Troubleshooting Your AAA Setup 303
Figure 14-16 Selecting a Downloadable ACL
Troubleshooting Your AAA Setup
Troubleshooting your AAA configuration can be a simple function or a difficult process, depending on how complicated the configuration is and how well you documented it. It is always in your best interests to document any configuration and to be as detailed as possible when doing so. It is also recommended that you use best practices such as adding users to groups and applying rules to groups rather than to users, using a standardized naming convention, and completing the description fields and comment blocks when creating elements, rules, components, and so on. Neglecting these basic steps can turn a relatively simple issue into an extremely difficult troubleshooting event. It is also a good idea to remember the basic troubleshooting method of “divide and conquer.” In other words, don’t start checking the PIX or the CSACS configurations until you have verified connectivity between the two devices.
304 Chapter 14: Configuration of AAA on the Cisco PIX Firewall
Checking the PIX Firewall
The most effective command for troubleshooting the PIX firewall is show. The show command is run in configuration mode and can be used to show the configuration for all the AAA components on the PIX. The following is a list of the show commands pertaining to the AAA configuration:
•show aaa-server—Shows you the different group_tags, which protocol is used for each group_tag, and the ip_address, key, and timeout for each AAA server.
•show aaa—Provides you with the output of the following commands:
—show aaa authentication—Shows you all AAA authentication rules.
—show aaa authorization—Shows you all AAA authorization rules.
—show aaa accounting—Shows you all AAA accounting rules.
—show timeout—Shows the maximum idle time for a session.
—show timeout uauth—Shows the duration in hours, minutes, and seconds before the authentication and authorization cache times out.
—show auth prompt—Shows the prompt, accept, and reject text messages when a user attempts to authenticate via a Telnet session.
Troubleshooting Authentication
If you encounter issues with your AAA authentication, you can use the debug aaa authentication command to display the communication between the Cisco PIX Firewall and the AAA server. This command lets you determine the method of authentication and verify successful communication between the PIX and the AAA server. Example 14-11 shows where a login causes the PIX to initiate a connection to the AAA server at 17.16.1.8, requesting a login using TACACS+ and generating an eight-digit session ID. The session ID is used to distinguish between multiple concurrent authentication requests.
Example 14-17 debug aaa authentication Command Output
tgpix# debug aaa authentication
10:15:01: AAA/AUTHEN: create_user user=’’ ruser=’’ port=’tty19’ rem_addr=’172.16.1.8’ authen_type=1 service=1 priv=1
10:15:01: AAA/AUTHEN/START (0): port=’tty19’ list=’’ action=LOGIN service=LOGIN 10:15:01: AAA/AUTHEN/START (0): using “default” list
10:15:01: AAA/AUTHEN/START (12345678): Method=TACACS+
10:15:01: TAC+ (12345678): received authen response status = GETUSER 10:15:02: AAA/AUTHEN (12345678): status = GETUSER
10:15:02: AAA/AUTHEN/CONT (12345678): continue_login 10:15:02: AAA/AUTHEN (12345678): status = GETUSER 10:15:02: AAA/AUTHEN (12345678): Method=TACACS+ 10:15:02: TAC+: send AUTHEN/CONT packet
10:15:03: TAC+ (12345678): received authen response status = GETPASS 10:15:03: AAA/AUTHEN (12345678): status = GETPASS
10:15:03: AAA/AUTHEN/CONT (12345678): continue_login
Troubleshooting Your AAA Setup 305
Example 14-17 debug aaa authentication Command Output (Continued)
10:15:03: AAA/AUTHEN (12345678): status = GETPASS 10:15:03: AAA/AUTHEN (12345678): Method=TACACS+ 10:15:03: TAC+: send AUTHEN/CONT packet
10:15:03: TAC+ (12345678): received authen response status = PASS 10:15:03: AAA/AUTHEN (12345678): status = PASS
Troubleshooting Authorization
If you encounter issues with your AAA authorization, you can use the debug aaa authorization command to display the communication between the PIX Firewall and the AAA server, as demonstrated in Example 14-12.
