Command authorization failed
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :
============================
EUKFW2# show running-config
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
============================
I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?
No there is no default user. To make him login you need to make changes in the command author set.
Make one command autho set in acs --->shared profile components.
add-->give any name "Full access "---> Put radio button to permit and submit.
Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
Now it should let you in.
Caution : This is let that uses to issue all commands
Find attached the way to set up command authorization.
Trick here is to give all user prov lvl 15 and then apply command autho set.
Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.
Regards,
~JG
Please rate if helps
Similar Messages
-
AAA -- Int range configuration gives "Command authorization failed" msg.
Versions involved:
AAA
ACS 4.1.4.13.12
Devices:
C2960-LANBASE-M, Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
C3550-I9Q3L2-M, Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
If we try to configure a single interface or just a very small range, it works fine, but if we try to configure a larger range of interfaces, we get a Command authorization failed message, as can be seen below:
HOST1184(config)#int range fastEthernet 0/1 - 3
HOST1184(config-if-range)# switchport access vlan 24
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
HOST1184(config-if-range)# dot1x max-req 1
HOST1184(config-if-range)# dot1x max-reauth-req 1
HOST1184(config-if-range)# dot1x reauthentication
HOST1184(config-if-range)# dot1x guest-vlan 280
HOST1184(config-if-range)# spanning-tree portfast
HOST1184(config-if-range)#!
OST1184(config-if-range)#end
HOST1184#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOST1184(config)#int range fastEthernet 0/4 - 14
HOST1184(config-if-range)# switchport access vlan 24
Command authorization failed.
Command authorization failed.
Command authorization failed.
HOST1184(config-if-range)# switchport mode access
HOST1184(config-if-range)# switchport voice vlan 301
HOST1184(config-if-range)# dot1x pae authenticator
HOST1184(config-if-range)# dot1x port-control auto
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout reauth-period 7200
Command authorization failed.
HOST1184(config-if-range)# dot1x timeout supp-timeout 120
Command authorization failed.
HOST1184(config-if-range)# dot1x max-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x max-reauth-req 1
Command authorization failed.
HOST1184(config-if-range)# dot1x reauthentication
Command authorization failed.
HOST1184(config-if-range)# dot1x guest-vlan 280
Command authorization failed.
HOST1184(config-if-range)# spanning-tree portfast
Command authorization failed.
HOST1184(config-if-range)#!
The pieces of config are as follows:
aaa new-model
aaa group server radius dot1x
server 10.61.156.136 auth-port 1812 acct-port 1813
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret 5 <removed>
logging 10.142.4.45
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location "SD"
snmp-server contact contact - [email protected]
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
tacacs-server host A.B.C.D timeout 5 key <removed>
no tacacs-server directed-request
radius-server host 10.61.156.136 auth-port 1812 acct-port 1813 key 7 096E5C3D4851
radius-server retransmit 3
Anyone out there has a solution for such a problem?
Regards,
ALHi JG, thanks for your response.
I don't have the appliance close to me, so I cannot check on this setting.
As soon as I have a chance, I will return with this info.
Anyway, why does it work for other devices and also, why we don't have any problem when configuring a small range of interfaces?
Once again, thanks for your reply.
Regards,
AL -
we are using CISCO ASR 9006 . and we configured aaa authentication and commit changes after that i am able to login ASR with local user but
no any command execute and get error.
Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.
please help.Hi Anop
How did you get over this problem? I am having the same issue.
Regards
Rohan -
Command authorization failed ACS 5.6
I have a new ACS 5.6 appliance set up that uses Active Directory authentication.
I created a shell profile, mapped it to the authorization rule, and then added devices to the system.
The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).
The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.
Here are the AAA settings on the switch
aaa authentication login listASH group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listASH group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 10.1.2.212
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>
line vty 0 4
access-class vty-access in
logging synchronous level all
login authentication listASH
transport input ssh
Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?
debug aaa authentication
debug aaa authorization
debug tacacs authorization
Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.
Thank you for rating helpful posts! -
AAA issue ( command authorization failed)
I am getting the issue, and following is the script , cannot find and locate the cause of error !
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
endBased on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enabl mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick -
AAA authorization fails, but still command is executed...
