topic Re: Authorization Issue in Network Access Control

Authorization Issue

JAISONTHOMAS — Tue, 30 Jan 2024 12:45:34 GMT

I have a catalyst WS-C3850-48U-S that has some problem with getting it to enable mode. I am getting the below error,

XXX-XXX-XXX-X>en
% Authorization failed.

I tried to console the switch and it is the same. Is there a way I can get into the switch and check its config.?

Thank you in advance.

Re: Authorization Issue

M02@rt37 — Tue, 30 Jan 2024 12:49:36 GMT

Hello @JAISONTHOMAS

The C3850 is in production environment ?

Re: Authorization Issue

JAISONTHOMAS — Tue, 30 Jan 2024 12:53:16 GMT

Unfortunately, it is in prod. I am desperately trying to get to it.

Re: Authorization Issue

MHM Cisco World — Tue, 30 Jan 2024 12:53:17 GMT

show run | i aaa

MHM

Re: Authorization Issue

M02@rt37 — Tue, 30 Jan 2024 12:54:39 GMT

@JAISONTHOMAS

Auth relies on RADIUS or TACACS server ?

Re: Authorization Issue

JAISONTHOMAS — Tue, 30 Jan 2024 12:54:37 GMT

xxxx-xxx-xxx>sh run | i aaa
^
% Invalid input detected at '^' marker.

xxxx-xxx-xxx>

Re: Authorization Issue

JAISONTHOMAS — Tue, 30 Jan 2024 12:55:21 GMT

TACACS server

Re: Authorization Issue

MHM Cisco World — Tue, 30 Jan 2024 13:15:06 GMT

OK, I forget you cant access by console also
do

enable 5 or enable 1

the try show

hope it work

MHM

Re: Authorization Issue

M02@rt37 — Tue, 30 Jan 2024 13:10:17 GMT

@JAISONTHOMAS

"Authorization failed" message at the console is because in the config AAA authentication must be configured and no fallback option of enable or local username is there.

Re: Authorization Issue

M02@rt37 — Tue, 30 Jan 2024 13:16:47 GMT

@JAISONTHOMAS

If you are unable to access enable mode due to authorization issues, you might need to perform a password recovery procedure. This involves restarting the switch and interrupting the boot sequence to access a recovery mode where you can add a AAA fallback with local credentials.

Maintenance window...

Re: Authorization Issue

Aref Alsouqi — Tue, 30 Jan 2024 13:21:30 GMT

It seems that the account you used to log into the switch doesn't have permissions to higher its privilege level. If you are using ISE as the TACACS server then I think you can workaround this by creating a new network access user in ISE with enable password configured, and then you create an authentication rule on ISE with TACACS service equals to enable, and finally you point that authentication rule to ISE internal users database.

When you log into the switch with these new user credentials, and you type "en" you should then use the new enable password you configured in ISE, that should work.

Alternatively, but depending on your TACACS configs on the switch, you simulate a link failure between the switch and ISE, maybe by placing a deny all firewall rule between the switch and ISE if the firewall happens to be in the path, and if your TACACS configs applied to the switch are configured to fall back to local or if "if-authenticated" keyword is configured, then authorizing the enable command would be skipped.

Re: Authorization Issue

MHM Cisco World — Tue, 30 Jan 2024 13:27:06 GMT

M02@rt37 @Aref Alsouqi
the issue seem from AAA and he have two solution (depend on his config)
either password recovery (sorry @JAISONTHOMAS )
or make TACACS push priv 15 via authz <<- this done by ISE or AAA server and it make you directly enter priv 15 no need enable

so let wait his reply can he access priv1 or priv5 or not

MHM

Re: Authorization Issue

JAISONTHOMAS — Tue, 30 Jan 2024 13:32:27 GMT

@MHM Cisco World enable 1 and 5 didn't work.

@Aref Alsouqi yes we are using ISE as our tacacs server. I will try the ISE option you mentioned. if that fails, will put a FW rule to deny the connectivity to ISE and see if it failover to local authentication. Thank you guys, appreciated

Re: Authorization Issue

MHM Cisco World — Tue, 30 Jan 2024 13:39:24 GMT

if you use ISE push priv 15 to SW
cisco-av-pair = priv-lev=15 <<- this need to add in ISE

if you can not enter enable priv 15 then adjust the authz in SW is impossible, try solution from ISE

MHM

Re: Authorization Issue

Aref Alsouqi — Tue, 30 Jan 2024 13:39:46 GMT

Yes that's right, changing the TACACS profile privilege level would be another option.

Re: Authorization Issue

MHM Cisco World — Tue, 30 Jan 2024 13:41:33 GMT

thanks for confirm
have a nice day
MHM

Re: Authorization Issue

Aref Alsouqi — Tue, 30 Jan 2024 13:43:34 GMT

As @MHM Cisco World mentioned another option would be to change TACACS profile in ISE to push privilege 15 for example down to the switch. If you check your authorization rule in ISE you should see a profile associated next the rule to the right. You can check what privilege level is configured as the default in that profile, it would be something different than 15. If you don't want to change the settings of this original profile, then you can clone it and set the default privilege and the maximum to be level 15. And then you associate this profile to the authorization rule, this should place you in privilege level 15 when you log into the switch.