command authorization failed when logging Cisco Switch 9300 only via ssh

jquispe01
Level 1

Hi Cisco Community, hope you can help me. I have this issue driving me crazy: I just replaced 3650 dual-stack switches with 9300s, copied and pasted the config as I did for other switches, but since then I am able to remote into the switch via SSH with local credentials but get the below error with all CLI commands. Also, TACACS logon doesn't work, but the 2960 switches are all working fine with local/TACACS.

login as: admin
Using keyboard-interactive authentication.
Password:


SWCORE>en
Password:
SWCORE#sh run
Command authorization failed.

SWCORE#
No problem when logging in via console with the local admin; see the AAA/TACACS settings below:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login async none
aaa authentication ppp default local
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
session-timeout 5
exec-timeout 5 0
stopbits 1
line vty 0 4
session-timeout 5
access-class 95 in
exec-timeout 5 0
length 0
transport preferred none
transport input ssh
transport output ssh
line vty 5 15
no exec
transport input none
!
Thanks for the Help

John

1 Reply

balaji.bandi
Hall of Fame

Here is the working template:
aaa new-model
aaa group server tacacs+ tacacsgroup
aaa authentication login default group tacacsgroup local
aaa authentication enable default group tacacsgroup enable
aaa authorization exec default group tacacsgroup local if-authenticated
aaa accounting commands 1 default start-stop group tacacsgroup
aaa accounting commands 15 default start-stop group tacacsgroup


tacacs server tacacs1
address ipv4 10.10.10.10 <-- replace with your server
key 7 xxxx <-- your

aaa group server tacacs+ tacacsgroup
server name tacacs1

For testing, remove the line below:
line vty 0 4
session-timeout 5
no access-class 95 in
exec-timeout 5 0
length 0
no transport preferred none
transport input ssh
transport output ssh

BB

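The following is an added example, not code from the thread or from Cisco. It replays the original poster's AAA lines and the reply's template through a small model of how IOS walks an AAA "commands" authorization method list, so the VTY-versus-console difference can be reproduced without a lab. The IOS behaviour it models: methods are tried in order, a method that returns ERROR (server unreachable) hands over to the next one, a method that returns FAIL (the server explicitly denies) ends the list with "Command authorization failed.", the `none` method always permits, and the console line is not subject to authorization unless `aaa authorization console` is configured. The TACACS+ reply is simulated; the treatment of any other method as ERROR is an assumption labelled in the code.

```python
# Added example (not from the thread or from Cisco): a model of an IOS AAA
# 'commands' authorization method list, run over the two configurations
# posted above with a simulated TACACS+ answer.
import re
from dataclasses import dataclass, field

# Constructed copies of the relevant lines from the original post and the reply.
OP_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
"""

REPLY_TEMPLATE = """
aaa new-model
aaa group server tacacs+ tacacsgroup
aaa authentication login default group tacacsgroup local
aaa authorization exec default group tacacsgroup local if-authenticated
"""


@dataclass
class AaaConfig:
    # privilege level -> ordered method list, e.g. {15: ["group tacacs+", "none"]}
    command_lists: dict = field(default_factory=dict)
    # IOS applies authorization to the console only when this command is present
    authorize_console: bool = False


def parse_methods(spec: str) -> list:
    """'group tacacs+ none' -> ['group tacacs+', 'none']."""
    tokens = spec.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(text: str) -> AaaConfig:
    """Pick the command-authorization lists (and console flag) out of an IOS config."""
    cfg = AaaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"aaa authorization commands (\d+) default (.+)", line)
        if m:
            cfg.command_lists[int(m.group(1))] = parse_methods(m.group(2))
        elif line == "aaa authorization console":
            cfg.authorize_console = True
    return cfg


def authorize_command(cfg: AaaConfig, line: str, priv: int, tacacs_reply: str):
    """Decide whether a command at privilege `priv` is allowed on `line`.

    `tacacs_reply` simulates the server: 'PASS', 'FAIL' (explicit deny) or
    'ERROR' (unreachable / no response). Returns (allowed, reason).
    """
    if line == "console" and not cfg.authorize_console:
        return True, "console is exempt: no 'aaa authorization console'"
    methods = cfg.command_lists.get(priv)
    if methods is None:
        return True, f"no 'aaa authorization commands {priv}' list, so nothing is checked"
    for method in methods:
        if method.startswith("group "):
            result = tacacs_reply
        elif method == "none":
            result = "PASS"      # 'none' always permits
        else:
            result = "ERROR"     # assumption: any other method is treated as unanswered
        if result == "PASS":
            return True, f"{method}: PASS"
        if result == "FAIL":
            # IOS moves to the next method only on ERROR, never on FAIL
            return False, f"{method}: FAIL -> 'Command authorization failed.'"
    return False, "every method returned ERROR; IOS denies"


def replay():
    """Run the thread's scenario and return the decisions keyed by case."""
    op = parse_aaa(OP_CONFIG)
    reply = parse_aaa(REPLY_TEMPLATE)
    return {
        # server reachable but denies the locally defined 'admin' user
        "op_vty_denied": authorize_command(op, "vty", 15, "FAIL"),
        "op_console_denied": authorize_command(op, "console", 15, "FAIL"),
        # server unreachable: the 'none' fallback quietly permits everything
        "op_vty_unreachable": authorize_command(op, "vty", 15, "ERROR"),
        # the reply's template carries no 'commands' lists at all
        "reply_vty_denied": authorize_command(reply, "vty", 15, "FAIL"),
    }


if __name__ == "__main__":
    for name, (allowed, why) in replay().items():
        print(f"{name:20} {'allow' if allowed else 'deny':5} {why}")
```

Two points for whoever reviews such a config fall out of the replay. First, `none` as the trailing method only helps when the TACACS+ server is unreachable; if the server answers and denies (for example for a user that exists only in the local database), the list stops at that FAIL and the `none` fallback is never consulted, which is what the VTY session above shows while the console, being exempt, is unaffected. Second, `group tacacs+ none` is fail-open: a server outage silently grants every command to anyone who can log in, and the reply's template removes the error by dropping per-command authorization altogether rather than by making the server answer PASS.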