https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3196112#M1065620 <P>Hello,</P> <P>&nbsp;</P> <P>At first glance, your problem looks like to be user privilege&nbsp;on ACS. As per your description you only upgrade the ASA but make sure everything is ok on ACS. Maybe you can delete ASA as client on ACS and add it again. Do the same for your user.</P> <P>&nbsp;This can be some syncronization isseu between two platforms after upgrade..</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Mon, 09 Oct 2017 18:11:57 GMT Flavio Miranda 2017-10-09T18:11:57Z https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3195973#M1065619 <P>Hi,</P> <P>&nbsp;</P> <P>I currently upgraded the IOS of the firewall 5540.</P> <P>Prior to the upgrade, I deleted the aaa commands in case I could get locked once it rebooted.</P> <P>&nbsp;</P> <P><STRONG>no aaa authentication serial console TACACS+ LOCAL</STRONG><BR /><STRONG>no aaa authentication enable console TACACS+ LOCAL</STRONG><BR /><STRONG>no aaa authorization command TACACS+ LOCAL</STRONG></P> <P>&nbsp;</P> <P>TACACS+ refers to the ACS.</P> <P>&nbsp;</P> <P>After the upgrade, I added the aaa commands back and noticed that I couldn't run any command on console and got this error message</P> <P>&nbsp;</P> <P>enc-wups-ex-vpnasa5540-1/act# sh run</P> <P><STRONG>Command authorization failed</STRONG></P> <P>&nbsp;</P> <P>As I typed any command, I got that error message.</P> <P>If I removed "<SPAN><STRONG>aaa authorization command TACACS+ LOCAL</STRONG>" I could run any command on console.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And,&nbsp;I could run any command thru SSH having those aaa commands.</P> <P>&nbsp;</P> <P>My colleague resolved this issue. He said</P> <P>&nbsp;</P> <P>remove it and logg off console</P> <P>then add it from ssh</P> <P>and then login</P> <P>&nbsp;</P> <P>But I'm not sure when he said "remove it and logg off console"</P> <P>Did he remove it on console? If he did, how could he remove it although he couldn't run any command?</P> <P>Maybe he used local username?</P> <P>&nbsp;</P> <P>Please help!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thank you!</P> Fri, 21 Feb 2020 14:27:40 GMT https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3195973#M1065619 ohforce55 2020-02-21T14:27:40Z https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3196112#M1065620 <P>Hello,</P> <P>&nbsp;</P> <P>At first glance, your problem looks like to be user privilege&nbsp;on ACS. As per your description you only upgrade the ASA but make sure everything is ok on ACS. Maybe you can delete ASA as client on ACS and add it again. Do the same for your user.</P> <P>&nbsp;This can be some syncronization isseu between two platforms after upgrade..</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Mon, 09 Oct 2017 18:11:57 GMT https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3196112#M1065620 Flavio Miranda 2017-10-09T18:11:57Z https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3196142#M1065621 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks for your reply.</P> <P>When I checked the ACS, there was no any issue.</P> <P>I don't think this is the privilege issue as well because I could run any command before the upgrade with the credential.</P> Mon, 09 Oct 2017 19:11:16 GMT https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3196142#M1065621 ohforce55 2017-10-09T19:11:16Z https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3197276#M1065622 <P>Hi&nbsp; ohforce55,</P> <P>&nbsp;</P> <P>Have you checked the event logs at ACS? that will give you a good idea that why ACS is unauthorizing you to enter any command.</P> Wed, 11 Oct 2017 18:36:19 GMT https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3197276#M1065622 Spooster IT Services 2017-10-11T18:36:19Z https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3197277#M1065623 <P>Hi&nbsp; ohforce55,<BR />&nbsp;<BR />Have you checked the event logs at ACS? that will give you a good idea that why ACS is unauthorizing you to enter any command.</P> Wed, 11 Oct 2017 18:37:26 GMT https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3197277#M1065623 Spooster IT Services 2017-10-11T18:37:26Z https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3198358#M1065624 <P>Hi,</P> <P>&nbsp;</P> <P>There wasn't even the log for it since I couldn't run any command.</P> Fri, 13 Oct 2017 14:26:01 GMT https://community.cisco.com/t5/network-security/not-able-to-run-any-command-thru-console-command-authorization/m-p/3198358#M1065624 ohforce55 2017-10-13T14:26:01Z