Authorization Failed

thomasandy32 · ‎05-22-2010

Hello Friends,

I m configuring Shell Command Authorization set for a group of users, After entering username and after that entering password it gives me error" Authorization Failed", I m using evaluation version ACS for windows 4.2.

For authorization i have configured as follows:

Step 1. Go to Shell Command Authorization Set, check the Command button, and enter login.

Step 2. Select Permit under Unlisted Arguments. Repeat this process for the logout, enable, and disable commands. This is creating a set of commands that is authorized.

Step 3. Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments, enter permit clock, and select deny for Unlisted Arguments.

Step 4. When you are finished, click Submit. This enables some basic command authorization at the Group level.

I m doing this by cisco press book what command i m authorize to execute. Have anybody face such type of error before.

Thanks

Panos Kampanakis · ‎05-24-2010

What product are you trying to authenticate to? A router, an ASA?

Are you also doing authenticaion? Please make sure you do so.

Here you can find a could of examples http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authorizatn_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057693

Of course the ACS needs to be configured to do command (exec) authorization for specific commands and users.

PK

Jatin Katyal · ‎05-24-2010

Have you configured command authorization on the Network access device like router or switch because the error message you are gettings is because of exec authorization so for that you need to give privilege 15 on the ACS, if you have group configured then go to that group >> jump to tacacs+ and check the option shell(exec) define the privilege level 15.

Command authorization configuration examole:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

In order to configure command authrization on IOS you need the below listed command:

aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

On ASA you only need one command

aaa authorization command tacacs LOCAL

If you still face any issues then do attach the sh run from the device and faiked attempt logs from the ACS

HTH

JK

Do rate helpful posts-

~Jatin

thomasandy32 · ‎05-26-2010

Dear jkatyal

I m confuse can you help me to authorize some command to a group of ACS. The above 4 steps in my previous mail what i have done what i will achieve from those steps????? what command access i will be authorize??? I have added the above command from ur mail in my routers,but what actually these commands will do????

I have enabled a privilege level 1 in exec (shell) section of group and in shell authorization set i have done exactly

Step 1.	Go to Shell Command Authorization Set, check the Command button, and enter login.
Step 2.	Select Permit under Unlisted Arguments. Repeat this process for the logout, enable, and disable commands. This is creating a set of commands that is authorized.
Step 3.	Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments, enter permit clock, and select deny for Unlisted Arguments

also i have configured a privilege level 1 user in the router, when i try to telnet to a router i get a prompt of username and password and then when i type a "en" it again propmt me " router >".

Below is the output from console when a privilege level 1 user telent to a router.

ACS_Router#

*May 26 12:28:18.331: AAA/BIND(0000000D): Bind i/f
*May 26 12:28:18.331: AAA/AUTHEN/LOGIN (0000000D): Pick method list '123'
*May 26 12:28:31.331: AAA/AUTHOR (0000000D): Method list id=0 not configured. Skip author
*May 26 12:28:41.115: AAA/AUTHOR: auth_need : user= 'test' ruser= 'ACS_Router'rem_addr= '192.168.10.4' priv= 0 list= '' AUTHOR-TYPE= 'command'
*May 26 12:28:41.115: AAA: parse name=tty514 idb type=-1 tty=-1
*May 26 12:28:41.115: AAA: name=tty514 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=514 channel=0
*May 26 12:28:41.115: AAA/MEMORY: create_user (0x467487F0) user='test' ruser='ACS_Router' ds0=0 port='tty514' rem_addr='192.168.10.4' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*May 26 12:28:41.115: tty514 AAA/AUTHOR/CMD(1324718254): Port='tty514' list='' service=CMD
*May 26 12:28:41.115: AAA/AUTHOR/CMD: tty514(1324718254) user='test'
*May 26 12:28:41.115: tty514 AAA/AUTHOR/CMD(1324718254): send AV service=shell
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd=enable
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): send AV cmd-arg=
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): found list "default"
*May 26 12:28:41.119: tty514 AAA/AUTHOR/CMD(1324718254): Method=tacacs+ (tacacs+)
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): user=test
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV service=shell
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd=enable
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=1
*May 26 12:28:41.119: AAA/AUTHOR/TAC+: (1324718254): send AV cmd-arg=
*May 26 12:28:41.319: TAC+: (1324718254): received author response status = PASS_ADD
*May 26 12:28:41.319: AAA/AUTHOR (1324718254): Post authorization status = PASS_ADD
*May 26 12:28:41.319: AAA/MEMORY: free_user (0x467487F0) user='test' ruser='ACS_Router' port='tty514' rem_addr='192.168.10.4' authen_type=ASCII service=NONE priv=0 vrf= (id=0)