Console authorization issue

James Horne
Level 1

Hi, all.

I'm getting “% Authorization Failed.” on the console when logging in despite the config below - have I missed something here?


!
aaa new-model
!
aaa authentication login default local
aaa authentication login VTY_AUTH group radius local
aaa authorization exec default none
aaa authorization exec VTY_AUTH group radius local
aaa accounting exec default start-stop group radius
!

!
line con 0
 password 7 XXXXXXXXXXXXXX
line vty 0 4
 access-class VTY_ACL in
 password 7 XXXXXXXXXXXXXX
 authorization exec VTY_AUTH
 login authentication VTY_AUTH
 transport input ssh
 transport output ssh
line vty 5 15
 transport input none
!

 

Debug output when I login:

AAA/AUTHEN/LOGIN (000004B6): Pick method list 'default'
AAA/AUTHOR (0x4B6): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004B6): Authorization FAILED


I can’t for the life of me figure out why it’s trying the “VTY_AUTH” list - any ideas?

 

This is on a 3750-X stack running 12.2(55)SE3 at ipbase license level.

8 Replies

Julio Carvajal
VIP Alumni

Hello,

Yeah, that does not seem good.

 

Quick question, did you add the command:

aaa authorization console 

This is required to enable authorization on the console line.

 

Regards

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The aaa authorization console command is not in use - the idea is to have the console only ever use the local database. As you can see in my original post, the default method is set to local for login (and is selected correctly) and "none" is set for the default exec authorization (and is skipped?).

I'm sure it would work if I define a new list but one would assume that if the default is set it should use that (if at all)?

I have also tried setting the default to "if-authenticated" etc. but it goes to use the 'VTY_AUTH' list in all cases. Though interestingly, when the RADIUS servers are unreachable the local login does work - I assume this is because the fallback authorization method is local?

Seems like it could be a bug?

I will be back on site to test tomorrow morning.

nspasov
Cisco Employee

I would get rid of this line as I have the feeling that it is causing issues for you.

aaa authentication login default local

If that does not fix it you can also add:

aaa authentication login console line

line con 0

login authentication console

 

Hope this helps!

 

Thank you for rating helpful posts!

 

kaaftab
Level 4

Well, check the syntax, and if you are using the groups make sure they are available in the RADIUS config and the RADIUS server is clearly defined and reachable.

aaa authentication login default {group group-list [none] | local}

group-list—Space-separated list of server groups that can include any configured RADIUS or TACACS+ server group name.

local—Specifies the local database of the
Cisco CG-OS router for authentication.

none—Uses no authentication.

 

 

Jatin Katyal
Cisco Employee

Debugs indicate that while you were trying to connect from the console, it picked the right authentication method and the wrong authorization method. I guess you might have globally enabled console authorization, but even then it should not pick the VTY_AUTH method list.

Can you try this if possible:

 

username <username> privilege 15 password <password>

aaa authentication login CON default local

aaa authorization exec CON default local

aaa authorization console

!

line console 0

login authentication CON

authorization exec CON

exit

 

Please try again and let me know if that works.

 

Regards,

Jatin Katyal

**Do rate helpful posts**

 

~Jatin

James Horne
Level 1

Following up on this, I have tried most suggestions with the config currently as follows:

!
aaa new-model
!
aaa authentication login default local
aaa authentication login CON0 local
aaa authentication login VTY_AUTH group radius local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
aaa authorization exec VTY_AUTH group radius local
aaa accounting exec default start-stop group radius
!

!
line con 0
 password 7 XXXXXXXXXXXXXX
 authorization exec CON0
 login authentication CON0
line vty 0 4
 access-class VTY_ACL in
 password 7 XXXXXXXXXXXXXX
 authorization exec VTY_AUTH
 login authentication VTY_AUTH
 transport input ssh
 transport output ssh
line vty 5 15
 transport input none
!


Debug output on login - you’ll notice that this is still picking the wrong list:

AAA/BIND(000004DE): Bind i/f  
AAA/AUTHEN/LOGIN (000004DE): Pick method list 'CON0'
AAA/AUTHOR (0x4DE): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004DE): Authorization FAILED

 

Any further ideas?

James Horne
Level 1

CONCLUSION

Came on to post about something else and saw this, remembering that I had never returned to update it with the final working config:

aaa new-model
aaa authentication login default local
aaa authentication login CON0 local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
aaa session-id common


line con 0
 password 7 XXXXXXXXXXXXXX
 authorization exec CON0
 login authentication CON0

Version is now 15.2(1)E2 and none of this worked until I moved off the version mentioned in the initial post.
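The thread keeps coming back to one question: which method list should IOS pick for the console, and does the debug output agree? The script below is an added example written for this thread, not code from the original posts or from Cisco. It models the documented IOS rule (a line uses the list named under it by `login authentication` / `authorization exec`, otherwise `default`; exec authorization is not attempted on the console unless `aaa authorization console` is configured), then parses `debug aaa` "Pick method list" lines and reports where the device disagrees with that rule. The configs and debug lines are quoted from the posts above; the function names and the simplified parser are this example's own, and the rule modelled is the documented behaviour, not what 12.2(55)SE3 actually did.

```python
"""Constructed example for this thread (not Cisco code).  Models the documented
IOS method-list selection for a terminal line and checks 'debug aaa' output
against it.  Rule modelled:
  - a line uses the list named by 'login authentication' / 'authorization exec'
    under it, otherwise the list called 'default';
  - exec authorization is skipped on the console unless 'aaa authorization console'
    is configured."""

import re

# Quoted from the original post (transport/access-class lines omitted).
ORIGINAL_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication login VTY_AUTH group radius local
aaa authorization exec default none
aaa authorization exec VTY_AUTH group radius local
!
line con 0
 password 7 XXXXXXXXXXXXXX
line vty 0 4
 authorization exec VTY_AUTH
 login authentication VTY_AUTH
"""

ORIGINAL_DEBUG = """
AAA/AUTHEN/LOGIN (000004B6): Pick method list 'default'
AAA/AUTHOR (0x4B6): Pick method list 'VTY_AUTH'
AAA/AUTHOR/EXEC(000004B6): Authorization FAILED
"""

# Quoted from the CONCLUSION post (final working config).
FINAL_CONFIG = """
aaa authentication login default local
aaa authentication login CON0 local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CON0 if-authenticated
line con 0
 password 7 XXXXXXXXXXXXXX
 authorization exec CON0
 login authentication CON0
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)$")
DEBUG_RE = re.compile(r"AAA/(AUTHEN/LOGIN|AUTHOR) \([^)]*\): Pick method list '([^']+)'")

def _methods(tokens):
    """Fold 'group radius local' into ['group radius', 'local']."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"group {next(it)}" if tok == "group" else tok)
    return out

def parse_config(text):
    """Return (method_lists, per_line_settings, authz_console_enabled)."""
    lists, lines, authz_console, current = {}, {}, False, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                     # sub-command of the current line block
            parts = raw.split()
            if current and len(parts) == 3 and parts[:2] in (
                    ["login", "authentication"], ["authorization", "exec"]):
                lines[current][f"{parts[0]} {parts[1]}"] = parts[2]
            continue
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines.setdefault(current, {})
            continue
        current = None
        m = LIST_RE.match(raw)
        if m:                                       # ('authentication'|'authorization', name)
            lists[(m.group(1).split()[0], m.group(2))] = _methods(m.group(3).split())
        elif raw.strip() == "aaa authorization console":
            authz_console = True
    return lists, lines, authz_console

def expected_lists(config, line_name):
    """(authentication list, authorization list or None) the documented rule selects."""
    _, lines, authz_console = parse_config(config)
    cfg = lines.get(line_name, {})
    authen = cfg.get("login authentication", "default")
    if line_name.startswith("con") and not authz_console:
        return authen, None                         # console exec authorization not run
    return authen, cfg.get("authorization exec", "default")

def picked_lists(debug_text):
    """Method lists actually named in the debug output, keyed by phase."""
    picked = {}
    for m in DEBUG_RE.finditer(debug_text):
        phase = "authentication" if m.group(1) == "AUTHEN/LOGIN" else "authorization"
        picked[phase] = m.group(2)
    return picked

def check_debug(config, line_name, debug_text):
    """List every way the debug output disagrees with the documented selection."""
    authen, author = expected_lists(config, line_name)
    picked = picked_lists(debug_text)
    problems = []
    if picked.get("authentication") != authen:
        problems.append(f"authentication: expected {authen!r}, picked {picked.get('authentication')!r}")
    if author is None:
        if "authorization" in picked:
            problems.append(f"authorization: should not run on {line_name}, picked {picked['authorization']!r}")
    elif picked.get("authorization") != author:
        problems.append(f"authorization: expected {author!r}, picked {picked.get('authorization')!r}")
    return problems

if __name__ == "__main__":
    print(check_debug(ORIGINAL_CONFIG, "con 0", ORIGINAL_DEBUG))
    print(expected_lists(FINAL_CONFIG, "con 0"))
```

Run against the first post, the checker flags exactly the anomaly James saw: no `aaa authorization console`, so exec authorization should not have run on `con 0` at all, yet the debug shows the VTY_AUTH list being picked. Against the final config it resolves `con 0` to `CON0` for both phases, which is what the `if-authenticated` list was meant to do. The same check can be pointed at any `show run` / `debug aaa` pair to confirm that a console or VTY line is using the method lists you think it is.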

James, glad you were able to solve your issue! Also, thank you for taking the time to come back here and provide the solution (+5 from me). 

Now, since the issue is resolved, you should mark the thread as "answered" :)

Thank you for rating helpful posts!
