https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986988#M419544 <P></P><P>I have configured the pix firewall for ACS authentication and command authorization, everything is working fine</P><P></P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server TACACS+ (inside) host 172.28.x.x x.x.x </P><P>aaa-server TACACS+ (inside) host 172.28.x. xx </P><P>aaa authentication ssh console TACACS+ LOCAL </P><P>aaa authentication serial console LOCAL </P><P>aaa authentication enable console TACACS+ LOCAL </P><P>aaa authorization command TACACS+ </P><P>aaa accounting command privilege 15 TACACS+ </P><P>aaa accounting enable console TACACS+ </P><P></P><P>but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when</P><P>ACS down, i wana to get console and access the device by using local username and password</P><P></P><P>but now after this configuration when i try to access the firewall via console, i m getting error of </P><P></P><P>command authorization fail.</P><P></P><P>I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue</P><P></P><P></P><P>I have made the command authorization set in ACS and it is working fine for me, </P><P></P><P></P> Sun, 10 Mar 2019 22:51:27 GMT wasiimcisco 2019-03-10T22:51:27Z https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986988#M419544 <P></P><P>I have configured the pix firewall for ACS authentication and command authorization, everything is working fine</P><P></P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server TACACS+ (inside) host 172.28.x.x x.x.x </P><P>aaa-server TACACS+ (inside) host 172.28.x. xx </P><P>aaa authentication ssh console TACACS+ LOCAL </P><P>aaa authentication serial console LOCAL </P><P>aaa authentication enable console TACACS+ LOCAL </P><P>aaa authorization command TACACS+ </P><P>aaa accounting command privilege 15 TACACS+ </P><P>aaa accounting enable console TACACS+ </P><P></P><P>but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when</P><P>ACS down, i wana to get console and access the device by using local username and password</P><P></P><P>but now after this configuration when i try to access the firewall via console, i m getting error of </P><P></P><P>command authorization fail.</P><P></P><P>I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue</P><P></P><P></P><P>I have made the command authorization set in ACS and it is working fine for me, </P><P></P><P></P> Sun, 10 Mar 2019 22:51:27 GMT https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986988#M419544 wasiimcisco 2019-03-10T22:51:27Z https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986989#M419547 <HTML><HEAD></HEAD><BODY><P>Wasim,</P><P>Seems to be a bug, the issue we are facing with ASA v 7.2, where fall back to local authentication gives 'command authorization' failed with few commands has been files as a BUG. </P><P></P><P>Here is the bug tool link: CSCsj56051</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl" target="_blank">http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl</A></P><P></P><P>***************************************************************</P><P></P><P>AAA authorization commands LOCAL fallback broken</P><P></P><P> </P><P>Alternate Headline: AAA authorization commands LOCAL fallback broken</P><P></P><P>Symptom: aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.</P><P></P><P>Conditions:</P><P>TACACS+ server communication is lost; LOCAL is configured next in the list.</P><P></P><P>Workaround: none.</P><P></P><P>Further Problem Description:</P><P></P><P>7.2.2 does not show this behavior</P><P></P><P>**************************************************************</P><P>The issue is resolved in 007.002(002.034), 008.000(002.011),</P><P>008.002(000.045)</P><P></P><P>Regards,</P><P>~JG</P><P></P></BODY></HTML> Tue, 20 May 2008 13:46:37 GMT https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986989#M419547 Jagdeep Gambhir 2008-05-20T13:46:37Z https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986990#M419549 <HTML><HEAD></HEAD><BODY><P>kindly once again check my modified configuration, </P><P></P><P>I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me. </P><P></P><P>aa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ (edn) host 172.28.31.132</P><P>aaa-server TACACS+ (edn) host 172.28.31.133</P><P>aaa authentication ssh console TACACS+ LOCAL</P><P>aaa authentication enable console TACACS+ LOCAL</P><P>aaa authentication serial console LOCAL </P><P>aaa authentication http console LOCAL </P><P>aaa authorization command TACACS+ LOCAL</P><P>aaa accounting command privilege 15 TACACS+</P><P>aaa accounting enable console TACACS+</P><P></P><P>but i m not able to login i m getting following eror</P><P></P><P>Command authorization failed</P><P>TDC-INT-525-01&gt; exit</P><P>Command authorization failed</P><P>TDC-INT-525-01&gt; exit</P><P>Command authorization failed</P><P>TDC-INT-525-01&gt; enable</P><P>Command authorization failed</P><P></P><P>i also defined the local command authorization set like this</P><P></P><P>privilege cmd level 15 mode exec command exit</P><P>privilege show level 5 mode exec command running-config</P><P>privilege show level 15 mode exec command version</P><P>privilege show level 0 mode exec command access-list</P><P>privilege show level 0 mode configure command access-list</P><P>privilege cmd level 15 mode configure command exit</P><P>privilege cmd level 15 mode configure command no</P><P>privilege cmd level 0 mode configure command access-list</P><P>privilege cmd level 15 mode interface command exit</P><P>privilege cmd level 15 mode subinterface command exit</P><P>privilege cmd level 15 mode dynupd-method command exit</P><P>privilege cmd level 15 mode trange command exit</P><P>privilege cmd level 15 mode route-map command exit</P><P>privilege cmd level 15 mode router command exit</P><P>privilege cmd level 15 mode ldap command exit</P><P>privilege cmd level 15 mode aaa-server-host command exit</P><P>privilege cmd level 15 mode aaa-server-group command exit</P><P>privilege cmd level 15 mode context command exit</P><P>privilege cmd level 15 mode group-policy command exit</P><P>privilege cmd level 15 mode username command exit</P><P>privilege cmd level 15 mode tunnel-group-general command exit</P><P>privilege cmd level 15 mode tunnel-group-ipsec command exit</P><P>privilege cmd level 15 mode tunnel-group-ppp command exit</P><P>privilege cmd level 15 mode mpf-class-map command exit</P><P>privilege cmd level 15 mode mpf-policy-map command exit</P><P>privilege cmd level 15 mode mpf-policy-map-class command exit</P><P>privilege cmd level 15 mode mpf-policy-map-class command exit</P><P>privilege cmd level 15 mode mpf-policy-map-param command exit</P><P></P><P>Please tell me how to solve this problem </P><P></P></BODY></HTML> Tue, 20 May 2008 19:54:21 GMT https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986990#M419549 wasiimcisco 2008-05-20T19:54:21Z https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986991#M419552 <HTML><HEAD></HEAD><BODY><P>Is the issue happening only with console ? If ssh works fine then did the check the bug I mentioned in my last post ?</P></BODY></HTML> Tue, 20 May 2008 20:05:51 GMT https://community.cisco.com/t5/network-access-control/acs-command-authorization-on-pix-console/m-p/986991#M419552 Jagdeep Gambhir 2008-05-20T20:05:51Z