Example 14-18 debug aaa authorization Command Output
tgpix# debug aaa authorization
10:15:01: AAA/AUTHOR (0): user=’jdoe’
10:15:01: AAA/AUTHOR (0): send AV service=shell 10:15:01: AAA/AUTHOR (0): send AV cmd*
10:15:01: AAA/AUTHOR (123456789): Method=TACACS+ 10:15:01: AAA/AUTHOR/TAC+ (123456789): user=jdoe
10:15:01: AAA/AUTHOR/TAC+ (123456789): send AV service=shell 10:15:01: AAA/AUTHOR/TAC+ (123456789): send AV cmd*
10:15:01: AAA/AUTHOR (123456789): Post authorization status = FAIL
Troubleshooting Accounting
If you encounter issues with your AAA accounting, you can use the show accounting command to step through the sessions and, if necessary, print records of actively accounted sessions. The debug aaa accounting command is used to display the output of AAA accounting and is independent of the protocol used to transfer records to the log server, as demonstrated in Example 14-13.
Example 14-19 debug aaa accounting Command Output
tgpix# debug aaa accounting
10:15:01: AAA/ACCT: EXEC acct start, line 10 10:15:01: AAA/ACCT: Connect start, line 10, glare 10:15:01: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.16.1.13 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
If you believe you have encountered a protocol-specific problem, you can view the individual protocols using the following commands:
•debug tacacs—Displays the packet information for communication between the PIX Firewall and the AAA server. Example 14-14 demonstrates typical output from this command.
306Chapter 14: Configuration of AAA on the Cisco PIX Firewall
•debug tacacs events—Should be used only if requested by Cisco service personnel.
•debug radius—Displays the output of the RADIUS communication. This is more difficult to read, except for the obvious “Access-Accept” or “Access-Reject” message. Example 14-15 demonstrates typical output from this command.
Example 14-20 debug tacacs Command Output
tgpix# debug tacacs
10:15:01: TAC+: Opening TCP/IP connection to 172.16.1.8 using source 172.16.1.1 10:15:01: TAC+: Sending TCP packet number 123456789-1 to 172.16.1.8 (AUTHEN/START) 10:15:01: TAC+: Receiving TCP packet number 123456789-2 from 172.16.1.8
10:15:01: TAC+ (123456789): received authen response status = GETUSER 10:15:01: TAC+: send AUTHEN/CONT packet
10:15:02: TAC+: Sending TCP packet number 123456789-3 to 172.16.1.8 (AUTHEN/CONT) 10:15:02: TAC+: Receiving TCP packet number 123456789-4 from 172.16.1.8
10:15:02: TAC+ (123456789): received authen response status = GETPASS 10:15:02: TAC+: send AUTHEN/CONT packet
10:15:03: TAC+: Sending TCP packet number 123456789-5 to 172.16.1.8 (AUTHEN/CONT) 10:15:03: TAC+: Receiving TCP packet number 123456789-6 from 172.16.1.8
10:15:03: TAC+ (123456789): received authen response status = PASS 10:15:03: TAC+: Closing TCP connection to 172.16.1.8
Example 14-21 debug radius Command Output
tgpix# debug radius
10:15:01: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xE len 12 10:15:01: Attribute 5 5 CDA14568
10:15:01: Attribute 7 9 B475B47A
10:15:01: Attribute 6 2 45C4E78A
10:15:01: Attribute 4 1 14568521
10:15:01: Radius: Received from 172.16.1.8:1645, Access-Accept, id 0xE len 33 10:15:01: Attribute 2 2 0000000F
NOTE |
It is important that you not run the debug command continuously, because these commands |
|
can generate a significant amount of output. |
|
The command to terminate the debug is no debug insert your command here. |
|
|
Checking the CSACS
After verifying your settings on the Cisco PIX Firewall, you should double-check the settings on the CSACS to ensure that they match the PIX. You can also use the extensive logging information available on the CSACS Reports and Activity page. You can find a list of troubleshooting information for the CSACS in the CSACS online documentation. Simply enter “Troubleshooting Information for Cisco Secure ACS” in the Search box at Cisco.com to find this documentation.