AAA issue ( command authorization failed)

Similar Messages

• Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request' % Incomplete command.

  we are using CISCO ASR 9006 . and we configured aaa authentication and commit changes after that i am able to login ASR with local user but
  no any command execute and get error.
  Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
  % Incomplete command.
  please help.

  Hi Anop
  How did you get over this problem? I am having the same issue.
  Regards
  Rohan

• AAA -- Int range configuration gives "Command authorization failed" msg.

  Versions involved:
  AAA
  ACS 4.1.4.13.12
  Devices:
  C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
  C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
  If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
  HOST1184(config)#int range fastEthernet 0/1 - 3
  HOST1184(config-if-range)# switchport access vlan 24
  HOST1184(config-if-range)# switchport mode access
  HOST1184(config-if-range)# switchport voice vlan 301
  HOST1184(config-if-range)# dot1x pae authenticator
  HOST1184(config-if-range)# dot1x port-control auto
  HOST1184(config-if-range)# dot1x timeout reauth-period 7200
  HOST1184(config-if-range)# dot1x timeout supp-timeout 120
  HOST1184(config-if-range)# dot1x max-req 1
  HOST1184(config-if-range)# dot1x max-reauth-req 1
  HOST1184(config-if-range)# dot1x reauthentication
  HOST1184(config-if-range)# dot1x guest-vlan 280
  HOST1184(config-if-range)# spanning-tree portfast
  HOST1184(config-if-range)#!
  OST1184(config-if-range)#end
  HOST1184#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  HOST1184(config)#int range fastEthernet 0/4 - 14
  HOST1184(config-if-range)# switchport access vlan 24
  Command authorization failed.
  Command authorization failed.
  Command authorization failed.
  HOST1184(config-if-range)# switchport mode access
  HOST1184(config-if-range)# switchport voice vlan 301
  HOST1184(config-if-range)# dot1x pae authenticator
  HOST1184(config-if-range)# dot1x port-control auto
  Command authorization failed.
  HOST1184(config-if-range)# dot1x timeout reauth-period 7200
  Command authorization failed.
  HOST1184(config-if-range)# dot1x timeout supp-timeout 120
  Command authorization failed.
  HOST1184(config-if-range)# dot1x max-req 1
  Command authorization failed.
  HOST1184(config-if-range)# dot1x max-reauth-req 1
  Command authorization failed.
  HOST1184(config-if-range)# dot1x reauthentication
  Command authorization failed.
  HOST1184(config-if-range)# dot1x guest-vlan 280
  Command authorization failed.
  HOST1184(config-if-range)# spanning-tree portfast
  Command authorization failed.
  HOST1184(config-if-range)#!
  The pieces of config are as follows:
  aaa new-model
  aaa group server radius dot1x
  server 10.61.156.136 auth-port 1812 acct-port 1813
  aaa authentication login default group tacacs+ enable
  aaa authentication enable default group tacacs+ enable
  aaa authentication dot1x default group dot1x
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ if-authenticated none
  aaa authorization commands 0 default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  enable secret 5 <removed>
  logging 10.142.4.45
  snmp-server community <removed> RO
  snmp-server community <removed> RW
  snmp-server location "SD"
  snmp-server contact contact - [email protected]
  tacacs-server host A.B.C.D timeout 5 key <removed>
  tacacs-server host A.B.C.D timeout 5 key <removed>
  tacacs-server host A.B.C.D timeout 5 key <removed>
  no tacacs-server directed-request
  radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
  radius-server retransmit 3
  Anyone out there has a solution for such a problem?
  Regards,
  AL

  Hi JG, thanks for your response.
  I don't have the appliance close to me, so I cannot check on this setting.
  As soon as I have a chance, I will return with this info.
  Anyway, why does it work for other devices and also, why we don't have any problem when configuring a small range of interfaces?
  Once again, thanks for your reply.
  Regards,
  AL

• Command authorization failed

  I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
  ============================
  EUKFW2# show running-config
  ^
  ERROR: % Invalid input detected at '^' marker.
  ERROR: Command authorization failed
  ============================
  I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

  No there is no default user. To make him login you need to make changes in the command author set.
  Make one command autho set in acs --->shared profile components.
  add-->give any name "Full access "---> Put radio button to permit and submit.
  Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
  Now it should let you in.
  Caution : This is let that uses to issue all commands
  Find attached the way to set up command authorization.
  Trick here is to give all user prov lvl 15 and then apply command autho set.
  Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.
  Regards,
  ~JG
  Please rate if helps

• Command authorization failed ACS 5.6

  I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
  I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
  The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
  The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
  Here are the AAA settings on the switch
  aaa authentication login listASH group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec listASH group tacacs+ local
  aaa authorization commands 0 default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  tacacs-server host 10.1.2.212
  tacacs-server timeout 3
  tacacs-server directed-request
  tacacs-server key <key>
  line vty 0 4
  access-class vty-access in
  logging synchronous level all
  login authentication listASH
  transport input ssh
  Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.

  Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?
  debug aaa authentication
  debug aaa authorization
  debug tacacs authorization
  Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.
  Thank you for rating helpful posts!

• Configuring aaa local command authorization

  i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..

  Hi,
  For aaa authorization command set.Kindly refer to link.
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
  I hope this help.Please rate this post.
  cheers
  Sachin

• AAA authorization fails, but still command is executed...

  Hi everyone,
  i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
  Now I try to configure a loopback or Vlan interface, which should not be allowed.
  COMMANDS IMPLEMENTED:
  aaa authorization config-commands
  aaa authorization commands 0 vty group tacacs+ none
  aaa authorization commands 1 vty group tacacs+ none
  aaa authorization commands 15 vty group tacacs+ none
  line vty 0 15
  authorization commands 0 vty
  authorization commands 1 vty
  authorization commands 15 vty
  COMMAND AND OUTPUT FROM TESTING:
  SWITCH(config)#int vlan 2
  Command authorization failed.
  DEBUG AAA AUTHORIZATION:
  SWITCH#
  Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
  Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
  Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
  'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
  Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
  Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
  Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
  Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
  Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
  Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
  Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
  Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
  Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
  Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
  em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
  As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
  RESULT:
  SWITCH#sh run int vlan 2
  Building configuration...
  Current configuration : 38 bytes
  interface Vlan2
  no ip address
  end
  QUESTION:
  I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
  But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
  Is this me not understandig the basic concept of AAA or is this some other problem?
  The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
  The Tacacs runs Cisco Secure ACS4.2.0.124
  Thanks,
  Tom

  Hi Tom,
  this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
  The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
  As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
  You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
  hth
  Herbert

• ACS command Authorization on PIX Console

  I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
  aaa-server TACACS+ (inside) host 172.28.x. xx
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication serial console LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authorization command TACACS+
  aaa accounting command privilege 15 TACACS+
  aaa accounting enable console TACACS+
  but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
  ACS down, i wana to get console and access the device by using local username and password
  but now after this configuration when i try to access the firewall via console, i m getting error of
  command authorization fail.
  I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
  I have made the command authorization set in ACS and it is working fine for me,

  kindly once again check my modified configuration,
  I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
  aa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (edn) host 172.28.31.132
  aaa-server TACACS+ (edn) host 172.28.31.133
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication serial console LOCAL
  aaa authentication http console LOCAL
  aaa authorization command TACACS+ LOCAL
  aaa accounting command privilege 15 TACACS+
  aaa accounting enable console TACACS+
  but i m not able to login i m getting following eror
  Command authorization failed
  TDC-INT-525-01> exit
  Command authorization failed
  TDC-INT-525-01> exit
  Command authorization failed
  TDC-INT-525-01> enable
  Command authorization failed
  i also defined the local command authorization set like this
  privilege cmd level 15 mode exec command exit
  privilege show level 5 mode exec command running-config
  privilege show level 15 mode exec command version
  privilege show level 0 mode exec command access-list
  privilege show level 0 mode configure command access-list
  privilege cmd level 15 mode configure command exit
  privilege cmd level 15 mode configure command no
  privilege cmd level 0 mode configure command access-list
  privilege cmd level 15 mode interface command exit
  privilege cmd level 15 mode subinterface command exit
  privilege cmd level 15 mode dynupd-method command exit
  privilege cmd level 15 mode trange command exit
  privilege cmd level 15 mode route-map command exit
  privilege cmd level 15 mode router command exit
  privilege cmd level 15 mode ldap command exit
  privilege cmd level 15 mode aaa-server-host command exit
  privilege cmd level 15 mode aaa-server-group command exit
  privilege cmd level 15 mode context command exit
  privilege cmd level 15 mode group-policy command exit
  privilege cmd level 15 mode username command exit
  privilege cmd level 15 mode tunnel-group-general command exit
  privilege cmd level 15 mode tunnel-group-ipsec command exit
  privilege cmd level 15 mode tunnel-group-ppp command exit
  privilege cmd level 15 mode mpf-class-map command exit
  privilege cmd level 15 mode mpf-policy-map command exit
  privilege cmd level 15 mode mpf-policy-map-class command exit
  privilege cmd level 15 mode mpf-policy-map-class command exit
  privilege cmd level 15 mode mpf-policy-map-param command exit
  Please tell me how to solve this problem

