[ACS 5.2] switch Command authorization failed

Vendy Wijaya
Level 1

Hi all,

I have a problem: the switch says "authorization failed" on every command that I type.

Switch#sho run
Command authorization failed.

Switch#conf t
Command authorization failed.

I only use a basic configuration (attached below).

Switch config:

aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
!
aaa session-id common

!

ip tacacs source-interface Vlan888
tacacs-server host 10.255.253.25
tacacs-server key cisco

!

ACS config:

# Network resources - network devices and AAA clients

     * name: switch, ip: 10.255.253.65, authen option: tacacs+, shared secret: cisco

# User and identity store - internal identity store - users

     * name: tester, pass: passw0rd, enable pass: enable

# Policy elements - authorization and permissions - device administration - shell profile

     * name: testProfile, command task - maximum privilege 15 (default privilege not in use / default)

# Policy elements - authorization and permissions - device administration - command sets

     * name: PermitAll, mark "Permit any command that is not in the table below"

# Access policies - access service - default device admin - authorization

     * rule-8, identity group in all groups, shell profile: testProfile

Has anyone seen this type of issue and could perhaps offer some advice on what I am missing?

Many thanks in advance.

6 Replies

zujalal
Cisco Employee

Hi.

What do you have under line vty 0 4?

regards

Mine says:

line vty 0 4
 access-class ACL....
 exec-timeout 9 0
 password 7 ....
 transport input ssh

ki.song
Level 1

Did you find an answer for this? I have the same problem.

The whole question is:

if the switch says command authorization failed, what does ACS say in the authorization logs ???


It works now. The authorization logs do not say anything.

I had the same problem and marked the default priv lvl 15 and the max 15 (this was only for the admin account); the guest account I set up uses default 1, max (none), and it works perfectly.

You can run "sho priv" inside your Cisco device and it should say 15; if it doesn't, then you know it's a problem with your shell profile priv lvl.
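The two things this thread turns on are the switch's AAA method lists and the shell profile's default privilege. The script below is an added example, not code from the original post or from Cisco; it parses the AAA lines quoted in the question, flags the fallback methods that only apply when the TACACS+ server does not answer, checks how the shared secret is stored, and applies the thread's fix to the shell profile. The finding codes and the rule that an exec session starts at privilege 1 when the shell profile sends no default privilege are this example's own assumptions, not text from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the AAA and TACACS+ lines quoted in the question above.
SWITCH_AAA_CONFIG = """\
aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
!
ip tacacs source-interface Vlan888
tacacs-server host 10.255.253.25
tacacs-server key cisco
"""

# Matches 'aaa authentication login default ...' and 'aaa authorization commands 15 default ...'
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands)(?: (\d+))? (\S+) (.+)$"
)


def parse_method_lists(config: str) -> List[Dict]:
    """Return one record per AAA method list: kind, service, level, list name, ordered methods."""
    records = []
    for raw in config.splitlines():
        m = METHOD_LIST.match(raw.strip())
        if not m:
            continue
        kind, service, level, list_name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            # 'group tacacs+' is a single method spelled with two words
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        records.append({"kind": kind, "service": service, "level": level,
                        "list": list_name, "methods": methods})
    return records


def audit_method_lists(records: List[Dict]) -> List[Tuple[str, str]]:
    """Flag fallback methods. IOS only moves to the next method when the server does not
    answer; an explicit deny from ACS ends the list, which is why the fallbacks here do not
    explain 'Command authorization failed'. (Finding codes are this example's own.)"""
    findings = []
    for r in records:
        where = f"aaa {r['kind']} {r['service']}" + (f" {r['level']}" if r["level"] else "")
        if "none" in r["methods"]:
            # With 'none' also on the login list, a user who was never authenticated
            # still gets through here, so this is fully fail-open when ACS is down.
            findings.append((where, "FAIL_OPEN_NONE"))
        if r["kind"] == "authorization" and "if-authenticated" in r["methods"]:
            findings.append((where, "FALLBACK_IF_AUTHENTICATED"))
    return findings


def audit_tacacs_key(config: str) -> List[Tuple[str, str]]:
    """Report a shared secret stored in cleartext (no type, or type 0) or a well-known default."""
    findings = []
    m = re.search(r"^tacacs-server key(?: (\d))? (\S+)$", config, re.M)
    if not m:
        return findings
    enc_type, key = m.groups()
    cleartext = enc_type in (None, "0")
    if cleartext:
        findings.append(("tacacs-server key", "KEY_CLEARTEXT_IN_CONFIG"))
    if cleartext and (len(key) < 16 or key.lower() in {"cisco", "secret", "tacacs"}):
        findings.append(("tacacs-server key", "KEY_WEAK"))
    return findings


def audit_shell_profile(default_privilege: Optional[int], max_privilege: int) -> List[Tuple[str, str]]:
    """Assumption: with no default privilege from the shell profile the exec session starts at
    privilege 1, so level-15 commands are out of reach until the thread's fix (default 15)."""
    findings = []
    start = default_privilege if default_privilege is not None else 1
    if start < 15 <= max_privilege:
        findings.append(("shell profile", "EXEC_STARTS_BELOW_15"))
    if default_privilege is not None and default_privilege > max_privilege:
        findings.append(("shell profile", "DEFAULT_ABOVE_MAX"))
    return findings


def audit(config: str, default_privilege: Optional[int], max_privilege: int) -> List[Tuple[str, str]]:
    """Run all three checks over one switch config and one ACS shell profile."""
    return (audit_method_lists(parse_method_lists(config))
            + audit_tacacs_key(config)
            + audit_shell_profile(default_privilege, max_privilege))


if __name__ == "__main__":
    # The poster's profile: maximum privilege 15, default privilege not in use.
    for where, code in audit(SWITCH_AAA_CONFIG, None, 15):
        print(f"{where}: {code}")
```

Running it against the posted configuration lists the four `none` fallbacks, the three `if-authenticated` fallbacks, the cleartext shared secret, and the shell profile that starts the session below privilege 15; re-running with `audit(SWITCH_AAA_CONFIG, 15, 15)` clears the last finding, matching the fix reported in the final reply.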