10-09-2009 02:16 AM - edited 03-10-2019 04:43 PM
Hi, I have configured command authorization on my ASA with TACACS, and I have also configured shell command authorization for different users in ACS 4.2. When I'm using ACS for command authorization there is no problem, but when I disconnect my connection to ACS from the ASA, I get stuck in configuration. Even though I have configured aaa authorization command TACACS LOCAL, when the connection to ACS is lost I get very limited access to my ASA (LOCAL is configured at the end of the above command). I have also configured a user with priv 15, so when I log in to my ASA with this local user I have limited access even though its priv level is 15. So do I have to configure anything else to give me full access at level 15 when there is no access to ACS and aaa authorization command <server group> LOCAL is configured? Thanks
10-09-2009 05:42 AM
Hi,
Please check this known bug,
CSCsj56051 Bug Details
AAA authorization commands LOCAL fallback broken
Symptom:
aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.
Conditions:
TACACS+ server communication is lost, LOCAL is configured next in the list.
Workaround:
none.
Further Problem Description:
7.2.2 does not show this behavior.
8.0(3) does not show this behavior.
Regards,
~JG
Do rate helpful posts
10-09-2009 06:01 AM
Hi,
Further to JG's update: I also came across this defect, and I did a lab recreate for LOCAL command authorization on 8.0.3 and confirmed the issue has been fixed.
Now with your current config and code 8.0.x you can access or run any command with a privilege 15 user. However, for read-only access with LOCAL authorization you need to update your config with lots of commands.
HTH
JK
Please rate helpful posts
10-09-2009 06:20 AM
Thank you guys very much, but what about the FWSM 3.2 image? Because now I'm going to configure it on the 3.2 OS!
11-11-2010 12:26 AM
Hello,
I had the same problem and found out that the problem exists on 8.0.2.
I had to downgrade to 7.2.1, remove aaa authorization command and reboot to 8.0.2 again to have normal rights.
Kind regards