I input 'aaa auth login...' and got 'authorization failed'. I am locked.

Unanswered Question
Jun 11th, 2009

Good morning,

On 3750, I was setting up passwords and I did:

config t
aaa new-model
aaa auth login default group tacacs+ local

Then I got output:

% Authorization failed.

From there I can't do show run, config t, etc. It sounds like I need to reboot the switch and break into it?

Why did this happen and what is wrong? My intention is to set the following, so that if tacacs is not present, users can use the local login "local" to login:

aaa new-model
aaa authentication login default group tacacs+ local
username local secret passwordlogin
line con 0
session-timeout 900
exec-timeout 15 0
login local
password consolepassword
line vty 0 15
login local
session-timeout 900
exec-timeout 15 0
password telnetpassword

Edison Ortiz Thu, 06/11/2009 - 06:56

During your initial configuration, your entry to the router was made with the 'enable secret|password'.

When you enabled 'aaa new-model' and 'aaa authentication ... local', you need to regain entry into the router by using the local username and password in order to continue making changes in the config.

Edit: Additionally, I noticed the local account does not have 'priv 15'. You need privilege 15 in order to make config changes.

HTH,

__

Edison.

mahmoodmkl Thu, 06/11/2009 - 06:58

Hi,

Have you entered the aaa config for authentication or authorization?

I think the IOS has taken it as authorization because when we are entering this config usually the IOS prompt stops in order for us to select whether we want authentication or authorization.

The above config needs some modification.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local

If you haven't saved the config you need to reboot the switch, or do a password recovery if you have saved it.

Thanks

Mahmood

news2010a Thu, 06/11/2009 - 07:06

Fortunately I closed my telnet session and then I was able to login again, without rebooting it.

Can you confirm the following should work:

aaa new-model
aaa authentication login default group tacacs+ local
username local privilege 15 secret passwordlogin
line con 0
session-timeout 900
exec-timeout 15 0
login local
password consolepassword
line vty 0 15
login local
session-timeout 900
exec-timeout 15 0
password telnetpassword

Richard Burts Thu, 06/11/2009 - 07:17

Marlon

You may have intended authentication. But the error message is pretty clear that the router interpreted your input as authorization:

Then I got output:

% Authorization failed.

Assuming that you have not done a copy run start then recovery should be easy by power cycling the device. If the change was not saved then power cycle will get rid of the change and there is no need to break in and do password recovery.

HTH

Rick

Richard Burts Thu, 06/11/2009 - 07:22

Marlon

The issue that I see with this proposed config is that when you enable aaa new-model then you can no longer configure login local for console or vty.

Also you are specifying TACACS as the primary method but the partial config does not have any configuration of the TACACS server. Other than that I believe that your config is ok.

HTH

Rick

Edison Ortiz Thu, 06/11/2009 - 07:23

After login, were you able to get into config mode and make the additional changes?

news2010a Thu, 06/11/2009 - 07:31

Yes, I can make changes now.

Can you confirm that I should be using authentication as below?

At this stage the switch has no network connectivity but I will point to the tacacs IP accordingly (the only thing is that I need to be able to login using local credentials since no network connectivity is in place yet).

aaa new-model
aaa authentication login default group tacacs+ local
username local privilege 15 secret passwordlogin
line con 0
session-timeout 900
exec-timeout 15 0
login local
password consolepassword
line vty 0 15
login local
session-timeout 900
exec-timeout 15 0
password telnetpassword

mahmoodmkl Thu, 06/11/2009 - 07:33

Hi,

I think you need an extra line, i.e.

aaa authentication enable default group tacacs+ local

Thanks

Mahmood

news2010a Thu, 06/11/2009 - 07:36

I tried that, but it did not accept 'local'. Also, if I try my original configuration, now I understand the comment that someone made that when I try to do "line con... login local" I am no longer able to do that since it requires 'authentication' instead.

switch(config)#aaa authentication enable default group tacacs+ local
^
% Invalid input detected at '^' marker.
switch(config)#
switch(config)#aaa authentication enable default group tacacs+ ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
none NO authentication.

Edison Ortiz Thu, 06/11/2009 - 07:36

I'm glad you are able to make changes now. The problem you had before is that your privileges were changed from 'enable secret' to 'local account'.

Your authentication line is fine. If you need additional AAA services, then you need to configure 'authorization' and 'accounting'.

For now, without a TACACS server - you are fine with just authentication but once the TACACS server is online, you will also need the authorization component on AAA.

HTH,

__

Edison.
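As an added example (not from any post in this thread), a small Python lint that checks an IOS-style config for the lockout pitfalls the replies identified: the ambiguous 'aaa auth' abbreviation, a tacacs+ method list with no TACACS server configured, a local fallback user without privilege 15, and 'login local' left under a line after aaa new-model. The TACACS server address and key in the fixed sample are placeholders, not values from the thread.

```python
import re

# Constructed sample: the 3750 config proposed in the thread, carrying the
# pitfalls the replies pointed out (no TACACS server, 'login local' kept under
# aaa new-model, a local user without privilege 15).
PROPOSED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username local secret passwordlogin
line con 0
 login local
 password consolepassword
line vty 0 15
 login local
 password telnetpassword
"""
# Constructed sample with each finding addressed; the TACACS server address
# and key are placeholders, not values from the thread.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
username local privilege 15 secret passwordlogin
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
line con 0
 password consolepassword
line vty 0 15
 password telnetpassword
"""
def lint_aaa_lockout(config: str) -> list[str]:
    """Return lockout-risk findings for an IOS-style config using aaa new-model."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # 'aaa auth' is a prefix of both 'authentication' and 'authorization'.
    if any(re.match(r"aaa auth\s", ln) for ln in lines):
        findings.append("ambiguous 'aaa auth' abbreviation: spell out authentication")
    if "aaa new-model" not in lines:
        return findings  # the remaining checks only apply with AAA enabled
    methods = [ln for ln in lines if ln.startswith("aaa authentication login ")]
    if any("group tacacs+" in ln for ln in methods) and not any(
            ln.startswith(("tacacs-server host ", "tacacs server ")) for ln in lines):
        findings.append("method list names group tacacs+ but no TACACS server is configured")
    if any(re.search(r"\blocal\b", ln) for ln in methods) and not any(
            "privilege 15" in ln for ln in lines if ln.startswith("username ")):
        findings.append("no privilege 15 local user, so config changes are blocked after local fallback")
    # With aaa new-model the method list replaces per-line 'login local'.
    if any(ln.startswith("login local") for ln in lines):
        findings.append("'login local' on a line is not configurable once aaa new-model is set")
    return findings
```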