Hi everyone,
i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec 7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
Is this me not understandig the basic concept of AAA or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
TomHi Tom,
this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert -
ACS command Authorization on PIX Console
I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
ACS down, i wana to get console and access the device by using local username and password
but now after this configuration when i try to access the firewall via console, i m getting error of
command authorization fail.
I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
I have made the command authorization set in ACS and it is working fine for me,kindly once again check my modified configuration,
I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
aa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but i m not able to login i m getting following eror
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
i also defined the local command authorization set like this
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem -
Pix command authorization problem
help required
i am trying to configure pix firewall command authorization using cisco
secure acs 4.2 and a pix 515 running 7.0(5) but have run into a problem
i cant get it to work!
i have included the pix firewall configuration below and have included
screen shots of the acs configuration as attachments
as you can see i can authenticate ok but that is as far as i can go
as soon as i try and use the enable command authorization fails
i cant even enter a password
i have created two shell command authorization sets
one called admins which is configured to allow all commands
and one called restricted which restrics me to only a few commands
if i apply the admins authorization set to the group where the user
resides i can authenticate and authorize and i have access to all
commands but if i apply the restrictd authorization set i get the
problem depicted below
i would appreciate it if someone could take a look and give me
some pointers as to where i am going wrong
regards
melvyn brown
interface ethernet0
nameif outside
ip address 110.1.1.1 255.255.255.0
speed 100
duplex full
no shut
interface ethernet1
nameif inside
ip address 192.168.8.2 255.255.255.0
speed 100
duplex full
no shut
route inside 192.168.7.0 255.255.255.0 192.168.8.1
route inside 192.168.3.0 255.255.255.0 192.168.8.1
aaa-server ACS1 protocol tacacs+
aaa-server ACS1 host 192.168.7.2
key cisco123
domain-name acme.com
crypto key generate rsa modulus 1024
telnet 192.168.3.2 255.255.255.255 inside
ssh 192.168.3.2 255.255.255.255 inside
aaa authentication enable console ACS1
aaa authentication serial console ACS1
aaa authentication ssh console ACS1
aaa authentication telnet console ACS1
aaa authorization command ACS1
Username: fred
Password: **********
Type help or '?' for a list of available commands.
pixfirewall> en
Command authorization failed
pixfirewall> ?
clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
help Interactive help for commands
login Log in as a particular user
logout Exit from the EXEC
ping Send echo messages
quit Exit from the EXEC
show Show running system informationFixed it. It was one of those ID10T type errors. The user I was testing against was in in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!
-
Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC
Hello everybody,
I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
The authentication logs show that the posture status changed from non-compliant to compliant but the users doesn't obtain access .
Here are details :
Authentication Details
Source Timestamp
2015-04-30 18:43:13.179
Received Timestamp
2015-04-30 18:43:13.18
Policy Server
ISE-CISCO
Event
5417 Dynamic Authorization failed
Failure Reason
11213 No response received from Network Access Device after sending a Dynamic Authorization request
Resolution
Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause
No response received from Network Access Device after sending a Dynamic Authorization request
Username
User Type
Endpoint Id
E0:9D:31:07:**:**
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
ca0019ac00000003ae674255
Authentication Method
Authentication Protocol
Service Type
Network Device
WLC-1
Device Type
Location
NAS IP Address
172.25.0.202
NAS Port Id
NAS Port Type
Authorization Profile
Posture Status
Compliant
Security Group
Response Time
15002
Other Attributes
ConfigVersionId
4
RadiusPacketType
CoARequest
Event-Timestamp
1430415778
AcsSessionID
50149c2f-08fb-4f9d-b1b5-f655e71d039f
StepLatency
3=15001
Device IP Address
172.25.0.202
CiscoAVPair
subscriber:command=reauthenticate
audit-session-id
ca0019ac00000003ae674255
Session Events
2015-04-30 18:43:13.18
Dynamic Authorization failed
2015-04-30 18:41:44.159
Dynamic Authorization failed
2015-04-30 18:35:42.64
Guest Authentication Passed
2015-04-30 18:34:39.214
RADIUS Accounting start requestYou can use LWA for this . he WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Service Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning.
Refer to the following link for configuration example
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
Command authorization issue.
Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
AndreaWhat you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the begining of line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the begining of line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts** -
3850 Stack - "Authorization Failed" from Console
Hello,
I have a stack of 3 x 3850s. All connected up via the stack cables. I have the Primary Active Switch, The Standby and Member.
When I connect a console cable into the Primary Active I get access to the stack. If I connect to any of the other 2 switches in the stack via console I just keep seeing authorization failed.
I disconnected all the switches from the stack (it's a lab environment) and was then able to access each switch via console. The issue with Authorization Failed only seems to be apparent when they are stacked. I have another stack of 3850s which allows me access to the CLI from any of the stack members.
Anyone came across this slight issue?Hi,
Try these commands:
Switch(config)# redundancy
Switch(config-red)# main-cpu
Switch(config-r-mc)# standby console enable
Switch(config-r-mc)#
You need Cisco IOS XE 3.2SE or later.
Link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ha_stack_manager/command_reference/b_hastck_3se_3850_cr/b_hastck_3se_3850_cr_chapter_010.html#wp2758849103
HTH -
When logging to some of our routers, we get sometimes (not always!!!) a command authorization failure, sometimes the command works, sometimes the same command fails, also in the tacacs logs there is no trace of the attempt to log in on this router.
We need to check the debugs as that will let us know why the command failed.
debug tacacs
debug aaa authorization
What is the IOS ver running on the routers?
Regards,
~JG
Do rate helpful posts -
-2 ERR_USRFAIL: User authorization failed
Hello guys,
First to mention my system:
OS: Windows 2003 server
DB: MaxDB 7_7_06_17
I have one problem to connect through Database Manager to one DB instance that just now I have installed.
What I want to do is to install one MDM server.
The bellow are the steps that were already performed:
-installed Java server with sapinst (this created its database ZJD)
-after this Java server was finished installed I started to create one DB MDM instance using SDBSETUP.exe
-I was able to create this MDM instance successful
And the problem is here: This MDM database instance that was created with defaults users DBA and DBM. When the creation of this MDM was finished I tried to connect with both Database Manager and DBMCLI to MDM instance using these users but I am not able to connect. I get the "-2 ERR_USRFAIL: User authorization failed" error. Can you tell me which is the reason?
I am sure that I typed the right user and password. I tried to uninstall all and installed again inclusive OS and the same error. I mention that to instance ZJD I am able to connect.
I tried with default users for Maxdb (DBA with pass: SECRET and DBA and DBM with pass: SECRET and DBM) but this doesn't work.
Can you help me to solve this problem?
Best regards,
Florin RaduleaHello,
Bellow is the output for
sdbregview u2013l command:
package "DB Analyzer":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: bin/dbanalyzer.exe
IS SUBPACKAGE: NO
DBANALYZER PATH: E:/sapdb/programs
package "Server Utilities":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: bin/x_server.exe
IS SUBPACKAGE: NO
INDEPENDENT PROGRAM PATH: E:/sapdb/programs
package "PCR 7300":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.3.00.59
PACKAGE VERSION: 0
VALID: YES
MODIFICATION DATE: 13.04.2010
REQUIRE: Base >= 7.3.00.59
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: runtime/7300/pgm/libpcr.dll
IS SUBPACKAGE: NO
PRECOMPILER 7300 PATH: e:/sapdb/programs
package "PCR 7301":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.3.01.22
PACKAGE VERSION: 0
VALID: YES
MODIFICATION DATE: 13.04.2010
REQUIRE: Base
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: runtime/7301/pgm/libpcr.dll
IS SUBPACKAGE: NO
