TACACS+ "authorization failure"

j-soriano85
Level 1

I am using Cisco Secure ACS and have everything up and running. I configured my 3560 switch with TACACS+ info and it works when I console into it and use my login name, but when I telnet into it from another switch it gives me an "authorization failure". I don't know if I'm missing one line in my switch configuration or if it's something wrong with the TACACS server? Can anyone help?

14 Replies

Richard Burts
Hall of Fame

Jacobo

It would help us to give you a better answer if you would post the AAA and TACACS sections of the configuration.

Part of what you are running into is that Cisco by default does process authorization for the vty lines but does not process authorization for the console.

Without seeing the config I would make a guess at the problem: I am guessing that you configure authentication either to use local as a primary method or as a backup method. If so I would suggest that you configure authorization to use "if-authenticated" as a corresponding method.

If my guess does not help you to a solution then I ask that you post the configs.

HTH

Rick

Hi Sorian,

Can you confirm that the switch has been added in the ACS server, and also confirm the key which you had given on the switch TACACS configuration and ACS server? Only if the switch TACACS authentication key doesn't match will you face the problem.

This is my configuration:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
!
tacacs-server host 214.3.80.7
tacacs-server key xxx

Jacobo

Thanks for posting these parts of the config. I am glad to see that you already have the if-authenticated in the config. I do not see any obvious issues in the config.

It seems to me that the issue could be either some authorization issue on the TACACS server or it could be an issue with local authorization. We can not tell from what you have posted so far which it is. I would suggest that you run and post the output from debug aaa authorization and debug tacacs authorization. That should show whether the authorization deny is coming from the server or from local processing.

It would also be helpful if you would look on the server in the logs and reports and tell us whether the server saw the request, and whether the server believes that it approved or denied the request.

HTH

Rick

KURT HILLIG
Level 1

I suspect what you need is to tell the box to use TACACS on its vty ports, something like this:

aaa authentication login admin group admin line
aaa authorization exec tac-author group tacacs+ none
line vty 0 4
 authorization exec tac-author
 login authentication admin
 transport input telnet ssh

Kurt

While you certainly can configure a specific method for authentication and authorization for the vty ports, the main reason for doing this is if you want them to be different from the default. I do not understand in the original post that he wants the vty to be different. And certainly TACACS is being used for the vty ports in the default method.

I do not believe that specifying a non-default method will change the behavior. I note that you also change from if-authenticated to none as the backup method. That may or may not be effective in solving the problem - and may or may not reflect the behavior that they want.

HTH

Rick

Below is the message I get when debug aaa authentication is on.

04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): Port='tty1' list='' service=EXEC
04:52:50: AAA/AUTHOR/EXEC: tty1 (4206801977) user='jacobo.soriano'
04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): send AV service=shell
04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): send AV cmd*
04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): found list "default"
04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): Method=tacacs+ (tacacs+)
04:52:50: AAA/AUTHOR/TAC+: (4206801977): user=jacobo.soriano
04:52:50: AAA/AUTHOR/TAC+: (4206801977): send AV service=shell
04:52:50: AAA/AUTHOR/TAC+: (4206801977): send AV cmd*
04:52:51: AAA/AUTHOR (4206801977): Post authorization status = FAIL
04:52:51: AAA/AUTHOR/EXEC: Authorization FAILED
04:52:53: AAA/MEMORY: free_user (0x30ECE28) user='jacobo.soriano' ruser='NULL' port='tty1' rem_addr='214.3.80.7' authen_type=ASCII service=LOGIN priv=1

What does each message mean? I see that it finds the default list.

This is what happens when I try to telnet from another switch or computer.

It works fine when I console into the switch, and this is the response from the debug message:

04:57:48: AAA/MEMORY: free_user (0x37799F8) user='jacobo.soriano' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
04:57:48: AAA: parse name=tty0 idb type=-1 tty=-1
04:57:48: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
04:57:48: AAA/MEMORY: create_user (0x2C0B3B8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Jacobo

Thanks for posting the additional information. I believe that it indicates that you are sending the authorization information to the server and the server is returning the response of "FAIL":

04:52:50: AAA/AUTHOR/TAC+: (4206801977): send AV service=shell
04:52:50: AAA/AUTHOR/TAC+: (4206801977): send AV cmd*
04:52:51: AAA/AUTHOR (4206801977): Post authorization status = FAIL

If you would also run debug tacacs authorization and post that output it might show a bit more clearly what is going on.

Anyway, assuming that the tacacs debug does confirm that you are being FAILed by the server, perhaps we should start looking at the server. Can you find entries in the logs of the server about its decision that might show why it is generating FAIL?

HTH

Rick
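A small parser for the question Rick is asking here (did the FAIL come back from the TACACS+ server, or did authorization fail before a request ever went out?). This is an added example in Python, not code from the thread or from Cisco; the sample lines are abridged from the debug aaa authorization output posted above, and the field and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: abridged from the debug output posted earlier in this thread.
SAMPLE_DEBUG = """\
04:52:50: AAA/AUTHOR/EXEC: tty1 (4206801977) user='jacobo.soriano'
04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): found list "default"
04:52:50: tty1 AAA/AUTHOR/EXEC (4206801977): Method=tacacs+ (tacacs+)
04:52:50: AAA/AUTHOR/TAC+: (4206801977): user=jacobo.soriano
04:52:50: AAA/AUTHOR/TAC+: (4206801977): send AV service=shell
04:52:50: AAA/AUTHOR/TAC+: (4206801977): send AV cmd*
04:52:51: AAA/AUTHOR (4206801977): Post authorization status = FAIL
04:52:51: AAA/AUTHOR/EXEC: Authorization FAILED
"""

@dataclass
class AuthorSession:
    user: str = ""
    method_list: str = ""           # e.g. "default"
    method: str = ""                # e.g. "tacacs+"
    sent_to_server: bool = False    # a TAC+ request actually went out
    status: str = ""                # PASS / FAIL / ERROR

SID = re.compile(r"\((\d+)\)")      # the AAA session ID in parentheses

def parse_author_debug(text):
    # Group lines by session ID and pull out the fields that decide the verdict.
    sessions = {}
    for line in text.splitlines():
        m = SID.search(line)
        if not m:
            continue  # e.g. the final 'Authorization FAILED' line has no ID
        s = sessions.setdefault(m.group(1), AuthorSession())
        if u := re.search(r"user='?([\w.@-]+)'?", line):
            s.user = u.group(1)
        if ml := re.search(r'found list "([^"]+)"', line):
            s.method_list = ml.group(1)
        if mm := re.search(r"Method=(\S+)", line):
            s.method = mm.group(1)
        if "AAA/AUTHOR/TAC+" in line and "send AV" in line:
            s.sent_to_server = True
        if st := re.search(r"Post authorization status = (\w+)", line):
            s.status = st.group(1)
    return sessions

def verdict(s):
    """Where did the decision come from? A FAIL after a TAC+ send is the server's."""
    if s.status == "PASS":
        return "authorized"
    if s.status == "FAIL":
        return "denied by TACACS+ server" if s.sent_to_server else "failed locally"
    return "incomplete capture"
```

For the capture in this thread the verdict is "denied by TACACS+ server", which is why the next step is the user or group definition on the ACS side rather than the switch config.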

I checked the log reports on the TACACS server and it shows me the authorization failures. I am still trying to troubleshoot it. Thanks for your help though, I really appreciate it.

All the reports say, under authorization failure code, is SERVICE=cmd*. I'm still trying to fix it.

Jacobo

I believe that this line in the config is initiating the authorization:

aaa authorization exec default group tacacs+ if-authenticated

If the server is not authorizing I would start by checking how the userID is configured on the tacacs server. I am guessing that something in the definition is interpreted by tacacs as not allowing creation of an exec process for this userID.

HTH

Rick

Mr.Burts,

I got it now and it works smoothly. I logged into our Cisco Secure ACS which is running TACACS+. I clicked on edit settings under the group I am in, then I scrolled down to TACACS+ Settings and checked the SHELL(exec) box. Wow, I couldn't believe how simple that was. Thanks for your help sir, I appreciate it. I wouldn't have got that far without your help. Thanks again.

Jacobo

I am glad that my posts were helpful in resolving your problem. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum most useful when people can read about a problem and can know that they will find a solution for the problem.

HTH

Rick

benissetaib
Level 1

I got the same issue in the admin context: when I hit a command, I got an error message: command authorization failed.

The account that is authenticated is enable_15, not my normal account.

The solution was to create a new account in ACS with enable_15 as the credential.

Thanks for posting to the forums to tell us about the problem that you had and how you fixed it. It is important to remember to check how the user ID is configured in the TACACS server.

HTH

Rick