ACS command Authorization on PIX Console

I have configured the PIX firewall for ACS authentication and command authorization, and everything is working fine:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+

But the problem is that I don't want to have ACS authentication while connecting with the console. In case of emergency, when ACS is down, I want to get the console and access the device by using the local username and password.

But now, after this configuration, when I try to access the firewall via the console, I am getting the error

command authorization fail.

I don't want to have any command authorization while connected with the console. Please tell me how to resolve this issue.

I have made the command authorization set in ACS and it is working fine for me.


Re: ACS command Authorization on PIX Console

Wasim,

Seems to be a bug. The issue we are facing with ASA v7.2, where fallback to local authentication gives 'command authorization failed' with a few commands, has been filed as a bug.

Here is the bug tool link: CSCsj56051

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

***************************************************************

AAA authorization commands LOCAL fallback broken

Alternate Headline: AAA authorization commands LOCAL fallback broken

Symptom: aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.

Conditions:

TACACS+ server communication is lost; LOCAL is configured next in the list.

Workaround: none.

Further Problem Description:

7.2.2 does not show this behavior

**************************************************************

The issue is resolved in 007.002(002.034), 008.000(002.011), 008.002(000.045)

Regards,

~JG


Re: ACS command Authorization on PIX Console

Kindly once again check my modified configuration.

I wanted to use this option in case ACS goes down and I can console into my firewall, but it is not working fine for me.

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+

But I'm not able to log in; I'm getting the following error:

Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed

I also defined the local command authorization set like this:

privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit

Please tell me how to solve this problem
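An added example, not from the thread or from Cisco: a small Python checker that parses the AAA method lists and `privilege` lines posted above, reports which lists have no LOCAL fallback, and shows what the local privilege table alone would decide for the commands in the transcript at a given login level. It assumes the usual ASA local command authorization rule that a command is permitted when the user's privilege level is at least the level configured for it; the sample config is constructed from the lines in this thread.

```python
"""Audit the AAA method lists and local privilege table from an ASA/PIX config."""
import re
# Constructed from the configuration posted in the second message of this thread.
CONFIG = """
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
"""

AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+)(?: console)? (.+)$")
PRIV_RE = re.compile(r"^privilege (cmd|show|clear|configure) level (\d+) mode (\S+) command (\S+)$")

def parse(config):
    """Return ({(kind, service): [methods]}, {(mode, verb, cmd): level})."""
    lists, table = {}, {}
    for line in config.strip().splitlines():
        m = AAA_RE.match(line)
        if m:
            kind, service, methods = m.groups()
            lists[(kind, service)] = methods.split()
            continue
        m = PRIV_RE.match(line)
        if m:
            verb, level, mode, cmd = m.groups()
            table[(mode, verb, cmd)] = int(level)
    return lists, table

def missing_local_fallback(lists):
    """Method lists that depend on an external server with no LOCAL fallback."""
    return sorted(f"{kind} {svc}" for (kind, svc), m in lists.items() if "LOCAL" not in m)

def local_authz(table, mode, verb, cmd, user_level):
    """Assumed ASA local-authorization rule: allowed when the user's level is at
    least the level configured for the command. None = not in the local table."""
    required = table.get((mode, verb, cmd))
    return None if required is None else user_level >= required

def replay(table, user_level, commands):
    """Evaluate (mode, verb, cmd) tuples the way the transcript exercised them."""
    return {cmd: local_authz(table, mode, verb, cmd, user_level) for mode, verb, cmd in commands}
```

With the posted table, `exit` in exec mode is configured at level 15, so a session below that level is denied by the local table; `enable` is not in the table at all, so its default level decides.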

Re: ACS command Authorization on PIX Console

Is the issue happening only with the console? If SSH works fine, then did you check the bug I mentioned in my last post?
