Command authorization failed

yong khang NG
Level 5

Hi all,

Below is the problem statement:

For device admin purposes, when AAA access/authorization is enabled in ASDM, it does not allow the user to configure the ASA via the CLI.

When trying to configure, it prompts the message "command authorization failed".

For the topology setup:

01. ASA code running version 8.4.2

02. Cisco ACS running version 5.3.0.40

For device admin purposes, Cisco ACS 5.3 is used as the backend AAA server, running the TACACS+ protocol.

There's no issue with the AAA settings for the authentication and authorization parts. The shell profile's privilege level and the command set's commands were working well on Cisco IOS router/switch devices.

For ASA ASDM access, it is able to support the users' shell profile privilege level assigned at the Cisco ACS server.

Specific user privileges on the ASA were set using "configure command privileges"; it's using the default setting, applied to all. View-only on privilege 3, admin level on 15.

The problem only appears after enabling ASDM AAA access/authorization: it does not allow configuring the ASA via the CLI.

Attached are a snippet of the ASA firewall config and the debug log.

Hope you guys are able to pinpoint my mistake.

Million thanks

Noel

Accepted Solution

Set the maximum privilege to 15 in policy elements. Even after doing that, you will still be able to access only show commands. This is a required setting for enable authentication.

Jatin Katyal
- Do rate helpful posts -

~Jatin

11 Replies

Julio Carvajal
VIP Alumni

Hello Yong,

Is there a way you can share a snapshot of the error you are getting on the ACS (the log in the TACACS+ authorization AAA monitoring area)?

That would lead us to a solution, as right now it seems to be a misconfiguration with the command set configured as the result for that specific user.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi JC,

Thanks for the reply.

I attached some snapshots of the ACS configuration.

Question 1: it shows the username as enable_15, while I am using username admin to perform authentication, which I created at ACS.

thanks

Noel

Hi Yong,

Since you are doing command authorization against ACS/TACACS and then local:

aaa authorization command ACS LOCAL

So if we are configuring command authorization on the ASA, we have to make sure that we have enable authentication configured from the same TACACS server; otherwise we would see failed logs for "enable_15".

Please add the below listed command on the ASA and make sure we define and use the enable password from ACS.

aaa authentication enable console ACS LOCAL

Let me know how it goes.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hello Yong,

Agree with Jatin,

The thing with the ASA is that when performing authorization it will preserve the username; in this case it will preserve the username in privileged mode (as you are not authenticating the enable password, it will use the default privilege_15 username).

Authenticate the enable password against the ACS and you should be good to go.

Let us know the result,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
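The enable_15 behaviour described in the two replies above is easy to miss in a long running-config: command authorization is pointed at a TACACS+ server group, but `enable` is still checked against the local enable password, so every authorization request goes out for the built-in name enable_15 instead of the login user. The script below is an added example, not code from this thread or from Cisco; it parses the aaa lines of an ASA config and flags command authorization that is not paired with enable authentication against the same server group. The two embedded configs are constructed to mirror the shape described in the thread; the server-group name ACS, the 192.0.2.10 host address and the key line are assumptions.

```python
"""Audit an ASA running-config for the enable_15 command-authorization trap.

`aaa authorization command <group>` sends every command to the TACACS+ server.
If `enable` is still authenticated locally (no `aaa authentication enable
console <group>`), the ASA drops the login username after `enable` and sends
the authorization request for enable_15, which the server does not know, so
every command returns "command authorization failed".
"""
import re

# Constructed sample in the shape described in the thread, before the fix.
# Group name, host and key are assumptions, not the poster's real config.
BROKEN_CONFIG = """\
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key *****
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authorization command ACS LOCAL
"""

# Same config plus the line the reply asks for: enable authenticated by ACS.
FIXED_CONFIG = BROKEN_CONFIG + "aaa authentication enable console ACS LOCAL\n"

AAA_SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: LOCAL)?$")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization command (\S+)(?: LOCAL)?$")


def parse_aaa(config):
    """Return (server groups by name -> protocol,
               authentication services -> first method,
               command-authorization first method or None)."""
    groups, authn, authz_cmd = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_SERVER_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
            continue
        m = AUTHN_RE.match(line)
        if m:
            authn[m.group(1)] = m.group(2)  # e.g. {"ssh": "ACS", "enable": "ACS"}
            continue
        m = AUTHZ_CMD_RE.match(line)
        if m:
            authz_cmd = m.group(1)
    return groups, authn, authz_cmd


def audit(config):
    """Return a list of findings; an empty list means the config is consistent."""
    groups, authn, authz_cmd = parse_aaa(config)
    findings = []
    if authz_cmd is None or authz_cmd == "LOCAL":
        # No remote command authorization, so no enable_15 mismatch is possible.
        return findings
    if groups.get(authz_cmd) != "tacacs+":
        findings.append(
            f"command authorization group {authz_cmd} is not a TACACS+ server group")
    enable_method = authn.get("enable")
    if enable_method is None:
        findings.append(
            "enable is authenticated against the local enable password: after "
            "'enable' the ASA authorizes commands as enable_15, which the "
            f"TACACS+ group {authz_cmd} will reject; add "
            f"'aaa authentication enable console {authz_cmd} LOCAL'")
    elif enable_method != authz_cmd:
        findings.append(
            f"enable authentication uses {enable_method} but command "
            f"authorization uses {authz_cmd}; use the same server group so the "
            "login username is preserved")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

The parser only looks at the first method in each aaa line, because that is the method that decides which username the authorization request carries; the LOCAL fallback only matters when the server group is unreachable.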

Hi both,

Thanks for the idea; it does work in this case.

But I hit another problem!

My test case only covers username admin with privilege level 15, whilst I have another user with lower privilege, username ops with privilege level 3, whose role is monitoring, read-only on the configuration (CLI).

In the CLI, it can pass through the authentication process, but it is not able to let username ops get into exec mode. It gets stuck at the enable password.

Even if I create the enable password with privilege level 3, it also does not let it go.

Anything I can tune?

Thanks again

Since TACACS is your primary authentication method, it doesn't matter what role you have in the local database. I would like to see what enable privileges you have assigned to user ops on the ACS. Can you get a screenshot from the policy elements?

Also, take a look at the TACACS authentication section in the logging and monitoring section to see what error you are getting. As far as I can guess, it should be related to enable privileges.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin,

Yeah, I do think there's something missing.

I attached the ASA config snippet and the ACS config snapshot for you to view.

Thanks

Noel

Set the maximum privilege to 15 in policy elements. Even after doing that, you will still be able to access only show commands. This is a required setting for enable authentication.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin,

It works as expected; thanks for these days of support.

Noel

I got the same issue with the admin context: when I hit a command, I get an error message: command authorization failed.

An account, enable_15, was authenticated, not my normal account.

The solution was to create a new account in ACS with enable_15 as the credential.
