ACS command Authorization on PIX Console

Unanswered Question
May 20th, 2008

I have configured the PIX firewall for ACS authentication and command authorization, and everything is working fine:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 172.28.x.x x.x.x

aaa-server TACACS+ (inside) host 172.28.x. xx

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+

but the problem is that I don't want to have ACS authentication while connecting with the console. In case of emergency, when ACS is down, I want to get on the console and access the device by using the local username and password.

But now, after this configuration, when I try to access the firewall via the console, I am getting the error "command authorization failed".

I don't want to have any command authorization while connected with the console. Please tell me how to resolve this issue.

I have made the command authorization set in ACS and it is working fine for me.

Jagdeep Gambhir Tue, 05/20/2008 - 06:46

Wasim,

Seems to be a bug. The issue we are facing with ASA v7.2, where fallback to local authentication gives "command authorization failed" with a few commands, has been filed as a bug.

Here is the bug tool link: CSCsj56051

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

***************************************************************

AAA authorization commands LOCAL fallback broken

Alternate Headline: AAA authorization commands LOCAL fallback broken

Symptom: aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.

Conditions:

TACACS+ server communication is lost; LOCAL is configured next in the list.

Workaround: none.

Further Problem Description:

7.2.2 does not show this behavior

**************************************************************

The issue is resolved in 007.002(002.034), 008.000(002.011), 008.002(000.045).

Regards,

~JG

wasiimcisco Tue, 05/20/2008 - 12:54

Kindly check my modified configuration once again.

I wanted to use this option in case ACS goes down, so that I can console into my firewall, but it is not working for me.

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (edn) host 172.28.31.132

aaa-server TACACS+ (edn) host 172.28.31.133

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+

but I am not able to log in; I am getting the following error:

Command authorization failed

TDC-INT-525-01> exit

Command authorization failed

TDC-INT-525-01> exit

Command authorization failed

TDC-INT-525-01> enable

Command authorization failed

I also defined the local command authorization set like this:

privilege cmd level 15 mode exec command exit

privilege show level 5 mode exec command running-config

privilege show level 15 mode exec command version

privilege show level 0 mode exec command access-list

privilege show level 0 mode configure command access-list

privilege cmd level 15 mode configure command exit

privilege cmd level 15 mode configure command no

privilege cmd level 0 mode configure command access-list

privilege cmd level 15 mode interface command exit

privilege cmd level 15 mode subinterface command exit

privilege cmd level 15 mode dynupd-method command exit

privilege cmd level 15 mode trange command exit

privilege cmd level 15 mode route-map command exit

privilege cmd level 15 mode router command exit

privilege cmd level 15 mode ldap command exit

privilege cmd level 15 mode aaa-server-host command exit

privilege cmd level 15 mode aaa-server-group command exit

privilege cmd level 15 mode context command exit

privilege cmd level 15 mode group-policy command exit

privilege cmd level 15 mode username command exit

privilege cmd level 15 mode tunnel-group-general command exit

privilege cmd level 15 mode tunnel-group-ipsec command exit

privilege cmd level 15 mode tunnel-group-ppp command exit

privilege cmd level 15 mode mpf-class-map command exit

privilege cmd level 15 mode mpf-policy-map command exit

privilege cmd level 15 mode mpf-policy-map-class command exit

privilege cmd level 15 mode mpf-policy-map-class command exit

privilege cmd level 15 mode mpf-policy-map-param command exit

Please tell me how to solve this problem.
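As an added example (not code from the thread), a small Python model of how the posted AAA method list and local privilege table are evaluated. It shows that the first post's authorization line has no method left to try when the TACACS+ servers are unreachable, and that, under the second post's privilege table, "exit" in exec mode requires level 15, so a user below that level is denied by a correct local fallback as well. The default level for commands missing from the table and the modelling of ACS as "permit" are assumptions.

```python
import re

# Authorization lines as posted in the thread: the first has no LOCAL fallback.
AUTHZ_FIRST = "aaa authorization command TACACS+"
AUTHZ_SECOND = "aaa authorization command TACACS+ LOCAL"

# Subset of the local privilege table from the second post (constructed input).
PRIVILEGE_CONFIG = """
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege cmd level 15 mode configure command exit
"""

PRIV_RE = re.compile(r"privilege (\w+) level (\d+) mode (\S+) command (\S+)")


def parse_privileges(text):
    """Map (mode, command) -> required privilege level.
    'show foo' entries are keyed as 'show foo'; 'cmd' entries as the bare command."""
    table = {}
    for kind, level, mode, cmd in PRIV_RE.findall(text):
        key = (mode, cmd if kind == "cmd" else f"{kind} {cmd}")
        table[key] = int(level)
    return table


def authorize(authz_line, tacacs_reachable, table, user_level, mode, cmd):
    """Walk the method list left to right, the way the firewall tries methods.
    Returns (decision, method) with decision 'permit' or 'deny'."""
    methods = authz_line.split()[3:]  # tokens after 'aaa authorization command'
    for method in methods:
        if method == "TACACS+":
            if not tacacs_reachable:
                continue  # server unreachable: fall through to the next method
            return ("permit", method)  # assumption: ACS command set grants it
        if method == "LOCAL":
            # Assumption: commands absent from the table require level 0.
            required = table.get((mode, cmd), 0)
            return ("permit" if user_level >= required else "deny", method)
    return ("deny", "no-method")  # list exhausted, nothing to fall back to


if __name__ == "__main__":
    table = parse_privileges(PRIVILEGE_CONFIG)
    print(authorize(AUTHZ_FIRST, False, table, 1, "exec", "exit"))
    print(authorize(AUTHZ_SECOND, False, table, 1, "exec", "exit"))
    print(authorize(AUTHZ_SECOND, False, table, 15, "exec", "exit"))
```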

Jagdeep Gambhir Tue, 05/20/2008 - 13:05

Is the issue happening only with the console? If SSH works fine, then did you check the bug I mentioned in my last post?
