cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
718
Views
2
Helpful
16
Replies

Authorization Issue

JAISONTHOMAS
Level 1
Level 1

I have a catalyst WS-C3850-48U-S that has some problem with getting it to enable mode. I am getting the below error,

XXX-XXX-XXX-X>en
% Authorization failed.

I tried to console the switch and it is the same. Is there a way I can get into the switch and check its config.?

Thank you in advance.

16 Replies 16

M02@rt37
VIP
VIP

Hello @JAISONTHOMAS 

The C3850 is in production environment ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Unfortunately, it is in prod. I am desperately trying to get to it.

 @JAISONTHOMAS 

Auth relies on RADIUS or TACACS server ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

TACACS server 

@JAISONTHOMAS 

"Authorization failed" message at the console is because in the config AAA authentication must be configured and no fallback option of enable or local username is there.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

@JAISONTHOMAS 

If you are unable to access enable mode due to authorization issues, you might need to perform a password recovery procedure. This involves restarting the switch and interrupting the boot sequence to access a recovery mode where you can add a AAA fallback with local credentials. 

Maintenance window...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

share 

show run | i aaa

MHM

xxxx-xxx-xxx>sh run | i aaa
^
% Invalid input detected at '^' marker.

xxxx-xxx-xxx>

OK, I forget you cant access by console also 
do 

enable 5 or enable 1

the try show 

hope it work 

MHM

It seems that the account you used to log into the switch doesn't have permissions to higher its privilege level. If you are using ISE as the TACACS server then I think you can workaround this by creating a new network access user in ISE with enable password configured, and then you create an authentication rule on ISE with TACACS service equals to enable, and finally you point that authentication rule to ISE internal users database.

When you log into the switch with these new user credentials, and you type "en" you should then use the new enable password you configured in ISE, that should work.

Alternatively, but depending on your TACACS configs on the switch, you simulate a link failure between the switch and ISE, maybe by placing a deny all firewall rule between the switch and ISE if the firewall happens to be in the path, and if your TACACS configs applied to the switch are configured to fall back to local or if "if-authenticated" keyword is configured, then authorizing the enable command would be skipped.

M02@rt37 @Aref Alsouqi 
the issue seem from AAA and he have two solution (depend on his config)
either password recovery (sorry @JAISONTHOMAS )
or make TACACS push priv 15 via authz <<- this done by ISE or AAA server and it make you directly enter priv 15 no need enable 

so let wait his reply can he access priv1 or priv5 or not 

MHM

Yes that's right, changing the TACACS profile privilege level would be another option.

thanks for confirm 
have a nice day 
MHM

JAISONTHOMAS
Level 1
Level 1

@MHM Cisco World enable 1 and 5 didn't work.

@Aref Alsouqi  yes we are using ISE as our tacacs server. I will try the ISE option you mentioned. if that fails, will put a FW rule to deny the connectivity to ISE and see if it failover to local authentication. Thank you guys, appreciated