bapatsubodh
Beginner

AAA authorization not working

Hi,

I configured the switch for AAA authentication; it gets authenticated but fails authorization.

When connected to the console it worked: authenticated, then supplied the enable password.

When telnetting in, it says "access approved" and "authorization failed".

The relevant switch configuration and the debug aaa authorization output are as follows.

+++++++++++++++++++++++++++++

no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
!
username cisco privilege 15 password 7 05080F1C224233
!
vlan 10
!
vlan 120
ip subnet-zero
!
vtp mode transparent
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
  switchport access vlan 10
  switchport mode access
  no ip address
  spanning-tree portfast
interface GigabitEthernet0/1
  no ip address
!
interface GigabitEthernet0/2
  no ip address
!
interface Vlan1
  no ip address
  shutdown
!
interface Vlan120
  ip address 10.12.8.70 255.255.255.240
!
ip default-gateway 10.12.8.65
ip classless
ip http server
!
!
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
!
line con 0
line vty 0 4
  password 7 grrfcb7swe
  transport input telnet
line vty 5 15
!
end

Debug output :

Switch#

21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#

Do we need to change anything on the RADIUS server, or can we change the authorization preference to local first and then RADIUS?

Please share the experience.

Thanks in advance,

Subodh

Karthik Chandran

Hi Subodh,

I understand that you are trying to use command authorization using RADIUS.

aaa authorization commands 15 default group radius if-authenticated local

Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.

Please refer to the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.

Regards,

Karthik Chandran

*kindly rate helpful post*
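As an added illustration of the debug output and the method lists discussed in this thread (example code written for this page, not from either poster or from Cisco), the Python below parses the debug aaa lines and the aaa authorization lines copied from the question, ties them together by AAA session id, and reports which method failed and which methods of the configured list were never consulted. It relies on standard IOS method-list behaviour: the next method in a list is tried only when the previous one returns ERROR (for example, server unreachable), not when it returns FAIL, so with radius answering FAIL the if-authenticated and local fallbacks never ran. It also flags the per-command authorization line the reply points out. The function and variable names are this example's own.

```python
import re

# Debug output and the AAA lines of the configuration, copied from the post
# above. Raw strings: the username contains a literal backslash, not a tab.
DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
"""

CONFIG = r"""
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
"""

# The decimal in parentheses is the AAA session id that ties the lines of one
# authentication or authorization attempt together.
AUTHEN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
AUTHEN_METHOD = re.compile(r"AAA/AUTHEN \((\d+)\): Method=(\w+)")
AUTHEN_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
AUTHOR_START = re.compile(r"AAA/AUTHOR/(\w+) \((\d+)\): Port='([^']*)'")
AUTHOR_USER = re.compile(r"AAA/AUTHOR/\w+: \S+ \((\d+)\) user='([^']*)'")
AUTHOR_LIST = re.compile(r"AAA/AUTHOR/\w+ \((\d+)\): found list \"([^\"]*)\"")
AUTHOR_METHOD = re.compile(r"AAA/AUTHOR/\w+ \((\d+)\): Method=(\w+)")
AUTHOR_RESULT = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
METHOD_LIST = re.compile(r"^aaa authorization (exec|commands \d+|network) (\S+) (.+)$")


def parse_sessions(debug_text):
    """Group the debug lines by session id: phase, user, methods tried, final status."""
    sessions = {}

    def sess(sid, phase):
        return sessions.setdefault(sid, {"phase": phase, "user": None, "list": None,
                                         "methods": [], "status": None})

    for line in debug_text.splitlines():
        if m := AUTHEN_USER.search(line):
            if m.group(2) != "(undef)":
                sess(m.group(1), "AUTHEN")["user"] = m.group(2).strip()
        elif m := AUTHEN_METHOD.search(line):
            methods = sess(m.group(1), "AUTHEN")["methods"]
            if not methods or methods[-1] != m.group(2):  # logged once per prompt
                methods.append(m.group(2))
        elif m := AUTHEN_STATUS.search(line):
            sess(m.group(1), "AUTHEN")["status"] = m.group(2)  # last one: PASS/FAIL/ERROR
        elif m := AUTHOR_START.search(line):
            sess(m.group(2), "AUTHOR/" + m.group(1))
        elif m := AUTHOR_USER.search(line):
            sess(m.group(1), "AUTHOR")["user"] = m.group(2).strip()
        elif m := AUTHOR_LIST.search(line):
            sess(m.group(1), "AUTHOR")["list"] = m.group(2)
        elif m := AUTHOR_METHOD.search(line):
            sess(m.group(1), "AUTHOR")["methods"].append(m.group(2))
        elif m := AUTHOR_RESULT.search(line):
            sess(m.group(1), "AUTHOR")["status"] = m.group(2)
    return sessions


def method_lists(config_text):
    """Return {(service, list name): ordered methods}; 'group <name>' is one method."""
    lists = {}
    for line in config_text.splitlines():
        if not (m := METHOD_LIST.match(line.strip())):
            continue
        toks, methods = m.group(3).split(), []
        while toks:
            tok = toks.pop(0)
            methods.append(tok + " " + toks.pop(0) if tok == "group" else tok)
        lists[(m.group(1), m.group(2))] = methods
    return lists


def analyse(debug_text, config_text):
    """Explain each failed authorization against the configured method list."""
    lists = method_lists(config_text)
    findings = []
    for sid, s in parse_sessions(debug_text).items():
        if not s["phase"].startswith("AUTHOR/") or s["status"] != "FAIL":
            continue
        service = s["phase"].split("/")[1].lower()
        methods = lists.get((service, s["list"]), [])
        failed = s["methods"][-1] if s["methods"] else None
        # IOS moves down a method list only on ERROR (server unreachable). A method
        # that answers FAIL ends the attempt, so the methods after it never ran.
        pos = next((i for i, m in enumerate(methods) if m in (failed, f"group {failed}")), None)
        findings.append({"session": sid, "user": s["user"], "service": service,
                         "failed_method": failed,
                         "untried_methods": methods[pos + 1:] if pos is not None else []})
    # The reply's point: IOS cannot do per-command authorization through RADIUS.
    for (service, name), methods in lists.items():
        if service.startswith("commands") and "group radius" in methods:
            findings.append({"config": f"aaa authorization {service} {name}",
                             "issue": "per-command authorization requires TACACS+, not RADIUS"})
    return findings


if __name__ == "__main__":
    for finding in analyse(DEBUG, CONFIG):
        print(finding)
```

Run against the thread's own lines, the script reports that session 284909353 (user wrrt\trial1) failed EXEC authorization at the radius method with if-authenticated and local untried, and that the "commands 15" list routes to RADIUS; the same parser can be pointed at a fresh debug capture and the running config to locate the failing method before touching the RADIUS server.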
