Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
60102
Views
10
Helpful
10
Replies

command authorization failed

Go to solution
csco11029214
Level 1
Level 1

‎10-17-2007 12:17 PM - edited ‎03-10-2019 03:27 PM

I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :

============================

EUKFW2# show running-config

^

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

============================

I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

10 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
10 Replies 10

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎10-17-2007 12:30 PM

No there is no default user. To make him login you need to make changes in the command author set.

Make one command autho set in acs --->shared profile components.

add-->give any name "Full access "---> Put radio button to permit and submit.

Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.

Now it should let you in.

Caution : This is let that uses to issue all commands

Find attached the way to set up command authorization.

Trick here is to give all user prov lvl 15 and then apply command autho set.

Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.

Regards,

~JG

Please rate if helps

21279-Command authorization on PIX (and pdm).7z

Go to solution
csco11029214
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-17-2007 12:47 PM

Thanks for the attachments, I have had a look at them but the problem is that the changes you specified are made through HTTP browser and my firewall was not fully configured hence it can not be connected through HTTP nor SSH nor Telnet, so the only option I have is the console on which it is connected :(

Regards,

Murtaza

0 Helpful

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to csco11029214

‎10-17-2007 12:49 PM

You need to make these changes in tacacs server and not in ASA.

0 Helpful

Go to solution
csco11029214
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-17-2007 12:54 PM

Ok, but I did not configure the aaa authorization to use TACACS server, I set it to use LOCAL. Can I disable the authorization from ROMMON ? Actually I just want to disable the aaa command authorization on the ASA so that I can login to the user mode directly and then the EXEC mode with the password I set during the setup.

0 Helpful

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to csco11029214

‎10-18-2007 08:08 AM

This is how you need to recover it,

Lockout Scenarios

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1044015

Regards,

~JG

Please rate helpful posts

0 Helpful

Go to solution
csco11029214
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-18-2007 11:51 AM

JG, thanks for that, I though so that might be the only solution. One question though, the last column of that table has my problem and the solution it suggests it "Log in and reset the passwords and aaa commands." but the problem is when I login, I am only able to login by the locked out user so I can not fire any commands, not even the password change so should I enter the setup of the firewall (ROMMON) to reset the password and does the ROMMON accept all the configure commands ?

Regards,

Murtaza

0 Helpful

Go to solution
csco11029214
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-18-2007 02:00 PM

Thank you, I think that URL has guided me to the corrective solution.

Regards,

Murtaza

0 Helpful

Go to solution
sanjay.j.iyengar
Level 1
Level 1
In response to Jagdeep Gambhir

‎04-22-2020 10:04 PM

Hello All, 

 

I am facing the same issue and unfortunately, am not able to open the link which provided in the above ticket, it says 

Policy Error.

 

Can some1 please let me know the steps or solution given over there...

 

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224

0 Helpful
Customers Also Viewed These Support Documents