Cisco Support Community
Community Member

AAA authorization problem

I have the following config on my switch...

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

The problem is that when I log into the switch via the console port and enter these commands, I instantly get "Command Authorization Failed" on any commands thereafter. It's mind-boggling, because there is no possible way the switch is talking to my Cisco ACS. I didn't even put in the tacacs-server key. I'm being forced to reboot the box each time. What am I missing?

Thank you for your time. I'm using IOS Version 12.2(25)SEB4.

-Andrew

3 ACCEPTED SOLUTIONS
4 REPLIES
Community Member

Re: AAA authorization problem

Hi

Before doing the tacacs configuration create one local user.

add the following commands.

username cisco password cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host x.x.x.x
tacacs-server key ........

Please score me if it helps you.

Community Member

Re: AAA authorization problem

Just so I'm clear, after I create a user account, should I only do the commands that you listed, or can I do all of my commands?

I'll make sure to score ya.

Thanks,

Andrew

Community Member

Re: AAA authorization problem

As far as I'm concerned, those commands are enough.

Re: AAA authorization problem

Andrew,

What you are getting is not expected behavior. By default, command authorization is disabled on the console port, so a console session should not check for any authorization.

To enable it we need to use a hidden IOS command: aaa authorization console

It seems that you have not issued that command, but it is still checking for authorization.

This looks like we are hitting a bug here. Please check these bugs: CSCeb08860 and CSCsg74428.

Please consider upgrading, or apply the workaround described in the bug.

Regards,

~JG
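The two replies above describe the same lockout in different terms: the first says to create a local user (and a TACACS+ host and key) before turning on command authorization, the second says console sessions are only subject to command authorization when aaa authorization console is set. The following checker is an added example written for this page, not code from the thread or from Cisco. It parses the AAA and tacacs-server lines of an IOS running-config and reports the conditions that lead to the "Command Authorization Failed" situation Andrew hit. The poster's config is embedded as constructed sample input; the "hardened" sample, the rule names, the username and the 192.0.2.10 server address are this example's own assumptions.

```python
"""Lockout-risk checks for the AAA section of a Cisco IOS running-config.

Added example for this thread, not Cisco code. Only the line forms that
appear in the thread are parsed: aaa new-model, username, aaa authorization
exec/commands, aaa authorization console, tacacs-server host/key.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule id, explanation)

# Constructed sample input: the configuration from the original question.
POSTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

# Constructed sample input (assumption of this example, not from the thread):
# a local user and a server-independent 'local' fallback on every list,
# with the TACACS+ host and key configured before authorization is enabled.
HARDENED_CONFIG = """
username admin privilege 15 secret 5 $1$placeholder$hash
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
tacacs-server host 192.0.2.10
tacacs-server key 7 placeholder
line con 0
 login authentication CONSOLE
"""

_AUTHZ_RE = re.compile(
    r"^aaa authorization (?P<kind>exec|commands (?P<level>\d+)) "
    r"(?P<list>\S+) (?P<methods>.+)$"
)


def parse_methods(methods: str) -> List[str]:
    """Split an IOS method list, folding 'group <name>' into one token."""
    toks = methods.split()
    out: List[str] = []
    i = 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def check_aaa_config(config: str) -> List[Finding]:
    """Return the lockout-related findings for one running-config text."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    findings: List[Finding] = []
    has_new_model = "aaa new-model" in lines
    has_local_user = any(l.startswith("username ") for l in lines)
    has_tacacs_host = any(l.startswith("tacacs-server host") for l in lines)
    has_tacacs_key = any(l.startswith("tacacs-server key") for l in lines)
    has_console_authz = "aaa authorization console" in lines
    uses_tacacs = False
    command_lists = 0

    for l in lines:
        m = _AUTHZ_RE.match(l)
        if not m:
            continue
        methods = parse_methods(m.group("methods"))
        if "group tacacs+" in methods:
            uses_tacacs = True
        if m.group("level") is not None:
            command_lists += 1
        # A list whose every method needs the server answers "fail" when
        # the server cannot be reached; local/none/if-authenticated do not.
        if not any(t in ("local", "none", "if-authenticated") for t in methods):
            findings.append(("no-fallback",
                             f"{l!r}: no method succeeds when the AAA server is unreachable"))

    if has_new_model and not has_local_user:
        findings.append(("no-local-user",
                         "aaa new-model is set but no 'username' exists for the local fallback"))
    if uses_tacacs and not has_tacacs_host:
        findings.append(("no-tacacs-host",
                         "method lists reference group tacacs+ but no tacacs-server host is configured"))
    if uses_tacacs and has_tacacs_host and not has_tacacs_key:
        findings.append(("no-tacacs-key",
                         "tacacs-server host is set without a tacacs-server key"))
    if command_lists and has_console_authz:
        findings.append(("console-authz",
                         "aaa authorization console is set: the console no longer bypasses "
                         "command authorization, so a lockout cannot be fixed from the console"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_aaa_config(cfg) or "no findings")
```

Run against the posted configuration the checker reports no-local-user and no-tacacs-host, which is exactly what Andrew describes: authorization lists pointing at a TACACS+ group that has no server behind it, and no local account to fall back to. The hardened sample produces no findings. The checker only reads the lines shown in the thread; it does not model the platform bug JG refers to, where the console enforces authorization without aaa authorization console being set.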

228 Views, 0 Helpful, 4 Replies