AAA issue ( command authorization failed)

Jan 1st, 2014

I am getting the issue, and the following is the script; I cannot find and locate the cause of the error!


!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hexxor
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
!
username hexxor password 7 024D2A103F26243363593D1C2B5C
!
!
aaa new-model
!
!
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
!
!
!
!
!
!
interface Vlan1
 no ip address
!
interface Vlan50
 ip address 128.1.50.54 255.255.255.0
 no ip route-cache
!
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
!
line con 0
 exec-timeout 5 0
 password 7 1142374E2332201E2B3D1F210678
 authorization commands 15 T-AUTHOR
 authorization exec T-AUTHOR
 accounting commands 15 T-ACC
 accounting exec T-ACC
 login authentication T-AUTH
 transport preferred none
line vty 0 4
 exec-timeout 5 0
 password 7 06281801684358174E231727
 authorization commands 15 T-AUTHOR
 authorization exec T-AUTHOR
 accounting commands 15 T-ACC
 accounting exec T-ACC
 login authentication T-AUTH
 transport input telnet
 transport output telnet
line vty 5 15
 password 7 0228137B2F0B5E2F077A0C35
!
end

Amjad Abdullah Thu, 01/02/2014 - 01:40

1- check your radius server logs and see what it says about this message.

2- add the following lines to your config:

aaa authorization commands 0 T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 1 T-AUTHOR group tacacs+ if-authenticated


Regards,


Amjad


Rating useful replies is more useful than saying "Thank you"
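As an added example (not code from the thread or from Cisco), a small Python audit that reads a config like the one posted and reports the kind of gaps Amjad's reply points at: method lists that a line references but that are not defined globally for that privilege level, privilege levels (0, 1, 15) with no commands list, and lines with no explicit login authentication list (in the posted config, vty 5 15). The config excerpt is constructed from the original post, the function name `audit_command_authorization` is mine, and the parser assumes one-space indentation under `line` as `show run` prints it.

```python
import re

# Constructed excerpt of the AAA and line sections from the original post.
SAMPLE_CONFIG = """\
aaa authentication login T-AUTH group tacacs+ local
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
line con 0
 authorization commands 15 T-AUTHOR
 login authentication T-AUTH
line vty 0 4
 authorization commands 15 T-AUTHOR
 login authentication T-AUTH
line vty 5 15
 password 7 0228137B2F0B5E2F077A0C35
"""

GLOBAL_CMDS = re.compile(r"^aaa authorization commands (\d+) (\S+)")
LINE_HDR = re.compile(r"^line (\S.*)$")
LINE_CMDS = re.compile(r"^\s+authorization commands (\d+) (\S+)")
LINE_LOGIN = re.compile(r"^\s+login authentication (\S+)")

def audit_command_authorization(config, levels=(0, 1, 15)):
    """Return findings: lists referenced under 'line' but not defined globally
    for that privilege level, lines lacking a list for any level in 'levels',
    and lines with no explicit login authentication list."""
    defined, lines, logins, section = {}, {}, set(), None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():   # top-level command ends any line section
            section = None
            if m := GLOBAL_CMDS.match(raw):
                defined.setdefault(int(m.group(1)), set()).add(m.group(2))
            elif m := LINE_HDR.match(raw):
                section = m.group(1)
                lines[section] = set()
        elif section is not None:
            if m := LINE_CMDS.match(raw):
                lines[section].add((int(m.group(1)), m.group(2)))
            elif LINE_LOGIN.match(raw):
                logins.add(section)
    findings = []
    for name, refs in lines.items():
        for level, lst in refs:
            if lst not in defined.get(level, ()):
                findings.append(f"line {name}: list {lst} undefined for level {level}")
        for level in levels:
            if all(lv != level for lv, _ in refs):
                findings.append(f"line {name}: no commands list for level {level}")
        if name not in logins:
            findings.append(f"line {name}: no login authentication list")
    return findings
```

Run it on the sample and every con/vty line is reported as missing commands lists for levels 0 and 1, and vty 5 15 additionally for level 15 and for having no login authentication list.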

Richard Burts Fri, 01/03/2014 - 08:05

There are several authorization commands configured. It would be helpful to know which one might be the one causing the issue. Are we correct in assuming that authentication is processing successfully to TACACS and that TACACS authorization is where the problem is coming from?


Can you tell us whether the authorization failed message is generated when you attempt to login? Or is it generated when you attempt to enter some command?


HTH


Rick

game123 Mon, 01/06/2014 - 16:43

Actually, the script I pasted above is giving me errors on authorization.

I can input the AD credentials for the login username and password, and enter enable mode, but in enable mode I cannot run the SHOW RUN or SHOW VER commands; it says COMMAND AUTHORIZATION FAILED?

Need help on that.

Richard Burts Mon, 01/06/2014 - 19:54

Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.


I would suggest this as a first test:

- login to the device.
- go into enable mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. Look in the logs for indications of how it processed the request and why it did not authorize it.

If you want to do a second test to verify the cause of the problem then I would suggest this:

- remove from the config these lines:

aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated

then login to the device, go into enable mode, and attempt the show run command.


Try one or both of these tests and post back to tell us of the results.


HTH


Rick

game123 Mon, 01/13/2014 - 10:55

Honestly,

All tips are fine... but I just restarted my ACS and things started working fine.

Amazing!

This happened to me in the CCIE lab also, 4 years ago!!!

Thanks for all the advice anyway.

Keep up the good work!

-K-

Richard Burts Mon, 01/13/2014 - 12:32

Thanks for posting back to the forum and letting us know that it has started to work correctly after a restart. It is sometimes helpful to be reminded that when strange symptoms are encountered, a restart will sometimes cause things to work normally again.


HTH


Rick
