ASA: Command authorization failed-ACS4.2

raza555 · ‎02-19-2015

Hi,

I have configure the ASA with AAA. It was doing the AAA authentication but as soon I have enter the command “aaa authorization command TACACS+ LOCAL”, I am able to login, but unable to run “show run, conf t, ping” commands. When I enter these commands I am getting below error messages. Attached are the ACS 4.2 configurations screen shoots.

Error Message:

ciscoasa(config)# ping 192.168.56.1

Command authorization failed

ciscoasa(config)#

ciscoasa(config)# conf t

Command authorization failed

ciscoasa(config)# sh run

Command authorization failed

ciscoasa(config)#

Below is the AAA configuration on the ASA.

username user1 password user123 privilege 15

enable secret password2

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 192.168.56.10

timeout 6

key Abc123#

aaa authentication http console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

!

aaa authorization command TACACS+ LOCAL when I have configure this command, I start getting error message that “Command Authorization Failed”

!

aaa accounting enable console TACACS+

aaa accounting ssh console TACACS+

Please advise that how I can now resolve this issue.

Thanks

netbeginner · ‎11-13-2015

Hello Rizwan,

We are also facing the exact issue on ASA (configured with Active Passive mode).

AAA commands on our ASA is (as per backup configuration), as of now we are able to logged into ASA but unable to run any command.

aaa authentication enable console ACS LOCAL

aaa authentication http console ACS LOCAL

aaa authentication ssh console ACS LOCAL

aaa authorization command ACS

aaa accounting enable console ACS

aaa accounting ssh console ACS

aaa accounting command ACS

Requesting to pls share , what you have did to overcome the problem.

Rgds

****