[ACS 5.2] switch Command authorization failed

Unanswered Question
May 30th, 2011

Hi all,

I've a problem: the switch says "authorization failed" on every command that I type.

Switch#sho run
Command authorization failed.

Switch#conf t
Command authorization failed.

I only use a basic configuration (attached below).

Switch config :

aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa session-id common


ip tacacs source-interface Vlan888
tacacs-server host
tacacs-server key cisco


ACS config :

# Network resources - network devices and AAA clients

     * name switch , ip , authen option : tacacs+ , shared secret cisco

# User and identity store - internal identity store - users

     * name tester , pass : passw0rd , enable pass : enable

# Policy elements - authorization and permissions - device administration - shell profile

     * name : testProfile , command task - maximum privilege 15 , (default privilege not in use / default)

# Policy elements - authorization and permissions - device administration - command sets

     * name : PermitAll , mark "Permit any command that is not in the table below"

# Access policies - access service - default device admin - authorization
     * rule-8 , identity group in all groups , shell profile : testProfile

Has anyone seen this type of issue and could perhaps offer some advice on what I am missing?

Many thanks in advance.
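As an added example (not from the thread), a small Python check that parses the AAA method lists from the switch config above and walks them the way IOS does: the next method is consulted only when the TACACS+ server does not answer, so an explicit deny from ACS (which is what "Command authorization failed" reports) is never rescued by the trailing `none`, while an unreachable server silently opens the door. The config text is a constructed copy of the lines in the post.

```python
import re

# Constructed copy of the switch's AAA lines from the post (no live device involved).
SWITCH_AAA = """
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
"""

LINE_RE = re.compile(r"^aaa (authentication|authorization) (\S+(?: \d+)?) (\S+) (.+)$")

def parse_method_lists(config):
    """Return {(function, list_name): [methods]} for each aaa line that carries a method list."""
    lists = {}
    for line in config.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. 'aaa authorization config-commands' has no method list
        kind, function, name, methods = m.groups()
        toks, parsed, i = methods.split(), [], 0
        while i < len(toks):
            if toks[i] == "group":            # 'group tacacs+' / 'group radius' / 'group <name>'
                parsed.append("group " + toks[i + 1]); i += 2
            else:
                parsed.append(toks[i]); i += 1
        lists[(kind + " " + function, name)] = parsed
    return lists

def evaluate(methods, server_result, authenticated=True):
    """Walk a method list as IOS does: advance only on ERROR (server unreachable),
    never on an explicit PASS/FAIL from the server. Returns the final decision."""
    for method in methods:
        if method.startswith("group "):
            if server_result in ("PASS", "FAIL"):
                return server_result          # an explicit server answer ends the walk
            continue                          # ERROR: fall through to the next method
        if method == "if-authenticated":
            return "PASS" if authenticated else "FAIL"
        if method == "none":
            return "PASS"                     # no authorization at all
        if method in ("local", "enable", "line"):
            return "LOCAL"                    # decided by on-box credentials
    return "FAIL"                             # list exhausted with no decision

def audit(config):
    """Flag every list whose last resort grants access when TACACS+ is unreachable."""
    return [f"{function} {name}: falls back to '{methods[-1]}' if TACACS+ is unreachable"
            for (function, name), methods in parse_method_lists(config).items()
            if methods[-1] in ("none", "if-authenticated")]
```

Running `evaluate` on the `commands 15` list with a server result of `FAIL` returns `FAIL`, which matches the symptom in the post; `audit` lists all five method lists as open when the server is down.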

ki.song Tue, 09/06/2011 - 05:23

mine says

line vty 0 4

access-class ACL....

exec-timeout 9 0

password 7 ....

transport input ssh

ki.song Tue, 09/06/2011 - 05:19

Did you find an answer for this? I have the same problem.

Nicolas Darchis Tue, 09/06/2011 - 11:47

The whole question is:

if the switch says command authorization failed, what does ACS say in the authorization logs ???

ki.song Tue, 09/06/2011 - 11:52


It works now. The authorization logs do not say anything.

randy.klassen Thu, 09/08/2011 - 11:32

I had the same problem and marked the default priv lvl 15 and the max 15 (this was only for the admin account); the guest account I set up uses default 1, max (none), and it works perfectly.

You can #sho priv inside your Cisco device and it should say 15; if it doesn't, then you know it's a problem with your shell profile priv lvl.
