Not Authorized

Document created by cdnadmin on Jan 25, 2014
Version 1
This document was generated from CDN thread

Created by: James ******* on 04-11-2013 11:18:45 AM
I am running an ASR1K with 3.10S1 and onepk 1.0.0 (1.0.0.86 API) 

Using the Java SDK running the BaseTutorial (and anything else) I get the following

243  ERROR com.cisco.onep.element.NetworkElement - IDL Exception: ExceptionIDL(code:8, text:User is not authorized to run this application, context:0)
244  ERROR com.cisco.onep.element.NetworkElement - Could not connect to NetworkElement: com.cisco.onep.core.exception.OnepConnectionException: Error occurred in the operation. Failed to connect to the network element or the session is closed. null
255  ERROR com.cisco.onep.tutorials.BaseTutorial - Error occurred in the operation. Failed to connect to the network element or the session is closed. null

The router config is

aaa authentication onep default group LAB-TACACS local
aaa authorization onep default group LAB-TACACS local
aaa accounting onep default start-stop group LAB-TACACS
onep
 transport type tcp
 session max 32

with the following debug on the router. Any ideas?

Nov  4 17:14:10.883 gmt: [187] : Server Done tos 1 [cthrift_recv_main__:2256]
Nov  4 17:14:10.884 gmt: [187] : BaseTutorial-xnc1: Connecting attempt: username timeout[0] shandle[0] fd[2] [NetworkElement_connectIDL:216]
Nov  4 17:14:10.884 gmt: [187] : BaseTutorial-xnc1: FSM:  ==>  [network_app_fsm_connecting:2597]
Nov  4 17:14:10.884 gmt: [187] : Fail to find handle [8193] [network_element_find_app_by_handle:530]
Nov  4 17:14:10.884 gmt: [187] : Fail to find handle [8193] [network_element_find_app_by_handle:530]
Nov  4 17:14:10.884 gmt: [187] : BaseTutorial-xnc1-8193: [0x7F10E3CFDC78][2001] added [network_element_add_app_internal:366]
Nov  4 17:14:10.884 gmt: [187] : BaseTutorial-xnc1-8193: Connecting with handle [2001] at Mon Nov 04 17:14:10.883 [network_app_fsm_connecting:2624]
Nov  4 17:14:10.884 gmt: [187] : BaseTutorial-xnc1-8193: FSM:  ==>  [network_app_fsm_authenticated:2794]
Nov  4 17:14:10.884 gmt: [187] : Authenticating ONEP Session for user jcumming [onep_al_aaa_session_authenticate:1462]
Nov  4 17:14:10.884 gmt: [187] : AAA is configured [onep_al_aaa_session_authenticate:1492]
Nov  4 17:14:10.884 gmt: [187] : Processing AAA request [onep_al_aaa_process_request:1070]
Nov  4 17:14:10.884 gmt: AAA/BIND(00000208): Bind i/f
Nov  4 17:14:10.884 gmt: AAA/AUTHEN/ConnectedApps (00000208): Pick method list 'default'
Nov  4 17:14:10.889 gmt: [187] : Using TACACS authentication method [onep_al_aaa_process_request:1175]
Nov  4 17:14:10.889 gmt: [187] : AAA get password [onep_al_aaa_process_request:1267]
Nov  4 17:14:10.920 gmt: [187] : Initiating TACACS Authorization request [onep_al_aaa_tacacs_author_request:941]
Nov  4 17:14:10.920 gmt: AAA/AUTHOR (0x208): Pick method list 'default'
Nov  4 17:14:10.924 gmt: [187] : Authorization status 2 [onep_al_aaa_tacacs_author_request:1013]
Nov  4 17:14:10.924 gmt: [187] : TACACS Authorization attribute list [onep_al_aaa_tacacs_author_request:1023]
      username             0   "jcumming"
      password             0   <hidden>
      priv-lvl             0   15 (0xF)
Nov  4 17:14:10.924 gmt: [187] : Onep Session Authentication successful [onep_al_aaa_session_authenticate:1511]
Nov  4 17:14:10.924 gmt: [187] : Auto-accounting is not enabled [onep_al_aaa_session_authenticate:1523]
Nov  4 17:14:10.924 gmt: [187] : Checking app name in attribute list [onep_al_aaa_is_app_allowed:1366]
Nov  4 17:14:10.924 gmt: [187] : Original AAA attribute list of length:3 [onep_al_aaa_is_app_allowed:1381]
      username             0   "jcumming"
      password             0   <hidden>
      priv-lvl             0   15 (0xF)
Nov  4 17:14:10.924 gmt: [187] : Privilege level: 15 [onep_al_aaa_is_app_allowed:1413]
Nov  4 17:14:10.924 gmt: [187] : Application BaseTutorial is not allowed [onep_al_aaa_session_authenticate:1527]
Nov  4 17:14:10.924 gmt: [187] : BaseTutorial-xnc1-8193: Authentication failed for user jcumming [network_app_fsm_authenticated:2825]
Nov  4 17:14:10.924 gmt: %ONEP_BASE-3-AUTHEN_ERR: : Authentication/authorization failed. Application (BaseTutorial-xnc1-8193): Username (jcumming)
Nov  4 17:14:10.924 gmt: [187] : caller pc 0x0x320B31B [network_application_final_cleanup:2371]
Nov  4 17:14:10.924 gmt: [187] : BaseTutorial-xnc1-8193: session_exit [onep_session_manager_session_exit:335]
Nov  4 17:14:10.924 gmt: [187] : Session exit for handle 8193 [onep_async_session_exit:852]
Nov  4 17:14:10.924 gmt: [187] : Could not find the async service context for this session [onep_async_session_exit:856]
Nov  4 17:14:10.924 gmt: [187] : BaseTutorial-xnc1-8193: Async session_exit failed [onep_session_manager_session_exit:348]
Nov  4 17:14:10.924 gmt: [187] : SESSION_EXIT: session handle 8193 [onep_event_session_exit:1053]
Nov  4 17:14:10.924 gmt: [187] : get by session_handle looking for: 8193 [fh_get_ctx_block_by_session_handle:280]
Nov  4 17:14:10.924 gmt: [187] : ONEP/EEM: first time init not properly done [fh_get_ctx_block_by_session_handle:317]
Nov  4 17:14:10.924 gmt: [187] : subscribe_handler: service handle not found. [onep_event_session_exit:1058]
Nov  4 17:14:10.924 gmt: [187] : BaseTutorial-xnc1-8193: Event session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.924 gmt: [187] : Session exit 8193 [onep_policy_session_exit:449]
Nov  4 17:14:10.924 gmt: [187] : Deleting Classes [onep_al_policy_delete_all_classes:375]
Nov  4 17:14:10.924 gmt: [187] : No policy created [onep_al_policy_delete_all_policies:149]
Nov  4 17:14:10.924 gmt: [187] : Deleting ACLs [onep_al_acl_delete_all_acls:181]
Nov  4 17:14:10.924 gmt: [187] : Deleting ACEs [onep_al_acl_delete_all_acls:253]
Nov  4 17:14:10.924 gmt: [187] : BaseTutorial-xnc1-8193: Policy session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.924 gmt: [187] : Session exit 8193 [onep_lisp_session_exit:151]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: Lisp session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : Session exit 8193l [onep_vty_session_exit:2078]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: [0x7F10E3CFDC78][2001] found [network_element_find_app_by_handle:523]
Nov  4 17:14:10.925 gmt: [187] : vty_cleanup: Unexpected error, application context xdm missing [vty_cleanup:331]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: VTY session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : ONEP Location: Ignoring session exit [onep_location_event_session_exit:1143]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: Location session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: Topology session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: OneFW session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : ONEP Pathtrace: session exit [onep_pathtrace_event_session_exit:804]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: Pathtrace session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : ONEP Routing: session exit [onep_rtg_svc_session_exit:129]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: [0x7F10E3CFDC78][2001] found [network_element_find_app_by_handle:523]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: Routing session_exit done [onep_session_manager_session_exit:345]
Nov  4 17:14:10.925 gmt: [187] : BaseTutorial-xnc1-8193: [0x7F10E3CFDC78][2001] removed [network_element_remove_app_cb:218]
Nov  4 17:14:10.925 gmt: [187] : service=0, table=0, session handle (key)=0x2001 [onep_ha_ctx_remove:260]
Nov  4 17:14:10.925 gmt: [187] : removed app name BaseTutorial session handle 0x2001 [onep_ha_ctx_remove:271]
Nov  4 17:14:10.925 gmt: [187] : Failed to unlock app queue 22 [NetworkElement_connectIDL:435]
Nov  4 17:14:10.925 gmt: [187] : Write cthrift buffer to socket 2: bytes 109 [cthrift_write_entire_buffer__:296]
Nov  4 17:14:10.925 gmt: [187] : cthrift wrote 109 bytes, 0 remaining to send, took 0 usec [cthrift_write_entire_buffer__:367]
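
The debug above is the evidence the rest of the thread argues over, and it arrived with its line breaks stripped. The following triage script is an added example (not code from the original post or from the onePK SDK): it re-splits run-together router debug on the syslog timestamp, pulls out the user, the TACACS+ attributes the AAA server returned (dropping the password row), and the point at which the session was rejected. The embedded sample is a constructed excerpt of the post's own debug lines; `split_entries`, `triage_onep_aaa` and `verdict` are names chosen here.

```python
import re

# Constructed excerpt of the debug output in the post above, in the run-together
# form the archive shows (entries are not separated by newlines).
SAMPLE_DEBUG = (
    "Nov  4 17:14:10.884 gmt: [187] : Authenticating ONEP Session for user jcumming "
    "[onep_al_aaa_session_authenticate:1462]"
    "Nov  4 17:14:10.924 gmt: [187] : TACACS Authorization attribute list "
    "[onep_al_aaa_tacacs_author_request:1023]      username             0   \"jcumming\""
    "      password             0   <hidden>      priv-lvl             0   15 (0xF)"
    "Nov  4 17:14:10.924 gmt: [187] : Application BaseTutorial is not allowed "
    "[onep_al_aaa_session_authenticate:1527]"
    "Nov  4 17:14:10.924 gmt: %ONEP_BASE-3-AUTHEN_ERR: : Authentication/authorization "
    "failed. Application (BaseTutorial-xnc1-8193): Username (jcumming)"
)

# Each entry begins with "Mon DD hh:mm:ss.mmm zone: "; split on that boundary (lookahead).
ENTRY_RE = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3} \w+: )")
# "[function:line]" tag that ends an onePK debug entry; attribute rows follow it.
TAG_RE = re.compile(r"\[\w+:\d+\]")
# TACACS+ attribute rows in the debug look like:  name   0   value
ATTR_RE = re.compile(r'(\S+)\s+0\s+("[^"]*"|<hidden>|\S+)')


def split_entries(text: str) -> list[str]:
    """Recover one entry per element from debug text that lost its newlines."""
    return [e.strip() for e in ENTRY_RE.split(text) if e.strip()]


def triage_onep_aaa(text: str) -> dict[str, str]:
    """Extract who authenticated, what AAA returned, and where the session was rejected."""
    info: dict[str, str] = {}
    for entry in split_entries(text):
        if m := re.search(r"Session for user (\S+)", entry):
            info["user"] = m.group(1)
        elif "Authorization attribute list" in entry:
            rows = TAG_RE.split(entry, maxsplit=1)[-1]
            info.update({k: v.strip('"') for k, v in ATTR_RE.findall(rows) if k != "password"})
        elif m := re.search(r"Application (\S+) is not allowed", entry):
            info["rejected_app"] = m.group(1)
        elif m := re.search(r"%(ONEP_BASE-\d-\w+)", entry):
            info["syslog"] = m.group(1)
    return info


def verdict(info: dict[str, str]) -> str:
    """Classify the failure on the two facts the thread turns on: priv-lvl and the app check."""
    if info.get("priv-lvl") != "15":
        return "AAA did not return priv-lvl 15 (required for onePK)"
    if "rejected_app" in info:
        return f"priv-lvl 15 accepted; session rejected at the application-name check for {info['rejected_app']}"
    return "no onePK AAA failure found"
```

Run against the full debug from the post, the verdict shows that the privilege level was accepted and the rejection happened afterwards, at the "Checking app name in attribute list" step.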

Subject: RE: Not Authorized
Replied by: Joseph Clarke on 04-11-2013 02:18:01 PM
Can you confirm the user is getting priv 15 from the TACACS+ server for authorization?  This needs to happen for onePK.

Subject: RE: Not Authorized
Replied by: James ******* on 05-11-2013 01:52:47 AM
Can you confirm the user is getting priv 15 from the TACACS+ server for authorization?  This needs to happen for onePK.

Subject: RE: Not Authorized
Replied by: Joseph Clarke on 09-11-2013 04:44:17 PM
James, you just replied with my exact text.  I'm not sure what the answer is.

Subject: RE: Not Authorized
Replied by: Joseph Clarke on 09-11-2013 04:58:10 PM
But the priv level should be coming back from the AAA server.  Is your AAA server configured to return priv 15 when onePK is used for authorization?

Subject: RE: Not Authorized
Replied by: James ******* on 09-11-2013 04:52:33 PM
Joseph Clarke:
James, you just replied with my exact text.  I'm not sure what the answer is.

Sorry, not sure what happened there! That's not what I typed!!!

Anyway - here are the odd things:

The user account is mine - I can do everything on all routers (priv 15 plus permit all on authorisation)

When using the CLI all works and the requests are correctly sent to the AAA server as priv-level=15, BUT when a request is made via onePK the request is sent as priv-level=1, service-type=27, which the AAA server is permitting but the router obviously rejects as it wants a higher level.

I suspect a bug on the ASR1K

If I change the cli config to local authentication and authorisation all works (but obviously that isn't what I want)


James
