Tacacs Authorization

jharper2
Level 1

Below is my current TACACS configuration. I am trying to configure my ASR, which is running Cisco IOS XR ver 5.3.3. I am trying to configure my device so that when the TACACS server is unavailable, I can still log in and make configurations. When I input the configuration I receive an error and I am not sure why.

Tacacs Config:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands default stop-only group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 group tacacs+
aaa authorization commands 1 group tacacs+
aaa authorization commands 15 group tacacs+
aaa authorization commands default group tacacs+
aaa authorization eventmanager default local
aaa authorization eventmanager tcluser local
aaa authentication login default group tacacs+ local


Error:

#aaa authorization commands default group tacacs+ local
                                                                                  ^
% Invalid input detected at '^' marker.

Accepted Solutions

danielsai
Level 1

Hi Justin,

I believe the syntax on ASR has to be

" aaa authorization commands 15 default group tacacs+ local " or

" aaa authorization commands 0 default group tacacs+ local "

Got to put enable level.

Regards,

Sai


hslai
Cisco Employee

If you've already validated that there is no syntax issue, then please consult with the support team for the ASR or Cisco IOS XR. It might be a bug in that platform.

Sai is correct. On Cisco IOS or the like, the commands are associated with run levels. If you have customized commands to some specific levels, then just follow the same syntax to add the additional run levels.

jharper2
Level 1

I have validated the syntax issue, and I have tried adding the local group to the enable levels, but I still get an error. Below is the output from the syntax validation:

aaa authorization commands default group tacacs+ group local
(config)#commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
(config)#show configuration failed
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
aaa authorization commands default group tacacs+ group local
!!% An invalid method was specified in the message or required configuration is missing: %AAA-3-ILLEGALNAME: Illegal authorization server-group name "local" rejected
end

If it is working without "local", then it seems that particular IOS-XR release and ASR platform combination does not support local for "default". I do not think you need that anyway if all the run-levels are explicitly specified.
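
Added example, not posted by anyone in this thread and not Cisco code: a small Python audit that reads AAA method lists and reports the ones whose only method is a server group (nothing left to try when TACACS+ is unreachable), plus any use of "local" as a server-group name, which the commit output above shows being rejected. The names `parse_method_list` and `audit_aaa` and the fallback keyword set are assumptions of this example; the sample input is the configuration from the question followed by the rejected command.

```python
FALLBACKS = {"local", "none"}   # assumed set of non-server method keywords
CHECKED = {"authentication", "authorization"}   # accounting lists are skipped
# Lines 1-10: configuration from the question. Line 11: the rejected command.
PAGE_CONFIG = """\
aaa accounting exec default start-stop group tacacs+
aaa accounting commands default stop-only group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 group tacacs+
aaa authorization commands 1 group tacacs+
aaa authorization commands 15 group tacacs+
aaa authorization commands default group tacacs+
aaa authorization eventmanager default local
aaa authorization eventmanager tcluser local
aaa authentication login default group tacacs+ local
aaa authorization commands default group tacacs+ group local
"""

def parse_method_list(line):
    """Split one 'aaa ...' line into (kind, list id, ordered methods)."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "aaa" or tok[1] not in CHECKED:
        return None
    # The method chain starts at the first 'group', 'local' or 'none' token.
    start = next((i for i in range(2, len(tok))
                  if tok[i] == "group" or tok[i] in FALLBACKS), None)
    if start is None:
        return None
    methods, i = [], start
    while i < len(tok):
        step = 2 if tok[i] == "group" and i + 1 < len(tok) else 1
        methods.append(tuple(tok[i:i + step]))   # ('group', name) or ('local',)
        i += step
    return tok[1], " ".join(tok[2:start]), methods

def audit_aaa(config):   # returns [(line number, list id, issue)]
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        parsed = parse_method_list(raw.strip())
        if not parsed:
            continue
        _, list_id, methods = parsed
        if ("group", "local") in methods:
            findings.append((n, list_id, "group-local"))   # ILLEGALNAME case
        elif not any(m[0] in FALLBACKS for m in methods):
            findings.append((n, list_id, "no-fallback"))   # server groups only
    return findings

if __name__ == "__main__":
    print(*audit_aaa(PAGE_CONFIG), sep="\n")
```

On the posted configuration this reports the four command-authorization lists as `no-fallback`, while the exec authorization and login authentication lists pass because they end in `local`.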