https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642392#M329967 <P>We are using command authorization on our ios devices with cisco secure acs 5.2&nbsp; We have local accounts defined on our gear in the event that the ACS server is unavailable.&nbsp; However, when we test this, we are able to login to the device, but any command issued at that point with the local account is denied.&nbsp; I am sure there is an additional command required.&nbsp; Any ideas?</P> Mon, 11 Mar 2019 00:50:12 GMT awatson20 2019-03-11T00:50:12Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642392#M329967 <P>We are using command authorization on our ios devices with cisco secure acs 5.2&nbsp; We have local accounts defined on our gear in the event that the ACS server is unavailable.&nbsp; However, when we test this, we are able to login to the device, but any command issued at that point with the local account is denied.&nbsp; I am sure there is an additional command required.&nbsp; Any ideas?</P> Mon, 11 Mar 2019 00:50:12 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642392#M329967 awatson20 2019-03-11T00:50:12Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642393#M330039 <HTML><HEAD></HEAD><BODY><P>In your "aaa authorization command" configuration, did you add local as a fallback method?</P><P>When you define the local user account on IOS router, did you set privilege to 15?</P></BODY></HTML> Thu, 17 Feb 2011 17:15:34 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642393#M330039 Yudong Wu 2011-02-17T17:15:34Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642394#M330119 <HTML><HEAD></HEAD><BODY><P>Yes.&nbsp; Below is what the configuration looks like. </P><P></P><P>aaa authentication login default group tacacs+ local<BR />aaa authentication login local_auth local<BR />aaa authorization config-commands<BR />aaa authorization exec default group Admin local if-authenticated<BR />aaa authorization commands 0 default group tacacs+<BR />aaa authorization commands 1 default group tacacs+<BR />aaa authorization commands 15 default group tacacs+<BR />aaa accounting exec default start-stop group Admin<BR />aaa accounting network default start-stop group Admin</P><P></P><P></P><P>This is the message I get when I attempt to go in enable mode.</P><P></P><P>switch&gt;en</P><P><BR />% Authorization failed.</P><P></P><P>switch&gt;</P></BODY></HTML> Thu, 17 Feb 2011 18:22:28 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642394#M330119 awatson20 2011-02-17T18:22:28Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642395#M330220 <HTML><HEAD></HEAD><BODY><P>You need change the following commands</P><P>aaa authorization commands 0 default group tacacs+<BR />aaa authorization commands 1 default group tacacs+<BR />aaa authorization commands 15 default group tacacs+</P><P></P><P>to</P><P></P><P>aaa authorization commands 0 default group tacacs+ local<BR />aaa authorization commands 1 default group tacacs+ local<BR />aaa authorization commands 15 default group tacacs+ local</P><P></P><P>when you define the user account on the router, you need add it like the following</P><P>user <USERNAME> password <PASSWORD> privilege <PRIVILEGE>&nbsp; &lt;-- use 15 as privilege number if you would like to let user to use all commands.</PRIVILEGE></PASSWORD></USERNAME></P></BODY></HTML> Thu, 17 Feb 2011 19:04:22 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-authorization/m-p/1642395#M330220 Yudong Wu 2011-02-17T19:04:22Z