Command Authorization Failed on certain show commands

Hello,

Here is my current AAA configuration on our switches:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization exec console local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 0 console local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
 authorization commands 0 console
 authorization commands 15 console
 authorization exec console
 logging synchronous
 login authentication console

The issue I'm having is that I'm getting 'command authorization failed' while logged in with the local account rather than a TACACS+ account when attempting to run certain show commands.  Some of the commands are 'show etherchannel summ', 'show interface status', and 'show version'.  I can, however, perform a show run and get into global config mode.  If I disconnect the uplink from the network, then I can run any and all show commands.  It's only when I'm connected to the network and our ACS server is reachable that I get these errors.  Any ideas why I can do a show run but not other show commands?

Regards,

Terence

4 Replies

nspasov
Cisco Employee

Hi Terence, 

The way AAA works is that the "groups" of databases/devices are checked in the order that they are configured. If the first database/device is available, any subsequent ones will only be checked if that database/device is not available. So in your configuration, the TACACS+ server is the first one on the list while the local database is second. Thus, the local database is only considered/checked if the TACACS+ server becomes unavailable.

I hope this helps!

Thank you for rating helpful posts!

Neno,

But why would some show commands work and not others? My console line is configured to use the local database only, not TACACS+.

Terence,

Please see my comment above. You're trying to authorize commands as if they run at privilege level 0, but they run at privilege level 1.

Terence,

You have "commands 0", but the show commands above are executed at level 1.
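The two points raised in this thread (methods in a list are only tried in order when the previous one is unavailable, and most show commands execute at privilege level 1 rather than 0 or 15) can be checked against the posted configuration with a small model. The following is an added illustration, not code from any poster or from Cisco; it is a simplified, constructed model of how IOS picks a method list per line and privilege level, and the "fixed" configuration it builds (a level-1 console list bound to line con 0) is an assumption drawn from the replies, not something the thread itself confirms.

```python
# Toy model of IOS AAA command-authorization method-list resolution.
# Constructed for illustration; it simplifies real IOS behaviour.
from dataclasses import dataclass
from copy import deepcopy

# Privilege level at which each command executes (IOS defaults: ordinary show
# commands are level 1; show running-config and configure terminal are level 15).
COMMAND_LEVEL = {
    "show version": 1,
    "show interface status": 1,
    "show etherchannel summary": 1,
    "show running-config": 15,
    "configure terminal": 15,
}


@dataclass
class AAAConfig:
    # (level, list_name) -> ordered methods, e.g. ["tacacs+", "local"]
    lists: dict
    # (line, level) -> list_name bound on that line; unbound levels use "default"
    line_lists: dict

    def list_for(self, line, level):
        name = self.line_lists.get((line, level), "default")
        return name, self.lists.get((level, name), [])


def authorize(cfg, line, command, tacacs_reachable, user_known_to_tacacs):
    """Return (verdict, list_name) for one command on one line.

    Methods are tried in order; a later method is consulted only when the
    earlier one is unavailable. A reachable TACACS+ server that answers
    'deny' is final: there is no fallback to local on a rejection.
    """
    level = COMMAND_LEVEL[command]
    name, methods = cfg.list_for(line, level)
    for method in methods:
        if method == "tacacs+":
            if not tacacs_reachable:
                continue  # server unavailable: fall through to next method
            return ("permit" if user_known_to_tacacs else "deny", name)
        if method == "local":
            # simplified: local command authorization succeeds if the user's
            # privilege level covers the command (assumed true here)
            return ("permit", name)
    # no method list configured for this level: IOS does not authorize it
    return ("permit", name)


# The configuration posted in the question, reduced to command authorization.
# Note: level 1 has a default list but no console list and no line binding.
OP_CONFIG = AAAConfig(
    lists={
        (0, "default"): ["tacacs+", "local"],
        (0, "console"): ["local"],
        (1, "default"): ["tacacs+", "local"],
        (15, "default"): ["tacacs+", "local"],
        (15, "console"): ["local"],
    },
    line_lists={("con 0", 0): "console", ("con 0", 15): "console"},
)


def fixed_config(cfg=OP_CONFIG):
    """Assumed fix: add 'aaa authorization commands 1 console local' and
    'authorization commands 1 console' under line con 0."""
    new = deepcopy(cfg)
    new.lists[(1, "console")] = ["local"]
    new.line_lists[("con 0", 1)] = "console"
    return new


def diagnose(cfg, tacacs_reachable, line="con 0"):
    """Verdict per command for a locally defined user the ACS does not know."""
    return {
        cmd: authorize(cfg, line, cmd, tacacs_reachable, user_known_to_tacacs=False)
        for cmd in COMMAND_LEVEL
    }


if __name__ == "__main__":
    for label, cfg, up in [
        ("posted config, ACS reachable", OP_CONFIG, True),
        ("posted config, uplink disconnected", OP_CONFIG, False),
        ("with level-1 console list, ACS reachable", fixed_config(), True),
    ]:
        print(label)
        for cmd, (verdict, lst) in diagnose(cfg, up).items():
            print(f"  {cmd:<28} level {COMMAND_LEVEL[cmd]:<3} list={lst:<8} {verdict}")
```

Running it reproduces the symptom: with the ACS reachable, the level-1 show commands on the console resolve to the default list, reach TACACS+, and are denied, while show running-config and configure terminal (level 15) use the console list and succeed locally; with the uplink down, TACACS+ is skipped as unavailable and everything falls through to local. Binding a level-1 console list makes the show commands behave like the level-15 ones.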