01-01-2014 03:18 AM - edited 03-10-2019 09:13 PM
I am getting the issue, and the following is the script; I cannot find and locate the cause of the error!
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hexxor
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
!
username hexxor password 7 024D2A103F26243363593D1C2B5C
!
!
aaa new-model
!
!
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
!
!
!
!
!
!
interface Vlan1
no ip address
!
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
!
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
!
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
!
end
01-02-2014 01:40 AM
1- Check your radius server logs and see what it says about this message.
2- Add the following lines to your config:
>aaa authorization commands 0 T-AUTHOR group tacacs+ if-authenticated
>aaa authorization commands 1 T-AUTHOR group tacacs+ if-authenticated
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
01-03-2014 08:05 AM
There are several authorization commands configured. It would be helpful to know which one might be the one causing the issue. Are we correct in assuming that authentication is processing successfully to TACACS and that TACACS authorization is where the problem is coming from?
Can you tell us whether the authorization failed message is generated when you attempt to login? Or is it generated when you attempt to enter some command?
HTH
Rick
01-06-2014 04:43 PM
Actually, the script I pasted above is giving me errors on authorization.
I can input the AD credentials for the login username and password, and enter enable mode, but in enable mode I cannot run the SHOW RUN or SHOW VER commands and it says COMMAND AUTHORIZATION FAILED.
Need help on that.
01-06-2014 07:54 PM
Based on what I think I understand in this reply, it appears that the problem is caused in the named authorization method T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enable mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. Look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick
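The two suggestions above, Amjad's (add command authorization for privilege levels 0 and 1 alongside level 15) and Rick's (work out which named method list is failing before blaming the server), can be checked against a posted config mechanically. The following Python script is an added example, not code from this thread or from Cisco: it parses an abbreviated excerpt of the configuration shown above (constructed here, with the line sections indented as IOS prints them, although the parser also accepts the indentation-stripped form pasted in the first post), maps every `login authentication`, `authorization exec` and `authorization commands N` reference on a `line` section back to its global `aaa` definition, and reports references that are undefined, lines with no named lists at all, privilege levels that are not covered by command authorization, and lists whose last method is `if-authenticated`. Function names, the finding wording and the excerpt are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the configuration posted in the thread (abbreviated, not the full config).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
line con 0
 authorization commands 15 T-AUTHOR
 authorization exec T-AUTHOR
 login authentication T-AUTH
line vty 0 4
 authorization commands 15 T-AUTHOR
 authorization exec T-AUTHOR
 login authentication T-AUTH
line vty 5 15
 password 7 0228137B2F0B5E2F077A0C35
"""

# Global definitions, e.g. "aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated".
_GLOBAL = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands (?P<lvl>\d+))"
    r" (?P<name>\S+) (?P<methods>.+)$"
)
# References inside a "line ..." section, e.g. "authorization commands 15 T-AUTHOR".
_LINE_REF = re.compile(
    r"^(?P<kind>login authentication|authorization exec|authorization commands (?P<lvl>\d+))"
    r" (?P<name>\S+)$"
)

Ref = Tuple[str, object, str]  # (list kind, privilege level or None, list name)


def parse_config(text: str) -> Tuple[Dict[str, dict], Dict[str, List[Ref]]]:
    """Collect the global AAA method lists and the per-line references to them."""
    global_lists: Dict[str, dict] = {
        "authentication login": {}, "authorization exec": {}, "authorization commands": {}
    }
    line_refs: Dict[str, List[Ref]] = {}
    current = None  # name of the "line ..." section being read, if any
    for raw in text.splitlines():
        line = raw.strip()  # tolerate pasted configs whose indentation was lost
        if not line or line in ("!", "end"):
            current = None  # a separator ends any line section
            continue
        if line.startswith("line "):
            current = line
            line_refs[current] = []
            continue
        m = _GLOBAL.match(line)
        if m:
            current = None
            lvl, name, methods = m.group("lvl"), m.group("name"), m.group("methods").split()
            if lvl is not None:
                global_lists["authorization commands"].setdefault(int(lvl), {})[name] = methods
            else:
                global_lists[m.group("kind")][name] = methods
            continue
        if current is not None:
            m = _LINE_REF.match(line)
            if m:
                lvl = m.group("lvl")
                if lvl is not None:
                    base = "authorization commands"
                elif m.group("kind") == "login authentication":
                    base = "authentication login"
                else:
                    base = "authorization exec"
                line_refs[current].append((base, int(lvl) if lvl else None, m.group("name")))
    return global_lists, line_refs


def audit(text: str) -> List[str]:
    """Return the findings a reviewer would raise before looking at the TACACS+ server itself."""
    global_lists, line_refs = parse_config(text)
    findings: List[str] = []
    # 1. Fallback semantics: a later method is consulted only when no TACACS+ server
    #    responds, never when a reachable server explicitly denies the request.
    exec_lists = list(global_lists["authorization exec"].items())
    cmd_lists = [(f"{n} (level {lvl})", ms)
                 for lvl, d in global_lists["authorization commands"].items() for n, ms in d.items()]
    for kind, entries in (("authorization exec", exec_lists), ("authorization commands", cmd_lists)):
        for label, methods in entries:
            if methods and methods[-1] == "if-authenticated":
                findings.append(f"{kind} list {label}: ends in if-authenticated, which is used only "
                                f"when no TACACS+ server answers; an explicit deny is still enforced")
    # 2. Per-line wiring: undefined lists, unlisted lines, uncovered privilege levels.
    all_names = set(global_lists["authentication login"]) | set(global_lists["authorization exec"]) \
        | {n for d in global_lists["authorization commands"].values() for n in d}
    for section, refs in line_refs.items():
        if not refs:
            findings.append(f"{section}: no named AAA lists applied; the 'default' method lists apply"
                            + ("" if "default" in all_names else ", and none are defined in this config"))
            continue
        for base, lvl, name in refs:
            defined = global_lists[base].get(lvl, {}) if base == "authorization commands" else global_lists[base]
            if name not in defined:
                findings.append(f"{section}: references undefined {base} list {name}"
                                + (f" for level {lvl}" if lvl is not None else ""))
        levels = {lvl for base, lvl, _ in refs if base == "authorization commands"}
        missing = sorted({0, 1, 15} - levels)
        if levels and missing:
            findings.append(f"{section}: command authorization applied at level(s) {sorted(levels)} only; "
                            f"levels {missing} are not authorized through TACACS+")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt, the script reports that T-AUTHOR is wired correctly on con 0 and vty 0-4 (so a COMMAND AUTHORIZATION FAILED response is the server's verdict, not a missing list), that only level 15 is covered on those lines, that vty 5-15 relies on undefined default lists, and that the `if-authenticated` fallback never helps while the server is reachable. What it cannot do is see why the ACS denied the request; that is exactly the server-side log check Rick asks for, and the thread's eventual resolution (restarting the ACS) sits on that side.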
01-13-2014 10:55 AM
Honestly,
All tips are fine ... but I just restarted my ACS and things started working fine.
Amazing!
This happened to me in the CCIE lab also, 4 years ago!!!
thanks for all the advice anyways.
keep up the good work!
-K-
01-13-2014 12:32 PM
Thanks for posting back to the forum and letting us know that it has started to work correctly after a restart. It is sometimes helpful to be reminded that when strange symptoms are encountered, a restart will sometimes cause things to work normally again.
HTH
Rick