03-13-2008 02:30 AM - edited 03-10-2019 03:43 PM
Hi, I configured my firewall for authentication and authorization. I could log in via telnet/console with an AD username & password, but I could not execute any command (i.e. sh run, conf t, etc.) and I get the following error:
Fallback authorization. Username 'xxx' not in LOCAL database
Command authorization failed
Following is the configuration in the firewall:
aaa-server VPN protocol radius
accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
key xxx
aaa-server VPN host 172.20.20.12
key xxx
aaa-server my-group protocol tacacs+
accounting-mode simultaneous
aaa-server my-group host 172.20.20.11
key xxx
aaa-server my-group host 172.20.20.12
key xxx
aaa authentication telnet console VPN LOCAL
aaa authentication enable console VPN LOCAL
aaa authorization command VPN LOCAL
aaa accounting command privilege 15 my-group
I used RADIUS for my VPN user authentication. The first time I tried using TACACS+ for AAA authentication/authorization for console/telnet, but it didn't work. Then I changed to RADIUS and it authenticated.
In ACS I created a Shared Profile to allow_all and added the same in the ACS group under Shell Command Authorization Set.
But still I can only log in to the firewall and can't execute any commands, and get the following error:
Fallback authorization. Username 'mannai' not in LOCAL database
Command authorization failed
Can anyone give me a solution for this, please?
Thanks
03-14-2008 05:47 AM
Pls see this example; something must be wrong in the shell author set.
Regards,
~JG
Do rate helpful posts
03-16-2008 02:02 AM
Hi JG,
Thanks for the reply. I followed the same procedure, but this time I got the following error:
XXX-PIX515# sh run
Fallback authorization. Username 'enable_15' not in LOCAL database
Command authorization failed
Here is my configuration in Firewall:
aaa-server my-group protocol tacacs+
accounting-mode simultaneous
aaa-server my-group host 172.20.20.11
key cisco123
aaa-server my-group host 172.20.20.12
key cisco123
privilege cmd level 15 mode enable command configure
aaa authorization command my-group LOCAL
And ACS configuration is also attached.
I followed the steps in the Firewall 7.2(2) guide for configuring AAA Authentication and Authorization, and it said it is required to configure local AAA authorization. I configured a local username & password with privilege 15, but it does not even ask for this username & password; it accepts only the default password.
Please help me to solve this issue.
Thanks in advance
07-31-2012 10:37 AM
Hi everybody.
I have the same problem. I've got ASA 8.2(5) and ACS 5.2. I can log in to the ASA with a username which is located in the ASA LOCAL database, but I cannot log in with a username which is located in ACS 5.2; at the same time I can log in to a Router 2951 with that username. After logging in with the username which is located in the ASA LOCAL database, I cannot execute any command. I get the following error:
FW-ASA-DPC-02-5520-1# sh run
Command authorization failed
FW-ASA-DPC-02-5520-1#
And if I restart ACS and execute the same command during the restart, I get the following error:
Fallback authorization. Username 'enable_15' not in LOCAL database
Command authorization failed
FW-ASA-DPC-02-5520-1#
FW-ASA-DPC-02-5520-1# sh run
Fallback authorization. Username 'enable_15' not in LOCAL database
Command authorization failed
FW-ASA-DPC-02-5520-1#
08-01-2012 02:13 AM
I've solved my problem by using the following commands:
aaa-server AAA_ID protocol tacacs+
aaa-server AAA_ID (VLAN_19) host 10.2.19.21
key ***
aaa authentication ssh console AAA_ID LOCAL
aaa authorization command AAA_ID LOCAL
aaa authorization exec authentication-server
username aaaaa password AAAAAAAAA encrypted privilege 15
username aaaaa attributes
service-type admin
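As an added example (not code from this thread or from Cisco), here is a small Python linter that reads an ASA running-config and reports the command-authorization pitfalls discussed above: a non-TACACS+ group on "aaa authorization command", no LOCAL fallback account with privilege 15 and "service-type admin", and nothing that grants privilege 15 without the enable password (which is what produces the "enable_15" fallback error). The sample configs are constructed, and the rule set is my reading of the fix posted above, not a Cisco-documented check.

```python
import re

# Constructed sample configs (not from any real device): the failing shape
# from this thread, and the shape of the working fix posted above.
BROKEN_CFG = "aaa-server my-group protocol tacacs+\naaa authorization command my-group LOCAL\n"
FIXED_CFG = """aaa-server AAA_ID protocol tacacs+
aaa authentication ssh console AAA_ID LOCAL
aaa authorization command AAA_ID LOCAL
aaa authorization exec authentication-server
username aaaaa password AAAAAAAAA encrypted privilege 15
username aaaaa attributes
 service-type admin
"""
# Either line lets a login reach privilege 15 without typing the enable password.
PRIV_LINES = ("aaa authentication enable console", "aaa authorization exec authentication-server")

def parse_asa(cfg):
    """Collect server groups, local users and the AAA lines that matter for command authz."""
    groups, users, flags, authz, user = {}, {}, set(), None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            user = None  # left the 'username ... attributes' sub-mode
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            groups[m[1]] = m[2]
        elif m := re.match(r"aaa authorization command (\S+)( LOCAL)?$", line):
            authz = (m[1], m[1] == "LOCAL" or m[2] is not None)  # (group, local fallback?)
        elif line.startswith(PRIV_LINES):
            flags.add(line)
        elif m := re.match(r"username (\S+) password \S+ (?:encrypted )?privilege (\d+)", line):
            users[m[1]] = {"priv": int(m[2]), "admin": False}
        elif m := re.match(r"username (\S+) attributes", line):
            user = m[1]
            users.setdefault(user, {"priv": 2, "admin": False})  # ASA default level is 2
        elif user and line == "service-type admin":
            users[user]["admin"] = True
    return groups, users, authz, flags

def check_command_authz(cfg):
    """Return findings for the failure modes seen in this thread; an empty list means none."""
    groups, users, authz, flags = parse_asa(cfg)
    if authz is None:
        return []  # command authorization not configured; nothing to check
    grp, fallback = authz
    out = []
    if grp != "LOCAL" and groups.get(grp) != "tacacs+":
        out.append(f"group {grp!r} is not tacacs+; RADIUS cannot authorize commands")
    if grp != "LOCAL" and not fallback:
        out.append("no LOCAL fallback: an unreachable server locks out every command")
    if fallback and not any(u["priv"] == 15 and u["admin"] for u in users.values()):
        out.append("no local privilege-15 user with 'service-type admin' for fallback")
    if grp != "LOCAL" and not flags:
        out.append("enable password yields user 'enable_15', absent from LOCAL; add "
                   "'aaa authentication enable console' or 'aaa authorization exec'")
    return out
```

Run check_command_authz() over "show running-config" output saved to a file; the first poster's RADIUS-based group and the missing local admin account both show up as findings.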
11-14-2015 12:14 AM
Hello shakirovshm,
I am also facing the same problem... ACS (5.6) credentials are not getting authenticated on an ASA 5525, but we are able to log in on the ASA using the local password and get the same output you experienced, i.e. COMMAND AUTHORIZATION FAILED on executing any CLI command.
This will be a great help to us if you share "how you got the entry permission with all access on ASA and corrected the commands".
Rgds
****