https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852047#M408573 <HTML><HEAD></HEAD><BODY><P>JG, thanks for that, I though so that might be the only solution. One question though, the last column of that table has my problem and the solution it suggests it "Log in and reset the passwords and aaa commands." but the problem is when I login, I am only able to login by the locked out user so I can not fire any commands, not even the password change so should I enter the setup of the firewall (ROMMON) to reset the password and does the ROMMON accept all the configure commands ?</P><P></P><P>Regards,</P><P>Murtaza</P></BODY></HTML> Thu, 18 Oct 2007 18:51:45 GMT csco11029214 2007-10-18T18:51:45Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852041#M408563 <P>I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :</P><P>============================</P><P>EUKFW2# show running-config</P><P> ^</P><P>ERROR: % Invalid input detected at '^' marker.</P><P>ERROR: Command authorization failed </P><P>============================</P><P></P><P>I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?</P> Sun, 10 Mar 2019 22:27:19 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852041#M408563 csco11029214 2019-03-10T22:27:19Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852042#M408565 <HTML><HEAD></HEAD><BODY><P>No there is no default user. To make him login you need to make changes in the command author set.</P><P></P><P>Make one command autho set in acs ---&gt;shared profile components.</P><P></P><P>add--&gt;give any name "Full access "---&gt; Put radio button to permit and submit.</P><P></P><P>Now go to that group--&gt;Under Shell Command Authorization Set---&gt; Choose---&gt;Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.</P><P></P><P>Now it should let you in.</P><P></P><P>Caution : This is let that uses to issue all commands</P><P></P><P>Find attached the way to set up command authorization. </P><P></P><P>Trick here is to give all user prov lvl 15 and then apply command autho set.</P><P></P><P>Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.</P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Please rate if helps</P><P></P><P> </P><P></P></BODY></HTML> Wed, 17 Oct 2007 19:30:09 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852042#M408565 Jagdeep Gambhir 2007-10-17T19:30:09Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852043#M408567 <HTML><HEAD></HEAD><BODY><P>Thanks for the attachments, I have had a look at them but the problem is that the changes you specified are made through HTTP browser and my firewall was not fully configured hence it can not be connected through HTTP nor SSH nor Telnet, so the only option I have is the console on which it is connected <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>Regards,</P><P>Murtaza</P></BODY></HTML> Wed, 17 Oct 2007 19:47:31 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852043#M408567 csco11029214 2007-10-17T19:47:31Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852044#M408569 <HTML><HEAD></HEAD><BODY><P>You need to make these changes in tacacs server and not in ASA.</P><P></P><P></P><P></P></BODY></HTML> Wed, 17 Oct 2007 19:49:33 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852044#M408569 Jagdeep Gambhir 2007-10-17T19:49:33Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852045#M408571 <HTML><HEAD></HEAD><BODY><P>Ok, but I did not configure the aaa authorization to use TACACS server, I set it to use LOCAL. Can I disable the authorization from ROMMON ? Actually I just want to disable the aaa command authorization on the ASA so that I can login to the user mode directly and then the EXEC mode with the password I set during the setup.</P></BODY></HTML> Wed, 17 Oct 2007 19:54:03 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852045#M408571 csco11029214 2007-10-17T19:54:03Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852046#M408572 <HTML><HEAD></HEAD><BODY><P>This is how you need to recover it,</P><P></P><P>Lockout Scenarios</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1044015" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1044015</A></P><P></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Please rate helpful posts</P></BODY></HTML> Thu, 18 Oct 2007 15:08:45 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852046#M408572 Jagdeep Gambhir 2007-10-18T15:08:45Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852047#M408573 <HTML><HEAD></HEAD><BODY><P>JG, thanks for that, I though so that might be the only solution. One question though, the last column of that table has my problem and the solution it suggests it "Log in and reset the passwords and aaa commands." but the problem is when I login, I am only able to login by the locked out user so I can not fire any commands, not even the password change so should I enter the setup of the firewall (ROMMON) to reset the password and does the ROMMON accept all the configure commands ?</P><P></P><P>Regards,</P><P>Murtaza</P></BODY></HTML> Thu, 18 Oct 2007 18:51:45 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852047#M408573 csco11029214 2007-10-18T18:51:45Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852048#M408574 <HTML><HEAD></HEAD><BODY><P>Please check this link,</P><P></P><P><A class="jive-link-custom" href="http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224" target="_blank">http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224</A></P><P></P><P>Please rate helpful posts</P><P></P><P>Regards,</P><P>~JG</P><P></P><P></P></BODY></HTML> Thu, 18 Oct 2007 19:16:05 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852048#M408574 Jagdeep Gambhir 2007-10-18T19:16:05Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852049#M408575 <HTML><HEAD></HEAD><BODY><P>Thank you, I think that URL has guided me to the corrective solution.</P><P></P><P>Regards,</P><P>Murtaza</P></BODY></HTML> Thu, 18 Oct 2007 21:00:36 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/852049#M408575 csco11029214 2007-10-18T21:00:36Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/3910793#M408576 <A href="http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224" target="_blank">http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224</A> not opening<BR /><BR />404 Page Not Found Tue, 20 Aug 2019 11:46:40 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/3910793#M408576 ios_networks 2019-08-20T11:46:40Z https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/4072029#M559850 <P>Hello All,&nbsp;</P><P>&nbsp;</P><P>I am facing the same issue and unfortunately, am not able to open the link which provided in the above ticket, it says&nbsp;</P><P>Policy Error.</P><P>&nbsp;</P><P>Can some1 please let me know the steps or solution given over there...</P><P>&nbsp;</P><P><A href="http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224" target="_blank" rel="nofollow noopener noreferrer">http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224</A></P> Thu, 23 Apr 2020 05:04:59 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed/m-p/4072029#M559850 sanjay.j.iyengar 2020-04-23T05:04:59Z