Fallback authorization.Command authorization failed

pemasirid (Level 1)

Hi, I configured my firewall for authentication and authorization. I could log in via telnet/console with my AD username & password, but I could not execute any commands (i.e. sh run, conf t etc.) and I get the following error:

Fallback authorization. Username 'xxx' not in LOCAL database

Command authorization failed

The following is the configuration on the firewall:

aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key xxx
aaa-server VPN host 172.20.20.12
 key xxx
aaa-server my-group protocol tacacs+
 accounting-mode simultaneous
aaa-server my-group host 172.20.20.11
 key xxx
aaa-server my-group host 172.20.20.12
 key xxx
aaa authentication telnet console VPN LOCAL
aaa authentication enable console VPN LOCAL
aaa authorization command VPN LOCAL
aaa accounting command privilege 15 my-group

I use RADIUS for my VPN user authentication. The first time, I tried using TACACS+ for AAA authentication/authorization for console/telnet, but it didn't work. Then I changed to RADIUS and it authenticated.

In ACS I created a Shared Profile to allow_all and added the same in the ACS group under Shell Command Authorization Set.

But still I can only log in to the firewall and can't execute any commands, and I get the following error:

Fallback authorization. Username 'mannai' not in LOCAL database

Command authorization failed

Can anyone give me a solution for this, please?

Thanks

5 Replies

Jagdeep Gambhir (Level 10)

Please see this example; something must be wrong in the shell authorization set.

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

Hi JG,

Thanks for the reply. I followed the same procedure, but this time I got the following error:

XXX-PIX515# sh run

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

Here is my configuration on the firewall:

aaa-server my-group protocol tacacs+
 accounting-mode simultaneous
aaa-server my-group host 172.20.20.11
 key cisco123
aaa-server my-group host 172.20.20.12
 key cisco123
privilege cmd level 15 mode enable command configure
aaa authorization command my-group LOCAL

The ACS configuration is also attached.

I followed the steps in the Firewall 7.2(2) guide for configuring AAA Authentication and Authorization, and it said it is required to configure local AAA authorization. I configured a local username & password with privilege 15, but it doesn't even ask for this username & password; it accepts only the default password.

Please help me to solve this issue.

Thanks in advance

Hi everybody,

I have the same problem. I've got ASA 8.2(5) and ACS 5.2. I can log in to the ASA with a username which is located in the ASA LOCAL database, but I cannot log in with a username which is located in ACS 5.2, while at the same time I can log in to a Router 2951 with that username. After logging in with a username which is located in the ASA LOCAL database I cannot execute any command. I get the following error:

FW-ASA-DPC-02-5520-1# sh run

Command authorization failed

FW-ASA-DPC-02-5520-1#

And if I restart ACS, and execute the same command while it is restarting, I get the following error:

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

FW-ASA-DPC-02-5520-1#

FW-ASA-DPC-02-5520-1# sh run

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

FW-ASA-DPC-02-5520-1#


I've solved my problem by using the following commands:

aaa-server AAA_ID protocol tacacs+
aaa-server AAA_ID (VLAN_19) host 10.2.19.21
 key ***
aaa authentication ssh console AAA_ID LOCAL
aaa authorization command AAA_ID LOCAL
aaa authorization exec authentication-server
username aaaaa password AAAAAAAAA encrypted privilege 15
username aaaaa attributes
 service-type admin

Hello shakirovshm,

I am also facing the same problem. ACS (5.6) credentials are not getting authenticated on an ASA 5525, but we are able to log in to the ASA using the local password, and we get the same output you experienced, i.e. COMMAND AUTHORIZATION FAILED on executing any CLI command.

It would be a great help to us if you could share how you got entry permission with all access on the ASA and corrected the commands.

Regards

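For reference, here is a minimal ASA configuration that avoids both failure modes reported in this thread: "Command authorization failed" while the TACACS+ server is up (the server is reachable and is denying the command, so the fix is on the ACS side) and "Fallback authorization. Username 'enable_15' not in LOCAL database" while it is down (the session's identity became the generic enable_15 user because 'enable' was done with the system enable password, and LOCAL has no such user). This is an added example, not a config posted by anyone above. The interface name, server address, shared secret and usernames are placeholders, and it assumes the ACS shell profile returns privilege level 15 together with a permit-all shell command set. Command authorization on the ASA is only supported against a TACACS+ server group, which is why the original RADIUS-backed `aaa authorization command VPN LOCAL` could never work.

```cisco
! Added example: TACACS+ command authorization with a working LOCAL fallback.
! Placeholders: interface "inside", server 192.0.2.10, <shared-secret>,
! fallback-admin / <strong-password>. ACS is assumed to return priv-lvl 15
! and a permit-all shell command set for admin users.

! 1. TACACS+ group used for login, enable and command authorization.
!    (A RADIUS group cannot be used for "aaa authorization command".)
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 192.0.2.10
 key <shared-secret>

! 2. Authenticate management logins against TACACS+, LOCAL only if all
!    servers in the group are unreachable.
aaa authentication ssh console TAC LOCAL
aaa authentication telnet console TAC LOCAL
aaa authentication serial console TAC LOCAL

! 3. Keep the real username on the session in privileged EXEC.
!    Without one of these, "enable" with the system enable password turns the
!    session user into "enable_15", which LOCAL cannot find during fallback.
!    a) authenticate "enable" against the same group ...
aaa authentication enable console TAC LOCAL
!    b) ... and/or drop users straight into the privilege level the server
!       returns, so they never need to type "enable" at all.
aaa authorization exec authentication-server

! 4. Per-command authorization via TACACS+. LOCAL is consulted only when the
!    server group is down; a reachable server that denies a command produces
!    "Command authorization failed" and must be fixed in the ACS command set.
aaa authorization command TAC LOCAL

! 5. A LOCAL admin that really exists at privilege 15, so fallback succeeds
!    and you are not locked out while ACS is unreachable or misconfigured.
username fallback-admin password <strong-password> privilege 15
username fallback-admin attributes
 service-type admin

! Verification from the ASA CLI:
!   show curpriv
!       -> confirms the session's username and privilege level (should not be
!          enable_15 for a TACACS+-authenticated admin)
!   test aaa-server authentication TAC host 192.0.2.10 username <u> password <p>
!       -> proves the shared secret and reachability before relying on it
!   debug aaa authorization
!   debug tacacs
!       -> show the AUTHOR request/response for each command that fails
```

Order matters when rolling this out: add the LOCAL privilege-15 user and confirm `test aaa-server` succeeds from a second session before enabling `aaa authorization command`, so a typo in the shared secret or an empty ACS command set does not lock every session out of the CLI.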
