07-09-2008 12:14 AM - edited 03-10-2019 03:57 PM
Hi All,
I've got an issue when adding a device to ACS. When I try to login to the device after adding it to the ACS, it doesn't prompt me to enter my tacacs username and password, instead it prompts me to enter the tacacs username/password details when I try to get into the enable mode. Also, once I am in the enable mode, I can't execute any commands as shown below:
Router01#debug aaa authentication
Command authorization failed.
^
% Invalid input detected at '^' marker.
Router01#sh run
Command authorization failed.
% Incomplete command.
The aaa config is as listed below:
aaa authentication login default group TACACS-GROUP enable
aaa authentication enable default group TACACS-GROUP enable
aaa authentication ppp default local
aaa authorization commands 1 default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
Everything works fine once I remove the device from ACS. How do I get over this issue? Any advice would be much appreciated.
Regards,
PV
07-09-2008 04:58 AM
PV,
The reason you are not able to issue any command is because, you have command authorization enabled on Router.
It seems that you don't want that. You need to remove these commands,
no aaa authorization commands 1 default group TACACS-GROUP if-authenticated
no aaa authorization commands 15 default group TACACS-GROUP if-authenticated
These commands are used to authorize which commands a user can issue.
Please see this link, it explains how to set up command authorization using ACS,
Regards,
~JG
Do rate helpful posts
07-09-2008 03:24 PM
Hi JG,
Thanks for your reply. I've got the same command authorization enabled on the other routers as well but I am not having any problems with issuing commands on them. I understand that removing the authorization commands will solve the problem but am wondering if there is anything else which may be causing the issue.
Regards,
PV
07-10-2008 04:12 AM
PV,
Please get the output of debug aaa authorization and debug tacacs
Regards,
~JG
07-10-2008 08:51 PM
Hi JG,
I can't run any debug commands when the device is on ACS. Please see the output below.
Router01#debug aaa authorization
Command authorization failed.
^
% Invalid input detected at '^' marker.
Router01#debug tacacs
Command authorization failed.
% Incomplete command.
Regards,
PV
07-11-2008 04:52 AM
Remove that device from ACS. Now log in and enable debugs. Once that is done, put the device back into ACS. Open a new session (don't close the old one) and log in.
You will see the debug on your old session. Also check what error you get in ACS Failed Attempts when the command failed.
07-13-2008 06:07 PM
Hi JG,
I did as you advised. I didn't see any debug results on the session which I started before adding the device to ACS. I had a look at the Failed Attempts in ACS and the Authorisation-Failed Code says 'User unknown'. But, I can see an 'Authentication OK' message under Passed Authentications indicating that I've logged in successfully. I've enclosed the result as an attachment.
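To make the behaviour seen in this thread concrete, here is an added Python model (not from the thread, from Cisco, or from ACS) of how IOS walks an authorization method list: a later method such as if-authenticated is consulted only when the earlier method returns an error (server unreachable), not when the server explicitly denies the request, which is what an ACS 'User unknown' failure is. The server replies fed to it are constructed.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method explicitly permitted the request
    FAIL = "fail"    # the method explicitly denied it (e.g. ACS reports 'User unknown')
    ERROR = "error"  # the method could not answer (server unreachable, no reply)


def parse_method_list(line):
    """Return the method names from an 'aaa authorization commands <level> default ...' line."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authorization", "commands"]:
        raise ValueError("not a command-authorization line: " + line)
    methods = []
    rest = tokens[5:]  # everything after 'commands <level> default'
    while rest:
        if rest[0] == "group":          # 'group <server-group>' is one method
            methods.append("group " + rest[1])
            rest = rest[2:]
        else:
            methods.append(rest[0])     # 'if-authenticated', 'none', ...
            rest = rest[1:]
    return methods


def evaluate(methods, server_reply, user_authenticated):
    """Walk the list the way IOS does: stop on PASS or FAIL, move on only after ERROR."""
    for method in methods:
        if method.startswith("group "):
            result = server_reply                     # constructed TACACS+ server answer
        elif method == "if-authenticated":
            result = Result.PASS if user_authenticated else Result.FAIL
        elif method == "none":
            result = Result.PASS
        else:
            raise ValueError("unsupported method in this model: " + method)
        if result != Result.ERROR:
            return result
    return Result.FAIL  # every method errored out: the command is denied


# The level-15 command-authorization line from the thread.
CONFIG_LINE = "aaa authorization commands 15 default group TACACS-GROUP if-authenticated"


def authorize(server_reply, user_authenticated=True):
    """Outcome for one command under CONFIG_LINE given the server's reply."""
    return evaluate(parse_method_list(CONFIG_LINE), server_reply, user_authenticated)
```

With the server answering FAIL the command is denied even though the user authenticated, so if-authenticated only rescues the session when the TACACS+ server is unreachable.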