topic Fallback authorization.Command authorization failed in Network Access Control

Fallback authorization.Command authorization failed

pemasirid — Sun, 10 Mar 2019 22:43:00 GMT

Hi I configured my firewall for authenticaitona and authorization. I could login via telent/console with AD username & password but I could not do any command exces. (ie.sh run, conf t etc) and I get following error

allback authorization. Username 'xxx' not in LOCAL database

Command authorization failed

Following are the configuration in firewall

aaa-server VPN protocol radius

accounting-mode simultaneous

aaa-server VPN host 172.20.20.11

key xxx

aaa-server VPN host 172.20.20.12

key xxx

aaa-server my-group protocol tacacs+

accounting-mode simultaneous

aaa-server my-group host 172.20.20.11

key xxx

aaa-server my-group host 172.20.20.12

key xxx

aaa authentication telnet console VPN LOCAL

aaa authentication enable console VPN LOCAL

aaa authorization command VPN LOCAL

aaa accounting command privilege 15 my-group

I used Radius for my VPN user authentication. Fitst time i tried using tacacs+ for aaa authenticaiton/authorization for console/telnet but it didnt work. then I change to Radius then it authenticated.

In ACS I cretated Shared Profile to allow_all in add the same in ACS group under Shell command Authorization Set.

But still I only can login to firewall but can't execute any commands and get the following erro.

Fallback authorization. Username 'mannai' not in LOCAL database

Command authorization failed

Can anyone give me a solution for this please.

thanks

Re: Fallback authorization.Command authorization failed

Jagdeep Gambhir — Fri, 14 Mar 2008 12:47:47 GMT

Pls see this example,something must be worng in shell author set.

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts

Re: Fallback authorization.Command authorization failed

pemasirid — Sun, 16 Mar 2008 09:02:24 GMT

Hi JG,

thanks for the reply. I followed the same procedure but this time I got the following error:

XXX-PIX515# sh run

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

Here is my configuration in Firewall:

aaa-server my-group protocol tacacs+

accounting-mode simultaneous

aaa-server my-group host 172.20.20.11

key cisco123

aaa-server my-group host 172.20.20.12

key cisco123

privilege cmd level 15 mode enable command configure

aaa authorization command my-group LOCAL

And ACS configuration is also attached.

I followed the steps in Firewall 7.2(2) guide for configuring AAA Authentication and Authorization and it said its is required to configure local aaa authorization. I configured local username & passowrd with privilege 15 but even its not ask for this username & password it accepts only default password.

Please help me to solve this issue.

thanks in advance

Fallback authorization.Command authorization failed

shakirovshm — Tue, 31 Jul 2012 17:37:20 GMT

Hi everybody.

I have the same ptoblem. I've got ASA 8.2(5) and ACS 5.2. But i can login ASA by username wich is located in

ASA LOCAL database . And i can not login by username wich is located in ACS 5.2, at the same time i can login Router 2951 by that username. After login by username which is located in ASA LOCAL database i can not execute any command. I ve got the following error:

FW-ASA-DPC-02-5520-1# sh run

Command authorization failed

FW-ASA-DPC-02-5520-1#

And if i will restart ACS, and during restarting i will execute the same command i will have the following error:

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

FW-ASA-DPC-02-5520-1#

FW-ASA-DPC-02-5520-1# sh run

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

FW-ASA-DPC-02-5520-1#

Fallback authorization.Command authorization failed

shakirovshm — Wed, 01 Aug 2012 09:13:34 GMT

I've svolved my problem by using following commands:

aaa-server AAA_ID protocol tacacs+

aaa-server AAA_ID (VLAN_19) host 10.2.19.21

key ***

aaa authentication ssh console AAA_ID LOCAL

aaa authorization command AAA_ID LOCAL

aaa authorization exec authentication-server

username aaaaa password AAAAAAAAA encrypted privilege 15

username aaaaa attributes

service-type admin

Hello shakirovshm,

netbeginner — Sat, 14 Nov 2015 08:14:03 GMT

Hello shakirovshm,

I am also facing the same problem ....ACS (5.6) credentials are not getting authenticate on ASA 5525 But we are able to login on ASA using local password and getting same output what u experienced. i.e COMMAND AUTHORIZATION FAILED on executing any CLI command.

This will be great help to us If you share "how you got the entry permission with all access on ASA and corrected the commands".

Rgds

****