andry_9876 Posted September 17, 2018 (edited)

Good day. I can't get a Nexus 5010 to work with a Cisco ACS server (TACACS+ protocol).

N5-C5010-BF-I# sh ver
Software
  BIOS: version 1.5.0
  loader: version N/A
  kickstart: version 5.2(1)N1(9a)
  system: version 5.2(1)N1(9a)
  power-seq: Module 1: version v1.2
  BIOS compile time: 11/30/10
  kickstart image file is: bootflash:///n5000-uk9-kickstart.5.2.1.N1.9a.bin
  kickstart compile time: 4/7/2016 5:00:00 [04/07/2016 17:46:22]
  system image file is: bootflash:///n5000-uk9.5.2.1.N1.9a.bin
  system compile time: 4/7/2016 5:00:00 [04/07/2016 19:56:59]
Hardware
  cisco Nexus5010 Chassis ("20x10GE/Supervisor")
  Intel(R) Celeron(R) M CPU with 2065504 kB of memory.
  System version: 5.2(1)N1(9a)

TACACS settings:

ip tacacs source-interface mgmt0
tacacs-server timeout 6
tacacs-server host 10.10.0.250 key 0 key-key
aaa group server tacacs+ SPCOM
  server 10.10.0.250
  use-vrf management
  source-interface mgmt0
aaa authentication login default group SPCOM local
aaa authorization config-commands default group SPCOM local
aaa authorization commands default group SPCOM local
aaa accounting default group SPCOM local
tacacs-server directed-request

Other settings:

vrf context management
  ip route 0.0.0.0/0 10.10.0.1
...
interface mgmt0
  vrf member management
  ip address 10.10.2.20/16

Debug says:

2018 Sep 17 16:11:05 N5K-C5010-BF-II last message repeated 2 times
2018 Sep 17 16:11:29 N5K-C5010-BF-II last message repeated 2 times
2018 Sep 17 16:11:29 N5K-C5010-BF-II %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USER from 10.0.0.144 - login
2018 Sep 17 16:11:34 N5K-C5010-BF-II %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by USER on 10.0.0.144@pts/0
2018 Sep 17 16:11:41 N5K-C5010-BF-II %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

The TACACS server is reachable:

N5K-C5010-BF-II# ping 10.10.0.250 vrf management
PING 10.10.0.250 (10.10.0.250): 56 data bytes
64 bytes from 10.10.0.250: icmp_seq=0 ttl=63 time=3.315 ms
64 bytes from 10.10.0.250: icmp_seq=1 ttl=63 time=2.927 ms
64 bytes from 10.10.0.250: icmp_seq=2 ttl=63 time=3.126 ms
64 bytes from 10.10.0.250: icmp_seq=3 ttl=63 time=3.091 ms
64 bytes from 10.10.0.250: icmp_seq=4 ttl=63 time=3.122 ms

--- 10.10.0.250 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.927/3.116/3.315 ms

Edited September 18, 2018 by andry_9876: typo
andry_9876 Posted September 19, 2018

The exchange between the switch and the ACS server does take place:

N5-C5010-BF-I# etha loc int mgmt capture-filter "host 10.10.0.250"
Capturing on eth0
2018-09-19 11:56:46.850199 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [SYN] Seq=0 Len=0 MSS=1460 WS=0 TSV=2398447 TSER=0
2018-09-19 11:56:46.851567 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=1905513751 TSER=2398447 WS=7
2018-09-19 11:56:46.853343 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [ACK] Seq=1 Ack=1 Win=17376 Len=0 TSV=2398447 TSER=1905513751
2018-09-19 11:56:46.855126 10.10.1.20 -> 10.10.0.250 TACACS+ Q: Authentication
2018-09-19 11:56:46.855666 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [ACK] Seq=1 Ack=52 Win=14592 Len=0 TSV=1905513756 TSER=2398447
2018-09-19 11:56:46.859760 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [FIN, ACK] Seq=1 Ack=52 Win=14592 Len=0 TSV=1905513758 TSER=2398447
2018-09-19 11:56:46.860504 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [ACK] Seq=52 Ack=2 Win=17376 Len=0 TSV=2398447 TSER=1905513758
2018-09-19 11:56:46.861171 10.10.1.20 -> 10.10.0.250 TCP 42855 > tacacs [FIN, ACK] Seq=52 Ack=2 Win=17376 Len=0 TSV=2398447 TSER=1905513758
2018-09-19 11:56:46.863868 10.10.0.250 -> 10.10.1.20 TCP tacacs > 42855 [ACK] Seq=2 Ack=53 Win=14592 Len=0 TSV=1905513762 TSER=2398447
N5-C5010-BF-I# 9 packets captured
zhenya` Posted September 19, 2018

Most likely you also need to send cisco-av-pair shell:roles there: https://routing-bits.com/2011/05/24/nexus-user-roles/
andry_9876 Posted September 19, 2018

Following the guide at https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html#config2 I configured the server. I can log in to the switch, but commands are not executed:

N5-C5010-BF-I# conf t
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
N5-C5010-BF-I# sh run
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
N5-C5010-BF-I#

Although the debug says SUCCESS:

2018 Sep 19 14:25:30.452980 tacacs: process_rd_fd_set: calling callback for fd 7
2018 Sep 19 14:25:30.453019 tacacs: fsrv_sdb_process_msg: vdc-id[1] mts_opc[8421][MTS_OPC_TACACS_AAA_REQ] 0xbfc3579c 0xb57d7474 406
2018 Sep 19 14:25:30.453036 tacacs: Sending it to SDB-Dispatch
2018 Sep 19 14:25:30.453052 tacacs: Sdb-dispatch did not process
2018 Sep 19 14:25:30.453072 tacacs: No msg handler in FSRV for mts_opc[8421][MTS_OPC_TACACS_AAA_REQ]
2018 Sep 19 14:25:30.453087 tacacs: fsrv didnt consume 8421 opcode
2018 Sep 19 14:25:30.453101 tacacs: process_implicit_cfs_session_start: entering...
2018 Sep 19 14:25:30.453114 tacacs: process_implicit_cfs_session_start: exiting; we are in distribution disabled state
2018 Sep 19 14:25:30.453135 tacacs: process_aaa_tplus_request: entering for aaa session id 0
2018 Sep 19 14:25:30.453160 tacacs: process_aaa_tplus_request:Checking for state of mgmt0 port with servergroup SPCOM
2018 Sep 19 14:25:30.453178 tacacs: tacacs_servergroup_config: entering for server group, index 0
2018 Sep 19 14:25:30.453195 tacacs: tacacs_servergroup_config: GETNEXT_REQ for Protocol server group index:0 name:
2018 Sep 19 14:25:30.453236 tacacs: tacacs_pss2_move2key: rcode = 40480003 syserr2str = no such pss key
2018 Sep 19 14:25:30.453252 tacacs: tacacs_pss2_move2key: calling pss2_getkey
2018 Sep 19 14:25:30.453269 tacacs: tacacs_servergroup_config: GETNEXT_REQ got Protocol server group index:2 name:SPCOM
2018 Sep 19 14:25:30.453286 tacacs: tacacs_servergroup_config: got back the return value of Protocol group operation:SUCCESS
2018 Sep 19 14:25:30.453299 tacacs: tacacs_servergroup_config: returning retval 0 for Protocol server group:SPCOM
2018 Sep 19 14:25:30.453315 tacacs: process_aaa_tplus_request: Group SPCOM found. corresponding vrf is management
2018 Sep 19 14:25:30.453330 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:management of requested group
2018 Sep 19 14:25:30.453346 tacacs: process_aaa_tplus_request:port_check will be done
2018 Sep 19 14:25:30.453359 tacacs: create_tplus_req_state_machine(927): entering for aaa session id 0
2018 Sep 19 14:25:30.453374 tacacs: state machine count 0
2018 Sep 19 14:25:30.453387 tacacs: init_tplus_req_state_machine: entering for aaa session id 0
2018 Sep 19 14:25:30.453400 tacacs: init_tplus_req_state_machine(1323):tplus_ctx is NULL it should be if author and test
2018 Sep 19 14:25:30.453414 tacacs: tacacs_servergroup_config: entering for server groupSPCOM, index 0
2018 Sep 19 14:25:30.453430 tacacs: tacacs_servergroup_config: GET_REQ for Protocol server group index:0 name:SPCOM
2018 Sep 19 14:25:30.453443 tacacs: find_tacacs_servergroup: entering for server group SPCOM
2018 Sep 19 14:25:30.453464 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453479 tacacs: find_tacacs_servergroup: exiting for server group SPCOM index is 2
2018 Sep 19 14:25:30.453497 tacacs: tacacs_servergroup_config: GET_REQ: find_tacacs_servergroup error 0 for Protocol server group SPCOM
2018 Sep 19 14:25:30.453516 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453530 tacacs: tacacs_servergroup_config: GET_REQ got Protocol server group index:2 name:SPCOM
2018 Sep 19 14:25:30.453543 tacacs: tacacs_servergroup_config: got back the return value of Protocol group operation:SUCCESS
2018 Sep 19 14:25:30.453555 tacacs: tacacs_servergroup_config: returning retval 0 for Protocol server group:SPCOM
2018 Sep 19 14:25:30.453579 tacacs: tacacs_server_config: entering for server , index 1
2018 Sep 19 14:25:30.453596 tacacs: tacacs_server_config: GET request for Protocol server index:1 addr:
2018 Sep 19 14:25:30.453646 tacacs: tacacs_pss2_move2key: rcode = 0 syserr2str = SUCCESS
2018 Sep 19 14:25:30.453662 tacacs: tacacs_server_config: Got for Protocol server index:1 addr:10.10.0.250
2018 Sep 19 14:25:30.453675 tacacs: tacacs_server_config: got back the return value of Protocol server 10.10.0.250 operation: SUCCESS
2018 Sep 19 14:25:30.453688 tacacs: tacacs_server_config: returning auth-port 49, acct-port 49 for Protocol server:10.10.0.250
2018 Sep 19 14:25:30.453702 tacacs: tacacs_server_config: returning retval 0 for Protocol server:10.10.0.250
2018 Sep 19 14:25:30.453737 tacacs: tacacs_global_config(3197): entering ...
2018 Sep 19 14:25:30.453752 tacacs: tacacs_global_config(3521): GET_REQ...
ikiliikkuja Posted September 19, 2018

This is how it works for me:

aaa authentication login default group %groupname%
aaa authentication login console local
aaa authorization config-commands default group %groupname% local
aaa authorization commands default group %groupname% local
aaa accounting default group %groupname%
no aaa user default-role
andry_9876 Posted September 21, 2018

> On 19.09.2018 at 20:08, ikiliikkuja said:
> This is how it works for me

Nothing changed. I suspect the problem is on the ACS server side, since authorization at login succeeds:

Internet Protocol Version 4, Src: 10.10.1.20, Dst: 10.10.0.250
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2097165289
    Packet length: 76
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: Login (1)
        User len: 7
        User: USER
        Port len: 4
        Port: 3000
        Remaddr len: 10
        Remote Address: 10.0.0.144
        Arg count: 4
        Arg[0] length: 13
        Arg[0] value: service=shell
        Arg[1] length: 4
        Arg[1] value: cmd=
        Arg[2] length: 14
        Arg[2] value: cisco-av-pair*
        Arg[3] length: 12
        Arg[3] value: shell:roles*

Internet Protocol Version 4, Src: 10.10.0.250, Dst: 10.10.1.20
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 2097165289
    Packet length: 48
    Encrypted Reply
    Decrypted Reply
        Auth Status: PASS_REPL (0x02)
        Server Msg length: 0
        Data length: 0
        Arg count: 1
        Arg[0] length: 41
        Arg[0] value: cisco-av-pair=shell:roles="network-admin"

But authorization for command execution does not:

Internet Protocol Version 4, Src: 10.10.1.20, Dst: 10.10.0.250
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 673452272
    Packet length: 83
    Encrypted Request
    Decrypted Request
        Auth Method: TACACSPLUS (0x06)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: TAC_PLUS_AUTHEN_SVC_NONE (0)
        User len: 7
        User: USER
        Port len: 0
        Remaddr len: 10
        Remote Address: 10.0.0.144
        Arg count: 4
        Arg[0] length: 13
        Arg[0] value: service=shell
        Arg[1] length: 13
        Arg[1] value: cmd=configure
        Arg[2] length: 16
        Arg[2] value: cmd-arg=terminal
        Arg[3] length: 12
        Arg[3] value: cmd-arg=<cr>

Internet Protocol Version 4, Src: 10.10.0.250, Dst: 10.10.1.20
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authorization (2)
    Sequence number: 2
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 673452272
    Packet length: 6
    Encrypted Reply
    Decrypted Reply
        Auth Status: FAIL (0x10)
        Server Msg length: 0
        Data length: 0
        Arg count: 0

N5-C5010-BF-I# sh user-account USER
user:USER
        roles:network-admin
        account created through REMOTE authentication
        Credentials such as ssh server key will be cached temporarily only for this user account
        Local login not possible
N5-C5010-BF-I#
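The two authorization exchanges decoded above, as an added Python example (not from the original post, and not Cisco or ACS code): it encodes the switch's authorization REQUEST bodies and parses the server's REPLY bodies per RFC 8907, and applies the MD5 pseudo-pad that the "Encrypted payload" flag refers to. The user name "netops1" (7 characters, matching "User len: 7" in the capture), the shared key and the sample reply bodies are constructed for the example; the byte lengths come out to the 76, 83, 48 and 6 bytes shown in the capture.

```python
import hashlib
import struct

# TACACS+ authorization status codes (RFC 8907, section 6.2).  0x10 is the FAIL the
# ACS returned above; NX-OS reports the same value as AAA_AUTHOR_STATUS_METHOD=16(0x10).
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_PAP = 0x06, 0x02


def build_author_request(user, port, rem_addr, args, priv_lvl=1, authen_service=1):
    """Encode an authorization REQUEST body (RFC 8907, section 6.1).
    authen_service=1 (LOGIN) at login, 0 (NONE) for per-command checks, as captured."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    head = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_PAP,
                       authen_service, len(user), len(port), len(rem_addr), len(args))
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_reply(body):
    """Decode an authorization REPLY body -> (status name, server_msg, args)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt
    arg_lens = body[6:pos]
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len  # skip server_msg and the opaque data field
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return STATUS.get(status, f"UNKNOWN(0x{status:02x})"), server_msg, args


def obfuscate(body, session_id, key, seq_no, version=0xC0):
    """XOR the body with the MD5 pseudo-pad (RFC 8907, section 4.5).
    Symmetric: the same call de-obfuscates a captured body when the key is known."""
    seed = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample bodies mirroring the two server replies in the capture.
PASS_REPL_BODY = bytes([0x02, 1, 0, 0, 0, 0, 41]) + b'cisco-av-pair=shell:roles="network-admin"'
FAIL_BODY = bytes([0x10, 0, 0, 0, 0, 0])
```

Feeding a real capture through obfuscate() with the switch's key reproduces the "Decrypted Request" / "Decrypted Reply" view above, which is how you confirm from the wire that the FAIL came from the server's policy rather than from the switch.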
zhenya` Posted September 21, 2018

Your ACS replied "not allowed" to the command execution request. It's an error in the ACS configuration.
andry_9876 Posted September 22, 2018

> 18 hours ago, zhenya` said:
> Your ACS replied "not allowed" to the command execution request. It's an error in the ACS configuration.

I can see that; any ideas about what to fix and where? The same ACS server works with Cisco, Orion and SNR switches without any problems.
kapydan Posted September 22, 2018

Which version of ACS? Maybe the issue is specifically compatibility between NX-OS and that ACS version?
zhenya` Posted September 22, 2018

Something is off with the command profiles. Do you even need that part? Debug the policy.
FATHER_FBI Posted September 22, 2018

When you log in to the Cisco, show the output of show privilege.

If you want command execution to go through ACL, I think they should look roughly like this:

group = YOUR_GROUP {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = ping {
        permit .*
    }
    cmd = show {
        permit vlan
        permit running-config.interface.TenGigabitEthernet.1.1
        permit running-config.interface.TenGigabitEthernet.1.5
        permit running-config.interface.TenGigabitEthernet.1.6
        permit running-config.interface.TenGigabitEthernet.3.2
        permit running-config.interface.TenGigabitEthernet.3.6
        permit Port-channel.1
        permit Port-channel.5
        deny .*
    }
    cmd = interface {
        permit TenGigabitEthernet.3.2
        permit TenGigabitEthernet.3.6
        permit Port-channel.5
        deny .*
    }
}
zhenya` Posted September 23, 2018

He has Cisco ACS )
FATHER_FBI Posted September 23, 2018

> 4 hours ago, zhenya` said:
> He has Cisco ACS )

ACS is just a wrapper around the tacacs protocol, nothing more.
andry_9876 Posted September 24, 2018

> On 22.09.2018 at 21:00, FATHER_FBI said:
> When you log in to the Cisco, show the output of show privilege.

C6509V-II#sh privilege
Current privilege level is 15

Figured it out. On the ACS server go to Access Policies > Access Services > Default Device Admin > Authorization, click "Customize" at the bottom right, and in the lower half add "Command Sets" to Selected. After that, the rules get an option to choose a Command Set. Create a new one, configure it as required, and select it. Apply, save, use.

This can be closed.
YuryD Posted September 24, 2018

tacacs on Cisco boxes is very picky; in my case it required near-exact time synchronization or did not work at all. But that was a long time ago.