AAA Authorization help

I have configured authentication for the outside users to connect to my servers using the following sample acl
access-list 110 permit tcp any host 10.10.10.3 eq http
access-list 110 permit tcp any host 10.10.10.4 eq http
access-list 110 permit tcp any host 10.10.10.5 eq http
aaa authentication match 110 outside TACACS+
Now, for authorizing them, do I have to create another set of ACLs or can I just use the existing ACLs and write
aaa authorization match 110 outside TACACS+
Is there anything else i should do on the AAA-Server for authorization?
Thanks
Jason

Hi Jason,
You can use the same ACL for authorization. You will not have to do anything on ACS unless you need to push ACLs for the user.
Regards,
Vivek

Similar Messages

  • AAA Authorization named authorization list

    Ladies and Gents,
    Your help will be greatly appreciated. I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work, but I am having difficulty getting my head around the below.
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the Named Method List, i.e. the non-default method list?
    I don't mean the Cisco switch config, but how the list is created; is this on the tacacs+ server and then referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can't see how this is created.
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
    In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response: the device will only check the local user database if and only if it receives nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
    Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, an aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc.) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!

  • AAA Authorization Using Local Database

    Hi Guys,
    I'm planning to use AAA authorization using the local database. I have already read about it, I have configured the aaa new-model command and I have set up users already. But I'm stuck at the part where I give certain users access to certain commands using the local database. Hope you can help on this.
    FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.

    For allowing limited read-only access, use this example.
    We need these commands on the switch:
    Switch(config)#do sh run | in priv
    username admin privilege 15 password 0 cisco123!
    username test privilege 0 password 0 cisco
    privilege exec level 0 show ip interface brief
    privilege exec level 0 show ip interface
    privilege exec level 0 show interface
    privilege exec level 0 show switch
    No need for user to login to enable mode. All priv 0 commands are now there in the user mode. See below
    User Access Verification
    Username: test
    Password:
    Switch>show ?
    diagnostic Show command for diagnostic
    flash1: display information about flash1: file system
    flash: display information about flash: file system
    interfaces Interface status and configuration
    ip IP information
    switch show information about the stack ring
    Switch>show switch
    Switch/Stack Mac Address : 0015.f9c1.ca80
    H/W Current
    Switch# Role Mac Address Priority Version State
    *1 Master 0015.f9c1.ca80 1 0 Ready
    Switch>show run
    ^
    % Invalid input detected at '^' marker.
    Switch>show aaa server
    ^
    % Invalid input detected at '^' marker.
    Switch>show inter
    Switch>show interfaces
    Vlan1 is up, line protocol is up
    Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
    Internet address is 192.168.26.3/24
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Switch>
    Please check this link,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Command execution get very slow when AAA Authorization enable on ASR 1006

    Without authorization, I am able to work smoothly with just a click on the ASR, but once I enable authorization it takes many seconds to move to the next command (for example, if I hit config t or int gi1/0/1, it takes time to move to the next command level).
    I am facing this authorization issue only on the ASR; on other Cisco switches and routers it works fine with just a click.
    Did anyone face such an issue, and how was it fixed?
    See the Show version for ASR
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 24-Mar-11 23:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
    Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
    System returned to ROM by reload
    System restarted at 17:47:32 IST Thu Oct 4 2012
    System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
    Last reload reason: EHSA standby down
    AAA Commands on ASR 1006
    aaa new-model
    aaa group server tacacs+ tacgroup
    server 10.48.128.10
    server 10.72.160.10
    ip vrf forwarding Mgmt-intf
    ip tacacs source-interface GigabitEthernet0
    aaa authentication login default group tacgroup local
    aaa authentication enable default group tacgroup enable
    aaa accounting exec default start-stop group tacgroup
    aaa accounting commands 1 default start-stop group tacgroup
    aaa accounting commands 15 default start-stop group tacgroup
    aaa accounting connection default start-stop group tacgroup
    aaa accounting system default start-stop group tacgroup
    aaa authorization commands 0 default group tacgroup none
    aaa authorization commands 1 default group tacgroup none
    aaa authorization commands 15 default group tacgroup none
    aaa session-id common
    tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
    tacacs-server key 7 053B071C325B411B1D25464058

    I think your issue may be related to your TACACS server. Re-order the two servers (typically there is a 5 second timer before failover occurs) and see if that improves your performance:
    You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the TACACS servers is failing. I also noticed you have the shared secret and tacacs server defined for one of the servers; is the same present for the other server that is in the server group?
    server 10.48.128.10
    server 10.72.160.10
    to
    server 10.72.160.10
    server 10.48.128.10
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Aaa authorization ACA4.1

    I configured AAA on my switch and cannot get telnet login. In the Passed Authentications on the ACS server, authentication is OK, but the Fail Item is Unknown NAS.
    Thanks for any Help
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login CONSOLE local
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+
    aaa authorization exec CON none
    aaa authorization network default group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Switch output:
    Username: aessome-d
    Password:
    % Authorization failed.
    Connection closed by foreign host.

    Do you want to use RADIUS or TACACS+? Make sure you have priv 15 configured in ACS.
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts

  • Aaa authorization console

    Hi,
    i have the following config :
    aaa new-model
    aaa authentication login NO_LOGIN none
    aaa authentication login ADMINS group radius local
    aaa authentication login CONSOLE group radius local
    aaa authorization exec NO_AUTHOR none
    aaa authorization exec ADMINS group radius local
    aaa authorization exec CONSOLE group radius local
    enable secret cisco
    username cisco privilege 15 secret cisco
    line con 0
    password 7 05080F1C2243
    authorization exec CONSOLE
    login authentication CONSOLE
    line vty 0 4
    password 7 045802150C2E0C
    authorization exec ADMINS
    logging synchronous
    login authentication ADMINS
    line vty 5 15
    password 7 060506324F41
    authorization exec ADMINS
    logging synchronous
    login authentication ADMINS
    When I am trying to log in to the switch from a vty line I come directly to privileged mode, but when logging in to the console port I come to exec mode (privilege 1) and I can't go further to the user privilege mode. Each time I have to type a password (I type the enable one) and my access is denied.
    When issuing the command # aaa authorization console (using telnet from another switch)
    the problem is solved.
    Can someone please explain why this is happening? I think after logging in with a local account (with privilege 15) from the console port I should get directly to privileged mode, or am I wrong?

    aaa authorization console is a hidden command. We have to execute this command to enable authorization for the console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for the console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for the console are useless. You have to first enable authorization for the console with the help of aaa authorization console.
    Command reference:
    http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046
    Jatin Katyal
    - Do rate helpful posts -

  • AAA authorization and accounting

    Hello everyone.
    I am given a project to implement AAA on routers and switches in our environment. Can some one please help me out in understanding the difference between,
    1) aaa authorization exec and aaa authorization command option.
    2) aaa accounting exec and aaa accounting command option.
    Many thanks.
    Sent from Cisco Technical Support Android App

    Hello,
    1) aaa authorization exec and aaa authorization command option.
    The first one authorizes whether the user has the right privilege level to enter one of the IOS privilege levels (0, 1, 15); you can customize this.
    The second one authorizes the different commands a user can type and send to the device
    2) aaa accounting exec and aaa accounting command option.
    The first one again accounts when a user enters a specific user level (privileged level 15 or exec user level 1).
    The second one sends an accounting message for each command sent to the box.
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • AAA setup help

    hi all,
    I have a gateway and would like to set up AAA.
    Here's the flow of my setup:
    A user calls into my gateway -> my TCL script takes over and authenticates the user via the RADIUS server.
    I'm just at a loss with all this "aaa authentication + accounting" setup. Can someone guide me?
    Thanks.

    Hi Vinh
    Here are the commands that can help you set up AAA on network devices.
    You can make changes to accounting as you require.
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authentication ppp default group default-group local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 2 default group tacacs+ local
    aaa authorization commands 3 default group tacacs+ local
    aaa authorization commands 4 default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 6 default group tacacs+ local
    aaa authorization commands 7 default group tacacs+ local
    aaa authorization commands 8 default group tacacs+ local
    aaa authorization commands 9 default group tacacs+ local
    aaa authorization commands 10 default group tacacs+ local
    aaa authorization commands 11 default group tacacs+ local
    aaa authorization commands 12 default group tacacs+ local
    aaa authorization commands 13 default group tacacs+ local
    aaa authorization commands 14 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default local group default
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 2 default start-stop group tacacs+
    aaa accounting commands 3 default start-stop group tacacs+
    aaa accounting commands 4 default start-stop group tacacs+
    aaa accounting commands 5 default start-stop group tacacs+
    aaa accounting commands 6 default start-stop group tacacs+
    aaa accounting commands 7 default start-stop group tacacs+
    aaa accounting commands 8 default start-stop group tacacs+
    aaa accounting commands 9 default start-stop group tacacs+
    aaa accounting commands 10 default start-stop group tacacs+
    aaa accounting commands 11 default start-stop group tacacs+
    aaa accounting commands 12 default start-stop group tacacs+
    aaa accounting commands 13 default start-stop group tacacs+
    aaa accounting commands 14 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

  • AAA Authorization on PIX

    I have set up authentication and Authorization on the PIX. Authentication works but Authorization fails. I try to debug but nothing shows up (on PIX or ACS), but it does if I debug Authentication

    Make sure you have enable authentication configured:
    aaa authentication ssh console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa authentication enable console TACACS LOCAL
    aaa authorization command TACACS LOCAL
    In case it does not work, please post the aaa config.
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco 4948 issue 122-46.SG on AAA authorization

    I have faced a problem regarding AAA line:
    aaa authorization exec default group tacacs+ local
    If I add this line to my Cisco 4948 switch running 122-46.SG, the next time I telnet to the switch I get an automatic restart of the switch and all configs are lost.
    IOS used:
    cat4500-ipbase-mz.122-46.SG.bin
    WS-C4948-10GE

    I think it is better to move the thread to the switching part. They may help you better.

  • Aaa authorization subscriber-service default group

    Dear All
    I am configuring Broadband RAS over PPPoE on a Cisco 7206 (IOS 12.2(33) SRD).
    Some commands I am not able to run, like
    aaa authorization subscriber-service default group AAA-SERVERS
    aaa server radius sesm
    The scenario is like this:
    END User -> Broadband RAS -> (Management software with DHCP server) -> Bandwidth manager -> core Router -> Internet
    Broadband RAS will manage all internet users with the help of the management software.
    Please help me.
    vikas

    Hi
    The output that you posted (System image file is "disk2:c7200p-ipbase-mz.124-15.T9.bin") shows an image that does not support this feature.
    The IOS releases below support AAA Authorization and Authentication Cache and AAA server group; these are IP Base images without crypto:
    Release        Image                             DRAM (MB)  Flash (MB)
    15.0(1)M2      c7200-ipbase-mz.150-1.M2.bin      512        64
    15.0(1)M1      c7200-ipbase-mz.150-1.M1.bin      512        64
    15.0(1)M       c7200-ipbase-mz.150-1.M.bin       512        64
    12.2(33)SRE1   c7200-ipbase-mz.122-33.SRE1.bin   512        64
    12.2(33)SRE    c7200-ipbase-mz.122-33.SRE.bin    512        64
    12.2(33)SRD4   c7200-ipbase-mz.122-33.SRD4.bin   128        64
    12.2(33)SRD3   c7200-ipbase-mz.122-33.SRD3.bin   128        64
    12.2(33)SRD2a  c7200-ipbase-mz.122-33.SRD2a.bin  128        64
    12.2(33)SRD2   c7200-ipbase-mz.122-33.SRD2.bin   128        64
    12.2(33)SRD1   c7200-ipbase-mz.122-33.SRD1.bin   128        64
    12.2(33)SRD    c7200-ipbase-mz.122-33.SRD.bin    128        64
    12.2(33)SRC6   c7200-ipbase-mz.122-33.SRC6.bin   128        64
    12.2(33)SRC5   c7200-ipbase-mz.122-33.SRC5.bin   128        64
    12.2(33)SRC4   c7200-ipbase-mz.122-33.SRC4.bin   128        64
    12.2(33)SRC3   c7200-ipbase-mz.122-33.SRC3.bin   128        64
    12.2(33)SRC2   c7200-ipbase-mz.122-33.SRC2.bin   128        64
    12.2(33)SRC1   c7200-ipbase-mz.122-33.SRC1.bin   128        64
    12.2(33)SRC    c7200-ipbase-mz.122-33.SRC.bin    128        64
    Regards
    Chetan Kumar

  • AAA authorization show run in priv 7

    Hi, can anyone help?
    I have set up AAA on my network.
    aaa authentication login default group tacacs+ group security local
    aaa authorization exec default group tacacs+ group security local
    aaa accounting exec default start-stop group tacacs+ group security
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 xyz
    I want to set privilege on a group basis.
    I have created a group called test in the ACS server and set command authorization on a per-group basis
    & added the show command with permit running-config as arguments.
    My objective is to give the users of the test group priv level 7, but they can use show running-config.
    Any help?
    thanks in advance

    Hi,
    Thanks for your reply. It's nearly exactly what I wanted. However, show running-config only shows this:
    7206a#sh run
    Building configuration...
    Current configuration : 53 bytes
    boot-start-marker
    boot-end-marker
    end
    However, #show config
    shows the proper running-config.
    Thanks

  • Command confusion - aaa authorization config-commands

    I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
      >> Shell Command Authorization Sets
          Name: Restricted_Voice
          Description: Configure port voice vlan only.
          Unmatched Commands: Deny
          Add: enable
          Add: configure / permit terminal <cr>
          Add: interface / permit Gi*
          Add: interface / permit Fa*
          Add: switchport / permit voice vlan *
    My switch configuration has the following aaa authorization related lines:
         aaa authorization commands 1 default group tacacs+ if-authenticated
         aaa authorization commands 15 default group tacacs+ if-authenticated
    When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected.
    I went and read up the command reference for "aaa authorization config-commands" in
    http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
    My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
    It looks like I resolved my issue and need to add the new statement to all my switches; I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few or the only one that misinterpreted these "aaa authorization" commands?

    Hi Axa,
    I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
    The below is taken from cisco.com and explains that you should not require the
    aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User
    This in essence is a hidden configured default, i.e. you switch on authorization for config-commands automatically when you use the aaa authorization commands level method command!
    From Cisco.com (I have underlined the key points)
    aaa authorization config-commands
    To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
    aaa authorization config-commands
    no aaa authorization config-commands
    Syntax Description
    This command has no arguments or keywords.
    Defaults
    After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
    Usage Guidelines
    If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
    After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
    Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
    Examples
    The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
    aaa new-model
    aaa authorization command 15 tacacs+ none
    no aaa authorization config-commands

  • AAA Authorization + Switch Cluster = Fail?

    Hi, I had a Switch Cluster running with local authentication and authorization just fine (with aaa new-model). It's a stack of 3750-Xs and several 2960s, they've all been configured more or less the same way with a configuration template.
    I added AAA authentication and authorization and I can still reach each of the switches individually, but when I try to rcommand "x" from the cluster commander, I get:
    #rcommand 2
    % Authorization failed.
    One of the 2960s is a stack and when I run rcommand to that switch I get something different:
    #rcommand 1
    EBMIASWF1LB-01 tty1 is now available
    Press RETURN to get started.
    All other 2960s give me "% Authorization failed."
    3750s are running:
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
    2960S switches are running:
    Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    2960s are running:
    Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    I tried a debug aaa authentication and aaa authorization on the member (destination) 2960 switch and I got this:
    541120: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/BIND(00004788): Bind i/f 
    541121: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: parse name=tty4 idb type=-1 tty=-1
    541122: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0
    541123: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/MEMORY: create_user (0x29DA580) user='radiususer' ruser='NULL' ds0=0 port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
    541124: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/AUTHOR (0x4788): Pick method list 'default'
    541125: Mar  7 2013 17:14:30.754 EST: CLUSTER_MEMBER_2: AAA/AUTHOR/EXEC(00004788): Authorization FAILED
    541126: Mar  7 2013 17:14:32.859 EST: CLUSTER_MEMBER_2: AAA/MEMORY: free_user (0x29DA580) user='radiususer' ruser='NULL' port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15
    Debug on 2960S (stack) is the same.
    The radius server is a Microsoft NPS (IAS on 2012) and all switches have AAA configured the same:
    NPS is sending these AV Pairs:
    shell:priv-lvl=15
    Service-Type = Administrative
    Service-Type = NAS-Prompt-User
    Switches are configured like this:
    aaa new-model
    aaa group server radius RadiusAAA
    server x.x.x.x auth-port 1645 acct-port 1646
    server y.y.y.y auth-port 1645 acct-port 1646
    ip radius source-interface VlanXX
    deadtime 1
    aaa authentication login default group RadiusAAA local
    aaa authorization exec default group RadiusAAA if-authenticated local
    aaa session-id common
    ! etc etc
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 <radius key>
    radius-server host y.y.y.y auth-port 1645 acct-port 1646 key 7 <radius key>
    radius-server deadtime 1
    I've also tried moving around the
    aaa authorization exec default group RadiusAAA if-authenticated local
    to:
    aaa authorization exec default group RadiusAAA local if-authenticated
    But the results are the same... Telnet and SSH work great, but I'd like for the cluster to keep working!
    Any ideas?
    Thanks in advance for your help, I've spent a lot of time on this, and I don't even know if it's supported!
    Esteban

    Here is a good doc that explains different errors:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

  • AAA authorization not working

    Hi,
    I configured the switch for AAA authentication; it's getting authenticated but it's failing for authorization.
    When connected to the console it worked: authenticated and then supplied the enable password.
    When telnetting, it says "access approved" and "authorization failed".
    The relevant switch configuration is as follows, and also the debug of aaa authorization.
    +++++++++++++++++++++++++++++
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname Switch
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default enable
    aaa authorization config-commands
    aaa authorization exec default group radius if-authenticated local
    aaa authorization commands 15 default group radius if-authenticated local
    enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
    username cisco privilege 15 password 7 05080F1C224233 
    vlan 10
    vlan 120
    ip subnet-zero
    vtp mode transparent
    spanning-tree extend system-id
    interface FastEthernet0/1
      switchport access vlan 10
      switchport mode access
      no ip address
      spanning-tree portfast
    interface GigabitEthernet0/1
      no ip address
    interface GigabitEthernet0/2
      no ip address
    interface Vlan1
      no ip address
      shutdown
    interface Vlan120
      ip address 10.12.8.70 255.255.255.240
    ip default-gateway 10.12.8.65
    ip classless
    ip http server
    radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
    radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key cisco
    line con 0
    line vty 0 4
      password 7 grrfcb7swe
      transport input telnet
    line vty 5 15
    end
    Debug output :
    Switch#
    21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
    21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
    21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
    21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:07: AAA/AUTHEN (2947331915): status = PASS
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
    21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
    21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
    21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
    21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
    Switch#
    Switch#
    Do we need to change anything on the RADIUS server, or can we change the authorization preference to local and then to RADIUS?
    Please share the experience.
    Thanks in advance,
    Subodh
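    To work through debug output like Subodh's and Esteban's above, here is an added Python example (not from any post on this page) that scans debug aaa authorization / debug aaa authentication lines in order, ties each "Authorization FAILED" to the user, port, remote address, method list and method seen for that session, and flags the authenticated-but-not-authorized case. The sample lines are copied from the two debug captures on this page; the record fields and the describe() hint text are my own.

```python
import re
from dataclasses import dataclass

# Debug lines copied from the two threads above (one session from the 2960
# cluster member, one from the older switch), lightly trimmed. They are sample
# input for the parser, not live data.
SAMPLE_DEBUG = r"""
541123: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/MEMORY: create_user (0x29DA580) user='radiususer' ruser='NULL' ds0=0 port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0', vrf= (id=0)
541124: Mar  7 2013 17:14:30.729 EST: CLUSTER_MEMBER_2: AAA/AUTHOR (0x4788): Pick method list 'default'
541125: Mar  7 2013 17:14:30.754 EST: CLUSTER_MEMBER_2: AAA/AUTHOR/EXEC(00004788): Authorization FAILED
541126: Mar  7 2013 17:14:32.859 EST: CLUSTER_MEMBER_2: AAA/MEMORY: free_user (0x29DA580) user='radiususer' ruser='NULL' port='tty4' rem_addr='10.183.182.128' authen_type=ASCII service=LOGIN priv=15
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
"""

# Field extractors; both debug formats on this page use these key='value' pairs.
USER_RE = re.compile(r"user='([^']*)'")
PORT_RE = re.compile(r"[Pp]ort='([^']*)'")
ADDR_RE = re.compile(r"rem_addr='([^']*)'")
LIST_RE = re.compile(r"(?:Pick method list|found list) ['\"]([^'\"]*)['\"]")
METHOD_RE = re.compile(r"AUTHOR.*Method=(\w+)")  # only the authorization method, not AUTHEN's


@dataclass
class AuthzFailure:
    user: str
    port: str
    rem_addr: str
    method_list: str
    method: str
    authen_pass_seen: bool  # an AAA/AUTHEN "status = PASS" preceded the failure


def _fresh_ctx():
    return {"user": "?", "port": "?", "rem_addr": "?",
            "method_list": "?", "method": "?", "authen_pass_seen": False}


def triage(lines):
    """Walk debug output in order and return one record per EXEC authorization failure."""
    failures, ctx, pending = [], _fresh_ctx(), None
    for line in lines:
        if "AAA/AUTHEN" in line and "status = PASS" in line:
            ctx["authen_pass_seen"] = True
        for key, rx in (("user", USER_RE), ("port", PORT_RE),
                        ("rem_addr", ADDR_RE), ("method_list", LIST_RE)):
            m = rx.search(line)
            if m:
                ctx[key] = m.group(1).strip()
        m = METHOD_RE.search(line)
        if m:
            ctx["method"] = m.group(1)
        if "AAA/AUTHOR" in line and "Authorization FAILED" in line:
            pending = AuthzFailure(**ctx)
            failures.append(pending)
        if "free_user" in line:
            # free_user repeats user/port/rem_addr, so backfill whatever the
            # failure record did not know yet, then start a new session context.
            if pending is not None:
                for key in ("user", "port", "rem_addr"):
                    if getattr(pending, key) == "?":
                        setattr(pending, key, ctx[key])
                pending = None
            ctx = _fresh_ctx()
    return failures


def describe(f):
    """One-line triage summary with the next thing to check."""
    base = (f"user '{f.user}' from {f.rem_addr} on {f.port}: EXEC authorization FAILED "
            f"(list '{f.method_list}', method {f.method})")
    if f.authen_pass_seen:
        return base + "; credentials were accepted, so check the shell:priv-lvl / Service-Type attributes the server returns"
    return base + "; no AAA/AUTHEN PASS in this excerpt, capture debug aaa authentication as well"


if __name__ == "__main__":
    for failure in triage(SAMPLE_DEBUG.splitlines()):
        print(describe(failure))
```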

    Hi Subodh,
    I understand that you are trying to use command authorization using RADIUS.
    aaa authorization commands 15 default group radius if-authenticated local
    Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
    Please refer to the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
    Regards,
    Karthik Chandran
    *kindly rate helpful post*
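    Several threads on this page turn on the same handful of AAA configuration pitfalls: a named method list applied on a line but never defined, console authorization configured without "aaa authorization console", command authorization pointed at RADIUS, and "no aaa authorization config-commands" left in place. The following Python script is an added example (not from any post here) that audits a show running-config for those four conditions; the sample configuration is constructed for the demonstration and the finding texts are my own wording.

```python
import re

# Constructed sample running-config (not from any device on this page). It
# deliberately combines the pitfalls raised in the threads above so that every
# check below fires at least once.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TacSrvGrp
 server 10.0.0.1
aaa group server radius RadiusAAA
 server 10.0.0.2 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization exec CONSOLE group RadiusAAA local
aaa authorization commands 15 default group RadiusAAA if-authenticated local
no aaa authorization config-commands
line con 0
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 0 4
 authorization exec TacAuth
 authorization commands 15 TacCommands15
 login authentication TacLogin
 transport input ssh
"""

# Global method-list definitions, e.g. "aaa authorization exec TacAuth group TacSrvGrp local"
AAA_LIST_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$"
)
# Method-list references inside a "line ..." section, e.g. "login authentication TacLogin"
LINE_REF_RE = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+) (\S+)$"
)
RADIUS_GROUP_RE = re.compile(r"^aaa group server radius (\S+)$")
LINE_SECTION_RE = re.compile(r"^line (\S+ \d+(?: \d+)?)$")


def parse_config(text):
    """Split a show running-config into global commands and per-"line" sub-commands."""
    global_cmds, line_sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw.startswith(" "):  # IOS indents sub-commands by one space
            if current is not None:
                line_sections[current].append(cmd)
            continue
        m = LINE_SECTION_RE.match(cmd)
        current = m.group(1) if m else None  # e.g. "con 0", "vty 0 4"
        if current is not None:
            line_sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_sections


def audit(text):
    """Return human-readable findings for the AAA pitfalls discussed in the threads above."""
    global_cmds, line_sections = parse_config(text)
    findings = []
    radius_groups = {"radius"}  # built-in group name plus any named RADIUS groups
    for cmd in global_cmds:
        m = RADIUS_GROUP_RE.match(cmd)
        if m:
            radius_groups.add(m.group(1))
    defined = {}  # ("authorization exec", "TacAuth") -> "group TacSrvGrp local"
    for cmd in global_cmds:
        m = AAA_LIST_RE.match(cmd)
        if not m:
            continue
        kind, name, methods = m.groups()
        defined[(kind, name)] = methods
        # Per-command authorization is a TACACS+ feature; RADIUS cannot return per-command verdicts.
        if kind.startswith("authorization commands") and radius_groups & set(methods.split()):
            findings.append(f"'{cmd}': command authorization requires TACACS+, not RADIUS")
    if "no aaa authorization config-commands" in global_cmds:
        findings.append("'no aaa authorization config-commands': configuration-mode commands are not authorized")
    console_authz = "aaa authorization console" in global_cmds
    for line_name, subcmds in line_sections.items():
        for sub in subcmds:
            m = LINE_REF_RE.match(sub)
            if not m:
                continue
            ref_kind, name = m.groups()
            # Line syntax reverses the keyword order of the global definition.
            kind = "authentication login" if ref_kind == "login authentication" else ref_kind
            if name != "default" and (kind, name) not in defined:
                findings.append(f"line {line_name}: '{sub}' references undefined method list '{name}'")
            # Console authorization is ignored unless "aaa authorization console" is set globally.
            if line_name.startswith("con") and ref_kind.startswith("authorization") and not console_authz:
                findings.append(f"line {line_name}: '{sub}' has no effect without 'aaa authorization console'")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```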
