08-31-2023 12:52 AM
Good morning,
After successfully logging into a 3850 switch, I am unable to view or configure anything above enable privilege, and in some instances I am unable to run certain sh or run commands at the enable level. The console replies with "Authorization failed.".
Switch login uses RADIUS, forwarded to ISE. The logs indicate a successful LDAP lookup and return a RADIUS Access-Accept, as you would expect given the successful login. The returned groups, authentication and authorisation policies are correct, and should be providing Read and Write access at privilege level 15.
Whilst I can't pull off the exact configuration from the switch device, as authorisation is failing, I have provided a similar example below:
aaa new-model
aaa group server radius authenticationgrouphere
server name iseserver1here
server name iserserver2here
aaa authentication login default group authenticationgrouphere local
aaa authentication enable default line
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group authenticationgrouphere
aaa accounting delay-start
aaa accounting update periodic 5
aaa session-id common
As the session is not failing, I am unable to revert to local login to progress further.
Many thanks in advance.
08-31-2023 06:56 PM
From the configuration shown, it looks like you've enabled command authorization, but did not configure the 'aaa authorization commands <level> ...' configuration.
If you have not saved the switch configuration, you can reboot it to revert to the prior config, then correct your configuration. If you have already saved the configuration, you will likely need to either:
When you are able to get back into the switch, you should compare your configuration against what is documented in the Cisco ISE Device Admin Prescriptive Deployment Guide.
09-04-2023 02:42 AM
Thanks, Greg,
As this is a remote site, I blocked connectivity as close to the source as possible.
Local login is also failing, so I subsequently reverted the outbound changes to allow authentication to resume. I enforce the same authentication and authorisation policy sets globally for the majority of our firewall and switching infrastructure. Privileged execution and elevated permissions using the same account are working elsewhere, just not on this one switch, which leads me to believe this is a misconfiguration issue?
As a test, I created two additional logins, one Active Directory user with Read & Write permissions and an internal ISE Network Access user. Both were able to log in successfully, then received the same error 'Authorisation Failed' after login for this one switch. The switch was managed by a 3rd party, so I would assume at this point a password recovery is my only option?
Kind regards,
Alex
09-04-2023 03:10 PM
Yes, that's likely your only option left.
09-05-2023 12:01 AM
For completeness, and for those interested: I recovered the local password and found the command 'aaa authorization commands 15 default local' in the running configuration, causing the error seen. I removed the configuration and access is working as intended.
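The root cause in this thread is a command-authorization method list that only consults the local user database while login itself is authenticated against a RADIUS server group: a remotely authenticated user has no local entry, so every command check returns "Authorization failed". The following Python script is an added example (not code from the thread or from Cisco) that reads an IOS-style AAA configuration and flags exactly that mismatch, plus Greg's observation about command authorization being enabled without a matching 'aaa authorization commands' list. The sample configuration is constructed from the poster's example with the recovered line added; the server group and server names are the poster's own placeholders.

```python
import re

# Constructed sample config: the poster's example from the thread plus the
# 'aaa authorization commands 15 default local' line found after password
# recovery. Group and server names are the placeholders used in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius authenticationgrouphere
 server name iseserver1here
 server name iserserver2here
aaa authentication login default group authenticationgrouphere local
aaa authentication enable default line
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group authenticationgrouphere
aaa authorization commands 15 default local
aaa accounting delay-start
aaa accounting update periodic 5
aaa session-id common
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def parse_methods(method_str):
    """Split an AAA method string into method tokens, keeping 'group <name>' together."""
    tokens = method_str.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa(config_text):
    """Return findings about command-authorization lists that cannot succeed
    for users who log in through a remote (server group) method list."""
    login_lists = {}
    cmd_authz = []
    config_commands = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LOGIN_RE.match(line)
        if m:
            login_lists[m.group(1)] = parse_methods(m.group(2))
            continue
        m = CMD_AUTHZ_RE.match(line)
        if m:
            cmd_authz.append((int(m.group(1)), m.group(2), parse_methods(m.group(3))))
            continue
        if line == "aaa authorization config-commands":
            config_commands = True

    findings = []
    default_login = login_lists.get("default", [])
    remote_login = any(mm.startswith("group ") for mm in default_login)

    # A commands list with no server group is checked only locally; a user that
    # authenticated via RADIUS/ISE has no local entry, so authorization fails.
    for level, list_name, methods in cmd_authz:
        uses_group = any(mm.startswith("group ") for mm in methods)
        if remote_login and not uses_group:
            findings.append(
                f"aaa authorization commands {level} {list_name}: methods {methods} "
                "contain no server group, so sessions authenticated via "
                f"{default_login} will get 'Authorization failed' unless a "
                "matching local user exists"
            )
    # Command authorization switched on without any commands list defined.
    if config_commands and not cmd_authz:
        findings.append(
            "aaa authorization config-commands is set but no "
            "'aaa authorization commands <level> ...' list is defined"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `show running-config | section aaa` output saved to a file; a clean result for the commands lists means every command-authorization method list can reach the same authority that authenticated the session, which is the condition the thread's final fix restored.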