ACS 4.1 Command Authorization Failing Intermitently

CSCO10675262_2
Level 1

Hi,

I have set up aaa using tacacs+ on the network switches, however I seem to be getting occasional command authorization errors. This is seen when I try to input the command on several ports at once (example interface range giga 1/1-48). If I were to do it on a single port instead, I don't seem to encounter the error. Would this be due to the ACS being unable to handle the load? It is only for a single switch executing the command for port ranges.

I have attached a sample of the error for reference:

switch(config-if-range)#description level 3
% Authorization failed.

% Command failed on interface range. Aborting

I have checked the interface connecting to the ACS and I do not see any error. I am not too sure what may be causing the error. Would it be due to the ACS being unable to work nicely with interface range?

Thanks.


8 Replies

Tarik Admani
VIP Alumni

Hi,

Are you trying to perform this command on a stack of 3750s? If so, what version of code are you running? If this isn't the case, you might want to increase the timeout value for your tacacs-server and then give the same command a shot.

Let me know how that works!

Thanks,

Hi Tarik,

Yes, you are correct that it is a stack of 3750G. The code that is running on the switch is 12.2(53)SE2. Would there be an issue with the code on aaa authorization with ACS 4.1?

I will also try to increase the tacacs+ timeout to see if it helps.

Thanks.

There is a bug open for this issue that was found in 12.2(46)SE, and at the moment there are no plans on resolving the issue since it involves some design work in the code to address this issue. The only workaround is to remove command authorization, or to see what your limit is on the interface range command before it starts dropping the requests.

Hi Tarik,

Thanks for the information. May I ask what the bug id is, for reference?

Thanks

Sure, here is the link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=cscti02944

Here is the detail of the bug:

CSCti02944
command authorization using a range of interfaces can cause issues with

Symptom: when you issue a command for a range of ports as per example

router(config) interface g1 g14

then issue a group of commands

router(config-if) set ip
router(config-if) set speed 100
router(config-if) set duplex full
router(config-if) set dhcp snoop limit rate
router(config-if) no shut
router(config-if) bandwidth 1000
router(config-if) default flowcontrol receive

then you will see some of the commands as failed authorization; the ACS does not show that the command hits it or is refused by it.

Conditions: have the following enabled on a stack and do commands for a range of interfaces.

aaa authentication login default group tacacs+ local enable
aaa authentication login tacacs+ local enable
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated local
aaa authorization exec console none
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console none
aaa authorization network default group tacacs+
aaa accounting update periodic 5
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Workaround: disable accounting and authorization config-commands
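As an added example (not part of the thread or of Cisco's bug text), a small Python audit that checks an IOS running-config for the trigger conditions quoted in the bug above and produces the config with the stated workaround applied. The sample config is constructed from the Conditions lines; reading "disable accounting" as dropping every `aaa accounting` line is an assumption.

```python
"""Audit an IOS AAA config for the CSCti02944 trigger conditions.
Added example, not from the thread. SAMPLE_CONFIG is constructed from the
'Conditions' lines quoted in the bug text."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console none
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) default group tacacs\+")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) default start-stop group tacacs\+")


def _levels(lines, regex):
    """Privilege levels whose command authz/acct is sent to TACACS+."""
    return sorted(int(m.group(1)) for m in map(regex.match, lines) if m)


def audit_aaa(config):
    """Report which pieces of the bug's 'Conditions' a running-config contains."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    return {
        "config_commands_authz": "aaa authorization config-commands" in lines,
        "tacacs_command_authz_levels": _levels(lines, AUTHZ_RE),
        "tacacs_command_acct_levels": _levels(lines, ACCT_RE),
    }


def matches_bug_conditions(config):
    """True when config-commands authorization and TACACS+ command accounting
    are both on: the combination the bug's workaround tells you to disable."""
    a = audit_aaa(config)
    return a["config_commands_authz"] and bool(a["tacacs_command_acct_levels"])


def apply_workaround(config):
    """Return the config with the stated workaround applied. Assumption: 'disable
    accounting' is read as removing every 'aaa accounting ...' line."""
    kept = [l for l in config.splitlines()
            if l.strip() != "aaa authorization config-commands"
            and not l.strip().startswith("aaa accounting ")]
    return "\n".join(kept) + "\n"
```

Per-command authorization for exec-level commands (`aaa authorization commands N`) is left in place; only the two items the bug names as the workaround are removed.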

Thanks for the bug id.

Is this fixed in a later version of ACS?

No, this is not an ACS issue, it's a limitation on the software that divides up the AAA requests.