AAA authorization fails, but still command is executed...

Hi everyone,
I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is. Since I get a FAIL from the TACACS server, I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? The same problem exists with the Loopback interface.
Is this me not understanding the basic concept of AAA, or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
Tom

Hi Tom,
this is CSCtd49491: TACACS+ command authorization for interface configuration fails.
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert
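As an added worked example (not from the original thread or from Cisco), the check below parses `debug aaa authorization` output of the form Tom posted into per-session authorization requests, rebuilds the command line from the `cmd`/`cmd-arg` AV pairs, and cross-checks every request the server answered with FAIL against a `show running-config` snapshot. The sample log and config are constructed from the post: session 60725991 is Tom's, while the second session (60725992), its FastEthernet interface and the PASS_ADD status string are invented to give the check a negative case. A non-empty result is exactly the symptom in this thread: the server denied the command but the device applied it anyway.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `debug aaa authorization` lines from the post
# (session 60725991) plus an invented permitted session (60725992). The
# PASS_ADD status string for the permitted request is an assumption.
DEBUG_LOG = """\
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV service=shell
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd=interface
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=FastEthernet
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=1/0/1
Dec  7 14:32:10: tty1 AAA/AUTHOR/CMD (60725992): send AV cmd-arg=<cr>
Dec  7 14:32:10: AAA/AUTHOR (60725992): Post authorization status = PASS_ADD
"""

# Constructed `show running-config` excerpt taken after both commands ran;
# `interface Vlan2` is what the post shows being created despite the FAIL.
RUNNING_CONFIG = """\
interface FastEthernet1/0/1
 switchport mode access
interface Vlan2
 no ip address
end
"""

# Only AAA/AUTHOR/CMD lines are read: the AAA/AUTHOR/TAC+ lines repeat the
# same AV pairs on their way to the server and would double-count them.
AV_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV ([^=\s]+)=(.*)$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")


@dataclass
class AuthzRequest:
    session: str
    avpairs: List[Tuple[str, str]] = field(default_factory=list)
    status: str = "UNKNOWN"  # FAIL, PASS_ADD, ... or UNKNOWN if no status line was seen

    def command(self) -> str:
        """Rebuild the CLI line from cmd / cmd-arg pairs, dropping the <cr> marker."""
        return " ".join(v for a, v in self.avpairs if a in ("cmd", "cmd-arg") and v != "<cr>")


def parse_debug(text: str) -> List[AuthzRequest]:
    """Group debug lines into one AuthzRequest per session id, in order of appearance."""
    reqs: Dict[str, AuthzRequest] = {}
    for line in text.splitlines():
        m = AV_RE.search(line)
        if m:
            sid, attr, value = m.groups()
            reqs.setdefault(sid, AuthzRequest(sid)).avpairs.append((attr, value.strip()))
            continue
        m = STATUS_RE.search(line)
        if m:
            sid, status = m.groups()
            reqs.setdefault(sid, AuthzRequest(sid)).status = status
    return list(reqs.values())


def interface_name(cli: str) -> Optional[str]:
    """'interface Vlan 2' -> 'Vlan2', the spelling IOS uses in the running config."""
    words = cli.split()
    if len(words) >= 3 and words[0].lower() == "interface":
        return "".join(words[1:])
    return None


def failed_but_applied(debug_text: str, running_config: str) -> List[str]:
    """Interface commands the server answered FAIL that nonetheless exist in the config."""
    present = set(re.findall(r"^interface (\S+)", running_config, re.M))
    gaps = []
    for req in parse_debug(debug_text):
        name = interface_name(req.command())
        if req.status == "FAIL" and name in present:
            gaps.append(req.command())
    return gaps


if __name__ == "__main__":
    for req in parse_debug(DEBUG_LOG):
        print(f"{req.session}: {req.command()!r} -> {req.status}")
    print("denied but applied:", failed_but_applied(DEBUG_LOG, RUNNING_CONFIG))
```

The check only covers `interface` commands because that is the shape of the bug in this thread; the same pattern (rebuild the command from the AV pairs, then look for its side effect on the device) applies to any command class where the server's FAIL cannot be trusted on its own.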

Similar Messages

  • AAA Authorization Fail between WLC 2125 & LWAP 1042n

In my Wireless environment, WLC 2125 is connected to a LWAP 1042n. The WLC is successfully providing a DHCP IP to the AP but is unable to discover it. All are connected. During debug mode the following error message is encountered in WLC 2125, "AAA Authorization Fail....".
    Please suggest what to do.

    Here is a good doc that explains different errors:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

  • Aaa authorization and show logging command

    Hello Guys,
    I am running IOS 15 on some routers and using ACS version 5.3.0.40.5 for authentication and authorization.
    I would like to have a group of users not be able to access the configuration mode but issue all show commands.
    However, the show logging command does not seem to work in user mode.
    Any ideas or work arounds are welcome.
    thanks in advance.

    Hello,
There is no contradiction. You can have level 15 access and deny or permit access to whatever commands you want.
I am using ACS where everyone has level 15 access but some of them can only use show commands (no conf t).
    You can configure things the same way by allowing everyone level 15 access and allow or deny whatever commands you want.
    let me know if you need extra help.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
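Added example, not ACS code: a minimal model of how a TACACS+ server evaluates a shell command set against the AV pairs IOS sends for command authorization (`cmd` is the first word, each further word is its own `cmd-arg`, terminated by `cmd-arg=<cr>`, exactly as in the debug output in the first thread). It encodes the two policies discussed on this page: Tom's limited set from the first thread (show interfaces status, configure terminal, interface on Ethernet/FastEthernet/GigabitEthernet, shutdown, no shutdown, with Vlan and Loopback denied) and Amjad's "everyone at level 15, show commands only" group. The ordered-rules/first-match/regex-on-arguments semantics are a simplification and do not reproduce ACS's exact matching, and commands are assumed to arrive already expanded (conf t as configure terminal).

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

AVPairs = List[Tuple[str, str]]


def to_avpairs(cli: str) -> AVPairs:
    """Model of what IOS sends for shell command authorization: the first word as
    cmd, every further word as its own cmd-arg, then a trailing cmd-arg=<cr>.
    Assumes IOS has already expanded abbreviations (conf t -> configure terminal)."""
    words = cli.split()
    pairs: AVPairs = [("service", "shell"), ("cmd", words[0])]
    pairs += [("cmd-arg", w) for w in words[1:]]
    pairs.append(("cmd-arg", "<cr>"))
    return pairs


@dataclass(frozen=True)
class Rule:
    command: str        # compared case-insensitively with the cmd AV pair
    args: str = ".*"    # regex that must fully match the space-joined cmd-arg values
    permit: bool = True


class CommandSet:
    """Ordered rules, first match wins; anything unmatched gets the default action.
    Simplified model of a TACACS+ server's shell command set, not ACS's own logic."""

    def __init__(self, rules: Sequence[Rule], default_permit: bool = False):
        self.rules = list(rules)
        self.default_permit = default_permit

    def decide(self, avpairs: AVPairs) -> str:
        cmd = next((v for a, v in avpairs if a == "cmd"), "")
        args = " ".join(v for a, v in avpairs if a == "cmd-arg" and v != "<cr>")
        for rule in self.rules:
            if rule.command.lower() == cmd.lower() and re.fullmatch(rule.args, args, re.I):
                return "PASS" if rule.permit else "FAIL"
        return "PASS" if self.default_permit else "FAIL"


# Tom's set from the first thread: physical interfaces only, shut/no shut, one show.
# The explicit deny on Vlan/Loopback is redundant with the default deny but makes the
# intent visible in the policy itself.
LIMITED_SET = CommandSet([
    Rule("show", r"interfaces? status"),
    Rule("configure", r"terminal"),
    Rule("interface", r"(Vlan|Loopback) ?\S*", permit=False),
    Rule("interface", r"(Ethernet|FastEthernet|GigabitEthernet) ?\S+"),
    Rule("shutdown", r""),
    Rule("no", r"shutdown"),
])

# Amjad's group: everyone lands at privilege 15, but only show commands pass.
SHOW_ONLY = CommandSet([
    Rule("show"),
    Rule("configure", permit=False),
])


if __name__ == "__main__":
    for cli in ("interface Vlan 2", "interface GigabitEthernet 1/0/1", "no shutdown"):
        print(f"limited   {cli!r:36} -> {LIMITED_SET.decide(to_avpairs(cli))}")
    for cli in ("show logging", "configure terminal"):
        print(f"show-only {cli!r:36} -> {SHOW_ONLY.decide(to_avpairs(cli))}")
```

Two points worth keeping in mind when moving from the model to a real ACS/ISE command set: a permissive default (permit-unmatched) turns a typo in one rule into an allow-all, so keep the default at deny; and the server only returns a verdict. The device is the enforcement point, and as the first thread shows, a FAIL in the server log is not by itself proof that the command had no effect.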

  • AAA Authorization issue

    Hi All,
I've got an issue when adding a device to ACS. When I try to log in to the device after adding it to the ACS, it doesn't prompt me to enter my TACACS username and password; instead it prompts me to enter the TACACS username/password details when I try to get into enable mode. Also, once I am in enable mode, I can't execute any commands, as shown below:
    Router01#debug aaa authentication
    Command authorization failed.
    ^
    % Invalid input detected at '^' marker.
    Router01#sh run
    Command authorization failed.
    % Incomplete command.
    The aaa config is as listed below:
    aaa authentication login default group TACACS-GROUP enable
    aaa authentication enable default group TACACS-GROUP enable
    aaa authentication ppp default local
    aaa authorization commands 1 default group TACACS-GROUP if-authenticated
    aaa authorization commands 15 default group TACACS-GROUP if-authenticated
    aaa accounting commands 1 default start-stop group TACACS-GROUP
    aaa accounting commands 15 default start-stop group TACACS-GROUP
    Everything works fine once I remove the device from ACS. How do I get over this issue? Any advice would be much appreciated.
    Regards,
    PV

    PV,
    The reason you are not able to issue any command is because, you have command authorization enabled on Router.
    It seems that you don't want that. You need to remove these commands,
    no aaa authorization commands 1 default group TACACS-GROUP if-authenticated
    no aaa authorization commands 15 default group TACACS-GROUP if-authenticated
These commands are used to authorize which commands a user can issue.
    Please see this link, it explain about setting up command authorization using acs,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request' % Incomplete command.

We are using a Cisco ASR 9006. We configured aaa authentication and committed the changes; after that I am able to log in to the ASR with a local user, but
no command executes and I get this error:
    Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
    % Incomplete command.
    please help.

    Hi Anop
    How did you get over this problem? I am having the same issue.
    Regards
    Rohan

  • AAA -- Int range configuration gives "Command authorization failed" msg.

    Versions involved:
    AAA
    ACS 4.1.4.13.12
    Devices:
    C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
    C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
    If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
    HOST1184(config)#int range fastEthernet 0/1 - 3
    HOST1184(config-if-range)# switchport access vlan 24
    HOST1184(config-if-range)# switchport mode access
    HOST1184(config-if-range)# switchport voice vlan 301
    HOST1184(config-if-range)# dot1x pae authenticator
    HOST1184(config-if-range)# dot1x port-control auto
    HOST1184(config-if-range)# dot1x timeout reauth-period 7200
    HOST1184(config-if-range)# dot1x timeout supp-timeout 120
    HOST1184(config-if-range)# dot1x max-req 1
    HOST1184(config-if-range)# dot1x max-reauth-req 1
    HOST1184(config-if-range)# dot1x reauthentication
    HOST1184(config-if-range)# dot1x guest-vlan 280
    HOST1184(config-if-range)# spanning-tree portfast
    HOST1184(config-if-range)#!
HOST1184(config-if-range)#end
    HOST1184#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    HOST1184(config)#int range fastEthernet 0/4 - 14
    HOST1184(config-if-range)# switchport access vlan 24
    Command authorization failed.
    Command authorization failed.
    Command authorization failed.
    HOST1184(config-if-range)# switchport mode access
    HOST1184(config-if-range)# switchport voice vlan 301
    HOST1184(config-if-range)# dot1x pae authenticator
    HOST1184(config-if-range)# dot1x port-control auto
    Command authorization failed.
    HOST1184(config-if-range)# dot1x timeout reauth-period 7200
    Command authorization failed.
    HOST1184(config-if-range)# dot1x timeout supp-timeout 120
    Command authorization failed.
    HOST1184(config-if-range)# dot1x max-req 1
    Command authorization failed.
    HOST1184(config-if-range)# dot1x max-reauth-req 1
    Command authorization failed.
    HOST1184(config-if-range)# dot1x reauthentication
    Command authorization failed.
    HOST1184(config-if-range)# dot1x guest-vlan 280
    Command authorization failed.
    HOST1184(config-if-range)# spanning-tree portfast
    Command authorization failed.
    HOST1184(config-if-range)#!
    The pieces of config are as follows:
    aaa new-model
    aaa group server radius dot1x
    server 10.61.156.136 auth-port 1812 acct-port 1813
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group dot1x
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated none
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    enable secret 5 <removed>
    logging 10.142.4.45
    snmp-server community <removed> RO
    snmp-server community <removed> RW
    snmp-server location "SD"
    snmp-server contact contact - [email protected]
    tacacs-server host A.B.C.D timeout 5 key <removed>
    tacacs-server host A.B.C.D timeout 5 key <removed>
    tacacs-server host A.B.C.D timeout 5 key <removed>
    no tacacs-server directed-request
    radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
    radius-server retransmit 3
    Anyone out there has a solution for such a problem?
    Regards,
    AL

    Hi JG, thanks for your response.
    I don't have the appliance close to me, so I cannot check on this setting.
    As soon as I have a chance, I will return with this info.
    Anyway, why does it work for other devices and also, why we don't have any problem when configuring a small range of interfaces?
    Once again, thanks for your reply.
    Regards,
    AL

  • AAA issue ( command authorization failed)

I am getting the issue, and the following is the script; I cannot find and locate the cause of the error!
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hexxor
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
    enable password 7 0525112F05411F075231123E
    username hexxor password 7 024D2A103F26243363593D1C2B5C
    aaa new-model
    aaa authentication login T-AUTH group tacacs+ local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
    aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
    aaa accounting exec T-ACC start-stop group tacacs+
    aaa accounting commands 15 T-ACC start-stop group tacacs+
    interface Vlan1
    no ip address
    interface Vlan50
    ip address 128.1.50.54 255.255.255.0
    no ip route-cache
    ip default-gateway 128.1.50.254
    no ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging 10.241.40.20
    logging 128.1.50.245
    access-list 1 permit 128.1.50.245
    snmp-server host 10.241.40.27 Armageddon
    snmp-server host 128.1.50.245 Armageddon
    tacacs-server host 10.241.40.22
    tacacs-server host 10.241.40.23
    tacacs-server directed-request
    tacacs-server key 7 020813480E052F2E4D
    line con 0
    exec-timeout 5 0
    password 7 1142374E2332201E2B3D1F210678
    authorization commands 15 T-AUTHOR
    authorization exec T-AUTHOR
    accounting commands 15 T-ACC
    accounting exec T-ACC
    login authentication T-AUTH
    transport preferred none
    line vty 0 4
    exec-timeout 5 0
    password 7 06281801684358174E231727
    authorization commands 15 T-AUTHOR
    authorization exec T-AUTHOR
    accounting commands 15 T-ACC
    accounting exec T-ACC
    login authentication T-AUTH
    transport input telnet
    transport output telnet
    line vty 5 15
    password 7 0228137B2F0B5E2F077A0C35
    end

    Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
    I would suggest this as a first test:
    - login to the device.
- go into enable mode.
    - attempt the show run command. (I assume that it will fail)
    - check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
    If you want to do a second test to verify the cause of the problem then I would suggest this:
    - remove from the config these lines
    aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
    aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
    then login to the device, go into enable mode, attempt the show run command
    Try one or both of these tests and post back to tell us of the results.
    HTH
    Rick
