12-23-2008 04:49 AM - edited 03-10-2019 04:14 PM
Versions involved:
AAA
ACS 4.1.4.13.12
Devices:
C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
HOST1184(config-if-range)# dot1x max-req 1
HOST1184(config-if-range)# dot1x max-reauth-req 1
HOST1184(config-if-range)# dot1x reauthentication
HOST1184(config-if-range)# dot1x guest-vlan 280
HOST1184(config-if-range)# spanning-tree portfast
HOST1184(config-if-range)#!
HOST1184(config-if-range)#end
HOST1184#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x max-req 1
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x max-reauth-req 1
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x reauthentication
Command authorization failed.
.
.
.
HOST1184(config-if-range)# dot1x guest-vlan 280
Command authorization failed.
.
.
.
HOST1184(config-if-range)# spanning-tree portfast
Command authorization failed.
.
.
.
HOST1184(config-if-range)#!
The pieces of config are as follows:
!
aaa new-model
aaa group server radius dot1x
server 10.61.156.136 auth-port 1812 acct-port 1813
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 <removed>
!
....
!
logging 10.142.4.45
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "SD"
snmp-server contact contact - contact@mynet.com
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
no tacacs-server directed-request
radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
radius-server retransmit 3
!
...
Does anyone out there have a solution for such a problem?
Regards,
AL
12-23-2008 06:08 AM
Al,
Please check your ACS shell command authorization settings. You may need to permit the range command in it.
Regards,
~JG
Do rate helpful posts
12-23-2008 08:37 AM
Hi JG, thanks for your response.
I don't have the appliance close to me, so I cannot check on this setting.
As soon as I have a chance, I will return with this info.
Anyway, why does it work for other devices, and also, why don't we have any problem when configuring a small range of interfaces?
Once again, thanks for your reply.
Regards,
AL
12-23-2008 12:11 PM
Some IOS versions send different syntax to ACS for command authorization.
Regards,
~JG
Do rate helpful posts
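The point JG makes in both replies (the shell command authorization set must permit the "range" form of the interface command, and the syntax the switch sends to ACS may differ) can be checked offline with a small policy evaluator; this is an added example, not code from the thread or from Cisco ACS. It uses a simplified model (command word plus a regex over the argument string, unmatched arguments denied), which is an assumption about how ACS matches and does not reproduce the size-dependent behaviour in AL's transcript, which the thread never explains; the rule sets and session lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class CommandRule:
    # One entry of a shell command authorization set: the command word and
    # the argument strings (as regexes) permitted for it; anything else is denied.
    command: str
    permitted_args: List[str] = field(default_factory=list)

def authorize(cmd_line: str, rules: List[CommandRule]) -> Tuple[str, str]:
    # Simplified model (assumption, not ACS's real matcher): the first token is
    # the command, the remainder is matched as a whole against each permitted regex.
    parts = cmd_line.strip().split(None, 1)
    command = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    for rule in rules:
        if rule.command != command:
            continue
        if not args and not rule.permitted_args:
            return "permit", "command matched with no arguments"
        for pattern in rule.permitted_args:
            if re.fullmatch(pattern, args):
                return "permit", "arguments matched /%s/" % pattern
        return "deny", "arguments %r not permitted for %r" % (args, command)
    return "deny", "command %r not in authorization set" % command

IFACE = r"[Ff]ast[Ee]thernet ?\d+/\d+"
# Constructed set that only knows the single-interface form of 'interface'.
STRICT_RULES = [
    CommandRule("interface", [IFACE]),
    CommandRule("switchport", [r".*"]),
    CommandRule("dot1x", [r".*"]),
    CommandRule("spanning-tree", [r"portfast"]),
    CommandRule("end"),
]
# Same set with the range form permitted, as JG's reply suggests.
FIXED_RULES = [CommandRule("interface", [IFACE, r"range " + IFACE + r" - \d+"])] + STRICT_RULES[1:]

def denied_commands(session: List[str], rules: List[CommandRule]) -> List[str]:
    # Replay a session line by line and return every command the set would deny,
    # i.e. the lines that would print 'Command authorization failed.' on the switch.
    return [line for line in session if authorize(line, rules)[0] == "deny"]

# Constructed session modelled on the thread's transcript.
SESSION = ["interface fastEthernet 0/1", "switchport access vlan 24",
           "interface range fastEthernet 0/4 - 14", "dot1x port-control auto",
           "spanning-tree portfast", "end"]

if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("fixed", FIXED_RULES)):
        print(name, "denies:", denied_commands(SESSION, rules))
```

Replaying the real commands from a switch's TACACS+ accounting log through the set you believe is deployed is a quick way to spot which argument forms the set silently rejects before users hit them.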