AAA Security Troubleshooting

Monday, June 27, 2011

Dawn Hopper


Article by Doug McKillip

So far we have two posts on security troubleshooting, and there is so much to this one topic that I can't say WHEN we will ever finish it! This week's post focuses on an area that generates a large share of support calls: authentication and authorization failures, and how to determine their cause.

We'll draw on two points from the first post in this series: knowing how the authentication and authorization protocols work pays off, and so does having more than one troubleshooting tool at your disposal.

First of all, for those who may not be acquainted with the acronym, AAA stands for Authentication, Authorization and Accounting. The first paragraph left out accounting because accounting records are only generated for sessions that have already been authenticated and authorized; once those two are working, accounting almost always works as well.

In troubleshooting authentication, my experience has been that the protocol-specific debug tacacs and debug radius commands produce output that is too detailed and too obscure for anyone who is not already well versed in the protocols.

The generic debug aaa authentication command has several advantages over the protocol-specific ones. First, it is available on router, switch, and ASA platforms alike.

The second advantage is visible in the sample output below:

Router# debug aaa authentication

113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='johndoe')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

As seen above, much of the output takes the form attribute=value, and the session ID in parentheses (2784097690) ties every line of one login attempt together. The key attributes are user, Method, service, and status. Reading this sample: the "default" method list was selected, the method was LOCAL, the status moved from GETUSER to GETPASS as the router prompted for a username and then a password, and the final status of PASS means johndoe authenticated successfully against the local database.

While this sample shows authentication against the local database, the same debug applies when the method is TACACS+, RADIUS, or another server; only the Method value changes. In the same way, debug aaa authorization displays attribute=value pairs:

Router# debug aaa authorization
9:35:37: AAA/AUTHOR (0): user='jdoe'
9:35:37: AAA/AUTHOR (0): send AV service=shell
9:35:37: AAA/AUTHOR (0): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Method=TACACS+
9:35:37: AAA/AUTHOR/TAC+ (453996672): user=jdoe
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV service=shell
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Post authorization status = FAIL

In this sample, the router asks the TACACS+ server to authorize user jdoe for service=shell (an EXEC shell) and the server answers FAIL. Note that the status is FAIL rather than ERROR: the server was reached and replied, so this is a policy problem on the server, not a reachability or shared-key problem. To correct it, the network administrator needs to enable the shell (EXEC) service for jdoe, or for the group he belongs to, in the user's authorization settings on the TACACS+ server; the "send AV" lines show exactly which attribute-value pairs the router sent, so they can be compared directly against the server's policy. We'll discuss the subject of the specific "gotchas" with local logins in a future posting.
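As an added example (not part of the original article), here is a small Python parser that reads the two debug transcripts above and reduces each AAA session to the attribute=value pairs the post calls out (user, Method, list, service, status, and the AV pairs sent to the server), then states what to check next. Grouping by the session ID in parentheses, and folding the leading (0) authorization lines into the session that follows, are assumptions drawn from the shape of the sample output; the verdict strings are troubleshooting guidance written for this example, not Cisco output.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the original article: group "debug aaa authentication" and
# "debug aaa authorization" lines by session ID and reduce each session to the
# attribute=value pairs the post calls out. The sample below is the post's own two
# transcripts with wrapped lines rejoined (constructed input for this example).
SAMPLE_DEBUG = """\
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='johndoe')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
9:35:37: AAA/AUTHOR (0): user='jdoe'
9:35:37: AAA/AUTHOR (0): send AV service=shell
9:35:37: AAA/AUTHOR (0): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Method=TACACS+
9:35:37: AAA/AUTHOR/TAC+ (453996672): user=jdoe
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV service=shell
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Post authorization status = FAIL
"""

LINE_RE = re.compile(r"AAA/(?P<phase>AUTHEN|AUTHOR)(?:/[A-Z+]+)*\s*\((?P<sid>\d+)\):\s*(?P<rest>.*)$")  # AAA/MEMORY lines carry no session ID and are skipped
STATUS_RE = re.compile(r"status\s*=\s*(\w+)")       # also matches "Post authorization status = FAIL"
METHOD_RE = re.compile(r"\bMethod=([\w+]+)")        # LOCAL, TACACS+, RADIUS ...
LIST_RE = re.compile(r'using "([^"]+)" list')
USER_RE = re.compile(r"\buser='?([^'\s]+)'?")       # quoted (AUTHEN) or bare (AUTHOR/TAC+)
SERVICE_RE = re.compile(r"\bservice=(\w+)")
AV_RE = re.compile(r"\bsend AV (\S+)")

@dataclass
class Session:
    phase: str                  # AUTHEN or AUTHOR
    sid: str                    # session ID shown in parentheses
    user: str = ""
    method: str = ""
    method_list: str = ""
    service: str = ""
    av_pairs: list = field(default_factory=list)   # what the router asked the server for
    statuses: list = field(default_factory=list)   # GETUSER, GETPASS, PASS, FAIL, ERROR ...

def _apply(sess: Session, rest: str) -> None:
    """Record the attribute=value pairs found on one debug line."""
    for rx, attr in ((METHOD_RE, "method"), (LIST_RE, "method_list"), (SERVICE_RE, "service")):
        m = rx.search(rest)
        if m:
            setattr(sess, attr, m.group(1))
    m = STATUS_RE.search(rest)
    if m:
        sess.statuses.append(m.group(1))
    m = USER_RE.search(rest)
    if m and m.group(1) != "(undef)":               # "(undef)" = username not entered yet
        sess.user = m.group(1)
    m = AV_RE.search(rest)
    if m and m.group(1) not in sess.av_pairs:
        sess.av_pairs.append(m.group(1))

def parse_debug(text: str) -> list:
    """One Session per (phase, session ID), in order of first appearance. Authorization output
    starts with ID 0; those lines are folded into the next non-zero session of the same phase
    (assumption drawn from the shape of the sample output)."""
    sessions, pending = {}, {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        phase, sid, rest = m.group("phase"), m.group("sid"), m.group("rest")
        if sid == "0":
            sess = pending.setdefault(phase, Session(phase, sid))
        else:
            if (phase, sid) not in sessions:
                sessions[(phase, sid)] = pending.pop(phase, None) or Session(phase, sid)
                sessions[(phase, sid)].sid = sid
            sess = sessions[(phase, sid)]
        _apply(sess, rest)
    return list(sessions.values())

def diagnose(sess: Session) -> str:
    """One-line verdict per session, with the next thing to check."""
    st = sess.statuses[-1] if sess.statuses else "UNKNOWN"
    head = f"{sess.phase} {st} user={sess.user or '?'} method={sess.method or '?'}"
    if sess.method_list:
        head += f" list={sess.method_list}"
    if st == "PASS":
        return head
    if st == "ERROR":   # method could not answer; IOS then tries the next method in the list
        return f"{head}: {sess.method} returned ERROR; check server reachability and the shared key"
    if sess.phase == "AUTHOR" and st == "FAIL":   # server was reached and said no
        return (f"{head}: server rejected AV pairs [{' '.join(sess.av_pairs)}]; enable "
                f"service={sess.service or 'shell'} for this user or group on the {sess.method} server")
    return f"{head}: rejected by {sess.method}; check the user entry in that method's database"
```

Calling diagnose(s) for each session returned by parse_debug(SAMPLE_DEBUG) yields one line for the johndoe login (AUTHEN PASS via LOCAL, list default) and one for the jdoe authorization (AUTHOR FAIL via TACACS+, with service=shell and cmd* as the rejected AV pairs). The FAIL/ERROR split in diagnose mirrors the point made above: FAIL is an answer from the server, ERROR means the method never produced one.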

Cross-posted from Global Knowledge
