
line con 0 authorization failed

Conucci
Level 1

Hello,

I can't configure line con 0 with the command login authentication CONSOLE. I get the following error:

sy-xxxx-ch-xxx-s-0xx(config-line)#login authentication CONSOLE
Command authorization failed.

TACACS+ is up and running, because I'm already connected to the device over SSH authenticated via TACACS+, and I have already applied several commands on line con 0 too:
***
line con 0
authorization exec CONSOLE
***

What am I doing wrong? Is it not possible to enter this command on a running system?
It's a new C9200CX.

Thank you for your advice

Kind Regards

Marco

Accepted Solution

Hello @Conucci,

add aaa authorization exec CONSOLE if-authenticated

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


5 Replies

Conucci
Level 1

Sorry, this was missing from my post:

aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

Conucci
Level 1

Dear M02@rt37,

Thank you, it's working. The strange thing is that I didn't configure this on the C9200L and it works there. I have never seen this before.

You're very welcome @Conucci.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I think it should have worked with the commands you already applied. The only thing that comes to my mind that could potentially have caused this issue is that on the TACACS server you don't have the right authorization rules, so it was potentially hitting a default deny rule. I think with the command suggested by M02@rt37 it wouldn't check against the TACACS policies configured on the TACACS server; it would only check whether the session has passed authentication.

Usually we add the "if-authenticated" keyword at the end of the aaa authorization command, something like "aaa authorization exec CONSOLE group tacacs+ local if-authenticated". The "if-authenticated" keyword allows authorization to succeed when the TACACS server is not available at the time the network device relays the authorization request; in that case the network device only verifies that the session has been successfully authenticated. This is a security measure that avoids being locked out if, right after authentication, communication with the TACACS server goes down for any reason.
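For reference, here is the AAA configuration the thread converges on, assembled from Conucci's posted config, the accepted fix (aaa authorization exec CONSOLE if-authenticated) and the alternative form given in the last reply. This is an added example, not a config copied from any one post: the tacacs server and group definitions are assumed to already exist on the switch and are omitted, and no hostname or server addresses are shown because the post gives none. Note that re-entering a named method list replaces its methods, so after the accepted fix the CONSOLE exec list consists of if-authenticated alone and the TACACS+ server's exec authorization policy is no longer consulted for the console; the alternative form keeps TACACS+ first and only falls through on a server error, not on a deny returned by the server.

```cisco
! Added example, not the original poster's or M02@rt37's exact config.
! Assumes "tacacs server ..." / "aaa group server tacacs+ ..." already exist.
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Console authorization is off by default; this switches it on.
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
!
! Accepted solution: console exec authorization succeeds for any
! authenticated user and never asks the TACACS+ server.
aaa authorization exec CONSOLE if-authenticated
!
! Alternative from the last reply (use instead of the line above):
! TACACS+ is asked first; "local" and "if-authenticated" are tried only
! when the server does not answer, not when it returns a deny.
! aaa authorization exec CONSOLE group tacacs+ local if-authenticated
!
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
```

After applying it, show running-config | section aaa confirms which definition of the CONSOLE list is active, and debug aaa authorization shows whether a console login is being authorized by the server or locally by if-authenticated.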