05-30-2011 04:57 AM - edited 03-10-2019 06:07 PM
Hi all,
I have a problem: the switch returns "authorization failed" on every command that I type.
Switch#sho run
Command authorization failed.
Switch#conf t
Command authorization failed.
I only use a basic configuration (attached below).
Switch config :
aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
!
aaa session-id common
!
ip tacacs source-interface Vlan888
tacacs-server host 10.255.253.25
tacacs-server key cisco
!
ACS config :
# Network resources - network devices and AAA clients
* name switch , ip 10.255.253.65 , authen option : tacacs+ , shared secret cisco
# User and identity store - internal identity store - users
* name tester , pass : passw0rd , enable pass : enable
# Policy elements - authorization and permissions - device administration - shell profile
* name : testProfile , command task - maximum privilege 15 , (default privilege not in use / default)
# Policy elements - authorization and permissions - device administration - command sets
* name : PermitAll , mark "Permit any command that is not in the table below"
# Access policies - access service - default device admin - authorization
* rule-8 , identity group in all groups , shell profile : testProfile
Has anyone seen this type of issue and can perhaps offer some advice on what I am missing?
Many thanks in advance.
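As an added example (not part of the original thread and not Cisco tooling), this Python script parses the AAA method lists from the switch config posted above and reports each `none` fallback and which privilege levels have command authorization. The function names `parse_method_lists`, `command_levels` and `audit` are hypothetical, and the sample input is the posted config copied inline.

```python
import re

# Constructed sample: the AAA lines copied from the switch config posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
"""

AAA_LINE = re.compile(
    r"^aaa (authentication|authorization) "
    r"(login|enable|exec|commands \d+) (\S+) (.+)$")

def parse_method_lists(config):
    """Return (service, kind, list_name, methods) for every AAA method list."""
    lists = []
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            service, kind, name, rest = m.groups()
            # Keep "group <name>" together; other methods are single words.
            lists.append((service, kind, name, re.findall(r"group \S+|\S+", rest)))
    return lists

def command_levels(config):
    """Privilege levels that have a command authorization list configured."""
    return sorted(int(kind.split()[1]) for svc, kind, _, _ in parse_method_lists(config)
                  if svc == "authorization" and kind.startswith("commands"))

def audit(config):
    """Flag 'none' fallbacks. IOS moves to the next method only when the
    previous one returns an error (e.g. server unreachable), not a reject."""
    findings = []
    for service, kind, name, methods in parse_method_lists(config):
        if "none" in methods:
            effect = ("access is granted without credentials" if service == "authentication"
                      else "the request is allowed without authorization")
            findings.append((f"{service} {kind} {name}", effect))
    return findings

if __name__ == "__main__":
    print("command authorization levels:", command_levels(SAMPLE_CONFIG))
    for label, effect in audit(SAMPLE_CONFIG):
        print(f"{label}: if earlier methods error out, {effect}")
```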
05-30-2011 12:58 PM
Hi.
What do you have under line vty 0 4
regards
09-06-2011 05:23 AM
Mine says
line vty 0 4
access-class ACL....
exec-timeout 9 0
password 7 ....
transport input ssh
09-06-2011 05:19 AM
Did you find an answer for this? I have the same problem.
09-06-2011 11:47 AM
The whole question is:
If the switch says command authorization failed, what does ACS say in the authorization logs?
09-06-2011 11:52 AM
Classification: UNCLASSIFIED
Caveats: FOUO
It works now. The authorization logs do not say anything.
09-08-2011 11:32 AM
I had the same problem and marked the default priv lvl 15 and the max 15 (this was only for the admin account). The guest account I set up uses default 1, max (none), and it works perfectly.
You can #sho priv inside your Cisco device and it should say 15; if it doesn't, then you know it's a problem with your shell profile priv lvl.