Help with tacacs+ Nexus 9k Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)

awsalazar90
Level 1

Hello, could someone help me? I was setting up TACACS+ on a Cisco Nexus9000 C93120TX, and when I ran the command:


aaa authorization commands console group GROUP-ACS


it left me without read and write privileges.
Before that command I had configured the following:


tacacs-server host xxxxx
tacacs-server host xxxxx
tacacs-server timeout 3
tacacs-server directed-request
aaa group server tacacs+ GROUP-ACS
    server xxxx
    server xxxx
aaa authentication login default group GROUP-ACS
aaa authentication login console group GROUP-ACS
aaa authorization config-commands default group GROUP-ACS
aaa authorization commands default group GROUP-ACS
aaa accounting default group GROUP-ACS


I already tried connecting by console, but it does not let me perform any action. Is there any way to revert the command authorization?


awsalazar90
Level 1
What I think is missing is the "tacacs-server key"; however, since I cannot execute any command, I cannot enter any configuration. Any idea that can help me, one that does not involve resetting the switch? I would appreciate it very much.

Francesco Molino
VIP Alumni
Hi

To revert the config and get console access for applying the config, the only way would be to make sure this switch can't communicate with your TACACS server. This can be achieved in 2 ways:
- Remove the switch as a NAD from your TACACS server
- Or remove the ethernet cable so the switch cannot communicate with the server.

Then, the authentication will be done locally with your privilege 15 user and you will be able to change the config.
Hope that helps

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you very much for the answer, Francesco. Could you tell me what NAD means, so I can request it from the administrator of the TACACS server?
Additionally, according to the configuration, I understand that there must be communication with the TACACS servers, but does not having the tacacs-server key command mean that there is no communication with the TACACS server, or does it mean that there is communication but it is not granting privileges?

NAD = Network Access Device
This is the term used on the TACACS server to add/remove a device that's allowed to authenticate with your server.
Not having the tacacs-server key doesn't mean that the server is unreachable.
To be sure you get access, the best way is to remove the network cable to make sure the TACACS server isn't reachable; then the Nexus will fall back to your local user role.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, I blocked the traffic to the TACACS servers with an ACL on the router where the switch is connected; however, despite cutting off communication with the TACACS servers, the same problem still occurs. Any other idea or security hole that allows me to execute commands without having to restart the switch?
I do not know if it is a bug, because when I connect locally with the user that has the network-admin role, I still cannot execute any command.

username admin password 5 xxxxxxxxxx role network-admin

Ok weird.
When you're in console and you get authorization failed, what are the logs you see in your tacacs server?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco, I think the problem is local, because when I cut communication with the TACACS server, I still could not get read or write privileges with the local user. As for the TACACS server, it is administered by another person and it is a bit difficult to contact him.
Additionally, the "tacacs-server key" command is missing from the Nexus; I wanted to ask whether it is technically possible to remove the key from the TACACS server and see if the switch can authenticate. Francesco, you will know if this is possible; thank you for your response.

Hi
If you remove the key on the TACACS side it won't help, as you said you've already isolated the Nexus from the TACACS server.

Does the Nexus reach the TACACS server through an interface in the global routing table or in the management VRF?

Usually, if TACACS is no longer reachable, you have a local fallback; in your case that is not happening. I recommend checking with the TACACS admin to validate whether he sees requests coming in for command authorization.

Otherwise there is no choice but to reload the box, if you've not saved the config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, I'm having the same issue at the moment; has this been solved? I changed the IP on the ACS appliance as well as the key for the device, but even using local creds, it still thinks that it's communicating.

Weird thing: it will fail AAA AUTHOR a few times, then suddenly it works, but no matter what I do, I constantly get permission denied once in config mode:

RTRRTR-RnD# sh run | sec tacacs
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
RTRRTR-RnD# sh run | sec tacacs
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
RTRRTR-RnD# sh run | sec tacacs
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
RTRRTR-RnD# sh run | sec tacacs
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
RTRRTR-RnD# sh run | sec tacacs
feature tacacs+
tacacs-server key 7 "ixxxxxxx0"
ip tacacs source-interface loopback0
tacacs-server timeout 1
tacacs-server host 172.1x.x.x0  
tacacs-server host 172.1x.x.1x  
aaa group server tacacs+ TACACS
    server 172.1x.x.x0
    server 172.1x.x.1x
    source-interface loopback0
tacacs-server directed-request
RTRRTR-RnD# conf t
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
RTRRTR-RnD# conf t
Enter configuration commands, one per line. End with CNTL/Z.
RTRRTR-RnD(config)# tacacs-server timeout 2
% Permission denied for the role
RTRRTR-RnD(config)# tacacs-server timeout 2
% Permission denied for the role
RTRRTR-RnD(config)# tacacs-server timeout 2
% Permission denied for the role

Software
  BIOS: version 07.51 [last: 07.17]
  NXOS: version 7.0(3)I1(3b)
  BIOS compile time:  02/15/2016 [last: 09/10/2014]
  NXOS image file is: bootflash:///n9000-dk9.7.0.3.I1.3b.bin
  NXOS compile time:  10/17/2015 17:00:00 [10/18/2015 00:35:53]


Hardware
  cisco Nexus9000 C9396PX Chassis
  Intel(R) Core(TM) i3-3227U C with 16402540 kB of memory.

I know it is silly to reply to my own post, but after trying different ways to get into the device and make changes, I finally logged in as my username, then started a new SSH session to the device itself using a local account, and was somehow able to enter config mode and make changes. I increased the TACACS timeout from 1 to 2 seconds and that seems to have fixed the AAA authorization failures and the permission denied errors once in config mode.

Better lucky than pretty.

Ruhtra
Level 1

I know this is an old thread, but in case anyone comes along: at the end of the two "aaa authorization ..." commands add LOCAL so that it will fail over to the local user if TACACS is unavailable.
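As an added example (not code from this thread or from Cisco), a small Python check that reads an NX-OS AAA stanza like the one in the original post, flags the two lockout risks the thread turns on (group-based "aaa authorization" method lists with no local fallback, as Ruhtra recommends adding, and no global or per-host tacacs-server key), and emits a hardened copy; the checker, its function names and the sample stanza are constructed here, and the key value is a placeholder.

```python
import re

# Constructed sample: the AAA stanza posted in the thread (server addresses
# masked as in the original) plus the console line that caused the lockout.
ORIGINAL_CONFIG = """\
tacacs-server host xxxxx
tacacs-server host xxxxx
tacacs-server timeout 3
aaa group server tacacs+ GROUP-ACS
    server xxxx
    server xxxx
aaa authentication login default group GROUP-ACS
aaa authentication login console group GROUP-ACS
aaa authorization config-commands default group GROUP-ACS
aaa authorization commands default group GROUP-ACS
aaa authorization commands console group GROUP-ACS
aaa accounting default group GROUP-ACS
"""

AUTHZ_RE = re.compile(r"^aaa authorization (commands|config-commands) (\S+) (.+)$")

def audit_aaa(config: str) -> list[str]:
    """Return lockout-risk findings for an NX-OS AAA stanza (hypothetical checker)."""
    findings, uses_group, has_key = [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("tacacs-server key ") or (line.startswith("tacacs-server host ") and " key " in line):
            has_key = True  # global key or a per-host key counts
        m = AUTHZ_RE.match(line)
        if m:
            kind, scope, methods = m.groups()
            tokens = methods.split()
            if tokens[0] == "group":
                uses_group = True
                if tokens[-1] != "local":  # unreachable/mis-keyed server then denies every command
                    findings.append(f"{kind} {scope}: no 'local' fallback")
    if uses_group and not has_key:
        findings.append("tacacs-server key missing: servers cannot validate the requests")
    return findings

def harden(config: str, key: str = "REPLACE-WITH-SHARED-SECRET") -> str:
    """Prepend a tacacs-server key (placeholder value) and append 'local' to
    every group-based authorization method list that lacks it."""
    out = [f"tacacs-server key 0 {key}"]
    for raw in config.splitlines():
        m = AUTHZ_RE.match(raw.strip())
        if m and m.group(3).split()[0] == "group" and m.group(3).split()[-1] != "local":
            raw += " local"
        out.append(raw)
    return "\n".join(out) + "\n"
```

Running audit_aaa over a config before pushing it is the pre-flight check that would have caught this lockout; harden only shows the corrected lines, it does not apply them to a device.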