Authorization Failed

Unanswered Question
May 22nd, 2010

Hello Friends,

I'm configuring a Shell Command Authorization Set for a group of users. After entering the username and then the password, it gives me the error "Authorization Failed". I'm using the evaluation version of ACS for Windows 4.2.

For authorization I have configured as follows:

Step 1.  Go to Shell Command Authorization Set, check the Command button, and enter login.

Step 2.  Select Permit under Unlisted Arguments. Repeat this process for the logout, enable, and disable commands. This is creating a set of commands that is authorized.

Step 3.  Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments, enter permit clock, and select deny for Unlisted Arguments.

Step 4.  When you are finished, click Submit. This enables some basic command authorization at the Group level.

I'm doing this from a Cisco Press book. Which commands am I authorized to execute? Has anybody faced this type of error before?

Thanks

Panos Kampanakis Mon, 05/24/2010 - 15:04

What product are you trying to authenticate to? A router, an ASA?

Are you also doing authentication? Please make sure you do so.

Here you can find a couple of examples: http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authorizatn_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057693

Of course the ACS needs to be configured to do command (exec) authorization for specific commands and users.

PK

Jatin Katyal Mon, 05/24/2010 - 16:11


Have you configured command authorization on the network access device (router or switch)? The error message you are getting is because of exec authorization, so for that you need to give privilege 15 on the ACS: if you have a group configured, then go to that group, jump to TACACS+, check the option Shell (exec) and define the privilege level as 15.


Command authorization configuration example:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo


In order to configure command authorization on IOS you need the commands listed below:

aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

On the ASA you only need one command:

aaa authorization command tacacs LOCAL


If you still face any issues, then do attach the "sh run" from the device and the failed attempt logs from the ACS.



HTH

JK


Do rate helpful posts.
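As an added example that is not part of this thread (not Cisco or ACS code): a small Python check of the kind you would run over the "sh run" before attaching it, reporting which of the AAA lines above are absent. SAMPLE_CONFIG is constructed for illustration; it has the command-authorization lines from this post but no exec authorization list, which is the shape of config that produces the "Method list id=0 not configured. Skip author" line in the debug further down this thread: login succeeds, but IOS has no exec authorization list to consult, so no exec authorization request ever reaches ACS. The check names and the sample server address are assumptions, not anything from the thread.

```python
"""Check a Cisco IOS running-config for the AAA lines that TACACS+ exec
and command authorization need.  Added example for this thread, not Cisco
or ACS code; SAMPLE_CONFIG is constructed for illustration."""
import re

# Constructed sample: the command-authorization lines from the post above
# are present, but no "aaa authorization exec" list is configured.
SAMPLE_CONFIG = """\
hostname ACS_Router
aaa new-model
aaa authentication login 123 group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.168.10.2 key 7 0822455D0A16
line vty 0 4
 login authentication 123
"""

# Each check is a regex that must match at least one (stripped) config line.
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "login authentication via tacacs+": r"^aaa authentication login \S+ .*group tacacs\+",
    "exec authorization via tacacs+": r"^aaa authorization exec \S+ .*group tacacs\+",
    "config-commands authorization": r"^aaa authorization config-commands$",
    "commands 1 authorization via tacacs+": r"^aaa authorization commands 1 \S+ .*group tacacs\+",
    "commands 15 authorization via tacacs+": r"^aaa authorization commands 15 \S+ .*group tacacs\+",
    "tacacs-server host": r"^tacacs-server host \S+",
}


def audit_aaa(config):
    """Return {check name: True/False} for the given running-config text."""
    lines = [line.strip() for line in config.splitlines()]
    result = {name: any(re.match(pattern, line) for line in lines)
              for name, pattern in REQUIRED.items()}
    # A vty line may reference a named login list (the debug shows list
    # '123' being picked); every list referenced must actually be defined.
    defined = {m.group(1) for line in lines
               if (m := re.match(r"aaa authentication login (\S+)", line))}
    referenced = {m.group(1) for line in lines
                  if (m := re.match(r"login authentication (\S+)", line))}
    result["vty login lists defined"] = referenced <= defined
    return result


def missing(config):
    """Names of the checks that failed, in REQUIRED order."""
    return [name for name, ok in audit_aaa(config).items() if not ok]


if __name__ == "__main__":
    for name in missing(SAMPLE_CONFIG):
        print("MISSING:", name)
```

The check only looks for the default and named-list forms that route to a tacacs+ server group; a config that authorizes against `local` only would also be flagged, which is intended, since the thread is about getting ACS to answer.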

thomasandy32 Wed, 05/26/2010 - 05:52

Dear jkatyal

I'm confused; can you help me to authorize some commands for a group in ACS? The 4 steps in my previous mail, which I have done: what will I achieve from those steps? What command access will I be authorized? I have added the above commands from your mail in my routers, but what will these commands actually do?

I have enabled privilege level 1 in the Exec (Shell) section of the group, and in the Shell Command Authorization Set I have done exactly:

Step 1.
Go to Shell Command Authorization Set, check the Command button, and enter login.

Step 2.
Select Permit under Unlisted Arguments. Repeat this process for the logout, enable, and disable commands. This is creating a set of commands that is authorized.

Step 3.
Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments, enter permit clock, and select deny for Unlisted Arguments.

Also, I have configured a privilege level 1 user in the router. When I try to telnet to the router I get a prompt for username and password, and then when I type "en" it again prompts me with "router>".

Below is the output from the console when a privilege level 1 user telnets to the router.

ACS_Router#

*May 26 12:28:18.331: AAA/BIND(0000000D): Bind i/f
*May 26 12:28:18.331: AAA/AUTHEN/LOGIN (0000000D): Pick method list '123'
*May 26 12:28:31.331: AAA/AUTHOR (0000000D): Method list id=0 not configured. Skip author
*May 26 12:28:41.115: AAA/AUTHOR: auth_need : user= 'test' ruser= 'ACS_Router'rem_addr= '192.168.10.4' priv= 0 list= '' AUTHOR-TYPE= 'command'
*May 26 12:28:41.115: AAA: parse name=tty514 idb type=-1 tty=-1
*May 26 12:28:41.115: AAA: name=tty514 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=514 channel=0
*May 26 12:28:41.115: AAA/MEMORY: create_user (0x467487F0) user='test' ruser='ACS_Router' ds0=0 port='tty514' rem_addr='192.168.10.4' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*May 26 12:28:41.115: tty514 AAA/AUTHOR/CMD(1324718254): Port='tty514' list='' service=CMD
*May 26 12:28:41.115: AAA/AUTHOR/CMD: tty514(1324718254) user='test'
*May 26 12:28:41.115: tty514 AAA/AUTHOR/CMD(1324718254): send AV service=shell
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd=enable
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd-arg=
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): found list "default"
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): Method=tacacs+ (tacacs+)
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): user=test
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV service=shell
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd=enable
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=
*May 26 12:28:41.319: TAC+: (1324718254): received author response status = PASS_ADD
*May 26 12:28:41.319: AAA/AUTHOR (1324718254): Post authorization status = PASS_ADD
*May 26 12:28:41.319: AAA/MEMORY: free_user (0x467487F0) user='test' ruser='ACS_Router' port='tty514' rem_addr='192.168.10.4' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
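As an added example (not part of the thread and not ACS code): a Python model of the four-step Shell Command Authorization Set, to show which command lines it would permit when the device sends cmd/cmd-arg pairs the way the debug above does (cmd=enable, cmd-arg=1). The set contents are the ones from the steps; the matching rules are assumptions about ACS 4.x behaviour: the first word is the command, argument lines are tried in order as regular expressions matched from the start of the argument string, the per-command "Unlisted Arguments" setting covers anything no line matched, and the set-level "Unmatched Commands" setting (assumed Deny) covers commands that are not in the set at all.

```python
"""Model of an ACS 4.x Shell Command Authorization Set.  Added example for
this thread, not ACS code; the matching rules are assumptions, the set
contents come from the three steps in the posts."""
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    # Argument lines as typed in the ACS "Arguments" box, in order,
    # e.g. [("permit", "clock"), ("deny", "running-config")].
    args: list = field(default_factory=list)
    # The per-command "Unlisted Arguments" radio button (Permit/Deny).
    unlisted_args_permit: bool = False


@dataclass
class ShellCommandSet:
    commands: dict = field(default_factory=dict)
    # The set-level "Unmatched Commands" radio button; assumed Deny.
    unmatched_commands_permit: bool = False

    def add(self, command, unlisted_args_permit, args=()):
        self.commands[command] = CommandEntry(list(args), unlisted_args_permit)

    def authorize(self, line):
        """Return True for PASS, False for FAIL on one command line."""
        # The device sends cmd=<first word> and one cmd-arg per remaining
        # word, so split the same way and rejoin the arguments.
        words = line.split()
        if not words:
            return False
        cmd, arg_str = words[0], " ".join(words[1:])
        entry = self.commands.get(cmd)
        if entry is None:
            return self.unmatched_commands_permit
        for action, pattern in entry.args:
            # Assumption: argument lines are regexes anchored at the start
            # of the argument string, first match wins.
            if re.match(pattern, arg_str):
                return action == "permit"
        return entry.unlisted_args_permit


def thread_set():
    """The set built by steps 1-3 of the original post."""
    s = ShellCommandSet()
    for cmd in ("login", "logout", "enable", "disable"):  # steps 1 and 2
        s.add(cmd, unlisted_args_permit=True)
    s.add("show", unlisted_args_permit=False,
          args=[("permit", "clock")])                     # step 3
    return s


def evaluate(lines, command_set=None):
    """Map each command line to its PASS (True) / FAIL (False) verdict."""
    s = command_set or thread_set()
    return {line: s.authorize(line) for line in lines}


if __name__ == "__main__":
    sample = ["enable 1", "show clock", "show running-config",
              "configure terminal", "logout"]
    for line, ok in evaluate(sample).items():
        print(f"{'PASS' if ok else 'FAIL'}  {line}")
```

Note that ACS is only consulted for commands at the privilege levels named in the device's `aaa authorization commands <level>` lines (0, 1 and 15 in the earlier reply); a command typed at a level with no such line is never sent to the server, regardless of what the set says.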
