Config command authorization not enabled

Can someone tell me why I'm getting this message? I'm beginning to think this has something to do with my device failing authorization.
show version
Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.1(19)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Yep! I'm really running 12.1!
I'm receiving the message once I include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful; however, authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can log in to user mode and then use the enable password to move forward, but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was supposed to configure the aaa authorization enabled, because I'm not seeing it?
Let me know what other thoughts you may have.
Thanks
Nik

Similar Messages

  • 3640 - AAA/AUTHOR: config command authorization not enabled

    Hello, I have a 3640 router with the c3640-ik9o3sw6-mz.122-8.T.bin version, but when I try to validate the username and password with a RADIUS server, the debug message is "AAA/AUTHOR: config command authorization not enabled", and I'm sure that the RADIUS server validates the user and the packet arrives at the router.
    I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate, but I cannot use "crypto isakmp client configuration group mygroup" to configure the Easy VPN server.
    I am attaching the files with the config and logs.
    Thank you in advance.

  • ACS 3.3 Config Command Authorization

    Hi,
    I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
    The debug says:
    1w2d: AAA/AUTHOR: config command authorization not enabled
    How can I enable this and how/where can I configure it on the ACS?
    Thanks in advance

    On ACS just allow the user to enter the "route" command like you would any other shell command they're allowed to do.
    On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
    aaa authorization config-commands
    Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

  • AUTH command is not enabled.

    I have just installed a fresh new MTA. Everything is fine, but when I telnet to <own-ip> 25 and try to do AUTH LOGIN, I get this error:
    *AUTH command is not enabled.
    I supposed AUTH LOGIN is enabled by default; may I know how to enable it?
    Regards,
    gthian

    haw_9368 wrote:
    I have just installed a fresh new MTA. Everything is fine, but when I telnet to <own-ip> 25 and try to do AUTH LOGIN, I get this error:
    *AUTH command is not enabled.
    I supposed AUTH LOGIN is enabled by default; may I know how to enable it?

    SMTP authentication is only enabled if you have the mustsaslserver or maysaslserver keyword on the channel which you are connecting to.
    By default the tcp_intranet channel doesn't have this keyword. Try adding maysaslserver to the tcp_intranet channel, then run ./imsimta cnbuild;./imsimta restart.
    When you telnet <own-ip> 25, type in, EHLO blah.com, you should see the following:
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    This means SMTP Auth is enabled.
    Regards,
    Shane.

  • AUTH Command is not enabled, when try to enable webmail with smtp auth

    Hi,
    I'm trying to force all the webmail users to authenticate (SMTP AUTH) when they send an email.
    I already configured this:
    local.service.http.smtpauthpassword = xxxxx
    local.service.http.smtpauthuser = admin
    and reloaded the http service. (The password is correct.)
    Then I went to the webmail interface and tried to send an email, but when I pressed "send" the following message appeared:
    SMTP: Error 5.7.1 AUTH Command is not enabled.
    Do I have to do something else? Any lead?
    Regards

    Thanks Jay,
    I know about the limited use of the webmail authentication, but it is something I need to do because in my configuration I have to differentiate between users who can send emails to the internet and users who cannot, and in order to do that I need to authenticate all the users. So far it is working if the user uses an email client.
    For webmail I did not know that I had to add the mustsaslserver attribute to the tcp_intranet channel definition.
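Both SMTP AUTH threads above end with the same manual check: telnet to port 25, send EHLO and look for the 250-AUTH lines. The Python below is an added example, not code from the threads or from the messaging server, that performs that check programmatically: parse_ehlo() reads a captured EHLO reply and reports the advertised AUTH mechanisms and whether STARTTLS is offered, assess() gives the one-line verdict, and probe_smtp_auth() runs the same check live through smtplib. The two EHLO replies and the mail.example.com host name are constructed for the example, not captured from a real server.

```python
"""Check whether an SMTP server advertises SMTP AUTH (the EHLO test the thread does by hand).

Added example; not code from the forum threads or from the messaging server they discuss.
"""
import smtplib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthSupport:
    mechanisms: tuple[str, ...]   # e.g. ('PLAIN', 'LOGIN'); empty when AUTH is not offered
    starttls: bool

    @property
    def enabled(self) -> bool:
        return bool(self.mechanisms)


def parse_ehlo(response: str) -> AuthSupport:
    """Parse a multi-line 250 EHLO reply.

    Recognises both the RFC 4954 form '250-AUTH PLAIN LOGIN' and the legacy
    '250-AUTH=LOGIN' form that the reply above lists alongside it.
    """
    mechs: list[str] = []
    starttls = False
    for raw in response.splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        keyword = line[4:].strip().upper()      # drop the '250-' / '250 ' prefix
        if keyword == "STARTTLS":
            starttls = True
        elif keyword.startswith(("AUTH ", "AUTH=")):
            for mech in keyword[5:].split():    # both prefixes are 5 characters long
                if mech not in mechs:
                    mechs.append(mech)
    return AuthSupport(tuple(mechs), starttls)


def assess(support: AuthSupport) -> str:
    """Verdict: AUTH off, AUTH on, or AUTH on without STARTTLS (credentials exposed)."""
    if not support.enabled:
        return "SMTP AUTH is not enabled"
    mechs = " ".join(support.mechanisms)
    if not support.starttls:
        return (f"SMTP AUTH enabled ({mechs}) but no STARTTLS: PLAIN/LOGIN credentials "
                "would cross the wire base64-encoded, not encrypted")
    return f"SMTP AUTH enabled ({mechs}) with STARTTLS"


def probe_smtp_auth(host: str, port: int = 25, timeout: float = 10.0) -> AuthSupport:
    """Live check: connect, send EHLO, read the extensions smtplib recorded."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib keys extensions in lower case and folds the legacy 'AUTH=x' form into
        # the same 'auth' entry (sometimes with a leading '='), hence the lstrip.
        mechs = [m.lstrip("=") for m in smtp.esmtp_features.get("auth", "").upper().split()]
        return AuthSupport(tuple(dict.fromkeys(mechs)), smtp.has_extn("starttls"))


# Constructed EHLO replies for offline use (not captured from a real server).
EHLO_WITH_AUTH = """250-mail.example.com
250-8BITMIME
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
250 SIZE 52428800"""

EHLO_WITHOUT_AUTH = """250-mail.example.com
250-8BITMIME
250 SIZE 52428800"""


if __name__ == "__main__":
    for sample in (EHLO_WITH_AUTH, EHLO_WITHOUT_AUTH):
        print(assess(parse_ehlo(sample)))
```

The STARTTLS column is the caveat worth adding to the telnet test in the thread: AUTH PLAIN and AUTH LOGIN only base64-encode the password, so enabling them on a port-25 channel that does not also offer STARTTLS hands the credentials to anyone on the path.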

  • Config commands authorization on ASA

    Hi, is there a way to control the config commands with TACACS+ authorization?
    When I enable the configure command in the ACS shell command authorization set, all other config commands are enabled.
    In IOS there's "aaa authorization config-commands"; how do I do this with ASA?

    Please check this link, which explains command authorization on ASA.
    These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
    aaa-server authserver protocol tacacs+
    aaa-server authserver host 10.1.1.1
    aaa authorization command authserver
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Nexus, command authorization using TACACS.

    Hello.
    Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
    Thanks.
    Regards.
    Andrea

    Hi Andrea,
    We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
    username admin password role network-admin ; local admin user
    feature tacacs+ ; enable the tacacs feature
    tacacs-server host key ; define key for tacacs server
    aaa group server tacacs+ tacacs ; create group called 'tacacs'
        server ;define tacacs server IP
        use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
        source-interface mgmt0 ; ...and send them from the mgmt interface
    aaa authentication login default group tacacs ; use tacacs for login auth
    aaa authentication login console group tacacs  ; use tacacs for console login auth
    aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
    aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
    aaa accounting default group tacacs ; send accounting records to tacacs
    Hope that works for you!
    (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
    Rob...

  • Aaa authorization config-commands

    Hello,
    Can anybody explain the purpose of this command? I studied the documentation (command reference) but was unable to clearly understand the purpose of this command.
    Thanks in advance,
    Regards,
    Mo

    This was the best description of this command I could find on Cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.
    Cisco:
    Usage Guidelines
    If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.
    After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
    Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
    Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.
    The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
    aaa new-model
    aaa authorization command 15 group tacacs+ none
    no aaa authorization config-commands
    http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

  • ACS 5.1 command authorization in config mode

    Hello all,
    I have setup an ACS 5.1 system and a Cisco 3560 as test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" , "router bgp" , but the user can still apply them).
    Before posting I searched this forum and found 2 posts:
    https://supportforums.cisco.com/thread/2041611
    https://supportforums.cisco.com/message/3057298
    that suggest to have the AAA configured with:
    aaa authorization config-commands
    I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    Did I miss something? Do you have any suggestion for me?
    Thank you!
    Calin

    Can you run a "debug aaa authorization" to see what happens?

  • Command confusion - aaa authorization config-commands

    I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
      >> Shell Command Authorization Sets
          Name: Restricted_Voice
          Description: Configure port voice vlan only.
          Unmatched Commands: Deny
          Add: enable
          Add: configure / permit terminal <cr>
          Add: interface / permit Gi*
          Add: interface / permit Fa*
          Add: switchport / permit voice vlan *
    My switch configuration has the following aaa authorization related lines:
         aaa authorization commands 1 default group tacacs+ if-authenticated
         aaa authorization commands 15 default group tacacs+ if-authenticated
    When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected it to.
    I went and read up the command reference for "aaa authorization config-commands" in
    http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
    My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
    It looks like I resolved my issue and need to add the new statement to all my switches, but I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few, or the only one, that misinterpreted these "aaa authorization" commands?

    Hi Axa,
    I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
    The below is taken from cisco.com and explains that you should not require
    aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec user.
    This in essence is a hidden configured default, i.e. you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
    From Cisco.com (I have underlined the key points)
    aaa authorization config-commands
    To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
    aaa authorization config-commands
    no aaa authorization config-commands
    Syntax Description
    This command has no arguments or keywords.
    Defaults
    After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
    Usage Guidelines
    If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
    After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
    Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
    Examples
    The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
    aaa new-model
    aaa authorization command 15 tacacs+ none
    no aaa authorization config-commands
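The Restricted_Voice set and the behaviour reported in this thread (every configuration-mode command sailing through until aaa authorization config-commands was added), modelled in Python as an added example. This is not code from the poster, from ACS or from Cisco. It assumes the IOS request format, in which each command is sent as cmd=<word> plus one cmd-arg per argument and a final cmd-arg of <cr> (which is why the set contains "permit terminal <cr>"), and it matches argument patterns with shell-style globbing via fnmatch, which is an assumption of the model rather than documented ACS semantics. The CommandSet/CommandRule classes, nas_authorize() and the sample command lines are all invented for the example.

```python
"""Model of TACACS+ shell command authorization as discussed in the thread above.

Added example, not code from the poster, ACS or Cisco. Two halves are simulated:
the switch (NAS), which only sends configuration-mode commands for authorization when
'aaa authorization config-commands' is in effect, and an ACS-style Shell Command
Authorization Set with per-command permit/deny argument patterns.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class CommandRule:
    permit: list[str] = field(default_factory=list)   # argument patterns that permit
    deny: list[str] = field(default_factory=list)     # argument patterns that deny (checked first)
    permit_unmatched_args: bool = False               # ACS "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    commands: dict[str, CommandRule]
    unmatched_commands_permit: bool = False           # ACS "Unmatched Commands: Permit/Deny"

    def authorize(self, cmd: str, args: list[str]) -> bool:
        """Server-side decision for one cmd / cmd-arg request."""
        rule = self.commands.get(cmd)
        if rule is None:
            return self.unmatched_commands_permit
        # Assumption of this model: patterns are matched with shell-style globbing
        # against the space-joined arguments (including the trailing '<cr>').
        arg_text = " ".join(args)
        if any(fnmatchcase(arg_text, p) for p in rule.deny):
            return False
        if any(fnmatchcase(arg_text, p) for p in rule.permit):
            return True
        return rule.permit_unmatched_args


# The Restricted_Voice set from the post, transcribed into this model.
RESTRICTED_VOICE = CommandSet(
    commands={
        "enable": CommandRule(permit_unmatched_args=True),
        "configure": CommandRule(permit=["terminal <cr>"]),
        "interface": CommandRule(permit=["Gi*", "Fa*"]),
        "switchport": CommandRule(permit=["voice vlan *"]),
    },
    unmatched_commands_permit=False,
)


def nas_authorize(cli_line: str, config_mode: bool, config_commands_enabled: bool,
                  command_set: CommandSet) -> bool:
    """Decide as the switch would: build the TACACS+ request and ask the server,
    unless this is a configuration-mode command and config-command authorization is off,
    in which case IOS never sends it (the 'config command authorization not enabled' case)."""
    if config_mode and not config_commands_enabled:
        return True
    words = cli_line.split()   # assumes fully spelled-out commands; IOS expands abbreviations
    cmd, args = words[0], words[1:] + ["<cr>"]
    return command_set.authorize(cmd, args)


if __name__ == "__main__":
    cases = [
        ("enable", False, True),
        ("configure terminal", False, True),
        ("interface GigabitEthernet0/1", True, True),
        ("switchport voice vlan 100", True, True),
        ("switchport mode trunk", True, True),
        ("description Phone", True, True),
        ("description Phone", True, False),   # what the poster saw before adding the line
    ]
    for line, in_config, cfg_cmds in cases:
        state = "on" if cfg_cmds else "off"
        verdict = "permit" if nas_authorize(line, in_config, cfg_cmds, RESTRICTED_VOICE) else "deny"
        print(f"{line!r:32} config-commands={state:3} -> {verdict}")
```

The last case is the one the thread is about: with config-command authorization off on the switch, "description" and "hostname" are never presented to the server, so the set's "Unmatched Commands: Deny" has nothing to act on.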

  • Migrating IOS to NX-OS equivalent command snmp-server enable traps config

    Hello,
    I am trying to figure out what the equivalent command is to configure the IOS "snmp-server enable traps config" on a Nexus 5020 running NX-OS version 4.2.1.N2.1. Can someone please help me with this problem?
    Also I would like to know if there is a cisco howto document or tool to migrate from IOS to NX-OS  ?
    Any help is greatly appreciated
    Thanks
    Frank

    Hello,
    Both Nexus 5ks are not generating a trap after a config change, because on both Nexus running the same NX-OS version the snmp-server enable traps config command shows up. This is really strange behavior; because we are using the same software version for the Nexus 5k devices it doesn't make sense to me. In the meantime I checked the command line guide for this software version but the command wasn't showing up.
    nx5k-mt-2# show snmp trap | grep config
    nx5k-mt-2#
    nx5k-mt-2# show snmp trap
    Trap type                                                              Enabled
    entity               : entity_mib_change                            Yes
    entity               : entity_module_status_change                  Yes
    entity               : entity_power_status_change                   Yes
    entity               : entity_module_inserted                       Yes
    entity               : entity_module_removed                        Yes
    entity               : entity_unrecognised_module                   Yes
    entity               : entity_fan_status_change                     Yes
    link                 : linkDown                                     Yes
    link                 : linkUp                                       Yes
    link                 : extended-linkDown                            Yes
    link                 : extended-linkUp                              Yes
    link                 : cieLinkDown                                  Yes
    link                 : cieLinkUp                                    Yes
    link                 : connUnitPortStatusChange                     Yes
    link                 : fcTrunkIfUpNotify                            Yes
    link                 : fcTrunkIfDownNotify                          Yes
    link                 : delayed-link-state-change                    Yes
    link                 : fcot-inserted                                Yes
    link                 : fcot-removed                                 Yes
    callhome             : event-notify                                 Yes
    callhome             : smtp-send-fail                               Yes
    cfs                  : state-change-notif                           Yes
    cfs                  : merge-failure                                Yes
    fcdomain             : dmNewPrincipalSwitchNotify                   Yes
    fcdomain             : dmDomainIdNotAssignedNotify                  Yes
    fcdomain             : dmFabricChangeNotify                         Yes
    rf                   : redundancy_framework                         Yes
    aaa                  : server-state-change                          Yes
    license              : notify-license-expiry                        Yes
    license              : notify-no-license-for-feature                Yes
    license              : notify-licensefile-missing                   Yes
    license              : notify-license-expiry-warning                Yes
    scsi                 : scsi-disc-complete                           Yes
    fcns                 : reject-reg-req                               Yes
    fcns                 : local-entry-change                           Yes
    fcns                 : db-full                                      Yes
    fcns                 : remote-entry-change                          Yes
    rscn                 : rscnElsRejectReqNotify                       Yes
    rscn                 : rscnIlsRejectReqNotify                       Yes
    rscn                 : rscnElsRxRejectReqNotify                     Yes
    rscn                 : rscnIlsRxRejectReqNotify                     Yes
    fcs                  : request-reject                               Yes
    fcs                  : discovery-complete                           Yes
    fctrace              : route                                        Yes
    zone                 : request-reject1                              Yes
    zone                 : merge-success                                Yes
    zone                 : merge-failure                                Yes
    zone                 : default-zone-behavior-change                 Yes
    zone                 : unsupp-mem                                   Yes
    vsan                 : vsanStatusChange                             Yes
    vsan                 : vsanPortMembershipChange                     Yes
    fspf                 : fspfNbrStateChangeNotify                     Yes
    upgrade              : UpgradeOpNotifyOnCompletion                  Yes
    upgrade              : UpgradeJobStatusNotify                       Yes
    feature-control      : FeatureOpStatusChange                        Yes
    snmp                 : authentication                               Yes
    nx5k-mt-2#
    nx5k-mt-2#

  • How to enable "Shell Command Authorization Sets"

    Hi there
    I use aaa over tacacs to verify users from MS Active Directory.
    I configured a new "Shell Command Authorization Set" see the attachment for details.
    But this does not work. So I just want to test whether the use of a command is working or not.
    You can see in the attached file I tried something with "show" command.
    But if I log in I'm still able to use "show aaa servers", for example, even though in the "show" command box I put the argument "deny aaa".
    Why does this not work?
    Thanks for the help
    bb

    Hi BB,
    This is what you need on IOS device,
    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    On acs bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Rest all seems to be ok.
    ~JG
    Please rate if that helps

  • Command Authorization Config best practice using ACS

    Hi
    Are there any best practices for configuring command authorization (for router/switch/ASA) in CS-ACS? To be specific, are there any best practices to configure authorization for a set of commands allowed for L1, L2, L3 support levels?
    Regards
    V Vinodh.

    Vinodh,
    The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure the configs are working fine.
    Please check this link,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Authorization config-commands - doubts

    Hello Everyone,
    So, for AAA Authorization,
    When I issue: aaa authorization commands 15 default local -> it will authorize every command on the exec for lvl 15.
    Does the command above overlap with: aaa authorization config-commands?
    Should I use aaa authorization config-commands just when I'm trying to authorize configuration commands?

    No, the aaa authorization config-commands is a must for the aaa authorization commands 15 default local to work. If the config-commands is missing from your config then no authorization will happen for level 15 commands. Take a look at this post:
    https://supportforums.cisco.com/discussion/11409121/command-confusion-aaa-authorization-config-commands
    Thank you for rating helpful posts!
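A check that turns the points of the last few threads into something you can run over a running-config: whether aaa authorization config-commands is explicit (or negated with the no form) alongside aaa authorization commands <level>, whether a command-authorization method list ends in the fail-open none method (compare the fallback advice in the best-practice thread), and whether a named method list is actually applied to a line. This is an added Python example, not code from the threads or from Cisco; the two sample configurations are constructed for it, modelled on the snippets posted above, and the severity labels and the audit_aaa() function are the example's own.

```python
"""Audit the AAA authorization stanzas of a Cisco IOS running-config.

Added example, not code from the threads above or from Cisco. The checks encode the
thread's lessons: 'aaa authorization commands <level>' with 'no aaa authorization
config-commands' (or without an explicit 'aaa authorization config-commands') leaves
configuration-mode commands unchecked; a method list ending in 'none' fails open when
every AAA server is unreachable; a named method list that no 'line' stanza applies is
never consulted. Both sample configs are constructed for this demo.
"""
import re

# 'aaa authorization command(s) <level> <list> <methods...>'. Older IOS syntax omitted
# the list name and the 'group' keyword, so the second token may already be a method.
AUTHZ_CMD_RE = re.compile(r"^aaa authorization commands? (\d+) (\S+)(.*)$")
METHOD_WORDS = {"group", "local", "none", "if-authenticated", "tacacs+", "radius"}

# Stanzas that define method lists, and the per-line keyword that applies a named one.
LIST_STANZAS = {
    "authentication login": "login authentication",
    "authorization exec": "authorization exec",
    "accounting exec": "accounting exec",
}


def _lines(config: str) -> list[str]:
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def audit_aaa(config: str) -> list[str]:
    """Return findings as 'SEVERITY: message' strings; an empty list means clean."""
    lines = _lines(config)
    findings: list[str] = []

    if "aaa new-model" not in lines:
        findings.append("HIGH: 'aaa new-model' is missing, so no aaa authorization line takes effect")

    cmd_authz = [m for ln in lines if (m := AUTHZ_CMD_RE.match(ln))]
    if cmd_authz:
        if "no aaa authorization config-commands" in lines:
            findings.append("HIGH: 'no aaa authorization config-commands' disables AAA "
                            "authorization for every configuration-mode command")
        elif "aaa authorization config-commands" not in lines:
            findings.append("MEDIUM: 'aaa authorization config-commands' is not explicit; add it "
                            "so configuration-mode commands are sent for authorization")
        for m in cmd_authz:
            level, second, rest = m.group(1), m.group(2), m.group(3).split()
            if second in METHOD_WORDS:        # old syntax: no list name, list is 'default'
                list_name, methods = "default", [second] + rest
            else:
                list_name, methods = second, rest
            if methods and methods[-1] == "none":
                findings.append(f"HIGH: commands {level} list '{list_name}' ends in 'none'; every "
                                "command is authorized when the AAA server is unreachable")
            elif methods and methods[-1] == "if-authenticated":
                findings.append(f"INFO: commands {level} list '{list_name}' falls back to "
                                "'if-authenticated' (any authenticated user passes on server failure)")
            if list_name != "default" and f"authorization commands {level} {list_name}" not in lines:
                findings.append(f"MEDIUM: method list '{list_name}' (authorization commands {level}) "
                                "is defined but not applied to any line")

    # Named lists (anything but 'default') are consulted only where a line applies them.
    for ln in lines:
        for stanza, apply_kw in LIST_STANZAS.items():
            m = re.match(rf"^aaa {stanza} (\S+)", ln)
            if m and m.group(1) != "default" and f"{apply_kw} {m.group(1)}" not in lines:
                findings.append(f"MEDIUM: method list '{m.group(1)}' ({stanza}) is defined "
                                "but not applied to any line")
    return findings


# Constructed to resemble the configs posted in the threads (not a real device's config).
WEAK_CONFIG = """\
aaa new-model
aaa authentication attempts login 5
aaa authentication login My-RADIUS group radius local
aaa authorization exec default group radius local if-authenticated
aaa authorization commands 15 default group tacacs+ none
no aaa authorization config-commands
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
!
line vty 0 4
 accounting exec My-RADIUS
 transport input ssh
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_aaa(cfg))} finding(s)")
        for finding in audit_aaa(cfg):
            print("  " + finding)
```

The weak sample reproduces the situation in the original post at the top of this page: a named authentication list (My-RADIUS) that nothing applies, so the vty lines keep using the default list. Whether if-authenticated is acceptable as the fallback is a policy choice (it is what the best-practice reply recommends to avoid lockout), so the example reports it as information rather than as a finding.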

  • DACP commands are not working on Ipv6 enabled Airplay ITune service on MAC book.

    DACP commands are not working on the IPv6-enabled AirPlay iTunes service on a MacBook.
    As we have gone through the source code (AirPlay Audio POSIX receiver v190.9.p6), in the dnssd_clientshim.c file the API DNSServiceGetAddrInfoResponse provides the implementation for IPv4 only.
    The test setup to test DACP over IPv6 is by disabling IPv4 on the MacBook and only enabling IPv6.
    We are not sure if the test procedure is correct; please clarify the same.

    Hi,
    It is because of the license. In WS-C3750X-48P-L, you have a LANBASE license whereas in WS-C3750X-24P-S you have an IPSERVICES license.
    FDR_SW#show version
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    License Level: lanbase
    License Type: Permanent
    Next reload license Level: lanbase
    In a LANBASE license, ip routing and ip multicast commands are not supported.
    Hope this helps.
    Thanks,
    Arun
