Security Troubleshooting – AAA Troubleshooting

So far we have two posts on security troubleshooting — there’s so much to this one topic that I can’t say WHEN we will ever finish it! This week’s post focuses on a frequently encountered problem area: authentication and/or authorization failures, and how to determine their cause.

We’ll utilize two key concepts from the first post in this series — namely, that knowledge of the authentication/authorization protocols is valuable, and that having multiple troubleshooting tools at your disposal is just as important.

First of all, for those who may not be acquainted with the acronym, AAA stands for Authentication, Authorization, and Accounting. The first paragraph left out accounting because that feature almost always works once authentication and authorization are working. In troubleshooting authentication, my experience has been that the protocol-specific debug tacacs+ and debug radius commands produce output that is too detailed and obscure for anyone who is not deeply familiar with those protocols.

Instead, the generic debug aaa authentication command has several advantages over the protocol-specific ones. First, it can be used across the router, switch, and ASA platforms.

The second advantage can be seen in the sample output of this command shown below:
Router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='johndoe')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

As seen above, there are several places where the output appears in the form attribute = value. The key attributes shown above are user, Method, service, and status. While this sample illustrates authentication against the local database, the same debug command can be used with TACACS+, RADIUS, or other authentication methods. In a similar fashion, debug aaa authorization also displays these attribute – value pairs:

Router# debug aaa authorization
9:35:37: AAA/AUTHOR (0): user='jdoe'
9:35:37: AAA/AUTHOR (0): send AV service=shell
9:35:37: AAA/AUTHOR (0): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Method=TACACS+
9:35:37: AAA/AUTHOR/TAC+ (453996672): user=jdoe
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV service=shell
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Post authorization status = FAIL

In this sample, the network administrator needs to ensure that the “shell” service attribute (service=shell) is allowed for user jdoe under his TACACS+ authorization attribute list in order to correct this problem. We’ll discuss the specific “gotchas” with local logins in a future posting.
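To show how the attribute = value pairs above lend themselves to quick triage, here is an added example (not from the original post, and not a Cisco tool) that parses the two debug outputs quoted above, groups the pairs by AAA session id, and reports who was being checked, by which Method, and with what final status. The sample lines are copied from the post with the wrapped continuation lines re-joined; the `diagnose` wording is my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the debug aaa authentication and
# debug aaa authorization outputs quoted in the post, wrapped lines re-joined.
SAMPLE = """\
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='johndoe')
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
9:35:37: AAA/AUTHOR (453996672): Method=TACACS+
9:35:37: AAA/AUTHOR/TAC+ (453996672): user=jdoe
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV service=shell
9:35:37: AAA/AUTHOR/TAC+ (453996672): send AV cmd*
9:35:37: AAA/AUTHOR (453996672): Post authorization status = FAIL
"""

# "AAA/<facility> (<session id>): <rest of line>"; lines without a numeric
# session id (e.g. AAA/MEMORY) are skipped.
LINE_RE = re.compile(r"AAA/(?P<fac>[A-Z+/]+) \((?P<sid>\d+)\): (?P<rest>.*)")
# attribute=value, attribute = value, or attribute='value'
AV_RE = re.compile(r"(?P<key>[A-Za-z_]+) ?= ?'?(?P<val>[^'\s]*)'?")

def parse_aaa_debug(text):
    """Collect attribute=value pairs per AAA session id; later values win."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sess = sessions[m["sid"]]
        sess["phase"] = m["fac"].split("/")[0]   # AUTHEN or AUTHOR
        for av in AV_RE.finditer(m["rest"]):
            sess[av["key"]] = av["val"]          # e.g. user, Method, service, status
    return dict(sessions)

def diagnose(sess):
    """Summarize one session as the next question a troubleshooter would ask."""
    who, method = sess.get("user", "?"), sess.get("Method", "?")
    status = sess.get("status")
    phase = "authentication" if sess["phase"] == "AUTHEN" else "authorization"
    if status == "PASS":
        return f"{phase} PASS for {who} via {method}"
    if status == "FAIL":
        svc = f" (service={sess['service']})" if "service" in sess else ""
        return f"{phase} FAIL for {who} via {method}{svc}: review that user's {method} entry"
    return f"{phase} for {who} did not complete (last status {status})"
```

Run `parse_aaa_debug` over a captured terminal log and feed each session to `diagnose`; a session whose last status is GETUSER or GETPASS never received credentials, which separates a stalled login from a rejected one.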