PRECOMPILER 7301 PATH: e:/sapdb/programs
package "PCR 7500":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.5.00.51
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base >= 7.5.00.51
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: runtime/7500/pgm/pgm64/libpcr.dll
IS SUBPACKAGE: NO
PRECOMPILER 7500 PATH: E:/sapdb/programs
package "Webtools":
PACKAGE DIRECTORY: e:/sapdb/programs/web
SOFTWARE VERSION: 7.6.03.09
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: ODBC >= 7.6.03.09 64
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/webdbm.dll
IS SUBPACKAGE: NO
WEBTOOLS PATH: E:/sapdb/programs/web
package "SAP Utilities":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: bin/dbmrfc.exe
IS SUBPACKAGE: NO
: E:/sapdb/data
INDEPENDENT PROGRAM PATH: E:/sapdb/programs
package "Redist Python":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: bin/x_python.exe
IS SUBPACKAGE: NO
REDIST PYTHON PATH: E:/sapdb/programs
package "Base":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE:
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/dbmcli.exe
IS SUBPACKAGE: NO
INDEPENDENT DATA PATH: E:/sapdb/data
INDEPENDENT PROGRAM PATH: E:/sapdb/programs
package "JDBC":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.6.06.05
PACKAGE VERSION: 0
VALID: YES
MODIFICATION DATE: 13.04.2010
REQUIRE: Base
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: NO
IS SUBPACKAGE: NO
JAVA DRIVER PATH: E:/sapdb/programs
package "Messages":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: MSG 0.7732
PACKAGE VERSION: 0
VALID: YES
MODIFICATION DATE: 13.04.2010
REQUIRE: Base
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: NO
IS SUBPACKAGE: NO
MESSAGES PATH: E:/sapdb/programs
package "ODBC":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/sdbodbc.dll
IS SUBPACKAGE: NO
ODBC PATH: E:/sapdb/programs
package "SQLDBC 77":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Database Connectivity >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/libSQLDBC77.dll
IS SUBPACKAGE: NO
DBC PATH: E:/sapdb/programs
package "Database Kernel":
PACKAGE DIRECTORY: f:/sapdb/mdm/db
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Server Utilities >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/kernel.exe
IS SUBPACKAGE: NO
DEPENDENT PATH: f:/sapdb/mdm/db
PACKAGE DIRECTORY: e:/sapdb/zjd/db
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Server Utilities >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/kernel.exe
IS SUBPACKAGE: NO
DEPENDENT PATH: e:/sapdb/zjd/db
package "Loader":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Redist Python >= 7.7.06.17
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: bin/loadercli.exe
IS SUBPACKAGE: NO
LOADER PATH: E:/sapdb/programs
package "SQLDBC":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Base
FILELIST: YES
HAS DISPLAY NAME: YES
SCRIPT: YES
TEST FILE: pgm/libSQLDBC.dll
IS SUBPACKAGE: NO
DBC PATH: E:/sapdb/programs
package "SQLDBC 76":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.6.06.07
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: Database Connectivity >= 7.6.06.07
FILELIST: YES
HAS DISPLAY NAME: YES
SCRIPT: YES
TEST FILE: pgm/libSQLDBC76.dll
IS SUBPACKAGE: NO
DBC PATH: E:/sapdb/programs
package "Fastload API":
PACKAGE DIRECTORY: e:/sapdb/programs
SOFTWARE VERSION: 7.7.06.17
PACKAGE VERSION: 0
VALID: YES
MODE: 64 bit
MODIFICATION DATE: 13.04.2010
REQUIRE: SQLDBC 77
FILELIST: YES
HAS DISPLAY NAME: NO
SCRIPT: YES
TEST FILE: pgm/libSDBLoader.dll
IS SUBPACKAGE: NO
FASTLOAD PATH: E:/sapdb/programs -
Enable mode authorization failed.
Have a user that cannot get to en prompt. Here is my trace output:
AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr=
'10.128.20.110' authen_type=1 service=ENABLE priv=152007 Oct 16 10:57:07.360 EST
-04:00
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
TAC+: send AUTHEN/START packet ver=192 id=626074205
TAC+: Opening TCP/IP connection to 10.129.12.196
TAC+: ver=192 id=626074205 received AUTHEN status = GETPASS2007 Oct 16 10:57:08.
