topic Re: lin con 0 authorization failed in Network Access Control

lin con 0 authorization failed

Conucci — Tue, 19 Sep 2023 06:55:02 GMT

Hello,

I can't configure the line con 0 with the command login authentication CONSOLE. I get the following error:

sy-xxxx-ch-xxx-s-0xx(config-line)#login authentication CONSOLE
Command authorization failed.

The tacacs is up and running because I'm already connected to the device with ssh over tacacs+ and I have done several commends like on the console 0 too:
***
line con 0
authorization exec CONSOLE
***

What I'm doing wrong? Is it not possible to do this command on a running system?
It's a new C9200CX

Thank you for your advice

Kind Regards

Marco

Re: lin con 0 authorization failed

Conucci — Tue, 19 Sep 2023 06:55:49 GMT

Sorry, that was missing in my post

aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

Re: lin con 0 authorization failed

M02@rt37 — Tue, 19 Sep 2023 07:31:58 GMT

Hello @Conucci,

add aaa authorization exec CONSOLE if-authenticated

Re: lin con 0 authorization failed

Conucci — Tue, 19 Sep 2023 08:18:44 GMT

Dear M02@rt37

Thank you, it's working. Strange is, that I didn't configure on C9200L and it's working. I have never seen before

Re: lin con 0 authorization failed

M02@rt37 — Tue, 19 Sep 2023 08:24:38 GMT

You're very welcome @Conucci.

Re: lin con 0 authorization failed

Aref Alsouqi — Tue, 19 Sep 2023 08:47:22 GMT

I think it should've worked with the commands you already applied. The only thing that comes to my mind that could potentially have caused this issue is that on the TACACS server you don't have the right authorization rules so potentially it was hitting a default deny rule. I think with the command suggested by M02@rt37 it wouldn't check against the TACACS policies configured on the TACACS server, and it would only look if the session has passed the authentication.

Usually we add the "if-authenticated" keyword at the end of the aaa authorization command, something like this "aaa authorization exec CONSOLE group tacacs+ local if-authenticated". The "if-authenticated" keyword would allow the authorization to be allowed when the TACACS server is not available at the time the network device relays the authorization requests, and in that case, the network device would only verify if the session has been successfully authenticated. This is a security measure that would avoid being locked-out in case right after the authetnication the communication with the TACACS server goes down for any reason.