Seq=1 Ack=52 Win=14592 Len=0 TSV=1905513756 TSER=2398447
2018-09-19 11:56:46.859760  10.10.0.250 -> 10.10.1.20   TCP tacacs > 42855 [FIN, ACK] Seq=1 Ack=52 Win=14592 Len=0 TSV=1905513758 TSER=2398447
2018-09-19 11:56:46.860504   10.10.1.20 -> 10.10.0.250  TCP 42855 > tacacs [ACK] Seq=52 Ack=2 Win=17376 Len=0 TSV=2398447 TSER=1905513758
2018-09-19 11:56:46.861171   10.10.1.20 -> 10.10.0.250  TCP 42855 > tacacs [FIN, ACK] Seq=52 Ack=2 Win=17376 Len=0 TSV=2398447 TSER=1905513758
2018-09-19 11:56:46.863868  10.10.0.250 -> 10.10.1.20   TCP tacacs > 42855 [ACK] Seq=2 Ack=53 Win=14592 Len=0 TSV=1905513762 TSER=2398447

N5-C5010-BF-I# 9 packets captured

 


Following the guide https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html#config2 I configured the server; I can log in to the switch, but commands are not executed:

N5-C5010-BF-I# conf t
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
N5-C5010-BF-I# sh run
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
N5-C5010-BF-I# 

Although the debug says SUCCESS:

2018 Sep 19 14:25:30.452980 tacacs: process_rd_fd_set: calling callback for fd 7
2018 Sep 19 14:25:30.453019 tacacs: fsrv_sdb_process_msg: vdc-id[1] mts_opc[8421][MTS_OPC_TACACS_AAA_REQ] 0xbfc3579c 0xb57d7474 406 
2018 Sep 19 14:25:30.453036 tacacs: Sending it to SDB-Dispatch 
2018 Sep 19 14:25:30.453052 tacacs: Sdb-dispatch did not process 
2018 Sep 19 14:25:30.453072 tacacs: No msg handler in FSRV for mts_opc[8421][MTS_OPC_TACACS_AAA_REQ] 
2018 Sep 19 14:25:30.453087 tacacs: fsrv didnt consume 8421 opcode
2018 Sep 19 14:25:30.453101 tacacs: process_implicit_cfs_session_start: entering...
2018 Sep 19 14:25:30.453114 tacacs: process_implicit_cfs_session_start: exiting; we are in distribution disabled state
2018 Sep 19 14:25:30.453135 tacacs: process_aaa_tplus_request: entering for aaa session id 0
2018 Sep 19 14:25:30.453160 tacacs: process_aaa_tplus_request:Checking for state of mgmt0 port with servergroup SPCOM
2018 Sep 19 14:25:30.453178 tacacs: tacacs_servergroup_config: entering for server group, index 0
2018 Sep 19 14:25:30.453195 tacacs: tacacs_servergroup_config: GETNEXT_REQ for Protocol server group index:0 name:
2018 Sep 19 14:25:30.453236 tacacs: tacacs_pss2_move2key: rcode = 40480003 syserr2str = no such pss key
2018 Sep 19 14:25:30.453252 tacacs: tacacs_pss2_move2key: calling pss2_getkey 
2018 Sep 19 14:25:30.453269 tacacs: tacacs_servergroup_config: GETNEXT_REQ got Protocol server group index:2 name:SPCOM
2018 Sep 19 14:25:30.453286 tacacs: tacacs_servergroup_config: got back the return value of Protocol group operation:SUCCESS
2018 Sep 19 14:25:30.453299 tacacs: tacacs_servergroup_config: returning retval 0 for Protocol server group:SPCOM
2018 Sep 19 14:25:30.453315 tacacs: process_aaa_tplus_request: Group SPCOM found. corresponding vrf is management
2018 Sep 19 14:25:30.453330 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:management of requested group
2018 Sep 19 14:25:30.453346 tacacs: process_aaa_tplus_request:port_check will be done 
2018 Sep 19 14:25:30.453359 tacacs: create_tplus_req_state_machine(927): entering for aaa session id 0
2018 Sep 19 14:25:30.453374 tacacs: state machine count 0
2018 Sep 19 14:25:30.453387 tacacs: init_tplus_req_state_machine: entering for aaa session id 0
2018 Sep 19 14:25:30.453400 tacacs: init_tplus_req_state_machine(1323):tplus_ctx is NULL it should be if author and test
2018 Sep 19 14:25:30.453414 tacacs: tacacs_servergroup_config: entering for server groupSPCOM, index 0
2018 Sep 19 14:25:30.453430 tacacs: tacacs_servergroup_config: GET_REQ for Protocol server group index:0 name:SPCOM
2018 Sep 19 14:25:30.453443 tacacs: find_tacacs_servergroup: entering for server group SPCOM
2018 Sep 19 14:25:30.453464 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453479 tacacs: find_tacacs_servergroup: exiting for server group SPCOM index is 2
2018 Sep 19 14:25:30.453497 tacacs: tacacs_servergroup_config: GET_REQ: find_tacacs_servergroup error 0 for Protocol server group SPCOM
2018 Sep 19 14:25:30.453516 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453530 tacacs: tacacs_servergroup_config: GET_REQ got Protocol server group index:2 name:SPCOM
2018 Sep 19 14:25:30.453543 tacacs: tacacs_servergroup_config: got back the return value of Protocol group operation:SUCCESS
2018 Sep 19 14:25:30.453555 tacacs: tacacs_servergroup_config: returning retval 0 for Protocol server group:SPCOM
2018 Sep 19 14:25:30.453579 tacacs: tacacs_server_config: entering for server , index 1
2018 Sep 19 14:25:30.453596 tacacs: tacacs_server_config: GET request for Protocol server index:1 addr:
2018 Sep 19 14:25:30.453646 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453662 tacacs: tacacs_server_config: Got for Protocol server index:1 addr:10.10.0.250
2018 Sep 19 14:25:30.453675 tacacs: tacacs_server_config: got back the return value of Protocol server 10.10.0.250 operation: SUCCESS
2018 Sep 19 14:25:30.453688 tacacs: tacacs_server_config: returning auth-port 49, acct-port 49 for Protocol server:10.10.0.250
2018 Sep 19 14:25:30.453702 tacacs: tacacs_server_config: returning retval 0 for Protocol server:10.10.0.250
2018 Sep 19 14:25:30.453737 tacacs: tacacs_global_config(3197): entering ...
2018 Sep 19 14:25:30.453752 tacacs: tacacs_global_config(3521): GET_REQ...

this works for me

aaa authentication login default group %groupname%
aaa authentication login console local
aaa authorization config-commands default group %groupname% local
aaa authorization commands default group %groupname% local
aaa accounting default group %groupname%
no aaa user default-role

On 19.09.2018 at 20:08, ikiliikkuja said:

this works for me

Nothing changed.

I suspect the problem is on the ACS server side.

Since authorization at login succeeds:

Internet Protocol Version 4, Src: 10.10.1.20, Dst: 10.10.0.250
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2097165289
    Packet length: 76
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: Login (1)
        User len: 7
        User: USER
        Port len: 4
        Port: 3000
        Remaddr len: 10
        Remote Address: 10.0.0.144
        Arg count: 4
        Arg[0] length: 13
        Arg[0] value: service=shell
        Arg[1] length: 4
        Arg[1] value: cmd=
        Arg[2] length: 14
        Arg[2] value: cisco-av-pair*
        Arg[3] length: 12
        Arg[3] value: shell:roles*
 

Internet Protocol Version 4, Src: 10.10.0.250, Dst: 10.10.1.20
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2097165289
    Packet length: 48
    Encrypted Reply
    Decrypted Reply
        Auth Status: PASS_REPL (0x02)
        Server Msg length: 0
        Data length: 0
        Arg count: 1
        Arg[0] length: 41
        Arg[0] value: cisco-av-pair=shell:roles="network-admin"

But authorization for executing a command does not:

Internet Protocol Version 4, Src: 10.10.1.20, Dst: 10.10.0.250
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 673452272
    Packet length: 83
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: TAC_PLUS_AUTHEN_SVC_NONE (0)
        User len: 7
        User: USER
        Port len: 0
        Remaddr len: 10
        Remote Address: 10.0.0.144
        Arg count: 4
        Arg[0] length: 13
        Arg[0] value: service=shell
        Arg[1] length: 13
        Arg[1] value: cmd=configure
        Arg[2] length: 16
        Arg[2] value: cmd-arg=terminal
        Arg[3] length: 12
        Arg[3] value: cmd-arg=<cr>

 

Internet Protocol Version 4, Src: 10.10.0.250, Dst: 10.10.1.20
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 673452272
    Packet length: 6
    Encrypted Reply
    Decrypted Reply
        Auth Status: FAIL (0x10)
        Server Msg length: 0
        Data length: 0
        Arg count: 0

N5-C5010-BF-I# sh user-account USER
user:USER
        roles:network-admin 
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user
 account
Local login not possible
N5-C5010-BF-I# 
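
An added example (not from the thread) that decodes TACACS+ authorization REPLY packets like the two in the captures above; it assumes the shared secret is the literal key-key from the config at the top and rebuilds the decrypted bodies from the capture values, so the packet lengths 48 and 6 and the PASS_REPL/FAIL statuses come out exactly as Wireshark displayed them.

```python
# Added example: decode TACACS+ authorization REPLY packets like the two in the
# captures above. Shared key and packet contents are constructed from this page.
import hashlib
import struct

TAC_PLUS_AUTHOR = 2      # header type byte for authorization packets
VERSION = 0xC0           # major version 0xc, minor version 0
UNENCRYPTED_FLAG = 0x01  # flags bit; clear in the captures, so the body is obfuscated
# REPLY status codes (RFC 8907 section 6.2); Nexus prints them as AAA_AUTHOR_STATUS_METHOD
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream that obfuscates every TACACS+ body (RFC 8907 section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def build_author_reply(session_id, seq_no, status, args, key):
    """Build an obfuscated authorization REPLY; used here only to construct samples."""
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), 0, 0)  # status, arg_cnt, server_msg_len, data_len
    body += bytes(len(a) for a in arg_bytes) + b"".join(arg_bytes)
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0x00, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, VERSION, seq_no, len(body))))

def decode_author_reply(packet, key):
    """Parse the 12-byte header, de-obfuscate the body and return the REPLY fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a complete authorization packet")
    body = packet[12:]
    if not flags & UNENCRYPTED_FLAG:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    offset = 6 + arg_cnt + msg_len + data_len  # args follow the arg_len array, server_msg and data
    args = []
    for n in body[6:6 + arg_cnt]:
        args.append(body[offset:offset + n].decode())
        offset += n
    return {"session": session_id, "seq": seq_no, "length": length,
            "status": AUTHOR_STATUS.get(status, hex(status)), "args": args}

KEY = b"key-key"  # constructed from the "tacacs-server host ... key 0 key-key" line above
# Login authorization reply from the first capture: PASS_REPL carrying the role av-pair
LOGIN_OK = build_author_reply(2097165289, 2, 0x02, ['cisco-av-pair=shell:roles="network-admin"'], KEY)
# Command authorization reply from the second capture: FAIL (0x10) with no args
CMD_FAIL = build_author_reply(673452272, 2, 0x10, [], KEY)
```

The FAIL status byte 0x10 is the same value the switch printed as AAA_AUTHOR_STATUS_METHOD=16(0x10), which is why the fix had to be made on the ACS side.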

 


18 hours ago, zhenya` said:

Your ACS replied "not allowed" to the command execution request. The error is in the ACS configuration

I can see that; any ideas what to fix and where?

The same ACS server works with Cisco, Orion and SNR switches without any problems.


When you log in to the Cisco, show the output of show privilege

If you want command execution to go through ACLs, I think they should look roughly like this

group = YOUR_GROUP {
    default service = deny
    service = exec { priv-lvl = 15 }
    cmd = ping {
        permit .*
    }
    cmd = show {
        permit vlan
        permit running-config.interface.TenGigabitEthernet.1.1
        permit running-config.interface.TenGigabitEthernet.1.5
        permit running-config.interface.TenGigabitEthernet.1.6
        permit running-config.interface.TenGigabitEthernet.3.2
        permit running-config.interface.TenGigabitEthernet.3.6
        permit Port-channel.1
        permit Port-channel.5
        deny .*
    }
    cmd = interface {
        permit TenGigabitEthernet.3.2
        permit TenGigabitEthernet.3.6
        permit Port-channel.5
        deny .*
    }
}

 


4 hours ago, zhenya` said:

He has Cisco ACS )

ACS is just a wrapper around the tacacs protocol, nothing more


On 22.09.2018 at 21:00, FATHER_FBI said:

When you log in to the Cisco, show the output of show privilege

C6509V-II#sh privilege 
Current privilege level is 15

 

Figured it out:

On the ACS server go to Access Policies > Access Services > Default Device Admin > Authorization, click "Customize" at the bottom right, and in the lower half add "Command Sets" to Selected.

After that the rules get an option to select a Command Set. Create a new one, configure it as required, and select it. Apply, save, use.

 

This can be closed.


tacacs on Ciscos is very finicky; in my case it required near-exact time synchronization or did not work at all. But that was long ago.
