AAA --> Int range configuration gives "Command authorization failed" msg.

Unanswered Question
Dec 23rd, 2008

Versions involved:

AAA

ACS 4.1.4.13.12

Devices:

C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)

C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)

If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:

HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
HOST1184(config-if-range)# dot1x max-req 1
HOST1184(config-if-range)# dot1x max-reauth-req 1
HOST1184(config-if-range)# dot1x reauthentication
HOST1184(config-if-range)# dot1x guest-vlan 280
HOST1184(config-if-range)# spanning-tree portfast
HOST1184(config-if-range)#!
HOST1184(config-if-range)#end
HOST1184#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x max-req 1
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x max-reauth-req 1
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x reauthentication
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x guest-vlan 280
Command authorization failed.
.
.
.
HOST1184(config-if-range)# spanning-tree portfast
Command authorization failed.
.
.
.
HOST1184(config-if-range)#!

The pieces of config are as follows:

!
aaa new-model
aaa group server radius dot1x
 server 10.61.156.136 auth-port 1812 acct-port 1813
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 <removed>
!
....
!
logging 10.142.4.45
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "SD"
snmp-server contact contact - [email protected]
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
no tacacs-server directed-request
radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
radius-server retransmit 3
!
...

Does anyone out there have a solution for such a problem?

Regards,

AL
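An added illustration, not code from the original post or from Cisco: a small Python helper that groups the "Command authorization failed." messages in a pasted transcript like the one above by the interface range that was active when each command was typed, so the working range and the failing one can be compared before the ACS side is checked. The embedded sample is constructed by abridging the transcript in the post, and the prompt format HOST1184(...)# is assumed to be the only prompt style present.

```python
"""Group "Command authorization failed." lines in a pasted IOS transcript by the
'interface range' selection active when each command was typed. Added
illustration, not part of the original post or of any Cisco tool."""
import re

PROMPT_RE = re.compile(r"^\S+\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")
FAIL_MSG = "Command authorization failed."
# Constructed sample, abridged from the transcript in the post above.
SAMPLE = """\
HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
.
HOST1184(config-if-range)#!
"""

def summarize(transcript):
    """Return {range selection: {command: failures}} in entry order; a failure
    line counts against the most recent command, dot-only elision lines are skipped."""
    summary, context, current = {}, "(no range selected)", None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"."}:
            continue
        if line == FAIL_MSG:
            if current is not None:
                summary[context][current] += 1
            continue
        m = PROMPT_RE.match(line)
        cmd = m.group("cmd").strip() if m else ""
        if not cmd or cmd == "!":  # banner text, bare prompt or '!' comment
            current = None
            continue
        if m.group("mode") == "config" and re.match(r"int\w*\s+range\b", cmd):
            context = cmd  # a new 'interface range' selection starts here
        summary.setdefault(context, {}).setdefault(cmd, 0)
        current = cmd
    return summary

def failing_commands(summary):  # (range selection, command, count) for failures
    return [(c, k, n) for c, cmds in summary.items() for k, n in cmds.items() if n]
```

Paste a full session into SAMPLE (or pass your own string to summarize) and commands with a zero count under one range but a non-zero count under another are the ones to look up in the TACACS+ server's command-authorization log.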

Jagdeep Gambhir Tue, 12/23/2008 - 06:08

Al,

Please check your ACS shell command authorization settings. You may need to permit the range command in it.

Regards,

~JG

Do rate helpful posts

alvaro.motta Tue, 12/23/2008 - 08:37

Hi JG, thanks for your response.

I don't have the appliance close to me, so I cannot check on this setting.

As soon as I have a chance, I will return with this info.

Anyway, why does it work for other devices, and also, why don't we have any problem when configuring a small range of interfaces?

Once again, thanks for your reply.

Regards,

AL

Jagdeep Gambhir Tue, 12/23/2008 - 12:11

Some IOS versions send different syntax to ACS for command authorization.

Regards,

~JG

Do rate helpful posts
