Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
2
Replies

Enable Authorization failure

admin_2
Level 3
Level 3

‎09-16-2002 05:58 AM - edited ‎03-09-2019 12:19 AM

I have CS 2.4 used for AAA on switches&routers. I am using NT for authentication & authorization but authorization is not working. 'Enable mode authorization failure' is the error and one can't do anything else. I am using Per user TACACS+ attributes and TACACS+ Enable Password is configured to use external database password (NT). This is not happening neither is the enale password on the device.

Any ideas on fixing this?

Thanks in advance.

Kings

Labels:
0 Helpful
2 Replies 2

jekrauss
Level 1
Level 1

‎09-16-2002 03:33 PM

Keep in mind that "enable authentication' is used when you have configured on your router:

aaa authentication enable .........

In this scenario, you will only have an enable authentication request sent to ACS when the user types the enable password.

So first confirm that this is your scenario. If it really is, then try first configuring a user in the local ACS db, and use that user for enable authentication as well. If that doesn't work, then collect debugs on the router (debug aaa authentication) and compare it to your failed attempts reports, and check your configuration.

If you've confirmed that it works for local users, but doesn't work for your NT users, you may be running into a known issue. Do a search using the bug toolkit for "enable" and you may find a bug which is related to your issue.

You also said "neither is the enable password on the device." This implies that you may have issues that are not related to the ACS server.

debug tacacs, debug aaa authentication and debug aaa authorization are your friends here :)

HTH

Jeff

0 Helpful

Not applicable
In response to jekrauss

‎09-17-2002 07:06 AM

ON ACS; I have actually tried with ACS bd user with Tacacs+ enable password as NT/Use PAP/Use seperate but it would not go. Also with the user on NT.

I get either command authorization failure/enable authorization failure depending on my config.

Because Our network is very sensitive and active it is difficult to tried for too long. I do however have a switch here and can't currenly do commands.

This what I did.

set authorization enable enable tacacs+ none both

set authorization commands enable config tacacs+ none both

aaa authorization commands 15 group tacacs+ none

aaa authorization network group tacacs+ none

The reports say authorization failure. Have to knock off ACS to get in.

Kings

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents