Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9499
Views
26
Helpful
17
Replies

Authorization failed on 3560 after IOS upgrade

Go to solution
v.c.bodenstab
Level 1
Level 1

‎10-23-2008 11:20 PM - edited ‎03-10-2019 04:08 PM

Hi all,

I've just upgraded a CAT3560-48TS from IOS 12.2(37)SE1(ipservicesk9) to 12.2(46)SE (ipservicesk9). All seems fine untill I tried logging with my TACACS account: I get a authorization failed. Logging in with a local priv15 account works just fine. After removing the following statements:

aaa authorization exec default group auth-server local

aaa authorization commands 0 default group auth-server none

aaa authorization commands 1 default group auth-server none

aaa authorization commands 15 default group auth-server none

everything works fine again.

Also, I've upgraded other 3560 switches to 12.2(46)SE with an ipbase image. Those switches work fine with exactly the same AAA IOS configuration. Any thoughts on this one?

Cheers,

Vincent

Labels:
0 Helpful
17 Replies 17

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to dsiziba_1

‎10-28-2008 08:00 PM

Douglas

There are a couple of things that would commonly produce the symptoms that you describe. I would check for these:

- is the key (shared secret) configured on the ASA the same as the key configured on the server?

- is the IP address configured on the server for the client the same as the address that the client uses as the source address when it sends the request to the server?

Are there any entries in the logs on the server indicating whether it saw the request for authentication, and if so why the request failed?

HTH

Rick

HTH

Rick

Go to solution
dsiziba_1
Level 1
Level 1
In response to Richard Burts

‎10-28-2008 09:18 PM

Rick,

Thanks a lot. I had to check according to the 2 items above and BINGO!!! all 's looking good. Ip address misconfig and maybe Preshared keys issue.

0 Helpful

Go to solution
jbillingsley
Level 1
Level 1
In response to dsiziba_1

‎12-11-2008 06:07 AM

I found that simply doing the following resolved the issue for me:

no tacacs-server host x.x.x.x single-connection

tacacs-server host x.x.x.x single-connection

Thanks to posters for the help with this issue. I was running ACS Appliance 4.1(1) Build 23

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents