10-16-2007 07:33 AM - edited 03-10-2019 03:27 PM
I have a user who cannot get to the enable prompt. Here is my trace output:
AAA/AUTHEN: update_user user='lduncan' ruser='(null)' port='telnet146' rem_addr='10.128.20.110' authen_type=1 service=ENABLE priv=15
2007 Oct 16 10:57:07.360 EST -04:00
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
TAC+: send AUTHEN/START packet ver=192 id=626074205
TAC+: Opening TCP/IP connection to 10.129.12.196
TAC+: ver=192 id=626074205 received AUTHEN status = GETPASS
2007 Oct 16 10:57:08.440 EST -04:00
AAA/AUTHEN (626074205): status = GETPASS
Password: 
2007 Oct 16 10:57:11.200 EST -04:00 *62*
2007 Oct 16 10:57:11.440 EST -04:00 *69*
2007 Oct 16 10:57:11.800 EST -04:00 *67*
2007 Oct 16 10:57:12.050 EST -04:00 *74*
2007 Oct 16 10:57:12.300 EST -04:00 *6f*
2007 Oct 16 10:57:12.530 EST -04:00 *65*
2007 Oct 16 10:57:12.950 EST -04:00
AAA/AUTHEN/CONT (626074205): continue_login
2007 Oct 16 10:57:12.950 EST -04:00
AAA/AUTHEN (626074205): status = GETPASS
TAC+: send AUTHEN/CONT packet id=626074205
TAC+: ver=192 id=626074205 received AUTHEN status = PASS
2007 Oct 16 10:57:13.460 EST -04:00
AAA/AUTHEN (626074205): status = PASS
2007 Oct 16 10:57:13.460 EST -04:00 return PASS
2007 Oct 16 10:57:13.460 EST -04:00
AAA/AUTHOR : ptr2=enable
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR : Add AV service=shell
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR : Add AV cmd=enable
2007 Oct 16 10:57:13.470 EST -04:00
AAA/AUTHOR/TACACS+ cmd author (413075467): Port='telnet146' list='(null)' service=CMD
2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) user='lduncan'
2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV service=shell
2007 Oct 16 10:57:13.480 EST -04:00
AAA/AUTHOR/TACACS+ cmd author: (413075467) send AV cmd=enable
AAA/AUTHOR/TACACS+ cmd author: (413075467) Method=TAC_PLUS
2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): user=lduncan
2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): send AV service=shell
2007 Oct 16 10:57:13.490 EST -04:00
AAA/AUTHOR/TAC+: (413075467): send AV cmd=enable
TAC+: Opening TCP/IP connection to 10.129.12.196
TAC+: (413075467): received author response status = FAIL
2007 Oct 16 10:57:14.500 EST -04:00
AAA/AUTHOR (413075467): Post authorization status = FAIL
2007 Oct 16 10:57:14.500 EST -04:00
AAA/AUTHOR : do_author result=1
2007 Oct 16 10:57:14.500 EST -04:00 %AAA: author: tacacs_plus_author ret=1.
Enable mode authorization faile
I have checked his user info and group info in TACACS.
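As a worked example added to this thread (it is not code from the original post, from Cisco, or from ACS), the script below triages a trace of the shape shown above: it reads the AUTHEN and author status lines, collects the AV pairs the device sent for authorization (service=shell, cmd=enable), and reports whether the problem is in login or in command authorization. That is exactly the distinction the trace makes: AUTHEN status = PASS, then author response status = FAIL for cmd=enable, so the fix belongs in the user's shell command authorization on the TACACS+ server, not in the password. It also redacts the `*xx*` tokens that follow the `Password:` prompt, which I assume are the device echoing the typed characters as hex bytes; a trace like this should have them stripped before it is shared. The sample trace, user name, session ids and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample in the same shape as the trace in the post (timestamps
# removed, made-up user, ids and addresses, placeholder echoed bytes).
SAMPLE_TRACE = """\
AAA/AUTHEN: update_user user='jdoe' ruser='(null)' port='telnet146' rem_addr='192.0.2.10' authen_type=1 service=ENABLE priv=15
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=ENABLE
TAC+: send AUTHEN/START packet ver=192 id=1001
TAC+: Opening TCP/IP connection to 192.0.2.50
TAC+: ver=192 id=1001 received AUTHEN status = GETPASS
AAA/AUTHEN (1001): status = GETPASS
Password: *41**42**43*
AAA/AUTHEN/CONT (1001): continue_login
TAC+: send AUTHEN/CONT packet id=1001
TAC+: ver=192 id=1001 received AUTHEN status = PASS
AAA/AUTHEN (1001): status = PASS
AAA/AUTHOR : Add AV service=shell
AAA/AUTHOR : Add AV cmd=enable
AAA/AUTHOR/TACACS+ cmd author (2002): Port='telnet146' list='(null)' service=CMD
AAA/AUTHOR/TACACS+ cmd author: (2002) user='jdoe'
TAC+: Opening TCP/IP connection to 192.0.2.50
TAC+: (2002): received author response status = FAIL
AAA/AUTHOR (2002): Post authorization status = FAIL
Enable mode authorization failed
"""

AUTHEN_RE = re.compile(r"received AUTHEN status = (\w+)")
AUTHOR_RE = re.compile(r"received author response status = (\w+)")
AV_RE = re.compile(r"Add AV (\w+)=(\S+)")
USER_RE = re.compile(r"user='([^']+)'")
SERVER_RE = re.compile(r"Opening TCP/IP connection to (\S+)")
# Assumed meaning: two hex digits between asterisks are echoed keystrokes.
ECHO_RE = re.compile(r"\*[0-9a-fA-F]{2}\*")


@dataclass
class Triage:
    user: Optional[str] = None
    server: Optional[str] = None
    authen_status: Optional[str] = None   # last AUTHEN status from the server
    author_status: Optional[str] = None   # author response for the command
    author_avs: Dict[str, str] = field(default_factory=dict)
    echoed_bytes: int = 0                 # count of *xx* tokens seen

    def verdict(self) -> str:
        if self.authen_status != "PASS":
            return (f"authentication did not pass (last status {self.authen_status}): "
                    "check the credentials and the TACACS+ server log")
        if self.author_status == "FAIL":
            avs = " ".join(f"{k}={v}" for k, v in self.author_avs.items())
            return (f"authentication passed but authorization of '{avs}' failed: "
                    "the user's group on the TACACS+ server needs a shell command "
                    "authorization set that permits this command")
        if self.author_status == "PASS":
            return "authentication and authorization both passed"
        return "incomplete trace: no authorization response seen"


def triage_trace(text: str) -> Triage:
    """Walk the trace line by line, keeping the last status of each phase."""
    t = Triage()
    for line in text.splitlines():
        if t.user is None and (m := USER_RE.search(line)):
            t.user = m.group(1)
        if m := SERVER_RE.search(line):
            t.server = m.group(1)
        if m := AUTHEN_RE.search(line):
            t.authen_status = m.group(1)
        if m := AUTHOR_RE.search(line):
            t.author_status = m.group(1)
        if m := AV_RE.search(line):
            t.author_avs[m.group(1)] = m.group(2)
        t.echoed_bytes += len(ECHO_RE.findall(line))
    return t


def redact_echoed_bytes(text: str) -> str:
    """Replace every echoed hex byte with *xx* so the trace can be shared."""
    return ECHO_RE.sub("*xx*", text)


if __name__ == "__main__":
    result = triage_trace(SAMPLE_TRACE)
    print(f"user={result.user} server={result.server} "
          f"authen={result.authen_status} author={result.author_status}")
    print(result.verdict())
    if result.echoed_bytes:
        print(f"{result.echoed_bytes} echoed byte(s) found; share only the redacted trace")
```

Running it on the constructed sample gives the same verdict the original trace supports: authentication passed, authorization of service=shell cmd=enable failed. The redaction step matters because a debug trace of an enable attempt can contain the password keystrokes, so redact before pasting it into a ticket or a forum.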
10-16-2007 07:51 AM
It seems that you have command authorization configured; that is why the user is not able to issue it.
What kind of user is it? Admin or normal user?
To let him log in you need to make changes in the command authorization set.
Make one command authorization set in ACS ---> Shared Profile Components.
Add ---> give it any name, "Full access" ---> set the radio button to Permit and submit.
Now go to that group ---> under Shell Command Authorization Set ---> choose "Assign a Shell Command Authorization Set for any network device", select FULL ACCESS from the list, submit and apply.
Now it should let you in.
Caution: this will let that user issue all commands.
Also provide me more info if you want the user to be denied some commands. We need to set up the command authorization set accordingly.
Regards,
~JG
Please rate helpful posts
10-16-2007 08:10 AM
Thanks, that fixed it...............
10-16-2007 08:12 AM
Please mark it resolved so others can benefit from it.
Regards,
~JG