topic Re: Command authorization failed in Network Security

Command authorization failed

yong khang NG — Tue, 12 Mar 2019 01:49:33 GMT

Hi all,

Below is the problem statement:

For device admin purpose, when enable AAA access/Authorization in ASDM, it not allow user to configure the ASA via CLI.

when trying to configure, It will promopt message of "command authorization failed"

For the topology setup:

01.ASA code running in version 8.4.2

02. Cisco ACS running in version 5.3.0.40

For device admin purpose, using Cisco ACS 5.3 as the backend AAA server, running on protocol TACACS+

There's no issue on AAA setting of authenticaiton and authorization part. Shell profile's privilege level and command set's command were running well in Cisco ios router/switch device.

For ASA ASDM access, it able to support users' Shell profile's privilege level assigned at Cisco ACS server.

Specific user privilege on ASA were using "configure command privleges", it's using default setting, apply to all. View-only on privilege 3, admin level on 15.

Problem only after enable ASDM AAA access/ authorization, it not allow to configure the ASA via CLI

attach the snipet of ASA firewall config and the debug log,

Hope you guys able to pin point my mistake.

Million Thanks

Noel

Command authorization failed

Julio Carvajal — Mon, 27 May 2013 06:48:58 GMT

Hello Yong,

Is there a way you can share a snapshot of the error u are getting on the ACS (The log on the TACACS+ authorization AAA monitoring area)

That would lead us to a solution as right now seems to be a missconfiguration with the command set configured as result for that specific user,

Regards

Re: Command authorization failed

yong khang NG — Mon, 27 May 2013 07:51:41 GMT

Hi jc

thanks for the reply.

i attached some snapshot on the ACS configuration.

Quesiton 1: it show username as enable_15. while i am using username:admin to perform authentication which i created at ACS

thanks

Noel

Re: Command authorization failed

Jatin Katyal — Mon, 27 May 2013 12:33:25 GMT

Hi Yong,

Since you are doing command authorization against ACS/TACACS and then local.

aaa authorization command ACS LOCAL

so If we are configuring command authorization on ASA, we have to make sure that we have enable authenticaiton configured from the same tacacs server. otherwise we would see failed logs for "enable_15".

Please add the below listed command on the ASA and make sure we define and use the enable password from ACS.

aaa authentication enable console ACS LOCAL

Let me know how it goes.

Jatin Katyal
- Do rate helpful posts -

Re: Command authorization failed

Julio Carvajal — Mon, 27 May 2013 16:58:08 GMT

Hello Yong,

Agree with Jatin,

The thing with the ASA is that when performing authorization it will do a preservation of the username, in this case it will preserve the username in privilege mode ( as you are not authenticating the enable password it will use the default privilige_15 username )

Authenticate the enable password against the ACS and you should be good to go,

Let us know the result,

Regards

Re: Command authorization failed

yong khang NG — Tue, 28 May 2013 07:42:20 GMT

hi both

thanks for the idea and it do work on this case.

but i hit another problem !

My test case only telling username: admin with privilege level 15; whilst i have another user with lower privilege, username:ops with privilege level 3, role is monitoring, and read-only on configuration (CLI)

In CLI, it can pass thru the authentication process, but not able to let username:ops get into exec mode. It stuck in enable password.

Even i create the enable password with privilege level 3, but it also not let go.

Anything i can tune?

Thanks again

Re: Command authorization failed

Jatin Katyal — Tue, 28 May 2013 07:50:46 GMT

Since TACACS is your primary authentication method so it doesn't matter what role you have on the local database. I would like to see what enable privileges you have assisgned user:ops on the ACS. Can you get the screen shot from the policy elements.

Also, take a look at the tacacs authentication section in the logging and monitoring section to see what error you are getting.As far as I guess, it should be related to enable privileges.

Jatin Katyal
- Do rate helpful posts -

Re: Command authorization failed

yong khang NG — Tue, 28 May 2013 09:03:38 GMT

Hi Jatin,

yeah i do think there's something missing.

i attached the ASA config snipet and the ACS config snapshot for your to view.

Thanks

Noel

Re: Command authorization failed

Jatin Katyal — Tue, 28 May 2013 12:31:01 GMT

set the maximum privilege to 15 in policy elements. Even after doing that, you will still be able to access only show commands. This is a required settings for enable authentication.

Jatin Katyal
- Do rate helpful posts -

Re: Command authorization failed

yong khang NG — Wed, 29 May 2013 05:04:33 GMT

Hi Jatin

It work as expected, thanks for these days support

Noel

I got the same issue with

benissetaib — Thu, 26 Nov 2015 02:53:51 GMT

I got the same issue with admin context, when I hit a command, an error message : command authorization failed.

An account : enable_15 who is authneticated not my normal account.

The solution was to create a new account in ACS with enable_15 as credential.

Re: Command authorization failed

Flavio Miranda — Mon, 09 Oct 2017 18:11:43 GMT