AAA Authorization fail in line console

itzikk
Level 1

Hi,

I'm trying to understand what is missing.

I configured my switch to authenticate and authorize VTY connections via RADIUS servers.

I left the console connection to be authenticated and authorized using local credentials.

The commands are:

aaa new-model
aaa group server radius radius-verify
server-private 10.10.10.1 auth-port 1812 acct-port 1813 key *******
server-private 10.10.10.2 auth-port 1812 acct-port 1813 key *******
aaa authentication login aaa-login group radius-verify local
aaa authentication login default local
aaa authorization exec aaa-auth group radius-verify local
aaa authorization exec default local
aaa authorization console
 
line vty 0 15
login authentication aaa-login
authorization exec aaa-auth
 
line con 0
login authentication default
authorization exec default
 
When I connect via SSH, I'm authenticated directly into config mode, as I wanted.
But when I try to connect via console, I'm getting the error: Authorization Failed.
It seems like it authenticates me locally, but tries to give me authorization via something else.
When I ran debug aaa authorization, I saw zero logs.

I want to be able to connect via console using local credentials and directly into config mode.
 
Any advice?
Thanks
10 Replies

I don't like configuring any AAA under the console; the console is your last hope if you cannot access the switch via VTY.

If you configure it with AAA and there is an issue connecting to AAA, you may never be able to access the switch via console.

But if you want to go that way

Check

aaa authorization console <- I think there is a conflict between it and aaa authorization exec

MHM
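
An added example, not part of any post in this thread: a small Python audit that resolves which login and exec-authorization method lists each line in the posted configuration uses, and whether the console depends on a server group (the lockout concern raised above). The `audit` function and its report keys are hypothetical names; it assumes the IOS behaviour that exec authorization applies to the console only when `aaa authorization console` is configured.

```python
import re

# Configuration from the original post (keys masked as posted); indentation added.
CONFIG = """\
aaa new-model
aaa group server radius radius-verify
 server-private 10.10.10.1 auth-port 1812 acct-port 1813 key *******
 server-private 10.10.10.2 auth-port 1812 acct-port 1813 key *******
aaa authentication login aaa-login group radius-verify local
aaa authentication login default local
aaa authorization exec aaa-auth group radius-verify local
aaa authorization exec default local
aaa authorization console
line vty 0 15
 login authentication aaa-login
 authorization exec aaa-auth
line con 0
 login authentication default
 authorization exec default
"""

def audit(config):
    """Resolve the login and exec-authorization method lists each line uses."""
    lists = {"authentication login": {}, "authorization exec": {}}
    lines, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends line sub-mode
            current = None
        if m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", text):
            # Keep "group <name>" together as a single method.
            lists[m[1]][m[2]] = re.findall(r"group \S+|\S+", m[3])
        elif m := re.match(r"line (.+)", text):
            current = lines.setdefault(m[1], {"login": "default", "exec": "default"})
        elif current and (m := re.match(r"(login authentication|authorization exec) (\S+)", text)):
            current["login" if m[1].startswith("login") else "exec"] = m[2]
    console_authz = "aaa authorization console" in config.splitlines()
    report = {}
    for name, use in lines.items():
        authn = lists["authentication login"].get(use["login"], [])
        authz = lists["authorization exec"].get(use["exec"], [])
        if name.startswith("con") and not console_authz:
            authz = None  # assumption: console skips exec authorization by default
        report[name] = {"authn": authn, "authz": authz, "uses_server_group":
                        any(x.startswith("group ") for x in authn + (authz or []))}
    return report

if __name__ == "__main__":
    for name, result in audit(CONFIG).items():
        print(name, result)
```

For the posted configuration the console resolves to local-only lists for both authentication and authorization, so on paper it does not depend on the RADIUS group.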

First, NEVER WR when you make any change to AAA; in case something goes wrong, you can reboot and return to the old config.

Now use a different method; don't use default for console auth and authz

Try and check

MHM

M02@rt37
VIP

Hello @itzikk 

Add this

aaa authorization console local

Best regards

Hello
Append the following:
username xxx privilege 15 secret ccc
aaa authentication login default local
aaa authorization exec default local if-authenticated



Kind Regards
Paul

itzikk
Level 1

Thanks all,

Unfortunately, it's not resolving the issue.

What I'm trying to do is make my VTY connections authenticate via RADIUS servers directly into privileged exec mode. At the same time, I want my console connection to authenticate using local credentials.

I managed to log in on the VTY lines directly into privileged exec mode by using the command: aaa authorization exec aaa-auth group radius-verify local

By default, line con 0 is not using authorization, so I assumed it would connect without authorization, but I did get "Authorization Failed". That's why I configured aaa authentication login default local if-authenticated, but I still got the same error of Authorization Failed.

I noticed that when I write "no authorization exec aaa-auth" under the VTY lines, I log in to user exec mode, and when I try with my console line I'm able to log in with no error.

Conclusion: for some reason, as long as I use an AAA named method of authorization under the VTY lines, it affects the console line as well, although the console by default shouldn't be affected by the AAA authorization.

Any thoughts?

 

 

Same config you shared in your original post

Clear line vty all

Then try to access only the console

Maybe using the same username for VTY and console affects the authz

MHM

itzikk
Level 1

The only difference between line vty now and con 0 is that line vty uses a named authentication list forwarding to the RADIUS group, and the console uses the default one using local credentials.

The aaa authorization is:

aaa authorization exec default local if-authenticated

I'm able to connect on both VTY and console lines.

But on VTY I'm connecting only to user mode, and I want to connect directly into privileged mode.

The moment I configure named authorization forwarding to RADIUS, and configure it under VTY, I'm getting the error "Authorization Failed" on the console login.

I will do some tests to check.

I'll update you soon.

MHM

itzikk
Level 1

As I found out, there is a bug in my switch and that's the reason it wasn't working well.

I tried on another switch and it worked fine.

thanks

Thanks a lot for updating us.

Can you share the bug ID?

Thanks again

MHM