showing exec mode authorization failed.

Unanswered Question
Dec 4th, 2008

Not able to log in to the switch when the authorization commands mentioned below are configured. It is showing "exec mode authorization failed".

set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet

Cisco WS-6506 running CatOS 8.6(5)

smalkeric Wed, 12/10/2008 - 15:13

You may try defining the option and fallbackoption values in the "set authorization exec enable {option} {fallbackoption} [console | telnet | both]" command.

When you define the option and fallbackoption values, the following occurs:

• tacacs+ specifies the TACACS+ authorization method.

• deny fails authorization if the TACACS+ server does not respond.

• if-authenticated allows you to proceed with your action if the TACACS+ server does not respond and you have already been authenticated.

• none allows you to proceed without further authorization if the TACACS+ server does not respond.

mvnaveenforever Wed, 12/31/2008 - 02:39

Tried configuring the same, but still facing the same issue.

We cannot log in to the switch. In the ACS logs I can see that it is getting authenticated.

But the switch is not allowing the login and throws the message "exec mode authorization failed."

Can we check on the image version ?

It is running CatOS 8.6(5).

The same set of commands is configured on other switches (running different CatOS versions), and they are all working fine.

Can you tell me whether there is any bug in the 8.6(5) version?

Pravin Phadte Wed, 12/31/2008 - 03:04

Hi,

When you say "The same set of commands is configured on other switches (running different CatOS versions), and they are all working fine."

I don't feel that's a problem with your commands.

1. Check the AAA configuration. I am not so sure about CatOS.

So the configuration for TACACS+ should be something like this in IOS:

tacacs-server host x.x.x.x
tacacs-server key TESTKEY
aaa new-model
! Login method list AAA1: TACACS+ first, then a local fallback, then "none".
! Only one "aaa authentication login AAA1" line is kept; a later line with the
! same list name replaces the earlier one. Note that a trailing "none" means
! the login succeeds with no authentication at all if every earlier method fails.
aaa authentication login AAA1 group tacacs+ local none
aaa authentication login AAA1 group tacacs+ line none
! Enable password is checked against ACS
aaa authentication enable default group tacacs+
! Not required
aaa authentication login AAA1 group tacacs+ enable none

Which you did mention.

Please check this, and you also need to verify that this device is added in Cisco Secure ACS with the right "tacacs-server key TESTKEY".

mvnaveenforever Mon, 02/09/2009 - 04:21

Regarding Switch Authorization,

It is a software defect the switch is hitting that causes the problem with TACACS+ authorization.

Bug CSCso82426 "... to the switch does not work with authorization enabled" has been fixed starting in release 8.7(1) and higher.

The problem is that during authorization the username in the request to the TACACS+ server is null.

Hence the issue is resolved.
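The null-username symptom above, and the shared-key check suggested earlier in the thread, can both be confirmed from a packet capture rather than from ACS logs alone. The following is an added example and is not code from the thread, from Cisco, or from CatOS: it builds a TACACS+ authorization START packet the way a NAS would (RFC 8907 layout, MD5 pseudo-pad obfuscation with the shared key), then decodes it back and reports whether the user field is empty, which is what the defect produces on the wire. A body that does not parse after de-obfuscation points at a shared-key mismatch between the switch and ACS instead. The session id, port, argument strings and the key "TESTKEY" are constructed placeholders; no real server is contacted.

```python
"""TACACS+ authorization request builder/decoder (RFC 8907 layout).

Added example, not code from the thread or from Cisco. Session id, port,
arguments and the shared key below are constructed placeholders.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
KNOWN_METHODS = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x10, 0x11, 0x20}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5(session_id | key | version | seq_no | previous digest), cut to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(session_id, key, user, port=b"tty0", rem_addr=b"",
                         args=(b"service=shell", b"cmd*"), priv_lvl=15):
    """Authorization START packet (seq_no 1) as a NAS would send it."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(args))
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_author_request(packet, key):
    """Decode an AUTHOR START packet; raise ValueError if the body is not sane."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    (method, priv_lvl, authen_type, service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    # Values outside the RFC's ranges mean the pad was wrong, i.e. a key mismatch.
    if method not in KNOWN_METHODS or priv_lvl > 15 or not 1 <= authen_type <= 6 or service > 9:
        raise ValueError("body does not decode: shared-key mismatch or corruption")
    off = 8

    def take(n):
        nonlocal off
        chunk = body[off:off + n]
        off += n
        return chunk

    arg_lens = list(take(arg_cnt))
    user, port, rem_addr = take(user_len), take(port_len), take(rem_len)
    args = [take(n) for n in arg_lens]
    if off != length:
        raise ValueError("body does not decode: shared-key mismatch or corruption")
    return {"session_id": session_id, "priv_lvl": priv_lvl, "user": user,
            "port": port, "rem_addr": rem_addr, "args": args}


def diagnose(packet, key):
    """'ok', 'null-user' (the symptom described for CSCso82426) or 'undecodable: ...'."""
    try:
        req = parse_author_request(packet, key)
    except ValueError as err:
        return "undecodable: " + str(err)
    return "null-user" if not req["user"] else "ok"


if __name__ == "__main__":
    key = b"TESTKEY"            # placeholder key, as used in the thread
    sid = 0x1234ABCD            # constructed session id
    for user in (b"netadmin", b""):
        print(user or b"<empty>", diagnose(build_author_request(sid, key, user), key))
    print(b"wrong key", diagnose(build_author_request(sid, key, b"netadmin"), b"WRONGKEY"))
```

To use this on a real capture, feed `parse_author_request` the TCP payload of the first packet from the switch to the ACS on port 49 together with the configured key: a decoded request with an empty user matches the defect, while a request that fails the sanity checks with the key you believe is configured is the "tacacs-server key" mismatch case.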
