09-16-2002 05:58 AM - edited 03-09-2019 12:19 AM
I have CS 2.4 used for AAA on switches & routers. I am using NT for authentication & authorization, but authorization is not working. 'Enable mode authorization failure' is the error, and one can't do anything else. I am using per-user TACACS+ attributes, and TACACS+ Enable Password is configured to use the external database password (NT). This is not happening, and neither is the enable password on the device.
Any ideas on fixing this?
Thanks in advance.
Kings
09-16-2002 03:33 PM
Keep in mind that "enable authentication" is used when you have configured on your router:
aaa authentication enable .........
In this scenario, you will only have an enable authentication request sent to ACS when the user types the enable password.
So first confirm that this is your scenario. If it really is, then try first configuring a user in the local ACS db, and use that user for enable authentication as well. If that doesn't work, then collect debugs on the router (debug aaa authentication) and compare it to your failed attempts reports, and check your configuration.
If you've confirmed that it works for local users, but doesn't work for your NT users, you may be running into a known issue. Do a search using the bug toolkit for "enable" and you may find a bug which is related to your issue.
You also said "neither is the enable password on the device." This implies that you may have issues that are not related to the ACS server.
debug tacacs, debug aaa authentication and debug aaa authorization are your friends here :)
HTH
Jeff
09-17-2002 07:06 AM
On ACS, I have actually tried with an ACS DB user with TACACS+ enable password as NT/Use PAP/Use separate, but it would not go. Also with the user on NT.
I get either command authorization failure/enable authorization failure depending on my config.
Because our network is very sensitive and active, it is difficult to try for too long. I do, however, have a switch here and can't currently do commands.
This is what I did.
set authorization enable enable tacacs+ none both
set authorization commands enable config tacacs+ none both
aaa authorization commands 15 group tacacs+ none
aaa authorization network group tacacs+ none
The reports say authorization failure. Have to knock off ACS to get in.
Kings
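For reference, an IOS AAA configuration that wires together the pieces Jeff describes (enable authentication sent to ACS, plus exec and command authorization with a fallback). This is an added example, not configuration from either poster; the ACS address, shared key and passwords are placeholders.

```cisco
! Added example: IOS AAA against TACACS+ (ACS) with local fallback.
! 192.0.2.10 and the <...> values are placeholders; replace them.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret-placeholder>
!
! Local accounts so the device stays manageable if ACS is unreachable
username admin privilege 15 secret <local-password-placeholder>
enable secret <enable-password-placeholder>
!
! Login is authenticated against ACS first, then the local user table
aaa authentication login default group tacacs+ local
!
! Only with this line does the router send an ENABLE authentication
! request to ACS when a user types "enable"; without it the local
! enable secret is checked and ACS never sees the request.
aaa authentication enable default group tacacs+ enable
!
! Exec and privilege-15 command authorization via ACS.
! Fallback methods (if-authenticated, local, none) are consulted only
! when ACS does not answer, NOT when ACS replies with a FAIL. That is
! why stopping ACS lets a user in while an ACS-side authorization
! failure still blocks them, as in the reports above.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
```

While testing, run "debug aaa authentication" and "debug aaa authorization" on the router alongside the ACS Failed Attempts report to see which of these method lists is producing the failure.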