Re: I Can Log In But Cannot Run Any Commands - AAA Problem?

RRatBB · ‎03-28-2024

Mods blocked last post, so trying again. No info here is confidential.

Hoping someone can shed some light. I have a switch in a remote location that I can connect to via SSH, but once connected I am unable to run *any* commands. I cannot do "show run." I cannot do *any* "show" commands. I can't even "exit" my SSH session. All commands return "% Authorization failed." It's as if I am logging in as privilege LEVEL 0. But I can't even run LEVEL 0 commands. Here's an example:

login as: joeusername
Pre-authentication banner message from server:
|
| ***********************************************************
| ** Access to this device is restricted to authorized blah blah**
| ***********************************************************
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

SWITCH001#sh run
% Authorization failed.

SWITCH001#exit
% Authorization failed.

SWITCH001#logout
% Authorization failed.

Here are some things I have found:

1. Default authentication method is using RADIUS, then TACACS+, then local
2. However, we have no local accounts configured. And we no longer have a TACACS+ server. So it appears I everything is via RADIUS.
3. We *do* have "aaa authorization exec ..." configured. I suspect this is where the problem is ... but I am not sure.

Relevant AAA settings are below (IPs, servers, keys, and group names are fake):

!
aaa new-model
!
!
aaa group server radius RADIUSSERVER
server 192.168.6.21 auth-port 1812 acct-port 1026
!
aaa authentication fail-message ^C
***********************************************************
** Your authentication request has been rejected and blah blah**
***********************************************************
^C
aaa authentication login default group RADIUSSERVER group tacacs+ local
aaa authentication enable default group RADIUSSERVER group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group RADIUSSERVER group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting delay-start all
aaa accounting exec default start-stop group RADIUSSERVER group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting network default start-stop group RADIUSSERVER group tacacs+
!
!
!
aaa session-id common
!
...
...
...
tacacs-server host 192.168.5.7
tacacs-server host 192.168.5.8
tacacs-server directed-request
tacacs-server key 7 xxxxxx
radius-server attribute 8 include-in-access-req
radius-server host 192.168.6.21 auth-port 1812 acct-port 1026
radius-server key 7 xxxxxx
banner login ^C
***********************************************************
** Access to this device is restricted to authorized blah blah **
***********************************************************
^C
!
line con 0
password 7 xxxxxx
logging synchronous
line vty 0 4
exec-timeout 15 0
password 7 xxxxxxx
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 15 0
password 7 xxxxxx
transport input ssh
!

I think the first thing I need to do is create a local admin-level account. Then I should probably remove anything having to do with tacacs+. But I'm still not sure that explains why I don't seem to be getting any sort of authorization whatsoever.

Thank you.

MHM Cisco World · ‎03-28-2024

Exec will give user it privilege

Issue here as I understand you lost connect to tacacs which you use to authz the command' the fallback to local not work if you not specify which command is allow for each privilege locally in router'

So solution is remove authz command or use if-auth with authz command (not sure if-auth work in this particular case)

MHM