• 3850 Stack - "Authorization Failed" from Console

  Hello,
  I have a stack of 3 x 3850s. All connected up via the stack cables. I have the Primary Active Switch, The Standby and Member.
  When I connect a console cable into the Primary Active I get access to the stack. If I connect to any of the other 2 switches in the stack via console I just keep seeing authorization failed.
  I disconnected all the switches from the stack (it's a lab environment) and was then able to access each switch via console. The issue with Authorization Failed only seems to be apparent when they are stacked. I have another stack of 3850s which allows me access to the CLI from any of the stack members.
  Anyone came across this slight issue?

  Hi,
  Try these commands:
  Switch(config)# redundancy
  Switch(config-red)# main-cpu
  Switch(config-r-mc)# standby console enable
  Switch(config-r-mc)#
  You need Cisco IOS XE 3.2SE or later.
  Link:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ha_stack_manager/command_reference/b_hastck_3se_3850_cr/b_hastck_3se_3850_cr_chapter_010.html#wp2758849103
  HTH

• Pix command authorization problem

  help required
  i am trying to configure pix firewall command authorization using cisco
  secure acs 4.2 and a pix 515 running 7.0(5) but have run into a problem
  i cant get it to work!
  i have included the pix firewall configuration below and have included
  screen shots of the acs configuration as attachments
  as you can see i can authenticate ok but that is as far as i can go
  as soon as i try and use the enable command authorization fails
  i cant even enter a password
  i have created two shell command authorization sets
  one called admins which is configured to allow all commands
  and one called restricted which restrics me to only a few commands
  if i apply the admins authorization set to the group where the user
  resides i can authenticate and authorize and i have access to all
  commands but if i apply the restrictd authorization set i get the
  problem depicted below
  i would appreciate it if someone could take a look and give me
  some pointers as to where i am going wrong
  regards
  melvyn brown
  interface ethernet0
  nameif outside
  ip address 110.1.1.1 255.255.255.0
  speed 100
  duplex full
  no shut
  interface ethernet1
  nameif inside
  ip address 192.168.8.2 255.255.255.0
  speed 100
  duplex full
  no shut
  route inside 192.168.7.0 255.255.255.0 192.168.8.1
  route inside 192.168.3.0 255.255.255.0 192.168.8.1
  aaa-server ACS1 protocol tacacs+
  aaa-server ACS1 host 192.168.7.2
  key cisco123
  domain-name acme.com
  crypto key generate rsa modulus 1024
  telnet 192.168.3.2 255.255.255.255 inside
  ssh 192.168.3.2 255.255.255.255 inside
  aaa authentication enable console ACS1
  aaa authentication serial console ACS1
  aaa authentication ssh console ACS1
  aaa authentication telnet console ACS1
  aaa authorization command ACS1
  Username: fred
  Password: **********
  Type help or '?' for a list of available commands.
  pixfirewall> en
  Command authorization failed
  pixfirewall> ?
    clear   Reset functions
    enable  Turn on privileged commands
    exit    Exit from the EXEC
    help    Interactive help for commands
    login   Log in as a particular user
    logout  Exit from the EXEC
    ping    Send echo messages
    quit    Exit from the EXEC
    show    Show running system information

  Fixed it. It was one of those ID10T type errors. The user I was testing against was in in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!

• CSCtg09895 - percentMGBL-exec-3-ACCT_ERR main: command accounting failed

  Dear fellows,
  I am facing below problem in one of ASR 9010 router while configuring .  I am unable to config anything after entering any command this error shows up 
  RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
  RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
  RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
  RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
  RP/0/RSP0/CPU0:hostname(config-if)#commit
  Thu Jan 15 12:48:50.521 IST
  RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
  it is not allowing even to commit any change
  and unable to find any online solutions for this.
  please help
  following packages are active right now
   disk0:asr9k-doc-px-4.3.4
      disk0:asr9k-fpd-px-4.3.4
      disk0:asr9k-k9sec-px-4.3.4
      disk0:asr9k-mcast-px-4.3.4
      disk0:asr9k-mgbl-px-4.3.4
      disk0:asr9k-bng-px-4.3.4
      disk0:asr9k-mini-px-4.3.4
      disk0:asr9k-mpls-px-4.3.4

