Enable mode authorization failed.

Answered Question
Oct 16th, 2007

I have a user who cannot get to the enable prompt. Here is my trace output:

AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr='10.128.20.110' authen_type=1 service=ENABLE priv=152007 Oct 16 10:57:07.360 EST -04:00
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
TAC+: send AUTHEN/START packet ver=192 id=626074205
TAC+: Opening TCP/IP connection to 10.129.12.196
TAC+: ver=192 id=626074205 received AUTHEN status = GETPASS2007 Oct 16 10:57:08.440 EST -04:00
AAA/AUTHEN (626074205): status = GETPASSPassword: 2007 Oct 16 10:57:11.200 EST -04:00 *62*2007 Oct 16 10:57:11.440 EST -04:00 *69*2007 Oct 16 10:57:11.800 EST -04:00 *67*2007 Oct 16 10:57:12.050 EST -04:00 *74*2007 Oct 16 10:57:12.300 EST -04:00 *6f*2007 Oct 16 10:57:12.530 EST -04:00 *65*
2007 Oct 16 10:57:12.950 EST -04:00
AAA/AUTHEN/CONT (626074205): continue_login2007 Oct 16 10:57:12.950 EST -04:00
AAA/AUTHEN (626074205): status = GETPASS
TAC+: send AUTHEN/CONT packet id=626074205
TAC+: ver=192 id=626074205 received AUTHEN status = PASS2007 Oct 16 10:57:13.460 EST -04:00
AAA/AUTHEN (626074205): status = PASS2007 Oct 16 10:57:13.460 EST -04:00 return PASS
2007 Oct 16 10:57:13.460 EST -04:00
AAA/AUTHOR : ptr2=enable
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR : Add AV service=shell
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR : Add AV cmd=enable
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR/TACACS+ cmd author (413075467): Port='telnet146' list='(null)' service=CMD2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) user='lduncan'2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV service=shell2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV cmd=enable
AAA/AUTHOR/TACACS+ cmd author: (413075467) Method=TAC_PLUS2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): user=lduncan2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): send AV service=shell2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable
TAC+: Opening TCP/IP connection to 10.129.12.196
TAC+: (413075467): received author response status = FAIL2007 Oct 16 10:57:14.500 EST -04:00
AAA/AUTHOR (413075467): Post authorization status = FAIL2007 Oct 16 10:57:14.500 EST -04:00
AAA/AUTHOR : do_author result=12007 Oct 16 10:57:14.500 EST -04:00 %AAA: author: tacacs_plus_author ret=1.
Enable mode authorization faile

I have checked his user info and group info in TACACS.

Jagdeep Gambhir Tue, 10/16/2007 - 07:51

It seems that you have command authorization configured; that is why the user is not able to issue it.

What kind of user is it? Admin or normal user?

To let him log in you need to make changes in the command authorization set.

Make one command authorization set in ACS ---> Shared Profile Components.

Add ---> give it any name ("Full access") ---> set the radio button to Permit and submit.

Now go to that group ---> under Shell Command Authorization Set ---> choose "Assign a Shell Command Authorization Set for any network device", select FULL ACCESS from the list, and submit/apply.

Now it should let you in.

Caution: this will let that user issue all commands.

Also provide me more info if you want to deny the user some commands. We need to set up the command authorization set accordingly.

Regards,

~JG

Please rate helpful posts
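As an added troubleshooting helper (not from this thread, not Cisco code), the script below reads a trace of the shape the poster pasted (IOS `debug aaa authentication` / `debug aaa authorization` / `debug tacacs` style output; the poster does not say which debugs were on), strips the timestamps that fuse onto the previous token, masks the `*hh*` tokens that follow the Password: prompt (assumed here to be echoed input bytes, so a trace should be redacted before it is shared), and reports which AAA phase denied the enable request. The sample trace is constructed in the shape of the poster's output, and the regexes are tuned only to that layout.

```python
import re

# Constructed sample in the shape of the poster's debug output: the router's
# per-line timestamps are left fused onto the preceding token exactly as the
# terminal shows them, and the *hh* echo tokens are constructed values.
SAMPLE_TRACE = """\
AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr='10.128.20.110' authen_type=1 service=ENABLE priv=152007 Oct 16 10:57:07.360 EST -04:00
TAC+: Opening TCP/IP connection to 10.129.12.196
AAA/AUTHEN (626074205): status = GETPASSPassword: 2007 Oct 16 10:57:11.200 EST -04:00 *41*2007 Oct 16 10:57:11.440 EST -04:00 *42*
AAA/AUTHEN (626074205): status = PASS2007 Oct 16 10:57:13.460 EST -04:00 return PASS
AAA/AUTHOR : Add AV service=shell
AAA/AUTHOR : Add AV cmd=enable
AAA/AUTHOR (413075467): Post authorization status = FAIL2007 Oct 16 10:57:14.500 EST -04:00
"""

TIMESTAMP = re.compile(r"\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d\.\d{3} \w+ [+-]\d\d:\d\d")
KEYSTROKE = re.compile(r"\*[0-9a-fA-F]{2}\*")  # the *hh* tokens after "Password:"


def redact(trace: str) -> str:
    """Mask the *hh* tokens (assumed to echo typed password bytes) before sharing a trace."""
    return KEYSTROKE.sub("*xx*", trace)


def diagnose(trace: str) -> dict:
    """Extract user, TACACS+ server, final authen/author results and the AV pairs sent,
    then state which phase denied the enable request."""
    clean = TIMESTAMP.sub(" ", redact(trace))  # un-fuse "PASS2007 Oct ..." -> "PASS "

    def grab(pattern):
        m = re.search(pattern, clean)
        return m.group(1) if m else None

    info = {
        "user": grab(r"update_user user='([^']*)'"),
        "server": grab(r"Opening TCP/IP connection to (\S+)"),
        "authen": grab(r"AUTHEN \(\d+\): status = \w+ +return (\w+)"),
        "author": grab(r"Post authorization status = (\w+)"),
        "avpairs": re.findall(r"Add AV (\w+=\S+)", clean),
    }
    cmd = next((av for av in info["avpairs"] if av.startswith("cmd=")), "cmd=?")
    if info["authen"] != "PASS":
        info["verdict"] = "authentication did not pass; authorization never ran"
    elif info["author"] == "FAIL":
        info["verdict"] = (f"authentication passed but {info['server']} denied {cmd}: "
                           "check the shell command authorization set on the user's group")
    else:
        info["verdict"] = "no AAA denial found in trace"
    return info
```

Run `diagnose(SAMPLE_TRACE)` on the poster's own trace (after joining the wrapped lines) and the verdict points at command authorization rather than the login itself, which is what the thread's answer fixes.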

Correct Answer
Jagdeep Gambhir Tue, 10/16/2007 - 08:12

Please mark it resolved so others can benefit from it.



Regards,

~JG
