
Getting error Authorization Failed when trying to login via console

aaa new-model
aaa local authentication attempts max-fail 6
aaa group server tacacs+ ISE_GROUP
 server name TACACS_ISE_SP
 server name TACACS_ISE_PD
 server name TACACS_ISE_PR
 server name TACACS_ISE_PUNE
aaa authentication fail-message ^CCCCCCCCCCCLogin attempt failed^C
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa accounting exec default start-stop group ISE_GROUP
aaa accounting commands 0 AAA start-stop group ISE_GROUP
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 1 AAA start-stop group ISE_GROUP
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 AAA start-stop group ISE_GROUP
aaa accounting connection default start-stop group ISE_GROUP
aaa accounting system default start-stop group tacacs+
aaa common-criteria policy POLICY
 min-length 12
 max-length 25
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 3
 lifetime month 3
aaa session-id common

 

line con 0
 session-timeout 15
 exec-timeout 5 0
 timeout login response 300
 login authentication no_tacacs
 stopbits 1

 

Kindly help

Accepted Solutions

Human Error

The console cable was connected to the standby switch in the stack. When I moved the cable to the active one, it worked. No configuration changes were made. Thanks all for your support.

6 Replies

You also need to add exec local for the console, under the console line:

authorization exec <method>

and globally:

aaa authorization exec <method> local

MHM

A named list, when applied to the console line, should override the default list, but it is not working.

no_tacacs <- this is the method list you use for authc; use the same one for authz of exec.

MHM

We did a debug today on the switch and observed that the remote address was 192.168.1.5. Does anybody have any idea why it is using that? Instead it should use the command configured below:

ip source-interface tacas vlan 199

The VLAN 199 IP address is 172.27.0.102.

For the IP, it must use VLAN 199, not another IP.
For the authz failure:

aaa authorization exec default group tacacs+ local

This authz must now be used for the console: if you don't modify the method list, the console uses the default list.
This makes the device check TACACS for the user's privilege, and if TACACS is down it falls back to LOCAL. For LOCAL you need to specify the privilege for the user saved in the local DB.

NOTE: if TACACS doesn't have the user's access to the console then it will not reply to the authz request, so did you add the same username and password in both local and TACACS?

https://lostintransit.se/2021/01/16/aaa-deep-dive-on-cisco-devices/

MHM
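
The rule described in the reply above (a line with no method list of its own uses the list named "default") can be checked mechanically. The script below is an added example, not part of the original thread or any Cisco tool: it reads an IOS-style configuration and reports which login authentication and exec authorization lists each line ends up with. The function name `audit_lines`, the `mismatch` flag and the `line vty 0 4` block in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed from the configuration posted in this thread,
# plus a hypothetical "line vty 0 4" block added for contrast.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication login AAA group ISE_GROUP local
aaa authorization exec default group tacacs+ local
aaa authorization exec AAA group ISE_GROUP local
line con 0
exec-timeout 5 0
login authentication no_tacacs
line vty 0 4
login authentication AAA
authorization exec AAA
"""

KINDS = ("authentication login", "authorization exec")
AAA_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
USE_RE = re.compile(r"^(login authentication|authorization exec) (\S+)$")

def audit_lines(config):
    """Return {line: {kind: (list_name, methods), 'mismatch': bool}}."""
    defined = {kind: {} for kind in KINDS}   # method lists from "aaa ..." commands
    applied, current = {}, None              # lists named under each "line ..." block
    for text in (raw.strip() for raw in config.splitlines()):
        aaa, use = AAA_RE.match(text), USE_RE.match(text)
        if aaa:
            defined[aaa.group(1)][aaa.group(2)] = aaa.group(3).split()
            current = None
        elif text.startswith("line "):
            current = applied.setdefault(text[5:], {})
        elif use and current is not None:
            kind = KINDS[0] if use.group(1).startswith("login") else KINDS[1]
            current[kind] = use.group(2)
    report = {}
    for line, used in applied.items():
        # A line with no list of its own falls back to the list named "default".
        row = {k: (used.get(k, "default"), defined[k].get(used.get(k, "default"))) for k in KINDS}
        # Flag: login uses a named list while exec authorization is still "default".
        row["mismatch"] = (row[KINDS[0]][0] != "default"
                           and row[KINDS[1]][0] == "default"
                           and "default" in defined[KINDS[1]])
        report[line] = row
    return report

if __name__ == "__main__":
    for line, row in audit_lines(SAMPLE_CONFIG).items():
        print(line, row)
```
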
