
[ACS 5.2] switch Command authorization failed

Vendy Wijaya
Level 1

Hi all,

I have a problem: the switch says "authorization failed" on every command that I type.

Switch#sho run
Command authorization failed.

Switch#conf t
Command authorization failed.

I only use a basic configuration (attached below).

Switch config :

aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
!
aaa session-id common

!

ip tacacs source-interface Vlan888
tacacs-server host 10.255.253.25
tacacs-server key cisco

!

ACS config :

# Network resources - network devices and AAA clients

     * name switch , ip 10.255.253.65 , authen option : tacacs+ , shared secret cisco

# User and identity store - internal identity store - users

     * name tester , pass : passw0rd , enable pass : enable

# Policy elements - authorization and permissions - device administration - shell profile

     * name : testProfile , command task - maximum privilege 15 , (default privilege not in use / default)

# Policy elements - authorization and permissions - device administration - command sets

     * name : PermitAll , mark "Permit any command that is not in the table below"

# Access policies - access service - default device admin - authorization
     * rule-8 , identity group in all groups , shell profile : testProfile

Has anyone seen this type of issue and could perhaps offer some advice on what I am missing?

Many thanks in advance.
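
An added example (not part of the original post, and not Cisco code) that parses the AAA method lists from the config above and walks them the way IOS does: the next method is tried only when the previous one gives no usable response, so a denial from the TACACS+ server ends the walk and the `if-authenticated none` fallbacks never apply. It also lists the authentication lists that end in `none`, which skip the credential check when the server does not respond. The function names and the PASS/FAIL/ERROR labels are assumptions made for this sketch, and the session is assumed to be already authenticated.

```python
import re

# Added example, not from the thread. Constructed sample: AAA lines of the posted config.
CONFIG = """\
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
"""

LINE = re.compile(r"^aaa (authentication|authorization) "
                  r"(login|enable|exec|commands \d+) (\S+) (.+)$")

def method_lists(config):
    """Return {(kind, service, list_name): [methods]} for each method list."""
    lists = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. 'aaa authorization config-commands' has no methods
        kind, service, name, rest = m.groups()
        # 'group tacacs+' is one method made of two tokens
        methods = re.findall(r"group \S+|\S+", rest)
        lists[(kind, service, name)] = methods
    return lists

def authorize(methods, server_reply):
    """Walk an authorization method list for an already-authenticated user.

    server_reply models the TACACS+ server's answer: 'PASS', 'FAIL' or
    'ERROR' (no usable response). Only ERROR moves on to the next method.
    """
    for method in methods:
        if method.startswith("group "):
            if server_reply == "ERROR":
                continue
            return server_reply == "PASS", method
        if method in ("if-authenticated", "none"):
            return True, method
        raise ValueError("method not modelled: " + method)
    return False, None

def open_fallbacks(lists):
    """Authentication lists ending in 'none': no credentials checked on ERROR."""
    return sorted(k[1] for k, v in lists.items()
                  if k[0] == "authentication" and v[-1] == "none")
```

Each `authorize` result is a pair: whether the command is permitted, and the method that decided it.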

6 Replies

zujalal
Cisco Employee

Hi.

What do you have under line vty 0 4?

Regards

Mine says:

line vty 0 4
 access-class ACL....
 exec-timeout 9 0
 password 7 ....
 transport input ssh

ki.song
Level 1

Did you find an answer for this? I have the same problem.

The whole question is:

If the switch says command authorization failed, what does ACS say in the authorization logs?

It works now. The authorization logs do not say anything.

I had the same problem and marked the default priv lvl 15 and the max 15 (this was only for the admin account). The guest account I set up uses default 1, max (none), and it works perfectly.

You can #sho priv inside your Cisco device and it should say 15; if it doesn't, then you know it's a problem with your shell profile priv lvl.
