02-17-2011 07:53 AM - edited 03-10-2019 05:50 PM
We are using command authorization on our IOS devices with Cisco Secure ACS 5.2. We have local accounts defined on our gear in the event that the ACS server is unavailable. However, when we test this, we are able to log in to the device, but any command issued at that point with the local account is denied. I am sure there is an additional command required. Any ideas?
02-17-2011 09:15 AM
In your "aaa authorization command" configuration, did you add local as a fallback method?
When you defined the local user account on the IOS router, did you set its privilege to 15?
02-17-2011 10:22 AM
Yes. Below is what the configuration looks like.
aaa authentication login default group tacacs+ local
aaa authentication login local_auth local
aaa authorization config-commands
aaa authorization exec default group Admin local if-authenticated
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group Admin
aaa accounting network default start-stop group Admin
This is the message I get when I attempt to go into enable mode.
switch>en
% Authorization failed.
switch>
02-17-2011 11:04 AM
You need to change the following commands:
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
to
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
When you define the user account on the router, you need to add it like the following:
user
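As an added worked example (not posted in the thread above), here is a complete IOS AAA configuration that applies the fix suggested in the last reply: `local` is appended as the fallback method on every authorization list, and the local account is created at privilege 15 so that command authorization against the local database succeeds. The server group name `ACS`, the server address 192.0.2.10, the shared key and the username are placeholders assumed for this example; the thread's own configuration uses the group names `Admin` and `tacacs+`. Note that the `enable` command is itself subject to command authorization at the user's current privilege level, which is why the original `switch>en` attempt failed once the `commands 1` list had no method left to consult.

```ios
! Added example configuration; server group, address, key and username are placeholders
aaa new-model
!
! TACACS+ server and a named server group used by every AAA list below
tacacs-server host 192.0.2.10 key SharedSecretPlaceholder
aaa group server tacacs+ ACS
 server 192.0.2.10
!
! Local fallback account: privilege 15 so the "local" authorization method
! permits all commands once ACS is unreachable. Also keep an enable secret
! so the "enable" fallback method has something to check.
username admin privilege 15 secret LocalPasswordPlaceholder
enable secret EnablePasswordPlaceholder
!
! Authentication: ACS first, then the local database when ACS does not answer
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
!
! Authorization: same order. Without "local" on the commands lists, every
! command (including "enable") is denied while ACS is unreachable.
aaa authorization config-commands
aaa authorization exec default group ACS local if-authenticated
aaa authorization commands 0 default group ACS local
aaa authorization commands 1 default group ACS local
aaa authorization commands 15 default group ACS local
!
! Accounting: only ACS can receive records, so no local fallback applies here
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
```

Two caveats worth testing before relying on this. First, IOS only moves to the next method in a list when the preceding method returns no answer (server unreachable or timed out); an explicit deny from ACS is a final answer and does not trigger the local fallback, so a reachable ACS still controls who may run what. Second, the `local` command authorization method grants whatever the user's local privilege level allows, so the fallback account effectively has unrestricted access once ACS is down; protect it with a strong secret, keep the list of such accounts short, and confirm the behaviour with `debug aaa authorization` while the ACS host is deliberately blocked.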