
% Authorization failed. error

Shadow_200
Level 1

I have a 9600 core switch on which I am getting the "% Authorization failed." error.

I am only receiving output for sh run and sh logging.

Please find the AAA configuration below.

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login userauthen local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization network groupauthor local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

 

Please suggest a solution.


Are you authenticating via TACACS username/password or via local?

Via Tacacs

Router# show tacacs  <<- share this

Is this a problem for all users, or is it a problem for some users but other users work ok?

HTH

Rick

For all users

#sh tacacs
% Authorization failed.

debug aaa authorization

debug tacacs

Please share these two debugs when the issue appears.

As I read through the discussion again I have a few questions and suggestions:

- Am I understanding the original post correctly that you can successfully do show run and show logging but that all other commands get the authorization error?

- Assuming that this is true for your ID, what do other user IDs experience? Are they able to show run and show log? Are there any other commands that they can execute?

- The posted partial config indicates that accounting is enabled. Are any accounting records being generated?

- If you can do show log on the switch, are there any log records generated that shed light on this issue?

- Are there any log entries on the TACACS server that shed light on this issue?

- If you are successful in some commands but fail on other commands, I suggest that it is less likely an issue on the switch and more likely an issue in the TACACS server. Can you verify the parameters for your user ID in the TACACS server?

- Has this ever worked on this switch? Or is this a new switch install? If it is a new install, you might want to verify all the parameters in TACACS about this device.

HTH

Rick