  it is a fresh installation and the device is not connnected to ny network yet. 
  I am facing below problem in one of ASR 9010 router while configuring .  I am unable to config anything after entering any command this error shows up
  RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
  RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
  RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
  RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
  RP/0/RSP0/CPU0:hostname(config-if)#commit
  Thu Jan 15 12:48:50.521 IST
  RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
  it is not allowing even to commit any change
  and I am unable to find any online solutions for this.
  please help
  following packages are active right now
  disk0:asr9k-doc-px-4.3.4
      disk0:asr9k-fpd-px-4.3.4
      disk0:asr9k-k9sec-px-4.3.4
      disk0:asr9k-mcast-px-4.3.4
      disk0:asr9k-mgbl-px-4.3.4
      disk0:asr9k-bng-px-4.3.4
      disk0:asr9k-mini-px-4.3.4
      disk0:asr9k-mpls-px-4.3.4
  PS: please tell what more output are needed so that this problem can be solved.

• Command authorization issue.

  Hello.
  I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
  The shell command set that I'm using is a "permit unmatched commands".
  Any idea?
  Thanks.
  Andrea

  What you're experiencing is a known defect:
  CSCtg38468    cat4k/IOS: banner exec failed with blank characters
  Symptom:
  %PARSE_RC-4-PRC_NON_COMPLIANCE:
  The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
  Conditions:
  Problem happens, when AAA authorization is used together with TACACS+
  Workaround:
  Make sure there is no blank character at the begining of line in the banner message.
  Problem Details: trying to configure banner exec with blank character at beginning of line failed.
  This happens when configuring the banner exec via telnet/ssh !
  When configuring the same banner exec via console-port, everything is fine.
  Note the blank characters at beginning of each line. When removing those, banner exec works fine.
  Again, this was working till IOS version 12.2(46)SG.
  Beginning with 12.2(50)SG1 and up, the behaviour has changed.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• 3640 - AAA/AUTHOR: config command authorization not enabled

  Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
  I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
  I attach you the files with config and logs.
  Thanks you in advance.

  Yep! I'm really running 12.1!
  I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
  Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
  sh run | i aaa
  aaa new-model
  aaa authentication attempts login 5
  aaa authentication banner ^C
  aaa authentication fail-message ^C
  aaa authentication login My-RADIUS group radius local
  aaa accounting exec My-RADIUS start-stop group radius
  aaa session-id common
  Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
  Let me know what other thoughts you may have.
  Thanks
  Nik

• Command authorization error when using aaa cache

  Hi,
  I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
  % tty2 Unknown authorization method 6 set for list command
  The command is then always authorized against the tacacs server.
  The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
  I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
  Deleting the cache entry and using only the tacacs group the error message disappears.
  Any suggestions?
  Thanks.
  Frank
  ======
  config
  ======
  aaa new-model
  aaa group server tacacs+ group_tacacs
  server 10.10.10.10
  server 10.10.10.11
  cache expiry 12
  cache authorization profile admin_user
  cache authentication profile admin_user
  aaa authentication login default cache group_tacacs group group_tacacs local
  aaa authentication enable default cache group_tacacs group group_tacacs enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec default cache group_tacacs group group_tacacs local
  aaa authorization commands 15 default cache group_tacacs group group_tacacs local
  aaa accounting exec default start-stop group group_tacacs
  aaa cache profile admin_user
  profile admin no-auth
  aaa session-id common
  tacacs-server host 10.10.10.10 single-connection
  tacacs-server host 10.10.10.11 single-connection
  tacacs-server directed-request
  tacacs-server key 7 <removed>
  ============
  debug output
  ============
  ap#
  Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
  Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
  Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
  Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
  Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
  Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
  Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
  Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
  ap#
  Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
  Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
  Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
  Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
  Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
  Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
  Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
  Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
  Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
  Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
  priv=15 vrf= (id=0)

  Hi,
  I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
  Regards,
  Vivek

• AAA Authorization Fail between WLC 2125 & LWAP 1042n

  In my Wireless environment, WLC 2125 is connected to a LWAP 1042n. The WLC is succesfully providing DHCP IP to the AP but is unable to discover it. All are connected. During debug mode following error message is encountered in WLC 2125, "AAA Authorization Fail....".
  Please suggest what to do.

  Here is a good doc that explains different errors:
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml