AAA --> Int range configuration gives "Command authorization failed" msg.

Versions involved:

AAA

ACS 4.1.4.13.12

Devices:

C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)

C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)

If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:

HOST1184(config)#int range fastEthernet 0/1 - 3

HOST1184(config-if-range)# switchport access vlan 24

HOST1184(config-if-range)# switchport mode access

HOST1184(config-if-range)# switchport voice vlan 301

HOST1184(config-if-range)# dot1x pae authenticator

HOST1184(config-if-range)# dot1x port-control auto

HOST1184(config-if-range)# dot1x timeout reauth-period 7200

HOST1184(config-if-range)# dot1x timeout supp-timeout 120

HOST1184(config-if-range)# dot1x max-req 1

HOST1184(config-if-range)# dot1x max-reauth-req 1

HOST1184(config-if-range)# dot1x reauthentication

HOST1184(config-if-range)# dot1x guest-vlan 280

HOST1184(config-if-range)# spanning-tree portfast

HOST1184(config-if-range)#!

OST1184(config-if-range)#end

HOST1184#conf t

Enter configuration commands, one per line. End with CNTL/Z.

HOST1184(config)#int range fastEthernet 0/4 - 14

HOST1184(config-if-range)# switchport access vlan 24

Command authorization failed.

Command authorization failed.

Command authorization failed.

HOST1184(config-if-range)# switchport mode access

HOST1184(config-if-range)# switchport voice vlan 301

HOST1184(config-if-range)# dot1x pae authenticator

HOST1184(config-if-range)# dot1x port-control auto

Command authorization failed.

HOST1184(config-if-range)# dot1x timeout reauth-period 7200

Command authorization failed.

.

.

.

HOST1184(config-if-range)# dot1x timeout supp-timeout 120

Command authorization failed.

.

.

.

HOST1184(config-if-range)# dot1x max-req 1

Command authorization failed.

.

.

.

HOST1184(config-if-range)# dot1x max-reauth-req 1

Command authorization failed.

.

.

.

HOST1184(config-if-range)# dot1x reauthentication

Command authorization failed.

.

.

.

HOST1184(config-if-range)# dot1x guest-vlan 280

Command authorization failed.

.

.

.

HOST1184(config-if-range)# spanning-tree portfast

Command authorization failed.

.

.

.

HOST1184(config-if-range)#!

The pieces of config are as follows:

!

aaa new-model

aaa group server radius dot1x

server 10.61.156.136 auth-port 1812 acct-port 1813

!

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authentication dot1x default group dot1x

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated none

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

enable secret 5 <removed>

!

....

!

logging 10.142.4.45

snmp-server community <removed> RO

snmp-server community <removed> RW

snmp-server location "SD"

snmp-server contact contact - contact@mynet.com

tacacs-server host A.B.C.D timeout 5 key <removed>

tacacs-server host A.B.C.D timeout 5 key <removed>

tacacs-server host A.B.C.D timeout 5 key <removed>

no tacacs-server directed-request

radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851

radius-server retransmit 3

!

...

Does anyone out there have a solution for such a problem?

Regards,

AL

3 Replies

Jagdeep Gambhir
Level 10

Al,

Please check your ACS shell command authorization settings. You may need to permit the range command in it.

Regards,

~JG

Do rate helpful posts

Hi JG, thanks for your response.

I don't have the appliance close to me, so I cannot check on this setting.

As soon as I have a chance, I will return with this info.

Anyway, why does it work for other devices, and also, why don't we have any problem when configuring a small range of interfaces?

Once again, thanks for your reply.

Regards,

AL

Some IOS versions send different syntax to ACS for command authorization.

Regards,

~JG

Do rate helpful posts
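To make JG's two points concrete (the authorization set has to permit the range syntax, and different IOS versions submit different argument strings), here is an added example that is not from this thread or from ACS: a simplified, constructed model of how a TACACS+ shell command authorization set evaluates the cmd / cmd-arg pairs a switch sends. The tokenisation of the range arguments and the matching rules are assumptions, not ACS 4.x's actual implementation.

```python
import re
from typing import Dict, List, Tuple

# Constructed, simplified model of a shell command authorization set: each
# command maps to regexes that the argument string (cmd-arg values joined by
# spaces) must fully match to be permitted. Real ACS 4.x matching semantics
# may differ; this is an assumption for illustration only.
CommandSet = Dict[str, List[str]]

def authorize(command_set: CommandSet, cmd: str, args: List[str]) -> bool:
    """Return True if the command set permits `cmd` with these arguments."""
    patterns = command_set.get(cmd.lower())
    if patterns is None:
        return False  # command not listed at all: deny
    arg_string = " ".join(args)
    return any(re.fullmatch(p, arg_string, re.IGNORECASE) for p in patterns)

# Constructed requests as a switch might submit them (service=shell,
# cmd=..., cmd-arg=...). Since IOS versions differ in the syntax they send,
# the real argument string should be read from the ACS failed-attempts log
# before writing patterns; both spellings below are assumptions.
REQUESTS: List[Tuple[str, List[str]]] = [
    ("interface", ["FastEthernet0/1"]),
    ("interface", ["range", "FastEthernet0/1", "-", "3"]),
    ("interface", ["range", "fastEthernet", "0/4", "-", "14"]),
    ("switchport", ["access", "vlan", "24"]),
]

# Authorization set before the fix: only a single interface is permitted.
BEFORE: CommandSet = {
    "interface": [r"FastEthernet0/\d+"],
    "switchport": [r"access vlan \d+", r"mode access", r"voice vlan \d+"],
}

# After the fix: the range syntax is permitted as well, covering both the
# "FastEthernet0/4" and "fastEthernet 0/4" spellings.
AFTER: CommandSet = {
    "interface": [r"FastEthernet0/\d+", r"range FastEthernet ?0/\d+ - \d+"],
    "switchport": BEFORE["switchport"],
}

def evaluate(command_set: CommandSet) -> List[bool]:
    """Authorization verdict for every request in REQUESTS, in order."""
    return [authorize(command_set, cmd, args) for cmd, args in REQUESTS]

if __name__ == "__main__":
    for (cmd, args), b, a in zip(REQUESTS, evaluate(BEFORE), evaluate(AFTER)):
        print(f"{cmd} {' '.join(args):32} before={b!s:5} after={a}")
```

The single-interface and the sub-mode requests pass against both sets; only the two range requests flip from denied to permitted once the range pattern is added.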
