Authorisation Failed after Login to 3850 Switch

aavnet89
Level 1

Good morning,

After successfully logging into a 3850 switch, I am unable to view or configure above enable privilege, and in some instances I am unable to run certain sh or run commands at the enable level. The console replies with "Authorization failed.".

Switch login uses RADIUS, forwarded to ISE. The logs indicate a successful LDAP lookup and a RADIUS Access-Accept is returned, as you would imagine given the successful login. The returned groups, authentication and authorisation policies are correct, and should be providing Read and Write access at privilege level 15.

Whilst I can't pull off the exact configuration from the switch device, as authorisation is failing, I have provided a similar example below:

aaa new-model
aaa group server radius authenticationgrouphere
server name iseserver1here
server name iserserver2here
aaa authentication login default group authenticationgrouphere local
aaa authentication enable default line
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group authenticationgrouphere
aaa accounting delay-start
aaa accounting update periodic 5
aaa session-id common

As the session is not failing, I am unable to revert to local login to progress further.

Many thanks in advance.

Accepted Solution

Greg Gibbs
Cisco Employee

From the configuration shown, it looks like you've enabled command authorization, but did not configure the 'aaa authorization commands <level> ...' configuration.

If you have not saved the switch configuration, you can reboot it to revert to the prior config, then correct your configuration. If you have already saved the configuration, you will likely need to either:

  1. Block connectivity from the switch to the ISE PSN (using an ACL on a router/switch/firewall in the path) to allow fallback to local authentication/authorization
  2. Disable the TACACS setting for the switch configured in ISE to allow fallback to local authC/authZ
  3. Use the password recovery process to get back into the switch and make the necessary changes

When you are able to get back into the switch, you should compare your configuration against what is documented in the Cisco ISE Device Admin Prescriptive Deployment Guide.

aavnet89
Level 1

Thanks, Greg,

As this is a remote site, I blocked connectivity as close to the source as possible.

Local login is also failing, so I subsequently reverted the outbound changes to allow authentication to resume. I enforce the same authentication and authorisation policy sets globally for the majority of our firewall and switching infrastructure. Privileged execution and elevated permissions using the same account are working elsewhere, just not on this one switch, which leads me to believe this is a misconfiguration issue?

As a test, I created two additional logins, one Active Directory user with Read & Write permissions and an internal ISE Network Access user. Both were able to successfully log in, then subsequently received the same error 'Authorisation Failed' post login for this one switch. The switch was managed by a 3rd party; I would assume at this point a password recovery is my only option?

Kind regards,

Alex

Yes, that's likely your only option left.

aavnet89
Level 1

For completeness, and for those interested: I recovered the local password and found the command 'aaa authorization commands 15 default local' in the running configuration, causing the error seen. I removed the configuration line and access is working as intended.
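The two lockout patterns in this thread (a local-only command authorization list applied to users who authenticate via a RADIUS server group, and an exec authorization list with no local fallback) can be caught before a change is pushed. The following config audit is an added example, not from the thread or from Cisco; the sample configuration is constructed from the lines posted above plus the offending line found in the running config.

```python
import re

# Constructed sample: the AAA lines posted in the thread plus the offending
# 'aaa authorization commands 15 default local' the OP later found. Not a live config.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius authenticationgrouphere
 server name iseserver1here
 server name iseserver2here
aaa authentication login default group authenticationgrouphere local
aaa authentication enable default line
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group authenticationgrouphere
aaa authorization commands 15 default local
"""

# Matches exec and per-level command authorization method lists only.
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands (\d+)) (\S+) (.+)$", re.M)

def parse_method_lists(config):
    """Return {(kind, level, list_name): [methods]} with 'group X' kept as one method."""
    lists = {}
    for m in AUTHZ_RE.finditer(config):
        kind = "commands" if m.group(2) else "exec"
        tokens, methods = m.group(4).split(), []
        while tokens:
            tok = tokens.pop(0)
            methods.append(tok + " " + tokens.pop(0) if tok == "group" and tokens else tok)
        lists[(kind, m.group(2), m.group(3))] = methods
    return lists

def audit_aaa(config):
    """Flag the lockout patterns from the thread; returns a list of finding strings."""
    findings = []
    lists = parse_method_lists(config)
    has_local_users = re.search(r"^username \S+", config, re.M) is not None
    exec_via_server = any(k[0] == "exec" and any(x.startswith("group ") for x in v)
                          for k, v in lists.items())
    for (kind, level, name), methods in lists.items():
        label = f"{kind} {level} {name}" if level else f"{kind} {name}"
        if kind == "commands" and methods == ["local"] and exec_via_server and not has_local_users:
            findings.append(f"{label}: local-only command authorization while exec "
                            "authorization uses a server group and no 'username' entries "
                            "exist -> RADIUS users get 'Authorization failed' after login")
        if "local" not in methods and "none" not in methods:
            findings.append(f"{label}: no local fallback method; administrators are "
                            "locked out if the server group becomes unreachable")
    return findings
```

Calling audit_aaa(SAMPLE_CONFIG) returns two findings: the exec list has no local fallback, and the privilege 15 command list is local-only; removing the commands line and appending local to the exec list clears both.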