tacacs+ console access "command authorization failed" to run commands

atsukane
Level 3

Hi all,

I'm having trouble issuing commands on a device when accessing console, receive "command authorization failed".

Catalyst 9300 IOS-XE version 17.9.5.

Below is the aaa and console configuration, the local account has privilege 15.

Where am I going wrong with this, resulting in command authorization failure?

sh run aaa
!
aaa authentication login default local
aaa authentication login CON local
aaa authentication login ISE-TACACS group ISE-servers local
aaa authentication enable default group ISE-servers enable
aaa authorization exec CON local 
aaa authorization exec ISE-TACACS group ISE-servers local if-authenticated 
aaa authorization commands 1 ISE-TACACS group ISE-servers local if-authenticated 
aaa authorization commands 15 ISE-TACACS group ISE-servers local if-authenticated 
aaa authorization config-commands
aaa authorization console
aaa accounting exec default start-stop group ISE-servers
aaa accounting commands 1 default start-stop group ISE-servers
aaa accounting commands 15 default start-stop group ISE-servers
username netadmin privilege 15 secret 9 $8$wftnfuljhbrPKk$oOnEqwpJRrX5eLK/UBaMdp.VGnbLpCwimJJdel7.dNw

!
!
tacacs server UK-LON-ISE-01
 address ipv4 192.168.254.11
 key 7 *******************
tacacs server UK-LON-ISE-02
 address ipv4 192.168.254.12
 key 7 *******************
!
!
aaa group server tacacs+ ISE-servers
 server name UK-LON-ISE-01
 server name UK-LON-ISE-02
!
!
!
aaa new-model
aaa session-id common
!
!
ip tacacs source-interface Vlan10 
!
line con 0
 authorization exec CON
 login authentication CON

thanks,

7 Replies

You use a local user; did you configure a privilege level with the user?

MHM

Yup, it's privilege 15.


username netadmin privilege 15 secret 9 ***************************************************

Then, the last thing: since you configured command authz, try adding command authz under the console.

MHM

aaa authorization commands 1 ISE-TACACS group CON local if-authenticated 
aaa authorization commands 15 ISE-TACACS group CON local if-authenticated 

Under the console:

authorization commands CON <<- this needs the exec; it is OK if the user has privilege 15, but the commands also need authz. Try adding these commands and check.

MHM

Any update?

MHM

@atsukane

You defined a list called CON here:

line con 0
 authorization exec CON
 login authentication CON

Here you point it to local:

aaa authorization exec CON local

If you want to use TACACS for the console, you need to use the list you defined on this command:

aaa authorization exec ISE-TACACS group ISE-servers local if-authenticated

Or you can use default, which will pick up the list you defined above:

line con 0
 authorization exec default
 login authentication default
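The two posts above (the original `sh run aaa` output and the point that the lists applied under `line con 0` decide what the console actually uses) can be checked mechanically rather than by eye. What follows is an added example, not from this thread and not a Cisco tool: a Python script that parses the posted `aaa authentication` / `aaa authorization` lines and the `line con 0` sub-commands, then reports, for each console function, which method list is in effect (the list bound on the line, else `default` if one is defined, else none) and which named lists are defined but never applied to the console. The posted config is embedded as constructed sample input (secrets, server definitions and accounting lines omitted). The "fixed" variant, which binds the ISE-TACACS lists under the console, is an assumption of what the suggested change looks like, not something the thread confirms was applied. It models only the console line and the named-list/default-list rule; vty lines are not considered.

```python
"""Added example (not from the thread): lint which AAA method lists are in
effect on the console for a Cisco IOS/IOS-XE style config snippet."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the relevant lines from the original post, secrets and
# server definitions omitted. Only the console line is modelled.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login CON local
aaa authentication login ISE-TACACS group ISE-servers local
aaa authentication enable default group ISE-servers enable
aaa authorization exec CON local
aaa authorization exec ISE-TACACS group ISE-servers local if-authenticated
aaa authorization commands 1 ISE-TACACS group ISE-servers local if-authenticated
aaa authorization commands 15 ISE-TACACS group ISE-servers local if-authenticated
aaa authorization config-commands
aaa authorization console
line con 0
 authorization exec CON
 login authentication CON
"""

# Assumed "fixed" variant: the ISE-TACACS lists bound under line con 0 for
# login, exec and command authorization (an assumption, not confirmed by the thread).
FIXED_CONFIG = POSTED_CONFIG.replace(
    " authorization exec CON\n login authentication CON\n",
    " authorization exec ISE-TACACS\n login authentication ISE-TACACS\n"
    " authorization commands 1 ISE-TACACS\n authorization commands 15 ISE-TACACS\n")

ListKey = Tuple[str, str, str]  # (kind, function, list name)

GLOBAL_RE = re.compile(
    r"aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+)\s*(.*)$")
CON_RE = re.compile(r"\s*(login authentication|authorization exec|authorization commands \d+) (\S+)$")
FLAG_LINES = {"aaa authorization console", "aaa authorization config-commands"}

# Console functions we report on: (kind, function) -> line sub-command key
CONSOLE_FUNCS = [("authentication", "login"), ("authorization", "exec"),
                 ("authorization", "commands 1"), ("authorization", "commands 15")]


def parse(config: str) -> Tuple[Dict[ListKey, List[str]], Set[str], Dict[str, str]]:
    """Return (defined method lists, global flags, lists bound under line con 0)."""
    lists: Dict[ListKey, List[str]] = {}
    flags: Set[str] = set()
    console: Dict[str, str] = {}
    in_con = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):           # top-level command
            in_con = line.startswith("line con")
            m = GLOBAL_RE.match(line)
            if m:
                kind, func, name, methods = m.groups()
                lists[(kind, func, name)] = methods.split()
            elif line in FLAG_LINES:
                flags.add(line)
        elif in_con:                            # sub-command of line con 0
            m = CON_RE.match(line)
            if m:
                console[m.group(1)] = m.group(2)
    return lists, flags, console


def effective_console_lists(config: str) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Map each console function to the list in effect (None = no list) plus warnings."""
    lists, flags, console = parse(config)
    result: Dict[str, Optional[str]] = {}
    warnings: List[str] = []
    for kind, func in CONSOLE_FUNCS:
        key = "login authentication" if kind == "authentication" else f"authorization {func}"
        if kind == "authorization" and "aaa authorization console" not in flags:
            result[key] = None  # without this flag the console skips authorization entirely
            warnings.append(f"{key}: 'aaa authorization console' missing, console authorization skipped")
            continue
        bound = console.get(key)
        if bound is not None and (kind, func, bound) not in lists:
            warnings.append(f"{key}: list '{bound}' bound on line con 0 but never defined")
            result[key] = None
        elif bound is not None:
            result[key] = bound
        elif (kind, func, "default") in lists:
            result[key] = "default"             # unbound functions fall back to default
        else:
            result[key] = None
    if "aaa authorization config-commands" in flags and result["authorization commands 15"] is None:
        warnings.append("config-commands authorization enabled but no 'commands 15' list is in effect on the console")
    for kind, func, name in lists:               # named lists never applied to the console
        if name != "default" and name not in console.values():
            warnings.append(f"aaa {kind} {func} {name}: defined but not applied to line con 0")
    return result, warnings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed (assumed)", FIXED_CONFIG)):
        effective, warns = effective_console_lists(cfg)
        print(f"== {label} ==")
        for key, name in effective.items():
            print(f"  {key:<28} -> {name or '(no list in effect)'}")
        for w in warns:
            print(f"  warning: {w}")
```

Run as-is, the posted config shows `CON` (local) in effect for login and exec authorization, no list in effect for `commands 1` / `commands 15`, and every ISE-TACACS list flagged as defined but not applied to the console; the assumed fixed variant shows ISE-TACACS for all four functions, with the now-unused CON lists flagged instead.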

Thanks @Flavio Miranda

For console access I'd like to use a local user, and I'm not too bothered about command authorisation as we only have a priv 15 user.
When I’m in the office tomorrow I’ll try what you suggested.

thanks