07-20-2020 09:27 AM
We are setting up TACACS with ISE. The issue we are having is that when it is set up on a switch, we get "Authorization failed" even though privilege is set to 15.
Here is part of the config:
aaa new-model
!
!
aaa group server tacacs+ ISE_Group
 server name *****ISE
!
aaa authentication login default group ISE_Group local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group
ip tacacs source-interface Vlan1
tacacs-server directed-request
tacacs server ******ISE
 address ipv4 10.XX.XX.150
 key 7 08154D4D081A1643560E0F113822303172
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 06070D2D49031D0C1613
 login authentication CONSOLE
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 length 0
line vty 5 15
 privilege level 15
 logging synchronous
When we turn TACACS on, we get the following results:
IDF_4#sh priv
Current privilege level is 15
IDF_4#sh run
% Authorization failed.
IDF_4#conf t
% Authorization failed.
Any ideas?
Accepted Solutions
07-21-2020 08:53 AM
Finally figured it out with the help of a contractor. We needed to have the following line in our config:
aaa authorization commands 15 default group ISE_Group local if-authenticated
Once we added this to the other AAA commands, then we had full privileges to do everything. The full section of our AAA authorization is:
aaa authentication login default group ISE_Group local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local if-authenticated
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group
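An added example, not part of the original post and not Cisco tooling: a small Python audit that reads `aaa authorization commands` method lists like the one above, reports which fallback methods (`if-authenticated`, `none`) authorize without a per-command decision from the TACACS+ server, and checks whether the same level and list is covered by command accounting. The function names and finding fields are assumptions made for this example.

```python
import re

# Constructed sample: the AAA lines from the accepted answer above.
SAMPLE_CONFIG = """\
aaa authentication login default group ISE_Group local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local if-authenticated
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group
"""

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) ")
# Methods that grant the command without asking the server about it.
PERMISSIVE = ("if-authenticated", "none")


def parse_methods(tokens):
    """Turn ['group', 'ISE_Group', 'local'] into ['group ISE_Group', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_command_authorization(config):
    """Return one finding per 'aaa authorization commands' method list."""
    lines = [ln.strip() for ln in config.splitlines()]
    # (level, list name) pairs that have command accounting configured.
    accounted = {m.group(1, 2) for ln in lines if (m := ACCT_RE.match(ln))}
    findings = []
    for ln in lines:
        m = AUTHZ_RE.match(ln)
        if not m:
            continue
        level, name, rest = m.groups()
        methods = parse_methods(rest.split())
        findings.append({
            "level": int(level), "list": name, "methods": methods,
            "permissive_fallbacks": [x for x in methods if x in PERMISSIVE],
            "accounted": (level, name) in accounted,
        })
    return findings
```

A non-empty `permissive_fallbacks` on a level-15 list is worth pairing with `accounted` being true, so that commands allowed through the fallback are still logged.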
07-21-2020 12:03 AM
- Check the ISE logs for the particular authorization attempt.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
12-28-2023 06:21 PM
It worked for me, thanks a lot!
