I have CS 2.4 used for AAA on switches & routers. I am using NT for authentication & authorization but authorization is not working. 'Enable mode authorization failure' is the error and one can't do anything else. I am using per-user TACACS+ attributes and TACACS+ Enable Password is configured to use external database password (NT). This is not happening; neither is the enable password on the device.
Keep in mind that "enable authentication" is used when you have configured on your router:
aaa authentication enable .........
In this scenario, you will only have an enable authentication request sent to ACS when the user types the enable password.
So first confirm that this is your scenario. If it really is, then try first configuring a user in the local ACS db, and use that user for enable authentication as well. If that doesn't work, then collect debugs on the router (debug aaa authentication) and compare it to your failed attempts reports, and check your configuration.
If you've confirmed that it works for local users, but doesn't work for your NT users, you may be running into a known issue. Do a search using the bug toolkit for "enable" and you may find a bug which is related to your issue.
You also said "neither is the enable password on the device." This implies that you may have issues that are not related to the ACS server.
debug tacacs, debug aaa authentication and debug aaa authorization are your friends here :)