2960x - Authorization Failed

Gregor Blaj
Level 1

Hi,

I've got a switch with the following AAA config, which lets me log in via SSH with local accounts as expected.

aaa new-model
!
aaa group server tacacs+ TACGRP
server name tac1
server name tac2
ip tacacs source-interface Vlan1
!
aaa authentication login AUTH-TAC group TACGRP local
! 
aaa authorization exec default local 
aaa accounting update newinfo
!
aaa session-id common
!
line vty 0 4
transport input ssh
!

The TACACS commands above are at this point not doing anything. I then enable TACACS authentication on the VTY lines.

line vty 0 4
login authentication AUTH-TAC 
!

At this point, authentication events start going to TACACS and succeed, but authorization starts failing. The login is accepted but before any prompt is displayed (user or exec), I get the "% Authorization failed." error. The local account cannot log in at this point either, so essentially I'm locked out if I close the current session.

I'm not sure why authorization is failing, since it should still be local. I cannot see any authorization attempts on the TACACS server, which is correct. I've followed the same process on other switches (same IOS) and at this point TACACS users can log in, are placed into user mode and have to use the local enable password to get into exec mode. Below are the relevant debug logs.

: TPLUS: Invalid Client information received as input
: AAA/AUTHOR (0x870): Pick method list 'default' - FAIL
: AAA/AUTHOR/EXEC(00000870): Authorization FAILED

The switch also has some Radius config but only dot1x/network related, not authentication/authorization.

Image: C2960X-UNIVERSALK9-M, 15.2(2)E4, RELEASE SOFTWARE (fc2)

Any help appreciated.

Accepted Solution

Gregor Blaj
Level 1

The issue was with the 'aaa authorization exec default local' command already being present on this device.

I guess it makes sense, because by default VTY lines use the default authorization list for authorization, so when a user logs in via VTY it tries to authorize them locally, but it can't as the account doesn't exist. By removing this line, we tell the switch not to authorize people getting into priv mode, at which point it'll just prompt for the enable password. I think creating a local account with the same username/pwd would have also worked as a test.

no aaa authorization exec default local
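Added example, not from the original thread: a small Python model of how IOS walks an AAA authorization method list, showing why the poster's `aaa authorization exec default local` rejects a TACACS-authenticated user with no local account, and why removing the line (or creating a matching local user) clears the error. It also models the `group TACGRP local` style of list so the fall-through on server error is visible. The user names, the local database, and the rule that an exhausted list fails are assumptions.

```python
# Simplified model of IOS AAA exec authorization (added example, not Cisco code).
# Constructed data: a local user database ('username ...' lines on the switch)
# and a TACACS server view with a reachability flag.
LOCAL_USERS = {"admin": {"privilege": 15}}
TACACS = {"reachable": True, "users": {"gregor": {"priv-lvl": 1}}}

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def method_local(user):
    """'local' method: PASS if the user exists locally, otherwise FAIL.
    This is the behaviour the poster's debug shows for a TACACS-only user."""
    return PASS if user in LOCAL_USERS else FAIL


def method_group_tacacs(user):
    """'group TACGRP' method: ERROR when no server answers (IOS then tries the
    next method in the list), else PASS/FAIL from the server's answer."""
    if not TACACS["reachable"]:
        return ERROR
    return PASS if user in TACACS["users"] else FAIL


METHODS = {"local": method_local, "group TACGRP": method_group_tacacs}


def authorize_exec(method_list, user):
    """Walk the exec authorization list in order. ERROR falls through to the
    next method; PASS or FAIL is final. An empty list models
    'no aaa authorization exec default ...': the EXEC starts and 'enable'
    simply asks for the enable password. Assumption: a list in which every
    method returned ERROR is treated as a failure."""
    if not method_list:
        return PASS
    for name in method_list:
        result = METHODS[name](user)
        if result != ERROR:
            return result
    return FAIL


if __name__ == "__main__":
    # The poster's situation: TACACS user, exec list = ['local'].
    print(authorize_exec(["local"], "gregor"))                  # FAIL
    # Accepted fix: remove the line, so no exec authorization list applies.
    print(authorize_exec([], "gregor"))                         # PASS
    # Alternative the poster mentions: a local account with the same name.
    LOCAL_USERS["gregor"] = {"privilege": 1}
    print(authorize_exec(["local"], "gregor"))                  # PASS
    # A server-first list falls back to local only when TACACS errors out.
    TACACS["reachable"] = False
    print(authorize_exec(["group TACGRP", "local"], "admin"))   # PASS
```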