440 EST -04:00
AAA/AUTHEN (626074205): status = GETPASSPassword: 2007 Oct 16 10:57:11.200 EST -
04:00 *62*2007 Oct 16 10:57:11.440 EST -04:00 *69*2007 Oct 16 10:57:11.800 EST -
04:00 *67*2007 Oct 16 10:57:12.050 EST -04:00 *74*2007 Oct 16 10:57:12.300 EST -
04:00 *6f*2007 Oct 16 10:57:12.530 EST -04:00 *65*
2007 Oct 16 10:57:12.950 EST -04:00
AAA/AUTHEN/CONT (626074205): continue_login2007 Oct 16 10:57:12.950 EST -04:00
AAA/AUTHEN (626074205): status = GETPASS
TAC+: send AUTHEN/CONT packet id=626074205
TAC+: ver=192 id=626074205 received AUTHEN status = PASS2007 Oct 16 10:57:13.460
EST -04:00
AAA/AUTHEN (626074205): status = PASS2007 Oct 16 10:57:13.460 EST -04:00 return
PASS
2007 Oct 16 10:57:13.460 EST -04:00
AAA/AUTHOR : ptr2=enable
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR : Add AV service=shell
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR : Add AV cmd=enable
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR/TACACS+ cmd author (413075467): Port='telnet146' list='(null)' servic
e=CMD2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) user='lduncan'2007 Oct 16 10:57:13.4
80 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV service=shell2007 Oct 16 10:5
7:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV cmd=enable
AAA/AUTHOR/TACACS+ cmd author: (413075467) Method=TAC_PLUS2007 Oct 16 10:57:13.4
90 EST -04:00
AAA/AUTHOR/TAC+: (413075467): user=lduncan2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): send AV service=shell2007 Oct 16 10:57:13.490 EST
-04:00
AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable
TAC+: Opening TCP/IP connection to 10.129.12.196
TAC+: (413075467): received author response status = FAIL2007 Oct 16 10:57:14.50
0 EST -04:00
AAA/AUTHOR (413075467): Post authorization status = FAIL2007 Oct 16 10:57:14.500
EST -04:00
AAA/AUTHOR : do_author result=12007 Oct 16 10:57:14.500 EST -04:00 %AAA: author:
tacacs_plus_author ret=1.
Enable mode authorization faile
I have checked his user info and group info in tacacs.It seems that you have command author configured that is why user in not able to issue it.
What kind of user is it ? Admin or normal user.
To make him login you need to make changes in the command author set.
Make one command autho set in acs --->shared profile componenets.
add-->give any name "Full access "---> Put radio button to permit and submit.
Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.
Now it should let you in.
Caution : This is let that uses to issue all commands
Also provide me more info if you want user to deny some commands. We need to set up command autho set accordingly.
Regards,
~JG
Please rate helpful posts -
I have an ACS 4.0 device. In the shell command authorization set section, you have the ability to define permitted or denied commands (show) and arguments (running-config). I am limiting users to a specific set of commands. One of the commands is 'exit'. To my knowledge, 'exit' does not have any arguments. If I add 'exit' as a permitted command but enter nothing for the argument section, I get authorization failed at the router. If I select 'permit unmatched args' (for exit), authorization is successful. I would prefer to not select 'permit unmatched args'. Is there an argument for 'exit' that I am not aware of?
It worked thanks. The ACS servers gives me an error saying the correct format is permit or deny followed by an argument, but the 'permit' has been saved and is working.
Thanks again.
Maybe you are looking for
-
How to Delete the dimension from the cube ?
Hi , how to Delete the dimension from the cube ? i have added the new dimension by assiging one characteristic to that dimension . now i want to delete it , but system saying that Dimension ZXXX contains InfoObjects; deletion not possible . how t
-
Hi I purchased a game app for my daughter (6 years old ) littlest pet shop and been charged for 2 bills of £20.98 she doesn't know and I don't know how this has happened as it was a free app ?
-
MacBook Pro Core i7 intermittent freezes lasting ~5-30 seconds
MacBook Pro CPU Core i7 2.66GHz RAM 4GB 1067MHz DDR3 HDD Seagate 500GB 7200RPM MacBookPro6,2 Boot ROM Version: MBP61.0057.B09 SMC Version (system): 1.58f16 Serial ATA HDD: ST9500420ASG Revision: 0008APM2 Link Speed: 3 Gigabit Negotiated Link Speed: 1
-
What is Lightroom, where is it found and how is it installed???
Recently purchased Costco Special Edition Adobe Photoshop Elemnts 11, but come to find out that I require something called Lightroom to Email photos. Where do I find Lightroom to download and how does one set it up????
-
Is it a bug -- can't find movie file data "expo-3" ???
I am having a problem with the new iLife 06 suite though I believe this relates back to Tiger. After installation, I launched Garageband and received the below message. The same thing happens while opening a QT-file with FCE. Both applications are te