Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
75
Views
0
Helpful
0
Replies

AAA Question - Able to Log in to Switch But Cannot Run Any Commands

RRatBB
Level 1
Level 1

‎03-27-2024 11:30 AM - edited ‎03-27-2024 01:39 PM

Hoping someone can shed some light.  I have a switch in a remote location that I can connect to via SSH, but once connected I am unable to run *any* commands. I cannot do "show run." I cannot do *any* "show" commands. I can't even "exit" my SSH session. All commands return "% Authorization failed." It's as if I am logging in as privilege LEVEL 0. But I can't even run LEVEL 0 commands. Here's an example:

login as: joeusername
Pre-authentication banner message from server:
|
| ***********************************************************
| ** Access to this device is restricted to authorized blah blah**
| ***********************************************************
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

SWITCH001#sh run
% Authorization failed.

SWITCH001#exit
% Authorization failed.

SWITCH001#logout
% Authorization failed.

 

Here are some things I have found:

1. Default authentication method is using RADIUS, then TACACS+, then local
2. However, we have no local accounts configured. And we no longer have a TACACS+ server. So it appears I everything is via RADIUS.
3. We *do* have "aaa authorization exec ..." configured. I suspect this is where the problem is ... but I am not sure.

Relevant AAA settings are below (IPs and group names are fake):

!
aaa new-model
!
!
aaa group server radius RADIUSSERVER
server 192.168.6.21 auth-port 1812 acct-port 1026
!
aaa authentication fail-message ^C
***********************************************************
** Your authentication request has been rejected and blah blah**
***********************************************************
^C
aaa authentication login default group RADIUSSERVER group tacacs+ local
aaa authentication enable default group RADIUSSERVER group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group RADIUSSERVER group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting delay-start all
aaa accounting exec default start-stop group RADIUSSERVER group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting network default start-stop group RADIUSSERVER group tacacs+
!
!
!
aaa session-id common
!
...
...
...
tacacs-server host 192.168.5.7
tacacs-server host 192.168.5.8
tacacs-server directed-request
tacacs-server key 7 xxxxxx
radius-server attribute 8 include-in-access-req
radius-server host 192.168.6.21 auth-port 1812 acct-port 1026
radius-server key 7 xxxxxx
banner login ^C
***********************************************************
** Access to this device is restricted to authorized blah blah **
***********************************************************
^C
!
line con 0
password 7 xxxxxx
logging synchronous
line vty 0 4
exec-timeout 15 0
password 7 xxxxxxx
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 15 0
password 7 xxxxxx
transport input ssh
!

I think the first thing I need to do is create a local admin-level account.  Then I should probably remove anything having to do with tacacs+.  But I'm still not sure that explains why I don't seem to be getting any sort of authorization whatsoever. 

(BTW, all IPs, server names, key hashes, etc, have been modified. They are not actually in our environment.)

Thank you.

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card