ACS 5.0 getting error "authorization command failed"

Pranav Gade
Level 1

Hi All,

It's a Cisco ACS 1120 device running version 5.0.

I have created three basic user groups which have privilege levels 15, 10 and 1 on ACS TACACS+.

My configuration for AAA on the switch is as follows:

aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
!
ip tacacs source-interface Vlan1
!
!
tacacs-server host **** single-connection
tacacs-server directed-request

But I am getting an error while logging in as that specific user which I have created; the error is:

"command authorization failed"

Please let me know if anyone has a solution to this, or if any more information is required.


Nate Austin
Cisco Employee

Hi Pranav,

Based on your config below you have command authorization configured on your IOS device, but you only mentioned privilege levels on the ACS configuration. If you enable command authorization on the device then you need to ensure that a command set is referenced in your access policy rules.

Under the Authorization section of your Network Access Policy there should be two "results" columns - one for "Authorization Profiles" and a second for "Command Sets". If the latter does not show, hit the Customize button on that page and select it. Now edit your rule and select a value for the Command Set. I believe by default there is an Allow ALL and Deny ALL set that you can reference. If you would like to get more granular you can create your own under Policy Elements > Authorization and Permissions > Device Administration > Command Sets.


Thanks,

Nate

Hi Nate,

Thanks for your reply, I tried doing what you have mentioned in your post. It is still not working for me.

The problem I see is that all users are going under the admin profile with privilege level 15. As I also defined command sets for admin just for testing purposes, those are getting applied. Thus, even though all users are represented as privilege level 15, they don't have full access. This case occurs when I define authorization under line vty.

When I remove those commands from line vty the operation is the same; the only thing is that, as all are under privilege level 15, they are granted full access.

So basically what is happening is that the shell profiles and command sets created by me are in reality not getting called.

All users are somehow getting privilege level 15 and thus no further checks are occurring; this is what my understanding says.

I tried all the different sets, but nothing is working.

Please assist, thanking you all in advance.

Regards,

Pranav Gade.

Hi Pranav,

You shouldn't have to enable any authorization specifically on the VTY lines since you are using the default method lists for all of them. What does your vty line config look like?

Are there any failed authorization attempt logs on the ACS box when you receive the command authorization failure? It should say what rules were matched on the ACS.

Thanks,

Nate

Hi Nate,

Following is the error message I received:

Description:

The request command failed to match permit rule in any of the command sets.

When I click on "TACACS Authorization" in monitoring, the table columns are in the following order:

1. status
2. details
3. failure reason
4. user name
5. command sets
6. shell profile
7. network device
8. header privilege level
9. access service
10. selected authorization policy
11. selected authorization exception policy
12. selected command set
13. acs

Please advise what can be done.

Waiting for reply.

Thanks and regards,

Pranav.

Hi Pranav,

Can you post the value of those fields instead of just the fields themselves? Or a screenshot of the entire report for a failure (just click on the report icon next to the failure)?

Realistically we are interested in the values of the following fields:

Access service

Selected authorization policy

Selected command set

Thanks,

Nate

Dear Nate,

Please find the attached snapshots; I hope this helps to solve my issue.

Regards,

Pranav.

Pranav,

What does the "admin" command set contain, can you send a screenshot of that?

In terms of the config for your rules, why do you have Privilege-Level as a condition? The privilege level that you want to send to the clients is sent from the ACS to the NAS in the authorization profile.

Thanks,

Nate

Hi Nate,

As of now, since we were testing, we have just allowed the enable, show*, and configure terminal commands for admin, then for netmon enable and show*, and for ssst deny all.

Our actual requirement is that we want to give full access to admin users, ssst will have access to only show commands, and netmon will have interface-level command access and a few show commands.

But our problem is that for all users enable, show*, configure terminal are getting applied.

Thanks and Regards,

Pranav.

I am still waiting for this issue to get resolved.

Please assist.

Regards,

Pranav.

Hi Pranav,

It's hard to tell from the limited view in the screenshots why all of your users are hitting the same profile. One thing I mentioned before was removing the Tacacs-Privilege-Level as a condition for hitting a rule, as I can't see why you would want to do that since you are passing the privilege level back in your shell profile set. It seems like all attempts from the NAS are coming in with a header priv-lvl of 15 and so all are hitting your first rule. So I would remove that "Compound Condition" from your rules and just do it by user group and let the result sets define the privilege levels.

If you send a full screenshot (not just part of the page) from the details section of the authorization then I can tell you exactly why it is hitting those rules, but there's just not enough information in the half page that was sent.

If the above doesn't help then at this point I would open up a case as it is becoming difficult to go back and forth on this forum and I believe if you opened a case and someone saw this live it would go much faster.

Thanks,

Nate
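The two points Nate makes in this thread (a rule must reference a command set for command authorization to succeed, and conditioning rules on the header Privilege-Level makes every user hit the first rule when the NAS sends priv-lvl 15 for all of them) can be shown with a small simulation of how an authorization policy table and a command set are evaluated. The following Python is an added example written for this page, not code from the thread or from Cisco ACS; the command sets are modelled on the ones Pranav describes, the "policy by privilege level" is an assumed reconstruction of his failing rules, the requests are constructed, and the whole-command-line wildcard matching is a simplification of how ACS 5.x matches a command and its arguments.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed command sets, modelled on the ones described in the thread.
# Assumption: each entry is (action, pattern) and the pattern is matched against
# the whole command line with shell-style wildcards. Real ACS 5.x matches the
# command and its arguments as separate fields, so this is a simplification.
COMMAND_SETS = {
    "admin":  [("permit", "enable"), ("permit", "show *"), ("permit", "configure terminal")],
    "netmon": [("permit", "enable"), ("permit", "show *")],
    "ssst":   [("deny", "*")],
}


@dataclass(frozen=True)
class Rule:
    """One row of an authorization policy table; a None condition is not evaluated."""
    name: str
    command_set: str
    identity_group: Optional[str] = None
    priv_lvl: Optional[int] = None  # the 'Privilege-Level' (header priv-lvl) condition


@dataclass(frozen=True)
class Request:
    """A TACACS+ command authorization request as the server sees it (constructed)."""
    user: str
    identity_group: str   # group the server resolved the user into
    header_priv_lvl: int  # priv-lvl the NAS puts in the authorization header
    command: str


def select_rule(rules, req):
    """First-match evaluation, top to bottom, like an ACS policy table."""
    for rule in rules:
        if rule.identity_group is not None and rule.identity_group != req.identity_group:
            continue
        if rule.priv_lvl is not None and rule.priv_lvl != req.header_priv_lvl:
            continue
        return rule
    return None


def authorize_command(command_set_name, command):
    """First matching entry decides; no permit match means the command fails, which
    is what 'failed to match permit rule in any of the command sets' reports."""
    for action, pattern in COMMAND_SETS[command_set_name]:
        if fnmatchcase(command, pattern):
            return action == "permit"
    return False


def evaluate(rules, req):
    """Return the rule and command set selected for the request and the verdict."""
    rule = select_rule(rules, req)
    if rule is None:
        return {"rule": None, "command_set": None, "permitted": False}
    return {
        "rule": rule.name,
        "command_set": rule.command_set,
        "permitted": authorize_command(rule.command_set, req.command),
    }


# Assumed reconstruction of the failing policy: rules conditioned on the header
# Privilege-Level. Because the NAS sends priv-lvl 15 for every user, the first
# rule matches everyone and the admin command set is applied to all of them.
POLICY_BY_PRIV_LVL = [
    Rule("rule-1", command_set="admin", priv_lvl=15),
    Rule("rule-2", command_set="netmon", priv_lvl=10),
    Rule("rule-3", command_set="ssst", priv_lvl=1),
]

# The suggested fix: condition on identity group only and let the result
# (shell profile, not modelled here) carry the privilege level to the NAS.
POLICY_BY_GROUP = [
    Rule("admin-rule", command_set="admin", identity_group="admin"),
    Rule("netmon-rule", command_set="netmon", identity_group="netmon"),
    Rule("ssst-rule", command_set="ssst", identity_group="ssst"),
]

# Constructed requests: every user arrives with header priv-lvl 15, as in the thread.
SAMPLE_REQUESTS = [
    Request("alice", "admin", 15, "configure terminal"),
    Request("bob", "netmon", 15, "configure terminal"),
    Request("bob", "netmon", 15, "show ip interface brief"),
    Request("carol", "ssst", 15, "show version"),
]


if __name__ == "__main__":
    for label, policy in (("priv-lvl condition", POLICY_BY_PRIV_LVL), ("group only", POLICY_BY_GROUP)):
        print(f"== policy: {label}")
        for req in SAMPLE_REQUESTS:
            r = evaluate(policy, req)
            verdict = "permit" if r["permitted"] else "FAIL"
            print(f"{req.user:6} [{req.identity_group:6}] {req.command!r:28} -> "
                  f"{r['rule']:12} set={r['command_set']:6} {verdict}")
```

Running it shows the symptom from the thread under the first policy: bob (netmon) and carol (ssst) both land on rule-1 and get the admin command set, so the only restriction anyone sees is whatever the admin set happens to permit. Under the group-only policy each user reaches their own command set, bob's "configure terminal" is rejected, and carol's deny-all set rejects everything, which is what the "failed to match permit rule" report records for a user whose selected command set has no matching permit entry.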

Thanks Nate for your reply. I will try today doing it without privilege-level and will update. I am also trying to open a case, but as it's not inside warranty, things are not moving in my favor.

Let me work on it again fresh; I will get back to you ASAP.

Regards,

Pranav.

Hello all,

Please find below the attached slides of my entire ACS configuration.

Please assist; attaching more in the next posts.

Regards,

Pranav.

fyi..

fyi...