Authorization Issue

JAISONTHOMAS
Level 1

I have a catalyst WS-C3850-48U-S that has some problem with getting it to enable mode. I am getting the below error,

XXX-XXX-XXX-X>en
% Authorization failed.

I tried to console the switch and it is the same. Is there a way I can get into the switch and check its config.?

Thank you in advance.

16 Replies

M02@rt37
VIP

Hello @JAISONTHOMAS 

Is the C3850 in a production environment?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Unfortunately, it is in prod. I am desperately trying to get to it.

 @JAISONTHOMAS 

Does auth rely on a RADIUS or TACACS server?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

TACACS server 

@JAISONTHOMAS 

The "Authorization failed" message at the console appears because AAA authentication is configured in the config and there is no fallback option of enable or local username.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

@JAISONTHOMAS 

If you are unable to access enable mode due to authorization issues, you might need to perform a password recovery procedure. This involves restarting the switch and interrupting the boot sequence to access a recovery mode where you can add an AAA fallback with local credentials.

Maintenance window...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

share 

show run | i aaa

MHM

xxxx-xxx-xxx>sh run | i aaa
^
% Invalid input detected at '^' marker.

xxxx-xxx-xxx>

OK, I forgot you can't access by console either.
Do:

enable 5 or enable 1

then try show.

Hope it works.

MHM

It seems that the account you used to log into the switch doesn't have permission to raise its privilege level. If you are using ISE as the TACACS server, then I think you can work around this by creating a new network access user in ISE with an enable password configured, then creating an authentication rule on ISE with TACACS service equal to enable, and finally pointing that authentication rule to the ISE internal users database.

When you log into the switch with these new user credentials, and you type "en" you should then use the new enable password you configured in ISE, that should work.

Alternatively, depending on your TACACS configs on the switch, you could simulate a link failure between the switch and ISE, maybe by placing a deny-all firewall rule between the switch and ISE if a firewall happens to be in the path. If the TACACS configs applied to the switch are configured to fall back to local, or if the "if-authenticated" keyword is configured, then authorizing the enable command would be skipped.
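For reference, here is an added IOS AAA configuration sketch (not from any poster in this thread) contrasting a TACACS-only method list, which produces exactly this lockout when the server rejects or is unreachable, with one that falls back to local credentials. The server name, address, key and usernames are placeholders.

```cisco
! --- Constructed example, not the original poster's config ---
aaa new-model
tacacs server ISE-PSN
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ ISE
 server name ISE-PSN
!
! Fragile variant: every method list ends at the TACACS group.
! With no further method, a reject or an unreachable server
! leaves "% Authorization failed" at "enable", console included.
aaa authentication login default group ISE
aaa authentication enable default group ISE
aaa authorization exec default group ISE
aaa authorization commands 15 default group ISE
aaa authorization console
!
! Resilient variant: local credentials exist and every list
! has a fallback method after the TACACS group.
username localadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET
enable secret REPLACE-WITH-STRONG-SECRET
aaa authentication login default group ISE local
aaa authentication enable default group ISE enable
aaa authorization exec default group ISE if-authenticated local
aaa authorization commands 15 default group ISE if-authenticated local
aaa authorization console
!
! Optional: log AAA decisions so a lockout is visible in syslog
aaa accounting exec default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
```

Note that IOS moves to the next method in a list only when the TACACS server is unreachable, not when it answers with a reject, which is why the firewall-rule idea above depends on a fallback method already being in the running config.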

M02@rt37 @Aref Alsouqi 
The issue seems to come from AAA, and he has two solutions (depending on his config):
either password recovery (sorry @JAISONTHOMAS )
or make TACACS push priv 15 via authz <<- this is done by ISE or the AAA server and it makes you enter priv 15 directly, no need for enable.

So let's wait for his reply on whether he can access priv 1 or priv 5 or not.

MHM

Yes that's right, changing the TACACS profile privilege level would be another option.

Thanks for confirming.
Have a nice day.
MHM

JAISONTHOMAS
Level 1

@MHM Cisco World enable 1 and 5 didn't work.

@Aref Alsouqi yes, we are using ISE as our TACACS server. I will try the ISE option you mentioned. If that fails, I will put a FW rule to deny connectivity to ISE and see if it fails over to local authentication. Thank you guys, appreciated.