topic Neno, in Network Access Control

Command Authorization Failed on certain show commands

Terence Lockette — Mon, 11 Mar 2019 06:21:27 GMT

Hello,

Here is my current AAA configuration on our switches:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization exec console local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 0 console local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
authorization commands 0 console
authorization commands 15 console
authorization exec console
logging synchronous
login authentication console

The issue I'm having is that I'm getting 'command authorization failed' while logged in with the local account rather than a TACACS+ account when attempting to run certain show commands. Some of the commands are 'show etherchannel summ', 'show interface status', and 'show version'. I can, however, perform a show run and get into global config mode. If I disconnect the uplink from the network, then I can run any and all show commands. It's only when I'm connected to the network and our ACS server is reachable that I get these errors. Any ideas why I can do a show run but not other show commands?

Regards,

Terence

Hi Terence,

nspasov — Mon, 28 Dec 2015 19:53:01 GMT

Hi Terence,

The way AAA works is that the "groups" of databases/devices are checked in the order that they are configured. If the first database/device is available any subsequent ones will only be checked if that database/device is not available. So in your configuration, the TACACS+ server is the first one on the list while the local database is second. Thus, the local database is only considered/checked if the TACACS+ server becomes unavailable.

I hope this helps!

Thank you for rating helpful posts!

Terence,

Javier Henderson — Mon, 28 Dec 2015 19:58:21 GMT

Terence,

You have "commands 0", but the show commands above are executed at level 1.

Neno,

Terence Lockette — Tue, 29 Dec 2015 18:06:16 GMT

Neno,

But why would some show commands work and not others? My console line is configured to use the local database only; not TACACS+

Terence,

Javier Henderson — Wed, 30 Dec 2015 14:03:12 GMT

Terence,

Please see my comment above. You're trying to authorize commands as if they run at privilege level 0, but they run at privilege level 1.