11-09-2021 12:41 AM - edited 11-09-2021 01:45 AM
Hello,
I'm trying to configure authentication/authorization (commands) on my network devices through Cisco ACS. Authentication works fine, but there are some problems with authorization of commands. This problem occurs only with the WS-C3560G-24TS switch; other devices do authorization fine. What can the problem be?
11-09-2021 12:47 AM
11-09-2021 01:52 AM
001444: Nov 9 09:50:44.121: AAA/BIND(00000029): Bind i/f
001445: Nov 9 09:50:44.121: TPLUS: Queuing AAA Authentication request 41 for processing
001446: Nov 9 09:50:44.121: TPLUS: processing authentication start request id 41
001447: Nov 9 09:50:44.121: TPLUS: Authentication start packet created for 41(*user)
001448: Nov 9 09:50:44.121: TPLUS: Using server 192.168.1.15
001449: Nov 9 09:50:44.121: TPLUS(00000029)/0/NB_WAIT/57FD2E4: Started 5 sec timeout
001450: Nov 9 09:50:44.121: TPLUS(00000029)/0/NB_WAIT: socket event 2
001451: Nov 9 09:50:44.121: TPLUS(00000029)/0/NB_WAIT: wrote entire 52 bytes request
DIST2_FLOOR_15#
001452: Nov 9 09:50:44.121: TPLUS(00000029)/0/READ: socket event 1
001453: Nov 9 09:50:44.121: TPLUS(00000029)/0/READ: Would block while reading
001454: Nov 9 09:50:44.130: TPLUS(00000029)/0/READ: socket event 1
001455: Nov 9 09:50:44.130: TPLUS(00000029)/0/READ: read entire 12 header bytes (expect 16 bytes data)
001456: Nov 9 09:50:44.130: TPLUS(00000029)/0/READ: socket event 1
001457: Nov 9 09:50:44.130: TPLUS(00000029)/0/READ: read entire 28 bytes response
001458: Nov 9 09:50:44.130: TPLUS(00000029)/0/57FD2E4: Processing the reply packet
001459: Nov 9 09:50:44.130: TPLUS: Received authen response status GET_PASSWORD (8)
DIST2_FLOOR_15#
001460: Nov 9 09:50:47.787: TPLUS: Queuing AAA Authentication request 41 for processing
001461: Nov 9 09:50:47.787: TPLUS: processing authentication continue request id 41
001462: Nov 9 09:50:47.787: TPLUS: Authentication continue packet generated for 41
001463: Nov 9 09:50:47.787: TPLUS(00000029)/0/WRITE/40B1F10: Started 5 sec timeout
001464: Nov 9 09:50:47.787: TPLUS(00000029)/0/WRITE: wrote entire 31 bytes request
001465: Nov 9 09:50:47.812: TPLUS(00000029)/0/READ: socket event 1
001466: Nov 9 09:50:47.812: TPLUS(00000029)/0/READ: read entire 12 header bytes (expect 6 bytes data)
001467: Nov 9 09:50:47.812: TPLUS(00000029)/0/READ: socket event 1
DIST2_FLOOR_15#
001468: Nov 9 09:50:47.812: TPLUS(00000029)/0/READ: read entire 18 bytes response
001469: Nov 9 09:50:47.812: TPLUS(00000029)/0/40B1F10: Processing the reply packet
001470: Nov 9 09:50:47.812: TPLUS: Received authen response status PASS (2)
DIST2_FLOOR_15#
001471: Nov 9 13:50:52 GMT+4: %SSH-5-SSH2_USERAUTH: User '*user' authentication for SSH2 Session from 192.168.1.10 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
001472: Nov 9 09:50:52.820: AAA/AUTHOR (0x29): Pick method list 'VTY'
001473: Nov 9 09:50:52.820: TPLUS: Queuing AAA Authorization request 41 for processing
001474: Nov 9 09:50:52.820: TPLUS: processing authorization request id 41
001475: Nov 9 09:50:52.829: TPLUS: Protocol set to None .....Skipping
001476: Nov 9 09:50:52.829: TPLUS: Sending AV service=shell
001477: Nov 9 09:50:52.829: TPLUS: Sending AV cmd*
001478: Nov 9 09:50:52.829: TPLUS: Authorization request created for 41(*user)
001479: Nov 9 09:50:52.829: TPLUS: using previously set server 192.168.1.15 from group TACACS_GROUP
001480: Nov 9 09:50:52.829: TPLUS(00000029)/0/NB_WAIT/40B1D88: Started 5 sec timeout
001481: Nov 9 09:50:52.829: TPLUS(00000029)/0/NB_WAIT: socket event 2
001482: Nov 9 09:50:52.829: TPLUS(00000029)/0/NB_WAIT: wrote entire 71 bytes request
001483: Nov 9 09:50:52.829: TPLUS(00000029)/0/READ: socket event 1
001484: Nov 9 09:50:52.829: TPLUS(00000029)/0/READ: Would block while reading
001485: Nov 9 09:50:52.837: TPLUS(00000029)/0/READ: socket event 1
001486: Nov 9 09:50:52.837: TPLUS(00000029)/0/READ: read entire 12 header bytes (expect 18 bytes data)
001487: Nov 9 09:50:52.837: TPLUS(00000029)/0/READ: socket event 1
001488: Nov 9 09:50:52.837: TPLUS(00000029)/0/READ: read entire 30 bytes response
001489: Nov 9 09:50:52.837: TPLUS(00000029)/0/40B1D88: Processing the reply packet
001490: Nov 9 09:50:52.837: TPLUS: Processed AV priv-lvl=15
001491: Nov 9 09:50:52.837: TPLUS: received authorization response for 41: PASS
001492: Nov 9 09:50:52.837: AAA/AUTHOR/EXEC(00000029): processing AV cmd=
001493: Nov 9 09:50:52.837: AAA/AUTHOR/EXEC(00000029): processing AV priv-lvl=15
001494: Nov 9 09:50:52.837: AAA/AUTHOR/EXEC(00000029): Authorization successful
001495: Nov 9 09:50:52.837: TPLUS: Queuing AAA Accounting request 41 for processing
001496: Nov 9 09:50:52.845: TPLUS: processing accounting request id 41
001497: Nov 9 09:50:52.845: TPLUS: Sending AV task_id=50
001498: Nov 9 09:50:52.845: TPLUS: Sending AV timezone=GMT+4
001499: Nov 9 09:50:52.845: TPLUS: Sending AV service=shell
001500: Nov 9 09:50:52.845: TPLUS: Sending AV start_time=1636451452
001501: Nov 9 09:50:52.845: TPLUS: Accounting request created for 41(*user)
001502: Nov 9 09:50:52.845: TPLUS: using previously set server 192.168.1.15 from group TACACS_GROUP
001503: Nov 9 09:50:52.845: TPLUS(00000029)/0/NB_WAIT/4846B30: Started 5 sec timeout
001504: Nov 9 09:50:52.845: TPLUS(00000029)/0/NB_WAIT: socket event 2
001505: Nov 9 09:50:52.845: TPLUS(00000029)/0/NB_WAIT: wrote entire 115 bytes request
001506: Nov 9 09:50:52.845: TPLUS(00000029)/0/READ: socket event 1
001507: Nov 9 09:50:52.845: TPLUS(00000029)/0/READ: Would block while reading
001508: Nov 9 09:50:52.854: TPLUS(00000029)/0/READ: socket event 1
001509: Nov 9 09:50:52.854: TPLUS(00000029)/0/READ: read entire 12 header bytes (expect 5 bytes data)
001510: Nov 9 09:50:52.854: TPLUS(00000029)/0/READ: socket event 1
001511: Nov 9 09:50:52.854: TPLUS(00000029)/0/READ: read entire 17 bytes response
001512: Nov 9 09:50:52.854: TPLUS(00000029)/0/4846B30: Processing the reply packet
DIST2_FLOOR_15#
001513: Nov 9 09:50:52.854: TPLUS: Received accounting response with status PASS
DIST2_FLOOR_15#
001514: Nov 9 09:50:55.932: AAA: parse name=tty2 idb type=-1 tty=-1
001515: Nov 9 09:50:55.941: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
001516: Nov 9 09:50:55.941: AAA/MEMORY: create_user (0x40B1D88) user='*user' ruser='DIST2_FLOOR_15' ds0=0 port='tty2' rem_addr='192.168.1.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
001517: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): Port='tty2' list='' service=CMD
001518: Nov 9 09:50:55.941: AAA/AUTHOR/CMD: tty2 (2225448978) user='*user'
001519: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV service=shell
001520: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV cmd=configure
001521: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV cmd-arg=terminal
001522: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV cmd-arg=<cr>
001523: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): found list "default"
001524: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): Method=TACACS_GROUP (tacacs+)
001525: Nov 9 09:50:55.941: AAA/AUTHOR/TAC+: (2225448978): user=*user
001526: Nov 9 09:50:55.941: AAA/AUTHOR/TAC+: (2225448978): send AV service=shell
001527: Nov 9 09:50:55.941: AAA/AUTHOR/TAC+: (2225448978): send AV cmd=configure
001528: Nov 9 09:50:55.941: AAA/AUTHOR/TAC+: (2225448978): send AV cmd-arg=terminal
001529: Nov 9 09:50:55.941: AAA/AUTHOR/TAC+: (2225448978): send AV cmd-arg=<cr>
001530: Nov 9 09:50:55.941: TAC+: using previously set server 192.168.1.15 from group TACACS_GROUP
001531: Nov 9 09:50:55.941: TAC+: Opening TCP/IP to 192.168.1.15/49 timeout=5
001532: Nov 9 09:50:55.941: TAC+: Opened TCP/IP handle 0x57FEB1C to 192.168.1.15/49 using source 192.168.250.152
001533: Nov 9 09:50:55.941: TAC+: Opened 192.168.1.15 index=1
001534: Nov 9 09:50:55.941: TAC+: 192.168.1.15 -- request for nonexistent server
001535: Nov 9 09:50:55.941: TAC+: Closing TCP/IP 0x57FEB1C connection to 192.168.1.15/49
001536: Nov 9 09:50:55.949: TAC+: Using default tacacs server-group "TACACS_GROUP" list.
001537: Nov 9 09:50:55.949: AAA/AUTHOR (2225448978): Post authorization status = ERROR
001538: Nov 9 09:50:55.949: tty2 AAA/AUTHOR/CMD (2225448978): Method=IF_AUTHEN
001539: Nov 9 09:50:55.949: AAA/AUTHOR (2225448978): Post authorization status = PASS_ADD
001540: Nov 9 09:50:55.949: AAA/MEMORY: free_user (0x40B1D88) user='*user' ruser='DIST2_FLOOR_15' port='tty2' rem_addr='192.168.1.10' authen_type=ASCII service=NONE priv=15
001541: Nov 9 09:50:55.949: TPLUS: Queuing AAA Accounting request 41 for processing
001542: Nov 9 09:50:55.949: TPLUS: processing accounting request id 41
001543: Nov 9 09:50:55.949: TPLUS: Sending AV task_id=50
001544: Nov 9 09:50:55.949: TPLUS: Sending AV timezone=GMT+4
001545: Nov 9 09:50:55.949: TPLUS: Sending AV service=shell
001546: Nov 9 09:50:55.949: TPLUS: Sending AV start_time=1636451455
001547: Nov 9 09:50:55.949: TPLUS: Sending AV priv-lvl=15
001548: Nov 9 09:50:55.949: TPLUS: Sending AV cmd=configure terminal <cr>
001549: Nov 9 09:50:55.949: TPLUS: Accounting request created for 41(*user)
001550: Nov 9 09:50:55.949: TPLUS: using previously set server 192.168.1.15 from group TACACS_GROUP
001551: Nov 9 09:50:55.958: TPLUS(00000029)/0/NB_WAIT/5660F24: Started 5 sec timeout
001552: Nov 9 09:50:55.958: TPLUS(00000029)/0/NB_WAIT: socket event 2
001553: Nov 9 09:50:55.958: TPLUS(00000029)/0/NB_WAIT: wrote entire 155 bytes request
001554: Nov 9 09:50:55.958: TPLUS(00000029)/0/READ: socket event 1
001555: Nov 9 09:50:55.958: TPLUS(00000029)/0/READ: Would block while reading
001556: Nov 9 09:50:55.958: TPLUS(00000029)/0/READ: socket event 1
001557: Nov 9 09:50:55.958: TPLUS(00000029)/0/READ: read entire 12 header bytes (expect 5 bytes data)
DIST2_FLOOR_15#
001558: Nov 9 09:50:55.958: TPLUS(00000029)/0/READ: socket event 1
001559: Nov 9 09:50:55.958: TPLUS(00000029)/0/READ: read entire 17 bytes response
001560: Nov 9 09:50:55.958: TPLUS(00000029)/0/5660F24: Processing the reply packet
001561: Nov 9 09:50:55.958: TPLUS: Received accounting response with status PASS
DIST2_FLOOR_15#
001562: Nov 9 09:50:57.744: AAA: parse name=tty2 idb type=-1 tty=-1
001563: Nov 9 09:50:57.744: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
001564: Nov 9 09:50:57.744: AAA/MEMORY: create_user (0x5660F78) user='*user' ruser='DIST2_FLOOR_15' ds0=0 port='tty2' rem_addr='192.168.1.10' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
001565: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): Port='tty2' list='' service=CMD
001566: Nov 9 09:50:57.744: AAA/AUTHOR/CMD: tty2 (2762009832) user='*user'
001567: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV service=shell
001568: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd=interface
001569: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd-arg=GigabitEthernet
001570: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd-arg=0/1
001571: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd-arg=<cr>
001572: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): found list "default"
001573: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): Method=TACACS_GROUP (tacacs+)
001574: Nov 9 09:50:57.744: AAA/AUTHOR/TAC+: (2762009832): user=*user
001575: Nov 9 09:50:57.744: AAA/AUTHOR/TAC+: (2762009832): send AV service=shell
001576: Nov 9 09:50:57.744: AAA/AUTHOR/TAC+: (2762009832): send AV cmd=interface
001577: Nov 9 09:50:57.744: AAA/AUTHOR/TAC+: (2762009832): send AV cmd-arg=GigabitEthernet
001578: Nov 9 09:50:57.744: AAA/AUTHOR/TAC+: (2762009832): send AV cmd-arg=0/1
001579: Nov 9 09:50:57.744: AAA/AUTHOR/TAC+: (2762009832): send AV cmd-arg=<cr>
001580: Nov 9 09:50:57.744: TAC+: using previously set server 192.168.1.15 from group TACACS_GROUP
001581: Nov 9 09:50:57.744: TAC+: Opening TCP/IP to 192.168.1.15/49 timeout=5
001582: Nov 9 09:50:57.753: TAC+: Opened TCP/IP handle 0x57FEFD8 to 192.168.1.15/49 using source 192.168.250.152
001583: Nov 9 09:50:57.753: TAC+: Opened 192.168.1.15 index=1
001584: Nov 9 09:50:57.753: TAC+: 192.168.1.15 -- request for nonexistent server
001585: Nov 9 09:50:57.753: TAC+: Closing TCP/IP 0x57FEFD8 connection to 192.168.1.15/49
001586: Nov 9 09:50:57.753: TAC+: Using default tacacs server-group "TACACS_GROUP" list.
001587: Nov 9 09:50:57.753: AAA/AUTHOR (2762009832): Post authorization status = ERROR
001588: Nov 9 09:50:57.753: tty2 AAA/AUTHOR/CMD (2762009832): Method=IF_AUTHEN
001589: Nov 9 09:50:57.753: AAA/AUTHOR (2762009832): Post authorization status = PASS_ADD
001590: Nov 9 09:50:57.753: AAA/MEMORY: free_user (0x5660F78) user='*user' ruser='DIST2_FLOOR_15' port='tty2' rem_addr='192.168.1.10' authen_type=ASCII service=NONE priv=15
001591: Nov 9 09:50:57.753: TPLUS: Queuing AAA Accounting request 41 for processing
001592: Nov 9 09:50:57.761: TPLUS: processing accounting request id 41
001593: Nov 9 09:50:57.761: TPLUS: Sending AV task_id=51
001594: Nov 9 09:50:57.761: TPLUS: Sending AV timezone=GMT+4
001595: Nov 9 09:50:57.761: TPLUS: Sending AV service=shell
001596: Nov 9 09:50:57.761: TPLUS: Sending AV start_time=1636451457
001597: Nov 9 09:50:57.761: TPLUS: Sending AV priv-lvl=15
001598: Nov 9 09:50:57.761: TPLUS: Sending AV cmd=interface GigabitEthernet 0/1 <cr>
001599: Nov 9 09:50:57.761: TPLUS: Accounting request created for 41(*user)
001600: Nov 9 09:50:57.761: TPLUS: using previously set server 192.168.1.15 from group TACACS_GROUP
001601: Nov 9 09:50:57.761: TPLUS(00000029)/0/NB_WAIT/40B1E6C: Started 5 sec timeout
001602: Nov 9 09:50:57.761: TPLUS(00000029)/0/NB_WAIT: socket event 2
001603: Nov 9 09:50:57.761: TPLUS(00000029)/0/NB_WAIT: wrote entire 166 bytes request
001604: Nov 9 09:50:57.761: TPLUS(00000029)/0/READ: socket event 1
DIST2_FLOOR_15#
001605: Nov 9 09:50:57.761: TPLUS(00000029)/0/READ: Would block while reading
001606: Nov 9 09:50:57.761: TPLUS(00000029)/0/READ: socket event 1
001607: Nov 9 09:50:57.761: TPLUS(00000029)/0/READ: read entire 12 header bytes (expect 5 bytes data)
001608: Nov 9 09:50:57.761: TPLUS(00000029)/0/READ: socket event 1
001609: Nov 9 09:50:57.761: TPLUS(00000029)/0/READ: read entire 17 bytes response
001610: Nov 9 09:50:57.761: TPLUS(00000029)/0/40B1E6C: Processing the reply packet
001611: Nov 9 09:50:57.761: TPLUS: Received accounting response with status PASS
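The debug output above shows two different outcomes for the same TACACS+ server: the exec authorization goes through the TPLUS path and returns PASS with priv-lvl=15, while each per-command authorization (configure terminal, interface GigabitEthernet 0/1) goes through the TAC+ path, logs "request for nonexistent server", returns ERROR, and is then permitted by Method=IF_AUTHEN, the `if-authenticated` fallback from the command authorization method lists. The practical risk is that the ACS command set is never consulted for those commands; the switch lets them run because the user is logged in. The following script is an added example, not code from the thread or from Cisco, that walks `debug aaa authorization` lines and reports, per request id, the command, the chain of methods and statuses, any TAC+ transport error, and a verdict that separates a server-side PERMIT from a FAIL-OPEN permit via if-authenticated. The sample lines are abridged copies of the debug output posted above; request id 1111111111 and its `show running-config` lines are constructed as a contrast case and are not from the thread.

```python
"""Walk Cisco IOS 'debug aaa authorization' output and flag command
authorizations the TACACS+ server never answered but the switch permitted
anyway through the if-authenticated fallback (Method=IF_AUTHEN)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Requests 2225448978 and 2762009832 are abridged from the debug output posted in
# the thread; request 1111111111 is a CONSTRUCTED contrast case in which the
# TACACS+ server itself answers PASS_ADD.
SAMPLE_DEBUG = """\
001518: Nov 9 09:50:55.941: AAA/AUTHOR/CMD: tty2 (2225448978) user='*user'
001520: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV cmd=configure
001521: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV cmd-arg=terminal
001522: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): send AV cmd-arg=<cr>
001524: Nov 9 09:50:55.941: tty2 AAA/AUTHOR/CMD (2225448978): Method=TACACS_GROUP (tacacs+)
001534: Nov 9 09:50:55.941: TAC+: 192.168.1.15 -- request for nonexistent server
001537: Nov 9 09:50:55.949: AAA/AUTHOR (2225448978): Post authorization status = ERROR
001538: Nov 9 09:50:55.949: tty2 AAA/AUTHOR/CMD (2225448978): Method=IF_AUTHEN
001539: Nov 9 09:50:55.949: AAA/AUTHOR (2225448978): Post authorization status = PASS_ADD
001566: Nov 9 09:50:57.744: AAA/AUTHOR/CMD: tty2 (2762009832) user='*user'
001568: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd=interface
001569: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd-arg=GigabitEthernet
001570: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd-arg=0/1
001571: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): send AV cmd-arg=<cr>
001573: Nov 9 09:50:57.744: tty2 AAA/AUTHOR/CMD (2762009832): Method=TACACS_GROUP (tacacs+)
001584: Nov 9 09:50:57.753: TAC+: 192.168.1.15 -- request for nonexistent server
001587: Nov 9 09:50:57.753: AAA/AUTHOR (2762009832): Post authorization status = ERROR
001588: Nov 9 09:50:57.753: tty2 AAA/AUTHOR/CMD (2762009832): Method=IF_AUTHEN
001589: Nov 9 09:50:57.753: AAA/AUTHOR (2762009832): Post authorization status = PASS_ADD
000001: Nov 9 09:51:10.000: AAA/AUTHOR/CMD: tty2 (1111111111) user='*user'
000002: Nov 9 09:51:10.000: tty2 AAA/AUTHOR/CMD (1111111111): send AV cmd=show
000003: Nov 9 09:51:10.000: tty2 AAA/AUTHOR/CMD (1111111111): send AV cmd-arg=running-config
000004: Nov 9 09:51:10.000: tty2 AAA/AUTHOR/CMD (1111111111): send AV cmd-arg=<cr>
000005: Nov 9 09:51:10.000: tty2 AAA/AUTHOR/CMD (1111111111): Method=TACACS_GROUP (tacacs+)
000006: Nov 9 09:51:10.010: AAA/AUTHOR (1111111111): Post authorization status = PASS_ADD
"""

USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
CMD_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): (.*)$")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
SERVER_RE = re.compile(r"TAC\+: (\S+ -- .*)$")      # transport-level error lines, no request id
AV_RE = re.compile(r"send AV cmd(?:-arg)?=(.*)$")
METHOD_RE = re.compile(r"Method=(\S+)")


@dataclass
class CmdAuthz:
    req_id: str
    user: str = "?"
    tokens: List[str] = field(default_factory=list)    # cmd and cmd-arg AVs, in order
    methods: List[str] = field(default_factory=list)   # methods tried, in order
    statuses: List[str] = field(default_factory=list)  # status returned after each method
    server_errors: List[str] = field(default_factory=list)

    @property
    def command(self) -> str:
        return " ".join(t for t in self.tokens if t != "<cr>")

    @property
    def verdict(self) -> str:
        if not self.statuses:
            return "UNKNOWN"
        final = self.statuses[-1]
        if final.startswith("PASS"):
            # IF_AUTHEN means the switch permitted the command because the user is
            # authenticated, not because the TACACS+ server evaluated its command set.
            return "FAIL-OPEN" if self.methods and self.methods[-1] == "IF_AUTHEN" else "PERMIT"
        return "DENY" if final == "FAIL" else "UNKNOWN"


def parse_cmd_authorizations(text: str) -> Dict[str, CmdAuthz]:
    """Group debug lines by authorization request id, in first-seen order."""
    reqs: Dict[str, CmdAuthz] = {}
    current: Optional[CmdAuthz] = None  # TAC+ lines carry no id; attach to the last request seen
    for line in text.splitlines():
        if m := USER_RE.search(line):
            current = reqs.setdefault(m.group(1), CmdAuthz(m.group(1)))
            current.user = m.group(2)
        elif m := CMD_RE.search(line):
            current = reqs.setdefault(m.group(1), CmdAuthz(m.group(1)))
            if av := AV_RE.search(m.group(2)):
                current.tokens.append(av.group(1))
            elif meth := METHOD_RE.search(m.group(2)):
                current.methods.append(meth.group(1))
        elif m := STATUS_RE.search(line):
            reqs.setdefault(m.group(1), CmdAuthz(m.group(1))).statuses.append(m.group(2))
        elif (m := SERVER_RE.search(line)) and current is not None:
            current.server_errors.append(m.group(1))
    return reqs


def fail_open_commands(text: str) -> List[str]:
    """Commands that ran with no server decision: the list a defender wants alerted on."""
    return [a.command for a in parse_cmd_authorizations(text).values() if a.verdict == "FAIL-OPEN"]


if __name__ == "__main__":
    for a in parse_cmd_authorizations(SAMPLE_DEBUG).values():
        chain = " -> ".join(f"{m}:{s}" for m, s in zip(a.methods, a.statuses))
        errs = f"  [{'; '.join(a.server_errors)}]" if a.server_errors else ""
        print(f"{a.verdict:9} {a.user:8} {a.command!r:34} {chain}{errs}")
```

Run against the posted debug, both configuration commands come out as FAIL-OPEN with the TAC+ "request for nonexistent server" error attached, while the constructed `show running-config` request comes out as PERMIT. The same parser can be pointed at a syslog export of the debug to audit how often `if-authenticated` is deciding commands instead of the server.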
11-09-2021 04:08 AM
01586: Nov 9 09:50:57.753: TAC+: Using default tacacs server-group "TACACS_GROUP" list.
001587: Nov 9 09:50:57.753: AAA/AUTHOR (2762009832): Post authorization status = ERROR
001588: Nov 9 09:50:57.753: tty2 AAA/AUTHOR/CMD (2762009832): Method=IF_AUTHEN
What is your config on the switch side, and what kind of Authorisation profile have you configured on ACS?
11-09-2021 06:15 AM
There is a configured profile which grants privilege level 15 and a command set (deny some commands, permit all others).
11-09-2021 04:23 AM
11-09-2021 06:13 AM
Configuration on the switch:
aaa group server tacacs+ TACACS_GROUP
server-private 192.168.1.15 key Password
ip tacacs source-interface Vlan250
!
aaa authentication login VTY group TACACS_GROUP local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group TACACS_GROUP local
aaa authorization exec CONSOLE local
aaa authorization commands 1 default group TACACS_GROUP if-authenticated
aaa authorization commands 15 default group TACACS_GROUP if-authenticated
aaa accounting update newinfo
aaa accounting exec VTY start-stop group TACACS_GROUP
aaa accounting commands 1 TACACS_PRIV_1 start-stop group TACACS_GROUP
aaa accounting commands 15 TACACS_PRIV_15 start-stop group TACACS_GROUP
line vty 0 4
 access-class SSH in
 exec-timeout 15 0
 authorization exec VTY
 accounting commands 1 TACACS_PRIV_1
 accounting commands 15 TACACS_PRIV_15
 accounting exec VTY
 logging synchronous
 login authentication VTY
 transport input ssh
11-09-2021 06:42 AM
11-09-2021 07:32 AM - edited 11-09-2021 07:32 AM
I have changed the config, but it is the same situation.