
New Member

Console authorization issue

Hi, all.

I'm getting “% Authorization Failed.” on the console when logging in despite the config below - have I missed something here?


!
aaa new-model
!
aaa authentication login default local
aaa authentication login VTY_AUTH group radius local
aaa authorization exec default none
aaa authorization exec VTY_AUTH group radius local
aaa accounting exec default start-stop group radius
!

!
line con 0
 password 7 XXXXXXXXXXXXXX
line vty 0 4
 access-class VTY_ACL in
 password 7 XXXXXXXXXXXXXX
 authorization exec VTY_AUTH
 login authentication VTY_AUTH
 transport input ssh
 transport output ssh
line vty 5 15
 transport input none
!

 

Debug output when I login:

AAA/AUTHEN/LOGIN (000004B6): Pick method list 'default'
AAA/AUTHOR (0x4B6): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004B6): Authorization FAILED


I can’t for the life of me figure out why it’s trying the “VTY_AUTH” list - any ideas?

 

This is on a 3750-X stack running 12.2(55)SE3 at ipbase license level.

8 REPLIES

Hello,

Yeah, does not seem good.

 

Quick question, did you add the command:

aaa authorization console

This is required to enable authorization on the console line.

 

Regards

 

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

The aaa authorization console command is not in use - the idea is to have the console only ever use the local database. As you can see in my original post, the default method is set to local for login (and is selected correctly) and "none" is set for the default exec authorization (and is skipped?).

I'm sure it would work if I define a new list but one would assume that if the default is set it should use that (if at all)?

I have also tried setting the default to "if-authenticated" etc. but it goes to use the 'VTY_AUTH' in all cases. Though interestingly, when the RADIUS servers are unreachable the local login does work - I assume this is because the fallback authorization mode is local?

Seems like it could be a bug?

I will be back on site to test tomorrow morning.

Cisco Employee

I would get rid of this line as I have the feeling that it is causing issues for you.

aaa authentication login default local

If that does not fix it you can also add:

aaa authentication login console line

line con 0

login authentication console

 

Hope this helps!

 

Thank you for rating helpful posts!

Silver

Well, check the syntax, and if you are using the groups make sure they are available in the RADIUS and the RADIUS server is clearly defined and reachable.

aaa authentication login default {group group-list [none] | local}

group-list—Space-separated list of server groups that can include any configured RADIUS or TACACS+ server group name.

local—Specifies the local database of the Cisco CG-OS router for authentication.

none—Uses no authentication.

Cisco Employee

The debugs indicate that while you were trying to connect from the console, it picked the right authentication method and the wrong authorization method. I guess you might have globally enabled console authorization, but even then it should not pick the VTY_AUTH method list.

Can you try this if possible:

 

username <username> privilege 15 password <password>

aaa authentication login CON default local

aaa authorization exec CON default local

aaa authorization console

!

line console 0

login authentication CON

authorization exec CON

exit

 

Please try again and let me know if that works.

 

Regards,

Jatin Katyal

**Do rate helpful posts**

New Member

Following up on this, I have tried most suggestions with the config currently as follows:

!
aaa new-model
!
aaa authentication login default local
aaa authentication login CON0 local
aaa authentication login VTY_AUTH group radius local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
aaa authorization exec VTY_AUTH group radius local
aaa accounting exec default start-stop group radius
!

!
line con 0
 password 7 XXXXXXXXXXXXXX
 authorization exec CON0
 login authentication CON0
line vty 0 4
 access-class VTY_ACL in
 password 7 XXXXXXXXXXXXXX
 authorization exec VTY_AUTH
 login authentication VTY_AUTH
 transport input ssh
 transport output ssh
line vty 5 15
 transport input none
!


Debug output on login - you’ll notice that this is still picking the wrong list:

AAA/BIND(000004DE): Bind i/f  
AAA/AUTHEN/LOGIN (000004DE): Pick method list 'CON0'
AAA/AUTHOR (0x4DE): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004DE): Authorization FAILED

 

Any further ideas?
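As an added example (not code from the thread), a small Python check that reads the AAA and line sections of the follow-up config above together with the console-login debug lines, works out which method lists the console should be using (including that the console performs no exec authorization at all without aaa authorization console), and flags each phase where the device picked a different list; the config sample is constructed from the posted config and the function names are my own.

```python
import re

# Constructed sample: AAA and line sections trimmed from the follow-up config
# in this thread, plus the console-login debug lines captured in the same post.
RUNNING_CONFIG = """\
aaa authentication login CON0 local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
line con 0
 authorization exec CON0
 login authentication CON0
line vty 0 4
 authorization exec VTY_AUTH
 login authentication VTY_AUTH
"""
DEBUG_OUTPUT = """\
AAA/AUTHEN/LOGIN (000004DE): Pick method list 'CON0'
AAA/AUTHOR (0x4DE): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004DE): Authorization FAILED
"""

def expected_lists(config, line_name="line con 0"):
    """(login_list, exec_list) the line should use; the console performs no exec
    authorization at all (None) unless 'aaa authorization console' is set."""
    lists = {"login": "default", "author": "default"}
    in_line = False
    for raw in config.splitlines():
        if not raw.startswith(" "):             # top-level command
            in_line = raw.strip() == line_name  # enter/leave our line section
        elif in_line and (m := re.match(r" +login authentication (\S+)$", raw)):
            lists["login"] = m.group(1)
        elif in_line and (m := re.match(r" +authorization exec (\S+)$", raw)):
            lists["author"] = m.group(1)
    if line_name.startswith("line con") and \
            "aaa authorization console" not in config.splitlines():
        lists["author"] = None
    return lists["login"], lists["author"]

def picked_lists(debug):
    """Method lists the AAA subsystem actually chose, parsed from the debug."""
    pats = (r"AAA/AUTHEN/LOGIN.*Pick method list '([^']+)'",
            r"AAA/AUTHOR \(.*Pick method list '([^']+)'")
    return tuple(m.group(1) if (m := re.search(p, debug)) else None for p in pats)

def mismatches(config, debug, line_name="line con 0"):
    """Phases where the list the device picked differs from the configured one."""
    return [f"{ph}: configured {e!r} but device picked {g!r}" for ph, e, g in
            zip(("login", "exec authorization"), expected_lists(config, line_name),
                picked_lists(debug)) if e != g]
```

Run against the thread's own debug it reports only the exec-authorization phase, which is exactly the symptom that turned out to be version-specific.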

New Member

CONCLUSION

Came on to post about something else and saw this, remembering that I had never returned to update it with the final working config:

aaa new-model
aaa authentication login default local
aaa authentication login CON0 local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
aaa session-id common


line con 0
 password 7 XXXXXXXXXXXXXX
 authorization exec CON0
 login authentication CON0

Version is now 15.2(1)E2 and none of this worked until I moved off the version mentioned in the initial post.

Cisco Employee

James, glad you were able to solve your issue! Also, thank you for taking the time to come back here and provide the solution (+5 from me). 

Now, since the issue is resolved, you should mark the thread as "answered" :)

Thank you for rating helpful posts!