ASA Local Command Authorization problem?

Unanswered Question
Oct 9th, 2009
User Badges:

Hi,I have configured command authorization in my ASA with tacacs and also i have configured shell command authorization for different users in ACS4.2. when im using ACS for command authorization there is no problem ,but when i disconnect my connection to ACS from ASA, i stock in configuration even i have configured aaa authorization command TACACS LOCAL but when connection to ACS is lost i get very limited access to my asa(LOCAL is configured end of the above command) also i have configured user with Priv 15 so when i log in to my asa with this local user i have limited access even its Priv level is 15,so do i have to configure any thing else to give me full access in level 15 when there is no access to ACS and aaa authorization command <server group> LOCAL is configured?? thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Jagdeep Gambhir Fri, 10/09/2009 - 05:42
User Badges:
  • Red, 2250 points or more


Please check this known bug,

CSCsj56051 Bug Details

AAA authorization commands LOCAL fallback broken


aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.


TACACS+ server communication is lost, LOCAL is configured next in the list.



Further Problem Description:

7.2.2 does not show this behavior.

8.0(3) does not show this behavior.



Do rate helpful posts

Jatin Katyal Fri, 10/09/2009 - 06:01
User Badges:
  • Cisco Employee,


Further to JG update; I also came across this defect and i did a lab recreate for LOCAL command authorization on 8.0.3 and confirmed the issue has fixed.

Now with your current config and code 8.0.x you can access or run any command with privilege 15 user. However for read only access with LOCAL authorization you need to update your config with lots of command.



Plz rate helpful posts-

blackhat2020 Fri, 10/09/2009 - 06:20
User Badges:

Thank you guys very much,but what about FWSM 3.2 image?becuse now I'm going to config it on 3.2 os!

Feidopiastis.n Thu, 11/11/2010 - 00:26
User Badges:


   I had the same problem and found out that the problem exists on 8.0.2

I had to downgrade to 7.2.1, remove aaa authorization command and reboot to 8.0.2 again to have normal rights.

Kind regards


This Discussion