Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA - Command Authorization Failed

All, I have backed myself into a corner with a command I entered yesterday in my ASA. The command entered was:

aaa authorization command TACACS+ LOCAL

And it locked me down so tight that I can't even go into "conf t" or run a "sh run" command any longer. Like a fool, I must of ran the "copy run start" which I usually don't do, nonetheless I did, so a reboot was not able to save my error in judgement.

Does anyone know of any way to re-enable my command functions? I am running ACS 4.1. I'm thinking that it's looking for some commands that ACS says my account is permitted to run, but I'm at a loss.

6 REPLIES
New Member

Re: ASA - Command Authorization Failed

Added a user in ACS with privilege level 15 access and in the Shell Command Authorization Set" section, checked "Per User Command Authorization" and then selected the "Permit" radio button. Submitted changes. Logged in as new user I just setup and was able to run any command needed. Whew!

New Member

Re: ASA - Command Authorization Failed

Hi,

Even i have the same issue , tried your option...but it does not work.still it give "Command authorization failed".pl help...

New Member

Re: ASA - Command Authorization Failed

Hi,

It looks like you may have missed setting up some parts of the various profiles / groups that you need to. It can be a bit trickier if you are using LDAP from the ACS server though - if this is the case for you, to get you up and running I would temporarily change and use the Local Database on the ACS server.

I would recommend going through and checking your config against the example for read/write access at: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

HTH

Cameron

New Member

Re: ASA - Command Authorization Failed

Thanks for the Quick response, I have did the same config as per the Document, but still have the same issue , one thing i have notices in the ACS failed logs, the caller ID shows 0.0.0.0 will this be the issue ??

New Member

Re: ASA - Command Authorization Failed

Hi,

Unfortunately I can't remember off the top of my head (and am busy on my lab with some other config at the moment)....

But, are you sure the only options you have enabled in the group (or user) profile is shell and privilege ( =15)?

I suspect that PPP or callback options may be enabled but been a while since I last messed round with ACS server to remember properly....

Another thing I've just thought of - have you set up the NAD (network access device) profile as well?

Cameron

New Member

Re: ASA - Command Authorization Failed

Yes, I have enabled shell & privilege 15 for group and assigned the group to my username.

for your info , i am able to login to the switches and routers with the same username.

7743
Views
0
Helpful
6
Replies