AAA -- Int range configuration gives "Command authorization failed" msg.

Versions involved:
AAA
ACS 4.1.4.13.12
Devices:
C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
HOST1184(config-if-range)# dot1x max-req 1
HOST1184(config-if-range)# dot1x max-reauth-req 1
HOST1184(config-if-range)# dot1x reauthentication
HOST1184(config-if-range)# dot1x guest-vlan 280
HOST1184(config-if-range)# spanning-tree portfast
HOST1184(config-if-range)#!
HOST1184(config-if-range)#end
HOST1184#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
Command authorization failed.
HOST1184(config-if-range)# dot1x max-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x max-reauth-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x reauthentication
Command authorization failed.
HOST1184(config-if-range)# dot1x guest-vlan 280
Command authorization failed.
HOST1184(config-if-range)# spanning-tree portfast
Command authorization failed.
HOST1184(config-if-range)#!
The pieces of config are as follows:
aaa new-model
aaa group server radius dot1x
server 10.61.156.136 auth-port 1812 acct-port 1813
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 <removed>
logging 10.142.4.45
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "SD"
snmp-server contact contact - [email protected]
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
no tacacs-server directed-request
radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
radius-server retransmit 3
Does anyone out there have a solution for such a problem?
Regards,
AL

Hi JG, thanks for your response.
I don't have the appliance close to me, so I cannot check on this setting.
As soon as I have a chance, I will return with this info.
Anyway, why does it work for other devices, and why don't we have any problem when configuring a small range of interfaces?
Once again, thanks for your reply.
Regards,
AL

Similar Messages

  • Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request' % Incomplete command.

    We are using a Cisco ASR 9006. We configured aaa authentication and committed the changes; after that I am able to log in to the ASR with a local user, but no command executes and I get this error:
    Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
    % Incomplete command.
    Please help.

    Hi Anop
    How did you get over this problem? I am having the same issue.
    Regards
    Rohan

  • Command authorization failed

    I have turned on aaa command authorization without applying adequate privileges to the user. I can now log in with that user, but the ASA 5510 displays an error:
    ============================
    EUKFW2# show running-config
    ^
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
    ============================
    I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization? If not, how can I resolve this situation?

    No, there is no default user. To let him log in you need to make changes in the command authorization set.
    Make one command authorization set in ACS ---> Shared Profile Components.
    Add ---> give any name, e.g. "Full access" ---> set the radio button to Permit and submit.
    Now go to that group ---> under Shell Command Authorization Set ---> choose "Assign a Shell Command Authorization Set for any network device", select FULL ACCESS from the list, then submit and apply.
    Now it should let you in.
    Caution: this lets that user issue all commands.
    Find attached the way to set up command authorization.
    The trick here is to give all users priv lvl 15 and then apply the command authorization set.
    Having priv lvl 15 does not mean that the user will be able to issue all commands. The user will only be able to issue the commands that you have listed.
    Regards,
    ~JG
    Please rate if this helps

  • Command authorization failed ACS 5.6

    I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
    I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
    The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
    The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
    Here are the AAA settings on the switch:
    aaa authentication login listASH group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec listASH group tacacs+ local
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    tacacs-server host 10.1.2.212
    tacacs-server timeout 3
    tacacs-server directed-request
    tacacs-server key <key>
    line vty 0 4
    access-class vty-access in
    logging synchronous level all
    login authentication listASH
    transport input ssh
    Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.

    Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried issuing some debugs to see if you are getting any errors?
    debug aaa authentication
    debug aaa authorization
    debug tacacs authorization
    Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.
    Thank you for rating helpful posts!

  • AAA issue ( command authorization failed)

    I am getting the issue, and the following is the configuration; I cannot find and locate the cause of the error!
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hexxor
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
    enable password 7 0525112F05411F075231123E
    username hexxor password 7 024D2A103F26243363593D1C2B5C
    aaa new-model
    aaa authentication login T-AUTH group tacacs+ local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
    aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
    aaa accounting exec T-ACC start-stop group tacacs+
    aaa accounting commands 15 T-ACC start-stop group tacacs+
    interface Vlan1
    no ip address
    interface Vlan50
    ip address 128.1.50.54 255.255.255.0
    no ip route-cache
    ip default-gateway 128.1.50.254
    no ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging 10.241.40.20
    logging 128.1.50.245
    access-list 1 permit 128.1.50.245
    snmp-server host 10.241.40.27 Armageddon
    snmp-server host 128.1.50.245 Armageddon
    tacacs-server host 10.241.40.22
    tacacs-server host 10.241.40.23
    tacacs-server directed-request
    tacacs-server key 7 020813480E052F2E4D
    line con 0
    exec-timeout 5 0
    password 7 1142374E2332201E2B3D1F210678
    authorization commands 15 T-AUTHOR
    authorization exec T-AUTHOR
    accounting commands 15 T-ACC
    accounting exec T-ACC
    login authentication T-AUTH
    transport preferred none
    line vty 0 4
    exec-timeout 5 0
    password 7 06281801684358174E231727
    authorization commands 15 T-AUTHOR
    authorization exec T-AUTHOR
    accounting commands 15 T-ACC
    accounting exec T-ACC
    login authentication T-AUTH
    transport input telnet
    transport output telnet
    line vty 5 15
    password 7 0228137B2F0B5E2F077A0C35
    end

    Based on what I think I understand from this reply, it appears that the problem is caused in the named authorization method T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
    I would suggest this as a first test:
    - login to the device.
    - go into enable mode.
    - attempt the show run command. (I assume that it will fail)
    - check on the TACACS server. Look in the logs for indications of how it processed the request and why it did not authorize it.
    If you want to do a second test to verify the cause of the problem then I would suggest this:
    - remove from the config these lines
    aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
    aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
    then login to the device, go into enable mode, attempt the show run command
    Try one or both of these tests and post back to tell us of the results.
    HTH
    Rick

  • ACS command Authorization on PIX Console

    I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
    aaa-server TACACS+ (inside) host 172.28.x. xx
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    But the problem is that I don't want to have ACS authentication while connecting via the console. In case of an emergency when
    ACS is down, I want to get on the console and access the device using a local username and password,
    but now, after this configuration, when I try to access the firewall via the console I get a
    command authorization failed error.
    I don't want to have any command authorization while connected via the console. Please tell me how to resolve this issue.
    I have made the command authorization set in ACS and it is working fine for me.

    Kindly check my modified configuration once again.
    I wanted to use this option in case ACS goes down so that I can console into my firewall, but it is not working for me.
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (edn) host 172.28.31.132
    aaa-server TACACS+ (edn) host 172.28.31.133
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but I am not able to log in; I am getting the following error:
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> enable
    Command authorization failed
    I also defined the local command authorization set like this:
    privilege cmd level 15 mode exec command exit
    privilege show level 5 mode exec command running-config
    privilege show level 15 mode exec command version
    privilege show level 0 mode exec command access-list
    privilege show level 0 mode configure command access-list
    privilege cmd level 15 mode configure command exit
    privilege cmd level 15 mode configure command no
    privilege cmd level 0 mode configure command access-list
    privilege cmd level 15 mode interface command exit
    privilege cmd level 15 mode subinterface command exit
    privilege cmd level 15 mode dynupd-method command exit
    privilege cmd level 15 mode trange command exit
    privilege cmd level 15 mode route-map command exit
    privilege cmd level 15 mode router command exit
    privilege cmd level 15 mode ldap command exit
    privilege cmd level 15 mode aaa-server-host command exit
    privilege cmd level 15 mode aaa-server-group command exit
    privilege cmd level 15 mode context command exit
    privilege cmd level 15 mode group-policy command exit
    privilege cmd level 15 mode username command exit
    privilege cmd level 15 mode tunnel-group-general command exit
    privilege cmd level 15 mode tunnel-group-ipsec command exit
    privilege cmd level 15 mode tunnel-group-ppp command exit
    privilege cmd level 15 mode mpf-class-map command exit
    privilege cmd level 15 mode mpf-policy-map command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-param command exit
    Please tell me how to solve this problem.

  • AAA authorization fails, but still command is executed...

    Hi everyone,
    I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
    Now I try to configure a loopback or Vlan interface, which should not be allowed.
    COMMANDS IMPLEMENTED:
    aaa authorization config-commands
    aaa authorization commands 0 vty group tacacs+ none
    aaa authorization commands 1 vty group tacacs+ none
    aaa authorization commands 15 vty group tacacs+ none
    line vty 0 15
    authorization commands 0 vty
    authorization commands 1 vty
    authorization commands 15 vty
    COMMAND AND OUTPUT FROM TESTING:
    SWITCH(config)#int vlan 2
    Command authorization failed.
    DEBUG AAA AUTHORIZATION:
    SWITCH#
    Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
    Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
    Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
    Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
    As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
    RESULT:
    SWITCH#sh run int vlan 2
    Building configuration...
    Current configuration : 38 bytes
    interface Vlan2
    no ip address
    end
    QUESTION:
    I don't understand what the problem is. Since I get a FAIL from the TACACS server, I assume that the configuration on that side is fine.
    But why would the switch ignore a FAIL and still execute the command? The same problem exists with the Loopback interface.
    Is this me not understanding the basic concept of AAA, or is this some other problem?
    The switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
    The TACACS server runs Cisco Secure ACS 4.2.0.124.
    Thanks,
    Tom

    Hi Tom,
    This is CSCtd49491: TACACS+ command authorization for interface configuration fails.
    The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
    As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
    You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
    hth
    Herbert
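    As an added example (not Cisco's code and not from this thread), the script below parses the debug aaa authorization output Tom posted into one record per authorization request and cross-checks denied interface commands against the running config, which is the mismatch he describes. SAMPLE_DEBUG reuses his debug lines; RUNNING_CONFIG is constructed from his sh run output.

```python
"""Parse Cisco IOS 'debug aaa authorization' output and flag commands that
TACACS+ denied but that nonetheless appear in the running configuration.
Added example for the thread above, not Cisco's or the poster's code; the
debug lines are those from Tom's post, RUNNING_CONFIG is constructed from
his 'sh run int vlan 2' output."""
import re
from dataclasses import dataclass, field

# Every debug line of one authorization request carries the same id in ().
HDR_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Port='([^']*)' list='([^']*)'")
USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
METHOD_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Method=(\S+)")
AV_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV ([\w-]+)=(.*)$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

@dataclass
class AuthorRequest:
    session: str
    user: str = ""
    port: str = ""
    method_list: str = ""
    method: str = ""
    avs: list = field(default_factory=list)  # (attr, value) pairs sent to the server
    status: str = "UNKNOWN"

    def args(self) -> list:
        # IOS sends one cmd-arg AV per word plus a final literal '<cr>' marker.
        return [v for k, v in self.avs if k == "cmd-arg" and v != "<cr>"]

    def command(self) -> str:
        """The command line exactly as the NAS asked the server about it."""
        cmd = next((v for k, v in self.avs if k == "cmd"), "")
        return " ".join([cmd] + self.args())

def parse_author_debug(lines):
    """Group debug lines by session id into AuthorRequest objects."""
    reqs = {}
    def get(sid):
        return reqs.setdefault(sid, AuthorRequest(session=sid))
    for line in lines:
        if m := HDR_RE.search(line):
            get(m.group(1)).port = m.group(2)
            get(m.group(1)).method_list = m.group(3)
        elif m := USER_RE.search(line):
            get(m.group(1)).user = m.group(2)
        elif m := METHOD_RE.search(line):
            get(m.group(1)).method = m.group(2)
        elif m := AV_RE.search(line):   # the AAA/AUTHOR/TAC+ copies are skipped
            get(m.group(1)).avs.append((m.group(2), m.group(3)))
        elif m := STATUS_RE.search(line):
            get(m.group(1)).status = m.group(2)
    return list(reqs.values())

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)

def denied_but_present(requests, running_config):
    """Denied 'interface ...' requests whose interface exists anyway (the bug
    in the thread). IOS stores 'interface Vlan 2' as 'interface Vlan2', so
    names are compared with spaces removed and case folded."""
    present = {m.group(1).lower() for m in
               (IFACE_RE.match(l.strip()) for l in running_config.splitlines()) if m}
    return [(r.user, r.command()) for r in requests
            if r.status == "FAIL" and r.command().lower().startswith("interface ")
            and "".join(r.args()).lower() in present]

SAMPLE_DEBUG = """\
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
"""
RUNNING_CONFIG = "interface Vlan2\n no ip address\nend\n"

if __name__ == "__main__":
    reqs = parse_author_debug(SAMPLE_DEBUG.splitlines())
    for r in reqs:
        print(f"{r.user}@{r.port} list={r.method_list} via {r.method}: "
              f"'{r.command()}' -> {r.status}")
    print("denied but present:", denied_but_present(reqs, RUNNING_CONFIG))
```

    Feeding it a longer debug capture alongside a post-change show running-config gives a quick list of the denied commands that still took effect.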

  • Failed Configuration Terminal Command and Router's Buffer Log Reporting

    Certain users aren't allowed to issue the 'conf t' command on routers. When they attempt to do so they get the message 'command authorization failed.' However, in the router's buffer log the following is stated:
    %SYS-5-CONFIG_I: Configured from console by <user> on vty0 <user's ip addr>
    If the 'conf t' command failed authorization why would the router report the system was configured?

    I am not positive about this but I have an idea that the explanation involves the fact that the buffer log message is generated when someone exits from config mode. I believe that what is happening is that when the person enters the conf t command the router enters config mode, but before the prompt is presented to the person the router checks for authorization. If the authorization is negative then the router generates the error message 'command authorization failed.' and exits config mode which generates the log message that you are seeing.
    HTH
    Rick

  • Pix command authorization problem

    Help required.
    I am trying to configure PIX firewall command authorization using Cisco Secure ACS 4.2 and a PIX 515 running 7.0(5), but have run into a problem: I can't get it to work!
    I have included the PIX firewall configuration below and have included screen shots of the ACS configuration as attachments.
    As you can see, I can authenticate OK, but that is as far as I can go: as soon as I try to use the enable command, authorization fails. I can't even enter a password.
    I have created two shell command authorization sets, one called admins which is configured to allow all commands, and one called restricted which restricts me to only a few commands.
    If I apply the admins authorization set to the group where the user resides, I can authenticate and authorize and I have access to all commands, but if I apply the restricted authorization set I get the problem depicted below.
    I would appreciate it if someone could take a look and give me some pointers as to where I am going wrong.
    Regards
    Melvyn Brown
    interface ethernet0
    nameif outside
    ip address 110.1.1.1 255.255.255.0
    speed 100
    duplex full
    no shut
    interface ethernet1
    nameif inside
    ip address 192.168.8.2 255.255.255.0
    speed 100
    duplex full
    no shut
    route inside 192.168.7.0 255.255.255.0 192.168.8.1
    route inside 192.168.3.0 255.255.255.0 192.168.8.1
    aaa-server ACS1 protocol tacacs+
    aaa-server ACS1 host 192.168.7.2
    key cisco123
    domain-name acme.com
    crypto key generate rsa modulus 1024
    telnet 192.168.3.2 255.255.255.255 inside
    ssh 192.168.3.2 255.255.255.255 inside
    aaa authentication enable console ACS1
    aaa authentication serial console ACS1
    aaa authentication ssh console ACS1
    aaa authentication telnet console ACS1
    aaa authorization command ACS1
    Username: fred
    Password: **********
    Type help or '?' for a list of available commands.
    pixfirewall> en
    Command authorization failed
    pixfirewall> ?
      clear   Reset functions
      enable  Turn on privileged commands
      exit    Exit from the EXEC
      help    Interactive help for commands
      login   Log in as a particular user
      logout  Exit from the EXEC
      ping    Send echo messages
      quit    Exit from the EXEC
      show    Show running system information

    Fixed it. It was one of those ID10T type errors. The user I was testing against was in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!

  • Command Authorization Config best practice using ACS

    Hi
    Are there any best practices for configuring command authorization (for router/switch/asa) in CS-ACS? To be specific, are there any best practices for configuring authorization for a set of commands allowed for L1, L2, L3 support levels?
    Regards
    V Vinodh.

    Vinodh,
    The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure the configs are working fine.
    Please check this link,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts
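    As an added illustration of the fall-back advice in JG's reply (example code, not Cisco's and not from this thread), the script below audits an IOS or ASA config for AAA lists that would lock an administrator out if the TACACS+ servers were unreachable, and for two related patterns seen elsewhere on this page. The sample configs are constructed.

```python
"""Audit Cisco AAA config for the lockout risk the reply above warns about: a
login or command-authorization list with no fall-back behind 'group tacacs+'.
Added example, not Cisco code. Also checks an IOS named list that no line
applies, ASA 'aaa authorization command <group>' without LOCAL, and
'no aaa authorization config-commands'. Sample configs are constructed."""
import re

FALLBACK = {"local", "local-case", "enable", "if-authenticated", "none", "line"}
IOS_LIST_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$")
LINE_APPLY_RE = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+) (\S+)$")
ASA_RE = re.compile(
    r"^aaa (authentication (?:ssh|telnet|serial|enable|http) console|authorization command)"
    r" (\S+)(?: (\S+))?$")

def audit_aaa(config: str) -> list:
    """Return human-readable findings for one device's running config."""
    findings, defined, applied = [], {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := IOS_LIST_RE.match(line):
            kind, name, methods = m.groups()
            # Methods run left to right; if every method is 'group X' and the
            # servers are unreachable, nobody can log in or run a command.
            if not FALLBACK.intersection(methods.split()):
                findings.append(f"no fall-back method: {line}")
            if name != "default":
                defined[(kind, name)] = line
        elif m := LINE_APPLY_RE.match(line):
            kind, name = m.groups()
            if kind == "login authentication":
                kind = "authentication login"
            applied.add((kind, name))
        elif m := ASA_RE.match(line):
            _, group, fallback = m.groups()
            if "LOCAL" not in {group.upper(), (fallback or "").upper()}:
                findings.append(f"ASA AAA without LOCAL fall-back: {line}")
        elif line == "no aaa authorization config-commands":
            findings.append(f"config-mode commands bypass command authorization: {line}")
    # A non-default IOS list only takes effect on lines that reference it;
    # otherwise the line silently uses 'default' (or nothing at all).
    for (kind, name), line in defined.items():
        if (kind, name) not in applied:
            findings.append(f"named list '{name}' is applied to no line: {line}")
    return findings

WEAK_IOS = """\
aaa new-model
aaa authentication login default group tacacs+
no aaa authorization config-commands
aaa authorization exec vtyauth group tacacs+ local
aaa authorization commands 15 default group tacacs+
line vty 0 4
 login authentication default
 transport input ssh
"""
FIXED_IOS = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
"""
WEAK_ASA = """\
aaa-server CSACS-TACACS+ protocol tacacs+
aaa authentication ssh console CSACS-TACACS+
aaa authentication enable console CSACS-TACACS+
aaa authorization command CSACS-TACACS+
"""
FIXED_ASA = """\
aaa authentication ssh console CSACS-TACACS+ LOCAL
aaa authentication enable console CSACS-TACACS+ LOCAL
aaa authorization command CSACS-TACACS+ LOCAL
"""

if __name__ == "__main__":
    for label, cfg in [("weak IOS", WEAK_IOS), ("fixed IOS", FIXED_IOS),
                       ("weak ASA", WEAK_ASA), ("fixed ASA", FIXED_ASA)]:
        print(label, audit_aaa(cfg) or "OK")
```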

  • Configuring aaa local command authorization

    I am struggling a bit with how to configure aaa local command authorization, and I am not finding any material for configuring it either. Please tell me how to configure aaa local command authorization, or possibly give me some useful links for that.

    Hi,
    For the aaa authorization command set, kindly refer to this link:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
    I hope this helps. Please rate this post.
    cheers
    Sachin

  • 3640 - AAA/AUTHOR: config command authorization not enabled

    Hello, I have a 3640 router with the c3640-ik9o3sw6-mz.122-8.T.bin version, but when I try to validate the username and password with a RADIUS server, the debug message is "AAA/AUTHOR: config command authorization not enabled", and I'm sure that the RADIUS server validates the user and the packet arrives at the router.
    I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
    I attach you the files with config and logs.
    Thank you in advance.

    Yep! I'm really running 12.1!
    I'm receiving the message once I include "aaa authorization exec default group radius local if-authenticated" in the config.
    Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
    sh run | i aaa
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication banner ^C
    aaa authentication fail-message ^C
    aaa authentication login My-RADIUS group radius local
    aaa accounting exec My-RADIUS start-stop group radius
    aaa session-id common
    Is there somewhere specific I was supposed to configure the aaa authorization enable, because I'm not seeing it.
    Let me know what other thoughts you may have.
    Thanks
    Nik

  • AAA command authorization ASA

    I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authorized message, and the ACS shows no log of this request. I then have to reboot the ASA to get back in.
    Current commands
    aaa authentication ssh console CSACS-TACACS+
    aaa authentication http console CSACS-TACACS+
    Entered commands
    aaa authentication enable console CSACS-TACACS+
    aaa authorization command CSACS-TACACS+

    Douglas,
    Try the following configuration:
    aaa authentication ssh console CSACS-TACACS+
    aaa authentication http console CSACS-TACACS+
    aaa authentication enable console CSACS-TACACS+
    With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.
    Remember to keep another session open in privileged mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.

  • AAA Command Authorization

    I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?

    It worked, thanks. The ACS server gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
    Thanks again.

  • Restrict aaa access using command authorization windows acs3.6

    I need to enable aaa users to shut and unshut interfaces but nothing else. I already have all the users and groups set up, but when I modify the command auth set to include "configure" "permit term", they are given unrestricted access.
    Any help appreciated.

    On the router there's a:
    aaa authorization config-commands
    command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.
