https://community.cisco.com/t5/network-access-control/command-authorization-failed-acs-5-6/m-p/2561164#M75227 <P>Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?</P> <PRE> debug aaa authentication debug aaa authorization debug tacacs authorization</PRE> <P>Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.</P> <P>&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> Wed, 07 Jan 2015 18:02:24 GMT nspasov 2015-01-07T18:02:24Z https://community.cisco.com/t5/network-access-control/command-authorization-failed-acs-5-6/m-p/2561163#M75226 <P>I have a new ACS 5.6 appliance set up that uses Active Directory authentication.</P><P>&nbsp;</P><P>I created a shell profile, mapped it to the authorization rule, and then added devices to the system.</P><P>&nbsp;</P><P>The first device I added was able to use ACS to authenticate and authorize users without any issues. In the ACS logs, it shows me log in and get the shell profile/privileges (15).</P><P>&nbsp;</P><P>The second device I added authenticates me, but then I get a "command authorization failed" message every time I try to do something. In the ACS logs, it shows me log in (using AD), and get the same shell profile (level 15). Not sure what the problem is.</P><P>&nbsp;</P><P>Here are the AAA settings on the switch</P><P>&nbsp;</P><P>aaa authentication login listASH group tacacs+ local<BR />aaa authentication enable default group tacacs+ enable<BR />aaa authorization exec listASH group tacacs+ local<BR />aaa authorization commands 0 default group tacacs+ if-authenticated<BR />aaa authorization commands 1 default group tacacs+ if-authenticated<BR />aaa authorization commands 15 default group tacacs+ if-authenticated<BR />&nbsp;<BR />tacacs-server host 10.1.2.212<BR />tacacs-server timeout 3<BR />tacacs-server directed-request<BR />tacacs-server key &lt;key&gt;<BR />&nbsp;<BR />line vty 0 4<BR />access-class vty-access in<BR />logging synchronous level all<BR />login authentication listASH<BR />transport input ssh</P><P>&nbsp;</P><P>Network connectivity is fine, and obviously, the key works (because I authenticate). Nevertheless, I cannot get proper authorization.</P> Mon, 11 Mar 2019 05:19:30 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed-acs-5-6/m-p/2561163#M75226 Colin Higgins 2019-03-11T05:19:30Z https://community.cisco.com/t5/network-access-control/command-authorization-failed-acs-5-6/m-p/2561164#M75227 <P>Hmm, the config looks correct, especially if it works on one device but fails on the second. Have you tried to issue some debugs and see if you are getting any errors?</P> <PRE> debug aaa authentication debug aaa authorization debug tacacs authorization</PRE> <P>Also, is there a version of code difference between the two devices? Perhaps you are hitting a bug.</P> <P>&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> Wed, 07 Jan 2015 18:02:24 GMT https://community.cisco.com/t5/network-access-control/command-authorization-failed-acs-5-6/m-p/2561164#M75227 nspasov 2015-01-07T18:02:24Z