06-27-2019 09:02 AM
Hello,
I have software tokens in the Gemalto Cloud for 2-factor authentication and it's working OK for Cisco AnyConnect remotely.
I can also log in to routers and switches successfully, but once they log in they get ...
conf t
Command authorization failed
With a clear text password from the ACS server it's fine, but not using the 2FA.
Cisco ACS server - aaa status says - Authentication succeeded
When the user authenticates there is a record of the request in the Gemalto Cloud snapshot. As it is registering success in the portal, the authentication from a STA (auth) perspective is closed.
Is the issue on the ACS or even the switch itself?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
06-27-2019 09:59 AM
There are 2 issues we see here.
1. Check first without any 2-factor authentication. Is that working with TACACS?
2. SafeNet has an issue with some special characters in the password; it will not take them. (Make sure the user password does not have any $ or £ kind of symbols.)
06-27-2019 11:27 AM
BB
The password generated by SafeNet is a 6-digit random number. It works OK when I authenticate to a router or switch using TACACS. It's only when I go to do a sh run etc. that the authorization is failing. I am not sure what it's looking for. The router or switch is fine if I use the same TACACS account with a clear text password.
06-28-2019 09:28 AM
Look at the logs on the TACACS server; they will give a clue based on the profile.
08-02-2019 07:39 AM
I found the logs under monitoring and reporting.
Authentication was OK but not authorization.
Once I added in the new group for 2FA it was OK.
Thanks
Kevin
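Added example, not part of any post in this thread: a simplified Python model of how IOS walks the two authorization method lists from the posted config. IOS moves to the next method only when the TACACS+ server does not answer, so a deny from the server is final and `if-authenticated` is never consulted. The user and group names are hypothetical, and the assumption is that the token user's identity group had no command policy on the ACS.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # server answered and denied the request
    ERROR = "error"  # server unreachable or no answer

# Constructed server state (hypothetical names, not taken from the thread).
AUTHORIZED_GROUPS = {"NetAdmins"}             # groups with a command policy
USER_GROUP = {"user-password": "NetAdmins",   # clear text password account
              "user-token": "Token-Users"}    # 2FA account in another group

def tacacs_authorize(user, server_up=True):
    """Server-side decision: based on the user's group, not on how they logged in."""
    if not server_up:
        return Result.ERROR
    allowed = USER_GROUP.get(user) in AUTHORIZED_GROUPS
    return Result.PASS if allowed else Result.FAIL

def evaluate(methods, user, server_up=True, authenticated=True):
    """Walk a method list; fall through to the next method only on ERROR."""
    result = Result.FAIL
    for method in methods:
        if method == "group tacacs+":
            result = tacacs_authorize(user, server_up)
        elif method == "if-authenticated":
            result = Result.PASS if authenticated else Result.FAIL
        if result is not Result.ERROR:
            return method, result
    return methods[-1], result

# aaa authorization exec default if-authenticated
EXEC_LIST = ["if-authenticated"]
# aaa authorization commands 15 default group tacacs+ if-authenticated
CMD_LIST = ["group tacacs+", "if-authenticated"]

if __name__ == "__main__":
    for user in ("user-password", "user-token"):
        print(user, "exec:", evaluate(EXEC_LIST, user))
        print(user, "conf t:", evaluate(CMD_LIST, user))
    # Only an unreachable server lets if-authenticated decide.
    print("server down:", evaluate(CMD_LIST, "user-token", server_up=False))
```

In this model the token user gets a shell through the exec list but has `conf t` rejected by the server, and the rejection clears once the user's group is given a command policy.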