Enable mode authorization failed.

rice.randy — Sun, 10 Mar 2019 22:27:07 GMT

Have a user that cannot get to en prompt. Here is my trace output:

AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr=

'10.128.20.110' authen_type=1 service=ENABLE priv=152007 Oct 16 10:57:07.360 EST

-04:00

AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE

TAC+: send AUTHEN/START packet ver=192 id=626074205

TAC+: Opening TCP/IP connection to 10.129.12.196

TAC+: ver=192 id=626074205 received AUTHEN status = GETPASS2007 Oct 16 10:57:08.

440 EST -04:00

AAA/AUTHEN (626074205): status = GETPASSPassword: 2007 Oct 16 10:57:11.200 EST -

04:00 *62*2007 Oct 16 10:57:11.440 EST -04:00 *69*2007 Oct 16 10:57:11.800 EST -

04:00 *67*2007 Oct 16 10:57:12.050 EST -04:00 *74*2007 Oct 16 10:57:12.300 EST -

04:00 *6f*2007 Oct 16 10:57:12.530 EST -04:00 *65*

2007 Oct 16 10:57:12.950 EST -04:00

AAA/AUTHEN/CONT (626074205): continue_login2007 Oct 16 10:57:12.950 EST -04:00

AAA/AUTHEN (626074205): status = GETPASS

TAC+: send AUTHEN/CONT packet id=626074205

TAC+: ver=192 id=626074205 received AUTHEN status = PASS2007 Oct 16 10:57:13.460

EST -04:00

AAA/AUTHEN (626074205): status = PASS2007 Oct 16 10:57:13.460 EST -04:00 return

PASS

2007 Oct 16 10:57:13.460 EST -04:00

AAA/AUTHOR : ptr2=enable

2007 Oct 16 10:57:13.470 EST -04:00

AAA/AUTHOR : Add AV service=shell

2007 Oct 16 10:57:13.470 EST -04:00

AAA/AUTHOR : Add AV cmd=enable

2007 Oct 16 10:57:13.470 EST -04:00

AAA/AUTHOR/TACACS+ cmd author (413075467): Port='telnet146' list='(null)' servic

e=CMD2007 Oct 16 10:57:13.480 EST -04:00

AAA/AUTHOR/TACACS+ cmd author: (413075467) user='lduncan'2007 Oct 16 10:57:13.4

80 EST -04:00

AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV service=shell2007 Oct 16 10:5

7:13.480 EST -04:00

AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV cmd=enable

AAA/AUTHOR/TACACS+ cmd author: (413075467) Method=TAC_PLUS2007 Oct 16 10:57:13.4

90 EST -04:00

AAA/AUTHOR/TAC+: (413075467): user=lduncan2007 Oct 16 10:57:13.490 EST -04:00

AAA/AUTHOR/TAC+: (413075467): send AV service=shell2007 Oct 16 10:57:13.490 EST

-04:00

AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable

TAC+: Opening TCP/IP connection to 10.129.12.196

TAC+: (413075467): received author response status = FAIL2007 Oct 16 10:57:14.50

0 EST -04:00

AAA/AUTHOR (413075467): Post authorization status = FAIL2007 Oct 16 10:57:14.500

EST -04:00

AAA/AUTHOR : do_author result=12007 Oct 16 10:57:14.500 EST -04:00 %AAA: author:

tacacs_plus_author ret=1.

Enable mode authorization faile

I have checked his user info and group info in tacacs.

Re: Enable mode authorization failed.

Jagdeep Gambhir — Tue, 16 Oct 2007 14:51:54 GMT

It seems that you have command author configured that is why user in not able to issue it.

What kind of user is it ? Admin or normal user.

To make him login you need to make changes in the command author set.

Make one command autho set in acs --->shared profile componenets.

add-->give any name "Full access "---> Put radio button to permit and submit.

Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.

Now it should let you in.

Caution : This is let that uses to issue all commands

Also provide me more info if you want user to deny some commands. We need to set up command autho set accordingly.

Regards,

~JG

Please rate helpful posts

Re: Enable mode authorization failed.

rice.randy — Tue, 16 Oct 2007 15:10:13 GMT

Thanks, that fixed it...............

Re: Enable mode authorization failed.

Jagdeep Gambhir — Tue, 16 Oct 2007 15:12:04 GMT

Please mark it resolved so other can benefit from it.

Regards,

~JG

topic Re: Enable mode authorization failed. in Network Access Control

Enable mode authorization failed.

Re: Enable mode authorization failed.

Re: Enable mode authorization failed.

Re: Enable mode authorization failed.