https://community.cisco.com/t5/network-access-control/cisco-5525-asa-tacacs-authentication-problem/m-p/2829198#M56695 <P>Hi Experts,</P> <P></P> <P>Due to some suspected recent policy implementation/changes on&nbsp;5525 ASA , same is not getting&nbsp;autheticate on TACACs (ACS) However we are getting prompt for username/password.</P> <P>We also&nbsp;have local username/password, through which we are able to logged into ASA but not able to execute any command , it's showing "command authorization failed". Like.</P> <P>Cisco-asa&gt; en<BR />Password: ***********<BR /><SPAN style="color: #ff0000;"><STRONG>Cisco-asa# conf t</STRONG></SPAN><BR /><SPAN style="color: #ff0000;"><STRONG>Command authorization failed</STRONG></SPAN><BR />Cisco-asa#</P> <P>Due to this issue, we are also not getting authenticate&nbsp;on upper devices (above ASA).</P> <P></P> <P>Below is Configuration for ACS(TACACS) for reference (taken from old configuration backup)</P> <P>aaa-server ACS protocol tacacs+<BR />&nbsp;accounting-mode simultaneous<BR />aaa-server ACS (Inside) host 10.50.10.100<BR />&nbsp;key Cisco@123<BR />aaa-server ACS (Inside) host 10.50.10.101<BR />&nbsp;key Cisco@123<BR />user-identity default-domain LOCAL<BR />aaa authentication enable console ACS LOCAL<BR />aaa authentication http console ACS LOCAL<BR />aaa authentication ssh console ACS LOCAL<BR />aaa authorization command ACS <BR />aaa accounting enable console ACS<BR />aaa accounting ssh console ACS<BR />aaa accounting command ACS</P> <P></P> <P>Requesting to&nbsp;pls guide&nbsp;for resolving the problem.</P> <P></P> <P>Rgds</P> <P>***&nbsp;</P> Mon, 11 Mar 2019 06:14:14 GMT netbeginner 2019-03-11T06:14:14Z https://community.cisco.com/t5/network-access-control/cisco-5525-asa-tacacs-authentication-problem/m-p/2829198#M56695 <P>Hi Experts,</P> <P></P> <P>Due to some suspected recent policy implementation/changes on&nbsp;5525 ASA , same is not getting&nbsp;autheticate on TACACs (ACS) However we are getting prompt for username/password.</P> <P>We also&nbsp;have local username/password, through which we are able to logged into ASA but not able to execute any command , it's showing "command authorization failed". Like.</P> <P>Cisco-asa&gt; en<BR />Password: ***********<BR /><SPAN style="color: #ff0000;"><STRONG>Cisco-asa# conf t</STRONG></SPAN><BR /><SPAN style="color: #ff0000;"><STRONG>Command authorization failed</STRONG></SPAN><BR />Cisco-asa#</P> <P>Due to this issue, we are also not getting authenticate&nbsp;on upper devices (above ASA).</P> <P></P> <P>Below is Configuration for ACS(TACACS) for reference (taken from old configuration backup)</P> <P>aaa-server ACS protocol tacacs+<BR />&nbsp;accounting-mode simultaneous<BR />aaa-server ACS (Inside) host 10.50.10.100<BR />&nbsp;key Cisco@123<BR />aaa-server ACS (Inside) host 10.50.10.101<BR />&nbsp;key Cisco@123<BR />user-identity default-domain LOCAL<BR />aaa authentication enable console ACS LOCAL<BR />aaa authentication http console ACS LOCAL<BR />aaa authentication ssh console ACS LOCAL<BR />aaa authorization command ACS <BR />aaa accounting enable console ACS<BR />aaa accounting ssh console ACS<BR />aaa accounting command ACS</P> <P></P> <P>Requesting to&nbsp;pls guide&nbsp;for resolving the problem.</P> <P></P> <P>Rgds</P> <P>***&nbsp;</P> Mon, 11 Mar 2019 06:14:14 GMT https://community.cisco.com/t5/network-access-control/cisco-5525-asa-tacacs-authentication-problem/m-p/2829198#M56695 netbeginner 2019-03-11T06:14:14Z https://community.cisco.com/t5/network-access-control/cisco-5525-asa-tacacs-authentication-problem/m-p/2829199#M56699 <P>I think you could just delete the Authorization command, in my experience if you are allowed to login then you want to be authorised automatically,authentication is usually enough.&nbsp;</P> Mon, 16 Nov 2015 06:49:12 GMT https://community.cisco.com/t5/network-access-control/cisco-5525-asa-tacacs-authentication-problem/m-p/2829199#M56699 Richard Bradfield 2015-11-16T06:49:12Z