
Console Authentication Failed

jwbensley
Level 1

I'm trying to set up reverse console access in the lab;

AUX port on router R1 is connected to Console port on switch SW1.

On R1 I have the following configuration;

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization reverse-access default group tacacs+ local
aaa accounting exec default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 0 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 1 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common
!
line aux 0
 modem InOut
 transport preferred telnet
 transport input all
 transport output all
 flowcontrol hardware

I can telnet to R1, and then telnet to its own loopback0 interface on port 2001, which connects me to SW1;

r1#telnet 1.2.3.4 2001
Trying 1.2.3.4, 2001 ... Open

User Access Verification

Username: me
Password:
% Authorization failed.

[Connection to 1.2.3.4 closed by foreign host]
r1#

No matter what configuration I try, I always get this "% Authorization failed". I can telnet to SW1 just fine with the following configuration; what's missing to allow reverse access to work correctly?

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
line con 0
 privilege level 15
line vty 0 4
 session-timeout 5
 access-class 50 in
 logging synchronous
 transport input all
 transport output all

3 Replies

Hi Andrew,

Thanks for the input but unfortunately I'm still stumped! I can't see why it wouldn't work, a bit more fiddling, latest configs are below but it seems like it should work to me. I dropped "aaa authorization reverse-access default group tacacs+ local" from R1, now instead of being able to log into SW1 and get the "% Authorization failed." error, I get nothing and it just hangs indefinitely, never actually logging in or failing.

R1;

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa accounting exec default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 0 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 1 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common

!

line aux 0
 transport preferred none
 transport input telnet
 transport output none

SW1;

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

!

line con 0
 privilege level 15

I have two suggestions:

- on R1 add under line aux 0

no exec

- on SW1 remove

aaa authorization console

HTH

Rick
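
The two suggestions in the reply above, written as a config check (an added example, not part of the thread): it flags an aux/tty line that accepts inbound reverse-telnet sessions without `no exec`, and a config that contains `aaa authorization console`. The config excerpts are cut down from the latest R1 and SW1 configs posted above; the function names `parse_sections` and `check` are made up for this example.

```python
# Added example: checks IOS config text for the two items named in Rick's reply.
# Excerpts below are constructed from the latest R1/SW1 configs in this thread.
R1_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ if-authenticated
line aux 0
 transport preferred none
 transport input telnet
 transport output none
"""
SW1_CONFIG = """\
aaa new-model
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
line con 0
 privilege level 15
"""

def parse_sections(config):
    """Return (global commands, {section header: [indented sub-commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and "!" separators carry no settings
        if line[0] == " " and current is not None:
            sections[current].append(line.strip())
        else:
            global_cmds.append(line)
            current = line
            sections.setdefault(current, [])
    return global_cmds, sections

def check(config):
    """List findings for the two settings the reply asks to change."""
    global_cmds, sections = parse_sections(config)
    findings = []
    if "aaa authorization console" in global_cmds:
        findings.append("aaa authorization console is set")
    for header, subs in sections.items():
        if not header.startswith(("line aux", "line tty")):
            continue  # only lines usable for reverse telnet
        inbound = [s for s in subs if s.startswith("transport input ")]
        accepts = any(s.split()[2] != "none" for s in inbound)
        if accepts and "no exec" not in subs:
            findings.append(f"{header}: accepts inbound sessions without 'no exec'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("R1", R1_CONFIG), ("SW1", SW1_CONFIG)):
        print(name, check(cfg))
```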
