Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
spanglenuts
spanglenuts
Community Member
‎07-17-2008 05:41 AM
‎07-17-2008 05:41 AM

AAA authorization problem

I have the following config on my switch...

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login CONSOLE line

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 10 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

The problem is that when I log into the switch via console port, and I enter these commands in, I instantly get "Command Authorization Failed" on any commands there after. It's mind boggling because there is no possible way the switch is talking to my Cisco ACS. I didn't even put in the tacacs-server key. I'm being forced to reboot the box each time. What am I missing?

Thank you for your time. I'm using IOS Version 12.2(25)SEB4.

-Andrew

0 Helpful
Reply
3 ACCEPTED SOLUTIONS

Accepted Solutions
chaitu_kranthi
chaitu_kranthi
Community Member
‎07-17-2008 06:24 AM
‎07-17-2008 06:24 AM

Re: AAA authorization problem

Hi

Before doing the tacacs configuration create one local user.

add the following commands.

username cisco password cisco

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

tacacs-server host x.x.x.x

tacacs-server key ........

please score me if it help to you

0 Helpful
Reply
chaitu_kranthi
chaitu_kranthi
Community Member
‎07-17-2008 06:52 AM
‎07-17-2008 06:52 AM

Re: AAA authorization problem

As per my concern those commands are enough.

0 Helpful
Reply
Jagdeep Gambhir
Jagdeep Gambhir Red
Red
‎07-18-2008 12:00 AM
‎07-18-2008 12:00 AM

Re: AAA authorization problem

Andrew,

What you are getting is not a expected behavior. By default Command authorization is disabled on console port, so from console session it should not check for any authorization.

To enable it we need to use a hidden command on IOS aaa authorization console

It seems that you have not issued that command but still it is checking for the authorization.

This seems that we are hitting a bug here. Please check these bug CSCeb08860 & CSCsg74428.

Pls consider upgrade or apply a work around described in bug.

Regards,

~JG

0 Helpful
Reply
4 REPLIES
chaitu_kranthi
chaitu_kranthi
Community Member
‎07-17-2008 06:24 AM
‎07-17-2008 06:24 AM

Re: AAA authorization problem

Hi

Before doing the tacacs configuration create one local user.

add the following commands.

username cisco password cisco

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

tacacs-server host x.x.x.x

tacacs-server key ........

please score me if it help to you

0 Helpful
Reply
spanglenuts
spanglenuts
Community Member
‎07-17-2008 06:38 AM
‎07-17-2008 06:38 AM

Re: AAA authorization problem

Just so I'm clear, After I create a user account, should I only do the commands that you listed, or can I do all of my commands?

I'll make sure to score ya.

Thanks,

Andrew

0 Helpful
Reply
chaitu_kranthi
chaitu_kranthi
Community Member
‎07-17-2008 06:52 AM
‎07-17-2008 06:52 AM

Re: AAA authorization problem

As per my concern those commands are enough.

0 Helpful
Reply
Jagdeep Gambhir
Jagdeep Gambhir Red
Red
‎07-18-2008 12:00 AM
‎07-18-2008 12:00 AM

Re: AAA authorization problem

Andrew,

What you are getting is not a expected behavior. By default Command authorization is disabled on console port, so from console session it should not check for any authorization.

To enable it we need to use a hidden command on IOS aaa authorization console

It seems that you have not issued that command but still it is checking for the authorization.

This seems that we are hitting a bug here. Please check these bug CSCeb08860 & CSCsg74428.

Pls consider upgrade or apply a work around described in bug.

Regards,

~JG

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
228
Views
0
Helpful
4
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
75
36
75
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
25
2
25
All Blogs