showing exec mode authorization failed.

mvnaveenforever
Level 1

Not able to log in to the switch when the authorization commands mentioned below are configured. It is showing exec mode authorization failed.

set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet

Cisco WS-6506 running with CatOS 8.6.5

4 Replies

smalkeric
Level 6

You may try defining the option and fallbackoption values in the “set authorization exec enable {option} {fallbackoption} [console | telnet | both]” command.

When you define the option and fallbackoption values, the following occurs:

• tacacs+ specifies the TACACS+ authorization method.

• deny fails authorization if the TACACS+ server does not respond.

• if-authenticated allows you to proceed with your action if the TACACS+ server does not respond and you have authentication.

• none allows you to proceed without further authorization if the TACACS+ server does not respond.

Tried configuring the same, but still facing the same issue.

We cannot log in to the switch. In the ACS logs I can find it's getting authenticated.

But on the switch it's not allowing login, throwing the message "exec mode authorization failed."

Can we check on the image version?

It's running on 8.6(5) CatOS.

The same set of commands has been configured on other switches (running with a different CatOS), and they are all working fine.

Can you tell me if there is any bug in this 8.6(5) version?

Hi,

When you say the "Same set of commands has been configured on other switches (running with a different CatOS), and they are all working fine."

I don't feel that's the problem with your commands.

1. Check the AAA configuration. I am not so sure in CAT OS.

So the configuration for TACACS should be something like this in IOS:

tacacs-server host x.x.x.x

tacacs-server key TESTKEY

aaa new-model

aaa authentication login AAA1 group tacacs+ local none

aaa authentication login AAA1 group tacacs+ line none

aaa authentication enable default group tacacs+ (acs password for enable)

aaa authentication login AAA1 group tacacs+ enable none (not required)

Which you did mention.

Please check on this, and you need to verify if this device is added in Cisco Secure ACS with the "tacacs-server key TESTKEY" right.

Regarding Switch Authorization,

It's a software defect the switch is hitting, causing the problem with TACACS authorization.

Bug CSCso82426 “to the switch does not work with authorization enabled” has been fixed starting in release 8.7(1) and higher.

The problem is that during authorization the username in the request to the TACACS server is null.

Hence the issue is resolved.
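Added example, not part of the thread and not Cisco code: the final reply says the authorization request reaches the TACACS+ server with a null username. The Python below decodes a TACACS+ authorization REQUEST (field layout and MD5 pad per RFC 8907) from a capture and flags an empty user field. Reading "null" as a zero-length user field is an assumption, and the session IDs, username, port name and packets are constructed sample values.

```python
import hashlib
import struct
TAC_PLUS_AUTHOR = 0x02    # header type: authorization
UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear

def pad_xor(body, session_id, key, version, seq_no):
    """XOR body with the RFC 8907 chained-MD5 pad (same call obfuscates and recovers)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

def build_author_request(user, port, args, key, session_id):
    """Build a constructed sample packet so the parser can be exercised offline."""
    body = bytes([0x06, 1, 0x01, 0x01, len(user), len(port), 0, len(args)])
    body += bytes(len(a) for a in args) + user + port + b"".join(args)
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return header + pad_xor(body, session_id, key, 0xC0, 1)

def parse_author_request(packet, key):
    """Decode an authorization REQUEST and report whether the user field is empty."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:]
    if ptype != TAC_PLUS_AUTHOR or seq_no != 1 or len(body) != length or length < 8:
        raise ValueError("not a complete authorization REQUEST")
    if not flags & UNENCRYPTED_FLAG:
        body = pad_xor(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    if 8 + arg_cnt + user_len + port_len + rem_len + sum(arg_lens) != length:
        raise ValueError("field lengths do not add up (wrong shared key?)")
    pos = 8 + arg_cnt
    user, port = body[pos:pos + user_len], body[pos + user_len:pos + user_len + port_len]
    args, pos = [], pos + user_len + port_len + rem_len
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"user": user.decode(), "port": port.decode(), "args": args, "empty_user": user_len == 0}

KEY = b"TESTKEY"   # placeholder key from the thread's IOS example
ARGS = [b"service=shell", b"cmd="]   # exec (shell) authorization arguments
GOOD = build_author_request(b"netadmin", b"telnet0", ARGS, KEY, 0x1A2B3C4D)  # constructed
BAD = build_author_request(b"", b"telnet0", ARGS, KEY, 0x1A2B3C4E)           # constructed, no user
if __name__ == "__main__":
    print([parse_author_request(p, KEY)["empty_user"] for p in (GOOD, BAD)])
```

A request flagged `empty_user` alongside a passed authentication in the ACS logs matches the symptom described in the thread.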
