AAA Authorization issue

07-09-2008 12:14 AM - edited 03-10-2019 03:57 PM
Hi All,
I've got an issue when adding a device to ACS. When I try to log in to the device after adding it to the ACS, it doesn't prompt me to enter my TACACS username and password; instead, it prompts me to enter the TACACS username/password details when I try to get into enable mode. Also, once I am in enable mode, I can't execute any commands, as shown below:
Router01#debug aaa authentication
Command authorization failed.
^
% Invalid input detected at '^' marker.
Router01#sh run
Command authorization failed.
% Incomplete command.
The aaa config is as listed below:
aaa authentication login default group TACACS-GROUP enable
aaa authentication enable default group TACACS-GROUP enable
aaa authentication ppp default local
aaa authorization commands 1 default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
Everything works fine once I remove the device from ACS. How do I get around this issue? Any advice would be much appreciated.
Regards,
PV
Labels: AAA
07-09-2008 04:58 AM
PV,
The reason you are not able to issue any command is that you have command authorization enabled on the router.
It seems that you don't want that. You need to remove these commands:
no aaa authorization commands 1 default group TACACS-GROUP if-authenticated
no aaa authorization commands 15 default group TACACS-GROUP if-authenticated
These commands are used to authorize which commands a user can issue.
Please see this link; it explains setting up command authorization using ACS.
Regards,
~JG
Do rate helpful posts
07-09-2008 03:24 PM
Hi JG,
Thanks for your reply. I've got the same command authorization enabled on the other routers as well, but I am not having any problems issuing commands on them. I understand that removing the authorization commands will solve the problem, but I am wondering if there is anything else which may be causing the issue.
Regards,
PV
07-10-2008 04:12 AM
PV,
Please get the output of debug aaa authorization and debug tacacs.
Regards,
~JG
07-10-2008 08:51 PM
Hi JG,
I can't run any debug commands when the device is on ACS. Please see the output below.
Router01#debug aaa authorization
Command authorization failed.
^
% Invalid input detected at '^' marker.
Router01#debug tacacs
Command authorization failed.
% Incomplete command.
Regards,
PV
07-11-2008 04:52 AM
Remove that device from ACS. Now log in and enable the debugs. Once that is done, put the device back into ACS. Open a new session (don't close the old one) and log in.
You will see the debug output on your old session. Also check what error you get in ACS Failed Attempts when the command fails.
07-13-2008 06:07 PM
Hi JG,
I did as you advised. I didn't see any debug results on the session which I started before adding the device to ACS. I had a look at the Failed Attempts in ACS, and the Authorisation-Failed Code says 'User unknown'. But I can see an 'Authentication OK' message under Passed Authentication, indicating that I've logged in successfully. I've enclosed the result as an attachment.
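Added example (not from the thread, not Cisco's code): a small Python checker that parses the AAA lines PV posted and reports the two method-list properties this thread turns on. `if-authenticated` is a fallback that is reached only when the TACACS+ group does not answer, and a login list that can finish with `enable` (a password-only method) produces sessions that carry no TACACS username for the server to authorize. The regex, the `PASSWORD_ONLY` set and the wording of the findings are my own assumptions.

```python
import re

SAMPLE_CONFIG = """\
aaa authentication login default group TACACS-GROUP enable
aaa authentication enable default group TACACS-GROUP enable
aaa authentication ppp default local
aaa authorization commands 1 default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
"""  # Constructed sample: the AAA lines PV posted in this thread.
# aaa <service> <type> [level] <list-name> <methods...>
AAA_RE = re.compile(r"^aaa (\w+) (\S+?)(?: (\d+))? (\S+) (.+)$")
PASSWORD_ONLY = {"enable", "line"}   # methods that never yield a username

def parse_methods(tokens):
    # 'group TACACS-GROUP enable' -> ['group TACACS-GROUP', 'enable']
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1]); i += 2
        else:
            out.append(tokens[i]); i += 1
    return out

def parse_aaa(config):
    # (service, type, level, list-name) -> ordered method list
    lists = {}
    for m in filter(None, (AAA_RE.match(ln.strip()) for ln in config.splitlines())):
        service, kind, level, name, rest = m.groups()
        tokens = rest.split()[service == "accounting":]   # accounting: drop record type
        lists[(service, kind, int(level) if level else None, name)] = parse_methods(tokens)
    return lists

def analyze(config):
    # One finding per 'authorization commands' list that consults a server group.
    lists, findings = parse_aaa(config), []
    login = lists.get(("authentication", "login", None, "default"), [])
    pw_only = [m for m in login if m in PASSWORD_ONLY]
    for (service, kind, level, _), methods in sorted(lists.items(), key=str):
        servers = [m for m in methods if m.startswith("group ")]
        if service != "authorization" or kind != "commands" or not servers:
            continue
        if "if-authenticated" in methods:
            findings.append(f"commands {level}: if-authenticated is reached only when "
                            f"{servers[0]} does not answer; a deny from the server still blocks the command")
        if pw_only:
            findings.append(f"commands {level}: login list can finish with {', '.join(pw_only)} "
                            f"(password only, no username), so {servers[0]} cannot match the session to a user")
    return findings
```

Run `analyze(SAMPLE_CONFIG)` to see both findings for level 1 and level 15; a config whose login list ends in `local` instead of `enable` and whose authorization lists have no `if-authenticated` produces none.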
