tclsh authorization failed

Hello,

I've got an issue executing a tclsh script.

router(tcl)#exec "ping 192.168.0.1 repeat 1 time 1"
Command authorization failed.

router(tcl)#show privilege
Current privilege level is 15
router(tcl)#exec "ping 192.168.0.1 repeat 1 time 1"
Command authorization failed.
router(tcl)#

Here is my aaa config:

aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

My image version is s72033-advipservicesk9_wan-mz.122-33.SXI3.bin.

Could you help me on this subject?

Regards,


Joe Clarke
Cisco Employee

What version of IOS is this?  This is most likely CSCsu65401.

Ugh, I just saw your image.  Sorry.  Yeah, this is the bug I mentioned, but I don't see it fixed in the SXI train.  I'll see about getting this fix integrated.

Hi Joseph,

Thanks for your answer.

Actually, I found some elements regarding bugs, but I was thinking it was related to authorization in the AAA configuration.

Regards,

No, the problem is the bug.  Another customer is reporting the same thing on SXI.  A workaround would be to use the Embedded Event Manager's Tcl interface, and configure "event manager session cli username USER" (where USER is a username authorized to run all of the commands).  It's a bit trickier to execute CLI commands using EEM Tcl, but it will work for you.  For example:

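::cisco::eem::event_register_none

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Open a CLI session (authorized as the user set with "event manager session cli username USER")
if { [catch {cli_open} result] } {
    error $result $errorInfo
}
array set cli $result

# Enter privileged EXEC mode, then run the command and print its output
cli_exec $cli(fd) "enable"
set output [cli_exec $cli(fd) "ping 192.168.1.1 repeat 1"]
puts $output

# Close the CLI session; ignore any error on close
catch {cli_close $cli(fd) $cli(tty_id)}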