topic Console authorization issue in Network Access Control

Console authorization issue

James Horne — Mon, 11 Mar 2019 04:30:50 GMT

Hi, all.

I'm getting “% Authorization Failed.” on the console when logging in despite the config below - have I missed something here?

!
aaa new-model
!
aaa authentication login default local
aaa authentication login VTY_AUTH group radius local
aaa authorization exec default none
aaa authorization exec VTY_AUTH group radius local
aaa accounting exec default start-stop group radius
!

!
line con 0
password 7 XXXXXXXXXXXXXX
line vty 0 4
access-class VTY_ACL in
password 7 XXXXXXXXXXXXXX
authorization exec VTY_AUTH
login authentication VTY_AUTH
transport input ssh
transport output ssh
line vty 5 15
transport input none
!

Debug output when I login:

AAA/AUTHEN/LOGIN (000004B6): Pick method list 'default'
AAA/AUTHOR (0x4B6): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004B6): Authorization FAILED

I can’t for the life of me figure out why it’s trying the “VTY_AUTH” list - any ideas?

This is on a 3750-X stack running 12.2(55)SE3 at ipbase license level.

Hello,Yeah does not seems

Julio Carvajal — Tue, 11 Mar 2014 05:00:10 GMT

Hello,

Yeah does not seems good,

Quick question, did you add the command:

aaa authorization console

This is required to enable authorization on the console line,

Regards

I would get ride of this line

nspasov — Tue, 11 Mar 2014 05:11:18 GMT

I would get ride of this line as I have the feeling that it is causing issues for you.

aaa authentication login default local

If that does not fix it you can also add:

aaa authentication login console line

line con 0

login authentication console

Hope this helps!

Thank you for rating helpful posts!

well check the syntax and if

kaaftab — Tue, 11 Mar 2014 13:55:40 GMT

well check the syntax and if you are using the groups make sure they are avaiable in the radius and raduis server is clearly defined and reachable.

aaa authentication login default {group group-list [none]| local

group-list—Space-separated list of server groups that can include any configured RADIUS or TACACS+ server group name.

local—Specifies the local database of the
Cisco CG-OS router for authentication.

none—Uses no authentication.

debugs indicates that while

Jatin Katyal — Tue, 11 Mar 2014 17:47:20 GMT

debugs indicates that while you were trying to connect from console, it picked the right authentication method and wrong authorization method. I guess you might have globally enabled console authorization but then also it should not pick VTY_AUTH method list.

Can you try this if possible:

username <username> privilege 15 password <password>

aaa authentication login CON default local

aaa authorization exec CON default local

aaa authorization console

line console 0

login authentication CON

authorization exec CON

exit

Please try again and let me know if that works.

Regards,

Jatin Katyal

**Do rate helpful posts**

The aaa authorization console

James Horne — Wed, 12 Mar 2014 01:15:05 GMT

The aaa authorization console command is not in use - this idea is to have the console only ever use the local database. As you can see in my original post, the default method is set to local for login (and is selected correctly) and "none" is set for the default exec authorization (and is skipped?).

I'm sure it would work if I define a new list but one would assume that if the default is set it should use that (if at all)?

I have also tried setting the default to "if-authenticated" etc. but it goes to use the 'VTY_AUTH' in all cases. Though interestingly, when the RADIUS servers are unreachable the local login does work - I assume this is because the fallback authorization mode is local?

Seems like it could be a bug?

I will be back on site to test tomorrow morning.

Following up on this, I have

James Horne — Sat, 15 Mar 2014 03:09:58 GMT

Following up on this, I have tried most suggestions with the config currently as follows:

!
aaa new-model
!
aaa authentication login default local
aaa authentication login CON0 local
aaa authentication login VTY_AUTH group radius local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
aaa authorization exec VTY_AUTH group radius local
aaa accounting exec default start-stop group radius
!

!
line con 0
password 7 XXXXXXXXXXXXXX
authorization exec CON0
login authentication CON0
line vty 0 4
access-class VTY_ACL in
password 7 XXXXXXXXXXXXXX
authorization exec VTY_AUTH
login authentication VTY_AUTH
transport input ssh
transport output ssh
line vty 5 15
transport input none
!

Debug output on login - you’ll notice that this is still picking the wrong list:

AAA/BIND(000004DE): Bind i/f
AAA/AUTHEN/LOGIN (000004DE): Pick method list 'CON0'
AAA/AUTHOR (0x4DE): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004DE): Authorization FAILED

Any further ideas?

Came on to post about

James Horne — Fri, 18 Dec 2015 01:37:03 GMT

CONCLUSION

Came on to post about something else and saw this, remembering that I had never returned to update it with the final working config:

aaa new-model
aaa authentication login default local
aaa authentication login CON0 local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
aaa session-id common

line con 0
password 7 XXXXXXXXXXXXXX
authorization exec CON0
login authentication CON0

Version is now 15.2(1)E2 and none of this worked until I moved off the version mentioned in the initial post.

James, glad you were able to

nspasov — Sat, 19 Dec 2015 01:57:54 GMT

James, glad you were able to solve your issue! Also, thank you for taking the time to come back here and provide the solution (+5 from me).

Now, since the issue is resolved, you should mark the thread as "answered" 🙂

Thank you for rating helpful posts!