Authorization failed: Post authorization status = FAIL

Difan Zhao
Level 5

I am struggling to configure a 2960 switch to use Radius server for authentication and authorization. Here is my config on the switch:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

!

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server key 7 XXXXXX

However, when I try to telnet in, I get this:

Username: dzhao
Password:
% Authorization failed.

If I disable exec authorization (aaa authorization exec default none), I can log in fine, so the Radius server should be ok. I also have a 3750 switch with EXACTLY the same configuration, and that one works great!!! The reason why I want to also authorize against the Radius server is because on my Radius server I give certain users privilege 15 and others 1. It works great on the 3750. When I log in as a user with privilege 15, I am in "#" mode directly, while if I log in with privilege 1, I only see the ">" prompt.

Here is the aaa authorization debug output on the 2960:

*May 31 11:14:31.733 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
*May 31 11:14:31.733 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*May 31 11:14:31.733 UTC: AAA/MEMORY: create_user (0x1827838) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.2.92.128' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*May 31 11:14:34.409 UTC: tty2 AAA/AUTHOR/EXEC (4276254300): Port='tty2' list='' service=EXEC
*May 31 11:14:34.409 UTC: AAA/AUTHOR/EXEC: tty2 (4276254300) user='dzhao'
*May 31 11:14:34.409 UTC: tty2 AAA/AUTHOR/EXEC (4276254300): send AV service=shell
*May 31 11:14:34.409 UTC: tty2 AAA/AUTHOR/EXEC (4276254300): send AV cmd*
*May 31 11:14:34.409 UTC: tty2 AAA/AUTHOR/EXEC (4276254300): found list "default"
*May 31 11:14:34.409 UTC: tty2 AAA/AUTHOR/EXEC (4276254300): Method=radius (radius)
*May 31 11:14:34.409 UTC: AAA/AUTHOR (4276254300): Post authorization status = FAIL
*May 31 11:14:34.409 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
*May 31 11:14:36.414 UTC: AAA/MEMORY: free_user (0x1827838) user='dzhao' ruser='NULL' port='tty2' rem_addr='10.2.92.128' authen_type=ASCII service=LOGIN priv=1

Here is the debug output on the 3750 (a lot less somehow!!!!)

*Mar 25 16:50:41.096: AAA/BIND(0000001D): Bind i/f
*Mar 25 16:50:43.730: AAA/AUTHOR/EXEC(0000001D): processing AV priv-lvl=15
*Mar 25 16:50:43.738: AAA/AUTHOR/EXEC(0000001D): Authorization successful

I am VERY frustrated here... Please help me out!! Thank you!!

minkumar
Level 1

Hi,

Which server are you using, Microsoft RADIUS or ACS?

Hi,

This is actually the default behaviour. If you have exec authorization enabled on the NAD and have configured the user with privilege 1 on the radius server, the user won't be able to jump directly to privileged exec mode; the user has to go via the enable password. Now, as we are getting "% Authorization failed" for a user who has privilege 1, it indicates that we haven't specified an enable password on the devices/router.

The "Post authorization status = FAIL" message means that the user has not met the criteria contained in the applicable authentication/authorization database to be successfully authenticated.

Please ensure that we have an enable password created on the device.

HTH

JK

-Plz rate helpful posts-

~Jatin

Hey JK, I have both "enable secret" and "enable password" created on the switch and still no go... Thanks for the reply!

What you are looking for... that a few users should have limited access and others should have full access, can only be achieved by command authorization. With exec authorization, users having privilege less than 15 will not be able to log in.

If you remove exec authorization and the enable password, then you will also see a similar error... that was what I thought last time.

"aaa authorization exec"

Runs authorization to determine if the user is allowed to run an EXEC shell.

ACS Shell Command Authorization Sets on IOS (this is how it works with Cisco ACS/TACACS)

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario1

Command authorization only works with TACACS; since you have a FreeRADIUS server, we can't go for command authorization.

HTH

JK

~Jatin

However, the authorization does work on a switch with a newer IOS. I tested it on another 2960 switch with different firmware levels, and I found that firmware higher than 12.2(44) does allow the user to get into enable mode directly. The debug information for authorization is a lot shorter on that switch as well.

Question about the EXEC shell. What is it exactly? My understanding is that as long as I can log in and it gives me a command window to put in commands, I have an EXEC shell open. If that's true, then the "switch>" prompt is an EXEC shell as well? Or is only the enable mode "switch#" called an EXEC shell? Thanks!

When connecting to the CLI, we are authenticating the login to the EXEC session; if we want to connect to a higher EXEC mode, then authorization must be configured.

Here are a couple of old documents that might help:

EXEC - Command line session to the router (could be console, modem, or telnet)

http://www.cisco.com/warp/cpropub/45/tutorial.htm

Understanding Cisco IOS Command Modes
http://www.ciscosystems.ch/en/US/docs/ios/12_0/configfun/configuration/guide/fcui.html#wp2355

ahhh... it's FreeRADIUS running on Linux. I also tried debug on the radius server, and for both the not-working and the working ones, the messages are exactly the same. I also captured the packets. In the requests from the switches, the order of the attributes is different. The reply messages are the same too.

ansalaza
Level 1

Make sure your Radius Policy is configured to send the

cisco-avpair = "shell:priv-lvl=15"

Please also try:

Service-Type = Administrative

Is it a different policy for each Switch?


Hey, you pointed me in the right direction! I finally got it figured out! I do have cisco-avpair = "shell:priv-lvl=15" for some users and cisco-avpair = "shell:priv-lvl=1" for the rest. I tried Service-Type = Administrative, but the server doesn't take it, so I tried another attribute, Service-Type = NAS-Prompt-User, and now it works beautifully! Thank you!
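The attribute exchange that settled this thread, as an added example that is not from any of the posters: a Python decoder for the two Access-Accept attributes an IOS switch looks at during EXEC authorization, Service-Type and the Cisco vendor-specific cisco-avpair. The packet bytes are constructed, and the decision logic in exec_priv_level is an assumption modelled on the thread's outcome (NAS-Prompt-User plus shell:priv-lvl works, no usable attributes fails on the older IOS), not Cisco's documented algorithm.

```python
import struct

ATTR_SERVICE_TYPE = 6        # RFC 2865 attribute type
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific, carries the Cisco AVPair
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor type 1 = cisco-avpair
# FreeRADIUS dictionary names: "Administrative-User" (6) and "NAS-Prompt-User" (7);
# the bare word "Administrative" tried in the thread is not a valid value name.
SERVICE_TYPE_ADMINISTRATIVE_USER = 6
SERVICE_TYPE_NAS_PROMPT_USER = 7

def encode_attrs(service_type, avpairs):
    """Build the attribute section of an Access-Accept (constructed test input)."""
    out = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    for av in avpairs:
        data = av.encode()
        vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
        out += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), VENDOR_CISCO) + vsa
    return out

def parse_attrs(buf):
    """Walk the TLV attribute list; return (service_type, [cisco-avpair strings])."""
    service_type, avpairs, i = None, [], 0
    while i + 2 <= len(buf):
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        value = buf[i + 2:i + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]   # vendor sub-TLV header
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                avpairs.append(value[6:4 + vlen].decode(errors="replace"))
        i += alen
    return service_type, avpairs

def exec_priv_level(buf):
    """Privilege level the EXEC shell gets, or None when exec authorization fails.
    Assumed policy: NAS-Prompt-User plus shell:priv-lvl=N gives level N;
    Administrative-User gives 15 (or N when a pair is present); anything else fails."""
    service_type, avpairs = parse_attrs(buf)
    values = [a.split("=", 1)[1] for a in avpairs if a.startswith("shell:priv-lvl=")]
    levels = [int(v) for v in values if v.isdigit()]
    if service_type == SERVICE_TYPE_NAS_PROMPT_USER and levels:
        return levels[0]
    if service_type == SERVICE_TYPE_ADMINISTRATIVE_USER:
        return levels[0] if levels else 15
    return None
```

Running the two accepted replies from the thread through exec_priv_level gives 15 for the "#" users and 1 for the ">" users; a reply with only a Login-User Service-Type yields None, matching the "Post authorization status = FAIL" debug line.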
