AAA % Authorization failed.

thiago.tomen

Even with my credentials being accepted in the ACS, I get an authorization failure. Does anyone have any idea what it could be?

(Unauthorized use is prohibited)

username: tparrilha

password:

% Authorization failed.

logs of debug aaa

*May  2 09:48:30.840: AAA/AUTHOR/EXEC(00000026): Authorization FAILED

*May  2 09:48:41.612: AAA/BIND(00000027): Bind i/f 

*May  2 09:48:41.612: AAA/AUTHEN/LOGIN (00000027): Pick method list 'default'

*May  2 09:48:45.440: AAA/AUTHOR (0x27): Pick method list 'default' - FAIL

*May  2 09:48:45.456: AAA/AUTHOR/EXEC(00000027): Authorization FAILED

aaa new-model

!

aaa group server tacacs+ Bainet

server 172.20.244.10

!

aaa authentication fail-message ^CCCC Sorry the password is wrong^C

aaa authentication login default group Bainet local

aaa authentication enable default group Bainet enable none

aaa authorization config-commands

aaa authorization exec default group Bainet local

aaa authorization commands 1 default group Bainet local

aaa authorization commands 2 default group Bainet local

aaa authorization commands 3 default group Bainet local

aaa authorization commands 4 default group Bainet local

aaa authorization commands 5 default group Bainet local

aaa authorization commands 6 default group Bainet local

aaa authorization commands 7 default group Bainet local

aaa authorization commands 8 default group Bainet local

aaa authorization commands 9 default group Bainet local

aaa authorization commands 10 default group Bainet local

aaa authorization commands 11 default group Bainet local

aaa authorization commands 12 default group Bainet local

aaa authorization commands 13 default group Bainet local

aaa authorization commands 14 default group Bainet local

aaa authorization commands 15 default group Bainet local

aaa authorization configuration default group Bainet

aaa accounting send stop-record authentication failure

aaa accounting exec default

action-type start-stop

group Bainet

!

aaa accounting commands 0 default

action-type start-stop

group Bainet

!

aaa accounting commands 1 default

action-type start-stop

group Bainet

!

aaa accounting commands 2 default

action-type start-stop

group Bainet

!

aaa accounting commands 3 default

action-type start-stop

group Bainet

!

aaa accounting commands 4 default

action-type start-stop

group Bainet

!

aaa accounting commands 5 default

action-type start-stop

group Bainet

!

aaa accounting commands 6 default

action-type start-stop

group Bainet

!

aaa accounting commands 7 default

action-type start-stop

group Bainet

!

aaa accounting commands 8 default

action-type start-stop

group Bainet

!

aaa accounting commands 9 default

action-type start-stop

group Bainet

!

aaa accounting commands 10 default

action-type start-stop

group Bainet

!

aaa accounting commands 11 default

action-type start-stop

group Bainet

!

aaa accounting commands 12 default

action-type start-stop

group Bainet

!

aaa accounting commands 13 default

action-type start-stop

group Bainet

!

aaa accounting commands 14 default

action-type start-stop

group Bainet

!

aaa accounting commands 15 default

action-type start-stop

group Bainet

!

aaa accounting network default

action-type start-stop

group Bainet

!

aaa accounting connection default

action-type start-stop

group Bainet

!

aaa accounting system default

action-type start-stop

group Bainet

ip tacacs source-interface FastEthernet0/0.1

tacacs-server host 192.168.110.1 single-connection

tacacs-server directed-request

tacacs-server key 7 11485807161B4A0E0524282B6972

#show ver

RT-NAMIBE-NBE#show version

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_IVS_LI-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Fri 03-Sep-10 05:39 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RT-NAMIBE-NBE uptime is 12 weeks, 5 days, 23 hours, 56 minutes

System returned to ROM by power-on

System image file is "flash:c2800nm-adventerprisek9_ivs_li-mz.124-24.T4.bin"

Accepted Solution

Jatin Katyal
Cisco Employee

After the debug message *May  2 09:48:45.440: AAA/AUTHOR (0x27): Pick method list 'default' - FAIL* the control will be passed to TACACS. From this log it is not clear why it failed in TACACS authorization. Looking at your configuration, it's clear that you're expecting the next prompt for the enable password only if priv-lvl=15 is not configured on ACS for the user/group.

Could you also remove single-connection from the below listed command and try again.

tacacs-server host 192.168.110.1 single-connection

In case it doesn't work, send the complete output of following debugs if possible.

Debug aaa authentication

Debug aaa authorization

Debug tacacs authentication

Debug tacacs authorization

Debug tacacs events

Jatin Katyal


- Do rate helpful posts -

~Jatin
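A way to read the `debug aaa` output from this thread per session rather than line by line, as an added example that is not part of the original posts: it groups the lines by AAA session id and reports the sessions where a login method list was picked but EXEC authorization then failed. It assumes that `00000027` and `0x27` are the same session id printed in two hex forms, and that an authorization attempt following the login lines means authentication passed; the function names and verdict strings are made up for this sketch.

```python
import re
from collections import defaultdict

# Debug lines copied from the original post (IOS "debug aaa" output).
SAMPLE = """\
*May  2 09:48:30.840: AAA/AUTHOR/EXEC(00000026): Authorization FAILED
*May  2 09:48:41.612: AAA/BIND(00000027): Bind i/f
*May  2 09:48:41.612: AAA/AUTHEN/LOGIN (00000027): Pick method list 'default'
*May  2 09:48:45.440: AAA/AUTHOR (0x27): Pick method list 'default' - FAIL
*May  2 09:48:45.456: AAA/AUTHOR/EXEC(00000027): Authorization FAILED
"""

# "*<timestamp>: AAA/<facility>(<session id>): <message>". Assumption: the id
# appears as 8 hex digits (00000027) or as 0x27 for one and the same session.
LINE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+AAA/(?P<fac>[A-Z/]+)\s*"
    r"\((?P<sid>0x[0-9A-Fa-f]+|[0-9A-Fa-f]+)\):\s*(?P<msg>.*)$"
)
METHOD_LIST = re.compile(r"Pick method list '([^']+)'")

def parse(text):
    """Return {session_id: [(timestamp, facility, message), ...]}."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sessions[int(m["sid"], 16)].append((m["ts"], m["fac"], m["msg"].strip()))
    return dict(sessions)

def triage(text):
    """Classify each session by where in the AAA sequence it stopped."""
    report = {}
    for sid, events in parse(text).items():
        authen = [e for e in events if e[1].startswith("AUTHEN")]
        author = [e for e in events if e[1].startswith("AUTHOR")]
        failed = any("FAIL" in msg.upper() for _, _, msg in author)
        lists = [m.group(1) for _, _, msg in author if (m := METHOD_LIST.search(msg))]
        if failed and authen:
            verdict = "authorization-failed-after-login"
        elif failed:
            verdict = "authorization-failed-partial-trace"  # login lines not captured
        else:
            verdict = "no-authorization-failure"
        report[sid] = {"verdict": verdict, "method_list": lists[0] if lists else None}
    return report

if __name__ == "__main__":
    for sid, result in sorted(triage(SAMPLE).items()):
        print(f"session 0x{sid:X}: {result['verdict']} (authorization list: {result['method_list']})")
```

A session reported as `authorization-failed-after-login` is the case described in the question: the server accepted the credentials and the failure is in the authorization exchange, which is what the `debug tacacs authorization` and `debug tacacs events` output requested above would show in detail.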

It worked,

Thank you for your help!!!!!

Glad to know. Thanks for updating Thiago

Cheers

Jatin Katyal


- Do rate helpful posts -

~Jatin