
ISE - Authorization failed

We are setting up TACACS with ISE. The issue we are having is that when it is set up on a switch, we get "Authorization failed" even though privilege is set to 15.

Here is part of the config:

aaa new-model
!
!
aaa group server tacacs+ ISE_Group
 server name *****ISE
!
aaa authentication login default group ISE_Group local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group

ip tacacs source-interface Vlan1

tacacs-server directed-request
tacacs server ******ISE
 address ipv4 10.XX.XX.150
 key 7 08154D4D081A1643560E0F113822303172

line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 06070D2D49031D0C1613
 login authentication CONSOLE
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 length 0
line vty 5 15
 privilege level 15
 logging synchronous

When we turn TACACS on, we get the following results:

IDF_4#sh priv
Current privilege level is 15
IDF_4#sh run
% Authorization failed.
IDF_4#conf t
% Authorization failed.

Any ideas?

Accepted Solutions

Finally figured it out with the help of a contractor.  We needed to have the following line in our config:

aaa authorization commands 15 default group ISE_Group local if-authenticated

Once we added this to the other AAA commands, then we had full privileges to do everything.  The full section of our AAA authorization is:

aaa authentication login default group ISE_Group local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local if-authenticated
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group

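An added example, not part of the original thread and not Cisco code: a Python audit that parses the `aaa authorization` lines from the solution above and walks each method list the way the IOS documentation describes it, where a later method is consulted only when the earlier one gives no response. It shows in which case `if-authenticated` is what grants a command. The function names and the PASS/FAIL/ERROR response labels are assumptions made for illustration; what `local` answers for a given user is supplied by the caller, not modelled.

```python
import re

# Constructed sample: AAA lines taken from the accepted solution above.
CONFIG = """\
aaa group server tacacs+ ISE_Group
aaa authorization exec default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local if-authenticated
"""

LINE = re.compile(r"^aaa authorization (exec|commands (\d+)) (\S+) (.+)$", re.M)

def method_lists(config):
    """Return {(service, level, list_name): [methods]} for exec/commands lists."""
    out = {}
    for m in LINE.finditer(config):
        service = "commands" if m.group(2) else "exec"
        toks, methods = m.group(4).split(), []
        while toks:
            t = toks.pop(0)
            methods.append(f"group {toks.pop(0)}" if t == "group" and toks else t)
        out[(service, m.group(2), m.group(3))] = methods
    return out

def decide(methods, responses, authenticated=True):
    """Walk a method list: the next method is consulted only when the
    current one gives no response (ERROR); an explicit PASS or FAIL
    ends the walk. Returns (result, deciding_method)."""
    for method in methods:
        if method == "none":
            return "PASS", method
        if method == "if-authenticated":
            return ("PASS" if authenticated else "FAIL"), method
        r = responses.get(method, "ERROR")
        if r != "ERROR":
            return r, method
    return "FAIL", None

def audit(config):
    """Flag lists whose last resort authorizes without consulting a policy."""
    findings = []
    for (service, level, name), methods in method_lists(config).items():
        for weak in ("if-authenticated", "none"):
            if weak in methods:
                findings.append((service, level, name, weak))
    return findings
```

When `decide` reports `if-authenticated` as the deciding method, no ISE command set was evaluated for that command, so the ISE logs for the authorization attempt show whether the server answered at all.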

2 Replies

 - Check the ISE logs for the particular authorization attempt.

 M.
