ACS command Authorization on PIX Console

May 20th, 2008

I have configured the PIX firewall for ACS authentication and command authorization; everything is working fine.


aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 172.28.x.x x.x.x

aaa-server TACACS+ (inside) host 172.28.x. xx

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+


But the problem is that I don't want to have ACS authentication while connecting with the console. In case of emergency, when ACS is down, I want to get on the console and access the device using the local username and password.


But now, after this configuration, when I try to access the firewall via the console, I get the error:


Command authorization failed.


I don't want to have any command authorization while connected via the console. Please tell me how to resolve this issue.



I have made the command authorization set in ACS and it is working fine for me.



Jagdeep Gambhir Tue, 05/20/2008 - 06:46

Wasim,

This seems to be a bug. The issue we are facing with ASA v7.2, where fallback to local authentication gives 'command authorization failed' with a few commands, has been filed as a bug.


Here is the bug tool link: CSCsj56051


http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl


***************************************************************


AAA authorization commands LOCAL fallback broken


Alternate Headline: AAA authorization commands LOCAL fallback broken


Symptom: aaa authorization fallback to LOCAL fails, blocking some commands from being executed and displaying the "Command authorization failed" error message even though local authorization should be granted.


Conditions:

TACACS+ server communication is lost; LOCAL is configured next in the list.


Workaround: none.


Further Problem Description:


7.2.2 does not show this behavior


**************************************************************

The issue is resolved in 007.002(002.034), 008.000(002.011), 008.002(000.045)


Regards,

~JG


wasiimcisco Tue, 05/20/2008 - 12:54

Kindly check my modified configuration once again.


I wanted to use this option in case ACS goes down so that I can console into my firewall, but it is not working for me.


aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (edn) host 172.28.31.132

aaa-server TACACS+ (edn) host 172.28.31.133

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+


But I am not able to log in; I am getting the following error:


Command authorization failed

TDC-INT-525-01> exit

Command authorization failed

TDC-INT-525-01> exit

Command authorization failed

TDC-INT-525-01> enable

Command authorization failed


I also defined the local command authorization set like this:


privilege cmd level 15 mode exec command exit

privilege show level 5 mode exec command running-config

privilege show level 15 mode exec command version

privilege show level 0 mode exec command access-list

privilege show level 0 mode configure command access-list

privilege cmd level 15 mode configure command exit

privilege cmd level 15 mode configure command no

privilege cmd level 0 mode configure command access-list

privilege cmd level 15 mode interface command exit

privilege cmd level 15 mode subinterface command exit

privilege cmd level 15 mode dynupd-method command exit

privilege cmd level 15 mode trange command exit

privilege cmd level 15 mode route-map command exit

privilege cmd level 15 mode router command exit

privilege cmd level 15 mode ldap command exit

privilege cmd level 15 mode aaa-server-host command exit

privilege cmd level 15 mode aaa-server-group command exit

privilege cmd level 15 mode context command exit

privilege cmd level 15 mode group-policy command exit

privilege cmd level 15 mode username command exit

privilege cmd level 15 mode tunnel-group-general command exit

privilege cmd level 15 mode tunnel-group-ipsec command exit

privilege cmd level 15 mode tunnel-group-ppp command exit

privilege cmd level 15 mode mpf-class-map command exit

privilege cmd level 15 mode mpf-policy-map command exit

privilege cmd level 15 mode mpf-policy-map-class command exit

privilege cmd level 15 mode mpf-policy-map-class command exit

privilege cmd level 15 mode mpf-policy-map-param command exit


Please tell me how to solve this problem.
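
An added example (my own, not code from the thread or from Cisco): a small Python audit that parses the AAA lines from both configurations posted in this thread, reports whether each authentication/authorization service falls back to LOCAL when the TACACS+ group cannot be reached, and works out from the `privilege` statements which level a command needs under local command authorization. It assumes that method lists are evaluated left to right with LOCAL as the fallback method, that local command authorization compares the user's current privilege level with the level a `privilege` statement assigns to the command in that mode, and that the `>` prompt in the pasted session is the level-0 exec prompt; the sample configuration is condensed from the second post and the single-line variant is the authorization line from the first post. The audit cannot tell whether the running image contains the fix for CSCsj56051, so services it reports as "fallback" still have to be checked against the fixed releases listed in the reply above.

```python
"""Audit PIX/ASA AAA lines for LOCAL fallback and local command-privilege levels.

Added example, not code from the thread. Assumptions: method lists are tried left
to right with LOCAL as the fallback, and local command authorization compares the
user's privilege level with the level a `privilege` statement gives the command.
"""
import re

# Constructed input: AAA and privilege lines condensed from the second post's config.
SAMPLE_CONFIG = """
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege cmd level 15 mode configure command exit
"""

# Constructed: the authorization line as it stood in the first post (no LOCAL after TACACS+).
FIRST_POST_AUTHZ = "aaa authorization command TACACS+"

AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+)(?: console)? (.+)$")
PRIV_RE = re.compile(r"^privilege (cmd|show|clear) level (\d+) mode (\S+) command (\S+)$")


def parse_aaa(config):
    """Map (kind, service) -> ordered method list, e.g. ('authorization', 'command') -> ['TACACS+', 'LOCAL']."""
    rules = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            rules[(m.group(1), m.group(2))] = m.group(3).split()
    return rules


def classify(methods):
    """local-only: never consults a server; fallback: server group first, LOCAL later; no-fallback: server only."""
    if methods == ["LOCAL"]:
        return "local-only"
    if "LOCAL" in methods:
        return "fallback"
    return "no-fallback"


def audit_aaa(config):
    """Return {(kind, service): classification} for every aaa authentication/authorization line."""
    return {key: classify(methods) for key, methods in parse_aaa(config).items()}


def parse_privileges(config):
    """Map (mode, full command) -> required level; `show X` lines are keyed as 'show X'."""
    levels = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        keyword, level, mode, command = m.groups()
        full = command if keyword == "cmd" else f"{keyword} {command}"
        levels[(mode, full)] = int(level)
    return levels


def check_session(config, mode, user_level, commands):
    """For each command typed at user_level in mode, return (command, required level or None, allowed).

    allowed is None when no privilege statement covers the command: the platform default
    level applies then, and this audit does not model platform defaults.
    """
    levels = parse_privileges(config)
    results = []
    for cmd in commands:
        required = levels.get((mode, cmd))
        allowed = None if required is None else user_level >= required
        results.append((cmd, required, allowed))
    return results


if __name__ == "__main__":
    for key, verdict in sorted(audit_aaa(FIRST_POST_AUTHZ).items()):
        print(f"first post  aaa {key[0]} {key[1]}: {verdict}")
    for key, verdict in sorted(audit_aaa(SAMPLE_CONFIG).items()):
        print(f"second post aaa {key[0]} {key[1]}: {verdict}")
    # The prompt 'TDC-INT-525-01>' in the pasted session is the level-0 exec prompt (assumption).
    typed = ["exit", "enable", "show running-config"]
    for cmd, required, allowed in check_session(SAMPLE_CONFIG, "exec", 0, typed):
        print(f"{cmd!r} at level 0: requires {required}, allowed={allowed}")
```

Run stand-alone, it classifies the first post's `aaa authorization command TACACS+` as "no-fallback" (any command is denied once the TACACS+ group is unreachable) and the second post's line as "fallback", and it shows that with these `privilege` statements `exit` (level 15) and `show running-config` (level 5) typed at the level-0 prompt would be denied by local authorization, which is worth comparing against the "Command authorization failed" lines in the pasted session before attributing everything to the bug.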


Jagdeep Gambhir Tue, 05/20/2008 - 13:05

Is the issue happening only with the console? If SSH works fine, then did you check the bug I mentioned in my last post?
