cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

28936
Views
5
Helpful
10
Replies
csco11029214
Beginner

command authorization failed

I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :

============================

EUKFW2# show running-config

^

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

============================

I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

1 ACCEPTED SOLUTION

Accepted Solutions

10 REPLIES 10
Jagdeep Gambhir
Advocate

No there is no default user. To make him login you need to make changes in the command author set.

Make one command autho set in acs --->shared profile components.

add-->give any name "Full access "---> Put radio button to permit and submit.

Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.

Now it should let you in.

Caution : This is let that uses to issue all commands

Find attached the way to set up command authorization.

Trick here is to give all user prov lvl 15 and then apply command autho set.

Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.

Regards,

~JG

Please rate if helps

Thanks for the attachments, I have had a look at them but the problem is that the changes you specified are made through HTTP browser and my firewall was not fully configured hence it can not be connected through HTTP nor SSH nor Telnet, so the only option I have is the console on which it is connected :(

Regards,

Murtaza

You need to make these changes in tacacs server and not in ASA.

Ok, but I did not configure the aaa authorization to use TACACS server, I set it to use LOCAL. Can I disable the authorization from ROMMON ? Actually I just want to disable the aaa command authorization on the ASA so that I can login to the user mode directly and then the EXEC mode with the password I set during the setup.

This is how you need to recover it,

Lockout Scenarios

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1044015

Regards,

~JG

Please rate helpful posts

JG, thanks for that, I though so that might be the only solution. One question though, the last column of that table has my problem and the solution it suggests it "Log in and reset the passwords and aaa commands." but the problem is when I login, I am only able to login by the locked out user so I can not fire any commands, not even the password change so should I enter the setup of the firewall (ROMMON) to reset the password and does the ROMMON accept all the configure commands ?

Regards,

Murtaza

Thank you, I think that URL has guided me to the corrective solution.

Regards,

Murtaza

Hello All, 

 

I am facing the same issue and unfortunately, am not able to open the link which provided in the above ticket, it says 

Policy Error.

 

Can some1 please let me know the steps or solution given over there...

 

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224

Content for Community-Ad