Cisco Support Community
New Member

Enable Authorization failure

I have CS 2.4 used for AAA on switches & routers. I am using NT for authentication & authorization but authorization is not working. 'Enable mode authorization failure' is the error and one can't do anything else. I am using Per user TACACS+ attributes and TACACS+ Enable Password is configured to use external database password (NT). This is not happening neither is the enable password on the device.

Any ideas on fixing this?

Thanks in advance.


New Member

Re: Enable Authorization failure

Keep in mind that "enable authentication" is used when you have configured on your router:

aaa authentication enable .........

In this scenario, you will only have an enable authentication request sent to ACS when the user types the enable password.

So first confirm that this is your scenario. If it really is, then try first configuring a user in the local ACS db, and use that user for enable authentication as well. If that doesn't work, then collect debugs on the router (debug aaa authentication) and compare it to your failed attempts reports, and check your configuration.

If you've confirmed that it works for local users, but doesn't work for your NT users, you may be running into a known issue. Do a search using the bug toolkit for "enable" and you may find a bug which is related to your issue.

You also said "neither is the enable password on the device." This implies that you may have issues that are not related to the ACS server.

debug tacacs, debug aaa authentication and debug aaa authorization are your friends here :)
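
The first check suggested in the reply above (is `aaa authentication enable` configured, and where do the method lists point), as an added example that is not part of the original thread: a short Python script that reads an IOS configuration and reports each AAA method list. The sample configuration is constructed, and the function names `parse_aaa` and `audit` are assumptions made for illustration.

```python
import re

# Constructed sample IOS configuration (not taken from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
"""

AAA_LINE = re.compile(
    r"^aaa (authentication|authorization) "
    r"(login|enable|exec|network|commands \d+) (\S+) (.+)$")

def parse_aaa(config):
    """Return {(kind, service, list_name): [methods]} for each aaa method list."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            kind, service, name, methods = m.groups()
            # "group tacacs+" is a single method; fold the keyword into it.
            lists[(kind, service, name)] = re.sub(
                r"\bgroup\s+", "group:", methods).split()
    return lists

def audit(config):
    """Describe where enable authentication and authorization requests go."""
    lists = parse_aaa(config)
    findings = []
    enable = lists.get(("authentication", "enable", "default"))
    if enable is None:
        findings.append("enable: no 'aaa authentication enable' list; the device "
                        "checks its own enable password and no enable request "
                        "is sent to the AAA server")
    elif "group:tacacs+" in enable:
        findings.append("enable: password is checked by TACACS+ first (%s)"
                        % " ".join(enable))
    for (kind, service, name), methods in sorted(lists.items()):
        if kind == "authorization" and methods[0] == "group:tacacs+":
            fallback = ",".join(methods[1:]) or "(no fallback)"
            # Later methods are tried only when the server gives no response.
            findings.append("%s/%s: a server reject is final; %s applies only "
                            "if the server does not answer"
                            % (service, name, fallback))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
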




Re: Enable Authorization failure

On ACS: I have actually tried with ACS db user with Tacacs+ enable password as NT/Use PAP/Use separate but it would not go. Also with the user on NT.

I get either command authorization failure/enable authorization failure depending on my config.

Because our network is very sensitive and active it is difficult to try for too long. I do however have a switch here and can't currently do commands.

This is what I did.

set authorization enable enable tacacs+ none both

set authorization commands enable config tacacs+ none both

aaa authorization commands 15 group tacacs+ none

aaa authorization network group tacacs+ none

The reports say authorization failure. Have to knock off ACS to get in.

