AAA authorization not working

Hi,
I configured the switch for AAA authentication; it gets authenticated but fails at authorization.
When connected to the console it worked: authenticated and then supplied the enable password.
When telnetting in, it says "access approved" and "authorization failed".
The relevant switch configuration follows, along with the debug output of aaa authorization.
+++++++++++++++++++++++++++++
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
username cisco privilege 15 password 7 05080F1C224233 
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
  switchport access vlan 10
  switchport mode access
  no ip address
  spanning-tree portfast
interface GigabitEthernet0/1
  no ip address
interface GigabitEthernet0/2
  no ip address
interface Vlan1
  no ip address
  shutdown
interface Vlan120
  ip address 10.12.8.70 255.255.255.240
ip default-gateway 10.12.8.65
ip classless
ip http server
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
  password 7 grrfcb7swe
  transport input telnet
line vty 5 15
end
Debug output:
Switch#
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#
Do we need to change anything on the RADIUS server, or can we change the authorization preference to local first and then RADIUS?
Please share your experience.
Thanks in advance,
Subodh

Hi Subodh,
I understand that you are trying to use command authorization using RADIUS.
aaa authorization commands 15 default group radius if-authenticated local
Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
Please refer to the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
Regards,
Karthik Chandran
*kindly rate helpful post*

Similar Messages

  • Analysis Authorization not working - Empty demarcation

    Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
    I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
    - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
    - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
    Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
    Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
    I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
    What I did:
    1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
    2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
    a) S_RS_COMP
    - Activity = 03 and 16
    - InfoArea = ZIA_TEST
    - InfoCube = ZIC_TEST
    - Type of report component = *
    - Name of report component = *.
    b) S_RS_COMP1
    - Kept * to all fields.
    c) S_RS_AUTH
    - I inactivated and deleted this Authorization Object.
    (I don't want to keep the characteristic value restriction inside the role. The idea is to associate different users with the same role, allowing them to see the same ICs and execute the same queries, and to differentiate which characteristic values each one can see by manually associating a different analysis authorization with each one.)
    3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
    - ZCA_CLI = "CLI_01"
    - 0TCAACTVT = "03"
    - 0TCAIPROV = "ZIC_TEST"
    - 0TCAVALID = "*".
    4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
    5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
    It seems to me that these steps are enough. But:
    a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
    b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
    Which means that S_RS_COMP is OK and each user is assigned to the correct Role.
    c) The problem is that in both cases the query brings data from all Clients.
    Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
    I changed the variable to be Ready for Input, just to see which values it brings. In both cases (as USER_00 and as USER_01) the Variable Screen brings all 5 Clients from the IC and I can select and execute any value.
    So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
    Any help will be very appreciated.
    César

    OK Marc, it worked.
    Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
    1) Security Concept
    Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
    I changed to "Current Procedure with Analysis Authorizations".
    Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
    2) Variable Representation
    With "Multiple Single Values" it really led to problems.
    With "Selection Option" it worked well.
    3) 0TCAKYFNM
    I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it reports "You do not have sufficient authorization".
    Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, which doesn't impact).
    Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
    4) Authorization Policy Definition
    The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to which they are related.
    There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
    I'm now sympathetic to this way:
    a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
    b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
    c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
    d) Associate Users to the Composite Roles.
    Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
    Well, thank you very much for your answers. Now I can go on with my studies on this subject.
    César Menezes

  • Analysis authorization not working on WAS server

    Is BI Java required for Analysis authorization to work?
    Can we manage with the WAS server to show analysis authorization?
    Actually we don't have BI Java configured in our system, so we are executing the query on the WAS server (BI ABAP), but on this we are not able to see analysis authorization working: the system is showing all the possible values and not the authorized value in the AA.
    Regards
    Tripple k

    Jason
    1. 0BI_ALL is not assigned to the user.
    2. I have already set the Authorization scheme as "New analysis authorization" in SPRO.
    3. I am executing the report from T-Code RSRT
       A> Select the report and click on ABAP Web (choose query display as List, Analyzer or HTML) - the system is showing the entire orgunit while it should show only the 3 org units assigned to the user in RSECADMIN.
       B> Select the query and execute on Java Web - error in connection, as BI Java is not there on the portal side.
       C> Select the query, choose Query Display as "HTML" and click on the Execute button - only the 3 values restricted in RSECADMIN are appearing.
    Hope somebody can throw some light on this.
    Regards
    Tripple k

  • AAA authentication not working and 'default' method list

    Guys,
    I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
    Config
    aaa new-model
    username admin privilege 15 secret 5 xxxxxxxxxx.
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 0006140E54xxxxxxxxxx
    ip tacacs source-interface Vlan200
    Debugs
    002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
    002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    core01#
    002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
    002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
    002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
    002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
    002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
    002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
    002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
    002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
    002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
    002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
    002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
    002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
    002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
    002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
    Enter configuration commands, one per line.  End with CNTL/Z.
    core01(config)#
    002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
    002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
    002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
    002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
    core01(config)#

    Are the tacacs+ servers reachable using the source VLAN 200? Also, on the tacacs+ server can you check that the IP address for this device is correctly configured, and please check that the password on both the server and this device match.
    As rick suggested sh tacacs would be good as well. That would show failures and successes
    HTH
    Kishore
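An added example (my own, not code from either thread): a small Python triage script that parses IOS `debug aaa` output like Subodh's RADIUS exec-authorization debug in the original question and the TACACS+ command-authorization debug in this thread, groups lines by AAA session id, and reports the two patterns seen on this page: a user who authenticated but whose EXEC/CMD authorization the server rejected (FAIL), and a server ERROR followed by a fallback to the next method (here LOCAL). The sample lines are constructed, abbreviated from the debugs posted above.

```python
import re

# Constructed sample: abbreviated from the two debug transcripts posted in these
# threads (RADIUS exec authorization, then TACACS+ command authorization).
SAMPLE_DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002358: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
"""

# IOS tags every authen/author transaction with a numeric id in parentheses.
SESSION_RE = re.compile(r"AAA/(AUTHEN|AUTHOR)\S*[^(]*\((\d+)\)")
USER_RE = re.compile(r"user='([^']*)'")
PORT_RE = re.compile(r"Port='(\w+)'")
SERVICE_RE = re.compile(r"\bservice=(\w+)")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"status = (\w+)")


def parse_sessions(lines):
    """Group debug lines by session id; record user, port, service, methods tried and outcomes."""
    sessions = {}
    for line in lines:
        m = SESSION_RE.search(line)
        if not m:
            continue
        phase, sid = m.groups()
        s = sessions.setdefault(sid, {"phase": phase, "user": None, "port": None,
                                      "service": None, "methods": [], "statuses": []})
        u = USER_RE.search(line)
        if u and u.group(1) != "(undef)":
            s["user"] = u.group(1).strip()   # the EXEC line prints a trailing space
        p = PORT_RE.search(line)
        if p:
            s["port"] = p.group(1)
        v = SERVICE_RE.search(line)
        if v and s["service"] is None:       # first hit is the Port= line, not "send AV service=shell"
            s["service"] = v.group(1)
        for rx, key in ((METHOD_RE, "methods"), (STATUS_RE, "statuses")):
            h = rx.search(line)
            if h:
                s[key].append(h.group(1))
    return sessions


def findings(lines):
    """Return (session_id, code, detail) tuples for the failure patterns worth a closer look."""
    sessions = parse_sessions(lines)
    authenticated = {s["user"] for s in sessions.values()
                     if s["phase"] == "AUTHEN" and "PASS" in s["statuses"]}
    out = []
    for sid, s in sessions.items():
        if s["phase"] != "AUTHOR":
            continue
        first = s["methods"][0] if s["methods"] else "?"
        if "FAIL" in s["statuses"]:
            # The server answered and said no: the user's profile on that server is the
            # place to look (for RADIUS, what it returns for this user on exec requests).
            prefix = "authenticated, but " if s["user"] in authenticated else ""
            out.append((sid, "AUTHOR_REJECTED",
                        f"{prefix}{s['service']} authorization for '{s['user']}' on {s['port']} "
                        f"rejected by {first}"))
        if "ERROR" in s["statuses"] and len(s["methods"]) > 1:
            # ERROR is not a rejection: the server could not be consulted, so IOS moved on
            # to the next method in the list. Reachability and shared key are the usual causes.
            out.append((sid, "SERVER_ERROR_FALLBACK",
                        f"{first} returned ERROR for '{s['user']}' on {s['port']}, "
                        f"fell back to {s['methods'][-1]}"))
    return out


if __name__ == "__main__":
    for sid, code, detail in findings(SAMPLE_DEBUG.splitlines()):
        print(f"{sid:>12} {code:<22} {detail}")
```

Feed it the output of `debug aaa authentication` and `debug aaa authorization` to separate "the server rejected this user" from "the server was never reached" before touching the method lists.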

  • Bluetooth authorization not working (bluez-simple-agent)

    Hello
    I'm trying to connect my Sony BD remote control to my laptop. Pairing and manual connect using hcitool work fine, but when my remote control initiates the connection, my laptop seems to deny its connection requests. (See attached hcidump output.)
    I have tried using bluez-simple-agent, and I get the authorization request prompt. I enter 'yes', hit return, and I immediately get "Cancel" printed on the terminal. The remote control is still not authorized.
    I have dbus running, as well as bluetoothd, hci2hci and hidd running.
    Please help! I'm clueless at this point.
    hcidump says:
    * Connection pending - Authorization pending
    * Connection refused - security block
    * Reason: Remote User Terminated Connection
    hcidump output:
    > ACL data: handle 11 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 19 scid 0x0148
    < ACL data: handle 11 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0041 scid 0x0148 result 1 status 2
    Connection pending - Authorization pending
    < ACL data: handle 11 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0041 scid 0x0148 result 3 status 0
    Connection refused - security block
    > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 11 packets 2
    > ACL data: handle 11 flags 0x02 dlen 12
    L2CAP(s): Disconn req: dcid 0x0040 scid 0x0147
    < ACL data: handle 11 flags 0x02 dlen 12
    L2CAP(s): Disconn rsp: dcid 0x0040 scid 0x0147
    > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 11 packets 2
    > ACL data: handle 11 flags 0x02 dlen 12
    L2CAP(s): Disconn req: dcid 0x0041 scid 0x0148
    < ACL data: handle 11 flags 0x02 dlen 12
    L2CAP(s): Disconn rsp: dcid 0x0041 scid 0x0148
    > ACL data: handle 11 flags 0x02 dlen 12
    L2CAP(s): Disconn rsp: dcid 0x0147 scid 0x0040
    > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 11 packets 2
    > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 11 packets 1
    > HCI Event: Disconn Complete (0x05) plen 4
    status 0x00 handle 11 reason 0x13
    Reason: Remote User Terminated Connection
    Last edited by oskarn (2009-10-29 17:03:43)

    Is there any way to add a device to a list of trusted devices?
    I once read about a certain file called "trusted" in a bluetooth directory, and it almost worked when I added my device there, but once connected it disconnected and the device was removed from the trusted list.
    Any idea what is going on here?

  • Hierarchy Authorization not working on Navigational Attribute

    Hello,
    We have 0ORGUNIT as nav attribute in 0EMPLOYEE and 0ORGUNIT has enterprise hierarchy set.
    Now we have analysis authorization based on both 0ORGUNIT and 0EMPLOYEE__0ORGUNIT (nav attr).
    When a user tries to run a web report which has the normal 0ORGUNIT in it, in the variable screen he is able to see the entire hierarchy tree structure as per his authorizations. On the other hand, when the same user tries to run another report which has the nav attr 0EMPLOYEE__0ORGUNIT in it, in the variable screen he can see only the top nodes of the hierarchy to which he is authorized. He can't see the tree structure.
    Please note we are on BI 7 SPS 21 and in both the queries we are using hierarchy variable set on correct hierarchy. Also the attributes in the query have hierarchy activated on them.
    Please suggest any ideas/views for the same.
    Thanks!!
    Regards,
    Shashank

    Neo - We need current info on 0ORGUNIT and hence can't go with the concept of historic truth as per what you mentioned.
    Bhawani - We have set it to level 1, which is perfectly fine as it works for other hierarchies perfectly.
    Regards,
    Shashank

  • Authorization not working

    I have a problem with authorization - I tried to play music that my brother had bought on his computer, and was prompted to authorize (it was already authorized). After authorizing the song did not play, but when I clicked on it it prompted me to authorize again. Each time I authorized it displayed a message along the lines of "Authorization Successful, 5 out of 5 machines authorized." I went to the account and deauthorized all computers. Now when I try to authorize it says Authorization Successful, 1 out of 5 machines authorized, but when I try to play it again prompts me to authorize.
    I have recently uninstalled iTunes 7.6 and installed 7.5(.02?) because of other problems that I was having. Could this be the source of the problem? To me it doesn't seem likely and I would really hate to go back to 7.6.
    Thanks for any help

    Click here and follow the instructions.
    (29743)

  • Authorization not working on new computer; can't play music!

    I moved all of my music from my old computer to my new computer, and I did so using my iPod and the instructions that Apple provides on their website. All of the music shows up in iTunes on the new computer, but it won't play. I get a pop-up indicating that I need to authorize this computer to play whatever song I have selected, but even after it tells me "Authorization Successful, You have authorized two out of five computers," I cannot play the music. I have tried everything humanly possible to fix the problem, to no avail. Can anyone help? This is very frustrating.
      Windows XP  

    Suedarn,
    When you bought and downloaded the episodes, you got what you paid for. When you go to another computer you can't redownload them; you have to transfer the file from the old PC to the new one or make a backup of what you bought, so when your PC crashes you can reload the PC with a backup.
    If you only saved the "Programs" folder and not the "My Music" folder where iTunes puts all its bought songs, then you're most likely out of luck. You can try to email the Music Store to see if they will set up a "Re download" of your lost episodes and download them using "Check for purchases" under the Advanced menu in iTunes. Just keep in mind they're under no obligation to do so; it states on their site that if you lose it you have to buy it again. I had a system failure and emailed them and LUCKILY they offered a re-download option for me to get my songs back, and I made a backup ASAP.
    Here's a link to email the music store: http://www.apple.com/support/itunes/musicstore/download/
    Here's a link on how to back up purchases in iTunes: http://www.apple.com/support/itunes/musicstore/backup/

  • Help! Apps won't load and authorization not working.

    Hi.
    When I updated my new iPod recently, many of my apps seem to have required 'authorization' in order to upload them to my recently bought iPod Touch 5S. However, when I try to validate, it says it cannot access iTunes Store, even though I can otherwise. My apps aren't uploaded to my iPod. Any help?

    Can't connect to the iTunes Store

  • Windows to Mac - authorization not working

    I just bought a brand new MacBook Pro and wanted to move my iTunes library from my PC to the Mac. I authorized the Mac, turned on Home Sharing, but NONE of the purchased music will import. I'm being told the computer isn't authorized, though it very clearly is. What can I do to get EVERYTHING off my PC onto the Mac so it will be the computer I sync to for numerous devices? Thank you!

    If you go to the support page there are some things you can try before you use the chat option to ask Apple for help:
    http://www.apple.com/uk/support/itunes/
    Go to the Authorisation section and there is a menu for Troubleshooting problems - one of the links is to [Some of my iTunes Store purchases won't play|http://support.apple.com/kb/HT1325]
    I'm sorry I don't know how to fix your problem as I've never moved from Windows to Mac. Hopefully someone else with more knowledge will see this and respond.
    Regards,
    Colin R.

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple them together. What I would suggest is that you either use the Shell command authorization set feature or play with privilege levels, not both mixed together.
    The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
    This is why I suggest moving the commands back to their normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name for the set.
    Provide a sufficient description (if required).
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    And in the box above 'Add Command' type in the main command, and in the box below 'Permit unmatched Args' provide the sub-command to allow.
    For example: if we want the user to be able to access only the following commands:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Go to the group to which we want to apply this command authorization set. Select 'Edit Settings'.
    (cont...)

  • Aaa authorization is confusing

    Hi... this command has confused me many times :(. Is it true that aaa authorization can return an ACL and time for a user? How does aaa authorization know which user is associated if aaa authentication is "aaa authentication login default local"? To make it more complete... does aaa authorization only work with TACACS? Thanks a lot ;)

    Hi,
    If the tacacs server fails to respond, then local network authorization will be performed.
    Assuming this command: aaa authorization network test tacacs local.
    Keep in mind that only a limited set of functions can be controlled via the local database.
    HTH
    Regards,
    Bjornarsb

  • AAA auth with ip http server not working

    Hi all,
    I am unable to get ip http server to authenticate against TACACS. Attached is the debug output when logging in with the user "mark".
    Router config:
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authentication login ALREADY-IN none
    aaa authentication login web group tacacs+ local enable
    aaa authorization exec web group tacacs+ local if-authenticated
    aaa session-id common
    ip http server
    ip http authentication aaa login-authentication web
    ip http authentication aaa exec-authorization web
    the priv-lvl 15 attribute is being sent, but IP HTTP Auth fails.. any ideas why?
    Cheers,
    Mark
    Update: Fixed it! I believe the access-enable autocommand was the cause!

    Hi,
    I have seen that additional attributes such as "access-enable timeout 1920" would not allow http authentication to work with certain IOS versions.
    Regards,
    Vivek

  • Please please please AAA not working

    dears,
    My company works as an ISP and there are customers using ADSL connectivity. I did my test but I cannot access ADSL. I used the following commands for AAA:
    aaa authentication ppp default group radius
    aaa authorization network default group radius
    aaa accounting network default start-stop group radius
    aaa accounting connection default start-stop group radius.
    PLEASE see the attached file for more details.
    Please, can anybody tell me why I cannot access???

    Tareq
    It looks to me like things are working ok up to this point:
    *Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Author
    *Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: timeout
    *Sep 23 02:53:17.674: AAA/AUTHOR: Processing PerUser AV timeout
    *Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: service-type
    *Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: link-compression
    *Sep 23 02:53:17.674: AAA/AUTHOR: Processing PerUser AV link-compression
    *Sep 23 02:53:17.674: Vi3 AAA/AUTHOR/LCP: Process Attr: h323-return-code
    *Sep 23 02:53:17.674: AAA/AUTHOR: mandatory attribute 'h323-return-code' unhandled
    and from there the session is failing and is being terminated and cleaned up. Unfortunately I am not clear whether the problem is with the setup of the user in the RADIUS server or in the setup of the remote client.
    HTH
    Rick

  • 2960 AAA Not Working

    I am trying to get AAA Authentication working on a Cisco 2960-24pc-l running 12.2(55)SE5 IOS and cannot get it to work.  I have it currently working on a Cisco 3750-24te-m running 12.2(55)SE IOS.  Here is my config:
    enable secret 5 xxxxxxxxxxxx
    username admin privilege 15 secret 5 xxxxxxxxxxxx
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    tacacs-server host 10.20.8.9 single-connection key xxxxxxxxxxxx
    tacacs-server directed-request
    line con 0
    session-timeout 5
    line vty 0 4
    session-timeout 5
    transport input telnet
    line vty 5 15
    session-timeout 5
    When I log in to the 3750, AAA is used.  When I log in to the 2960, the local username is used.  Any thoughts here as to why it works on the 3850 and not the 2960?

    Can you try adding "login authentication default" under both the console and the vty lines?
    So you will have
    line con 0
    session-timeout 5
    login authentication default
    line vty 0 4
    session-timeout 5
    transport input telnet
    login authentication default
    line vty 5 15
    session-timeout 5
    login authentication default
    Thank you for rating!
