AAA authorization problem

Answered Question
Jul 17th, 2008

I have the following config on my switch...

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated


The problem is that when I log into the switch via the console port and enter these commands, I instantly get "Command Authorization Failed" on any command thereafter. It's mind boggling because there is no possible way the switch is talking to my Cisco ACS. I didn't even put in the tacacs-server key. I'm being forced to reboot the box each time. What am I missing?


Thank you for your time. I'm using IOS Version 12.2(25)SEB4.


-Andrew

Correct Answer by Jagdeep Gambhir about 8 years 7 months ago

Andrew,

What you are getting is not an expected behavior. By default, command authorization is disabled on the console port, so a console session should not check for any authorization.

To enable it, we need to use a hidden IOS command: aaa authorization console

It seems that you have not issued that command, but it is still checking for authorization.

It seems that we are hitting a bug here. Please check these bugs: CSCeb08860 & CSCsg74428.

Please consider an upgrade or apply the workaround described in the bug.


Regards,

~JG

Correct Answer by chaitu_kranthi about 8 years 7 months ago

As far as I am concerned, those commands are enough.

Correct Answer by chaitu_kranthi about 8 years 7 months ago

Hi

Before doing the TACACS configuration, create one local user.

Add the following commands.

username cisco password cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host x.x.x.x
tacacs-server key ........

Please score me if it helps you.
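The two replies above point at the same pre-change check: before command authorization is pointed at a TACACS+ group, the server and key must exist, a local account must exist as a fallback, and the console should not depend on the TACACS+ path at all (JG's note that console authorization is off unless aaa authorization console is set, and the advice to create a local user and define the server first). The script below is an added example, not code from this forum or from Cisco: it lints an IOS AAA snippet for those lock-out conditions. The posted configuration is embedded as constructed sample input; the hardened sample carries the thread's x.x.x.x and ........ placeholders, and its CONSOLE method list (authorization ... CONSOLE none, bound under line con 0) is an assumed hardening using standard IOS line-mode syntax, not something the thread itself proposes.

```python
"""Lint a Cisco IOS AAA snippet for command-authorization lock-out risk.
Added example for this thread; not forum or Cisco code."""
import re

# Constructed sample: the original poster's configuration as quoted above
# (no tacacs-server host or key, no local username).
POSTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

# Constructed sample: the same switch after the replies' advice, plus an
# assumed console list (the name CONSOLE is hypothetical) that uses method
# 'none' and is bound under 'line con 0'.  x.x.x.x and ........ are the
# thread's own placeholders.
HARDENED_CONFIG = """
username cisco password cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa authorization exec CONSOLE none
aaa authorization commands 1 CONSOLE none
aaa authorization commands 15 CONSOLE none
tacacs-server host x.x.x.x
tacacs-server key ........
line con 0
 authorization exec CONSOLE
 authorization commands 1 CONSOLE
 authorization commands 15 CONSOLE
"""

# 'aaa authorization exec|commands <level> <list-name> <method ...>'
AUTHZ_RE = re.compile(r"^aaa authorization (?:commands \d+|exec) (\S+) (.+)$")


def parse_config(text):
    """Return (indent, command) pairs; blank lines and '!' separators are
    dropped.  Indentation marks sub-mode commands such as those under
    'line con 0'."""
    pairs = []
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd and not cmd.startswith("!"):
            pairs.append((len(raw) - len(raw.lstrip()), cmd))
    return pairs


def console_lists(pairs):
    """Names of the authorization method lists bound under 'line con 0'."""
    names, in_con = set(), False
    for indent, cmd in pairs:
        if indent == 0:
            in_con = cmd.startswith("line con")
        elif in_con:
            m = re.match(r"authorization (?:commands \d+|exec) (\S+)$", cmd)
            if m:
                names.add(m.group(1))
    return names


def lint_aaa(text):
    """Return (code, message) findings; an empty list means no risk found."""
    pairs = parse_config(text)
    cmds = [c for _, c in pairs]
    lists = {}  # list name -> method tokens seen across its authz lines
    for c in cmds:
        m = AUTHZ_RE.match(c)
        if m:
            lists.setdefault(m.group(1), set()).update(m.group(2).split())
    if not lists:
        return []
    findings = []
    all_methods = set().union(*lists.values())
    if "tacacs+" in all_methods:
        if not any(c.startswith("tacacs-server host") for c in cmds):
            findings.append(("NO_TACACS_HOST", "authorization names group tacacs+ but no tacacs-server host is configured"))
        if not any(c.startswith("tacacs-server key") for c in cmds):
            findings.append(("NO_TACACS_KEY", "no tacacs-server key configured"))
    if "local" in all_methods and not any(c.startswith("username ") for c in cmds):
        findings.append(("NO_LOCAL_USER", "method 'local' is listed but no username exists to fall back to"))
    bound = console_lists(pairs)
    if "tacacs+" in lists.get("default", set()) and not bound:
        findings.append(("CONSOLE_NO_LIST", "default list uses tacacs+ and line con 0 has no list of its own; "
                         "if console authorization is enforced, console commands depend on the TACACS+ path"))
    for name in bound:
        if "tacacs+" in lists.get(name, set()):
            findings.append(("CONSOLE_LIST_USES_TACACS", f"console list {name} still consults tacacs+"))
    if "aaa authorization console" in cmds:
        findings.append(("CONSOLE_AUTHZ_ON", "aaa authorization console is set: console sessions are subject to command authorization"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_aaa(cfg) or "no findings")
```

Run it against the posted snippet and it reports the missing server, key and local user, and that the console has no authorization list of its own; the hardened sample produces no findings. The checks are deliberately conservative: they read the configuration text only and do not claim anything about how a given IOS release will behave on the console.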




spanglenuts Thu, 07/17/2008 - 06:38

Just so I'm clear: after I create a user account, should I only enter the commands that you listed, or can I enter all of my commands?


I'll make sure to score ya.


Thanks,

Andrew
