topic AAA issue ( command authorization failed) in Network Access Control

AAA issue ( command authorization failed)

game123 — Mon, 11 Mar 2019 04:13:52 GMT

I am getting the issue, and following is the script , cannot find and locate the cause of error !

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname hexxor

boot-start-marker

boot-end-marker

enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1

enable password 7 0525112F05411F075231123E

username hexxor password 7 024D2A103F26243363593D1C2B5C

aaa new-model

aaa authentication login T-AUTH group tacacs+ local

aaa authorization console

aaa authorization config-commands

aaa authorization exec T-AUTHOR group tacacs+ if-authenticated

aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated

aaa accounting exec T-ACC start-stop group tacacs+

aaa accounting commands 15 T-ACC start-stop group tacacs+

interface Vlan1

no ip address

interface Vlan50

ip address 128.1.50.54 255.255.255.0

no ip route-cache

ip default-gateway 128.1.50.254

no ip http server

ip http secure-server

ip sla enable reaction-alerts

logging trap debugging

logging 10.241.40.20

logging 128.1.50.245

access-list 1 permit 128.1.50.245

snmp-server host 10.241.40.27 Armageddon

snmp-server host 128.1.50.245 Armageddon

tacacs-server host 10.241.40.22

tacacs-server host 10.241.40.23

tacacs-server directed-request

tacacs-server key 7 020813480E052F2E4D

line con 0

exec-timeout 5 0

password 7 1142374E2332201E2B3D1F210678

authorization commands 15 T-AUTHOR

authorization exec T-AUTHOR

accounting commands 15 T-ACC

accounting exec T-ACC

transport preferred none

line vty 0 4

exec-timeout 5 0

password 7 06281801684358174E231727

authorization commands 15 T-AUTHOR

authorization exec T-AUTHOR

accounting commands 15 T-ACC

accounting exec T-ACC

transport input telnet

transport output telnet

line vty 5 15

password 7 0228137B2F0B5E2F077A0C35

end

AAA issue ( command authorization failed)

Amjad Abdullah — Thu, 02 Jan 2014 09:40:07 GMT

1- check your radius server logs and see what it says about this message.

2- add the following lines to your config:

>aaa authorization commands 0 T-AUTHOR group tacacs+ if-authenticated

>aaa authorization commands 1 T-AUTHOR group tacacs+ if-authenticated

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

AAA issue ( command authorization failed)

Richard Burts — Fri, 03 Jan 2014 16:05:09 GMT

There are several authorization commands configured. It would be helpful to know which one might be the one causing the issue. Are we correct in assuming that authentication is processing successfully to TACACS and that TACACS authorization is where the problem is coming from?

Can you tell us whether the authorization failed message is generated when you attempt to login? Or is it generated when you attempt to enter some command?

HTH

Rick

AAA issue ( command authorization failed)

game123 — Tue, 07 Jan 2014 00:43:13 GMT

Actually, the script I pasted above is giving me errors on authorization .

I can input the AD credentials for login username and password, yet enter the enable mode, but in enable mdoe cannot run the SHOW RUN or SHOW VER commands and says COMMAND AUTHIRZATION FAILED ?

Need help on that.

AAA issue ( command authorization failed)

Richard Burts — Tue, 07 Jan 2014 03:54:39 GMT

Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.

I would suggest this as a first test:

- login to the device.

- go into enabl mode.

- attempt the show run command. (I assume that it will fail)

- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.

If you want to do a second test to verify the cause of the problem then I would suggest this:

- remove from the config these lines

aaa authorization exec T-AUTHOR group tacacs+ if-authenticated

aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated

then login to the device, go into enable mode, attempt the show run command

Try one or both of these tests and post back to tell us of the results.

HTH

Rick

AAA issue ( command authorization failed)

game123 — Mon, 13 Jan 2014 18:55:02 GMT

Honestly,

All tips are fine ... but i just restarted my ACS and things started working fine.

amazing !

this happened in the CCIE lab also to me 4 years ago !!!

thanks for all the advice anyways.

keep up the good work!

-K-

AAA issue ( command authorization failed)

Richard Burts — Mon, 13 Jan 2014 20:32:00 GMT

Thanks for posting back to the forum and letting us know that it has started to work correctly after a restart. It is sometimes helpful to be reminded that when strange symptoms are encountered that sometimes a restart will cause things to work normally again.

HTH

Rick