% Authorization failed on Routers for all commands (tacacs)

mehulnangru
Level 1

A few devices do not let us run any command after we log in; we get an error stating

"% Authorization failed."
Note -

1. We have resilient ACS server 5.8.
2. This is happening on only a few routers, which are a mix of Cisco 891, 1941 and 3925. No pattern is seen on IOS version either.
3. Tacacs worked perfectly on all devices when we had a single ACS server, and since the secondary was added we have seen this issue appearing on a few devices.

 

ACS configuration applied on the routers is as below:

aaa new-model
!
aaa group server tacacs+ tacacsgrp
 server name ACS2
 server name ACS1
!
aaa authentication login default group tacacsgrp local
aaa authentication enable default group tacacsgrp enable
aaa authorization exec default group tacacsgrp local
aaa authorization commands 0 default group tacacsgrp local
aaa authorization commands 1 default group tacacsgrp local
aaa authorization commands 15 default group tacacsgrp local
aaa accounting exec default
 action-type start-stop
 group tacacs+
 group tacacsgrp
!
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
 group tacacsgrp
!
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
 group tacacsgrp
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
 group tacacsgrp
!
aaa accounting network default
 action-type start-stop
 group tacacs+
 group tacacsgrp
!
aaa accounting system default start-stop group tacacsgrp
!
aaa session-id common
!
tacacs server ACS1
 address ipv4 10.X.X.X
 key 7 08094D571A340419130
!
tacacs server ACS2
 address ipv4 10.Y.Y.Y
 key 7 08094D571A340419130


Can anyone suggest what we have done wrong?


Fotiosmark
Level 1

Set the maximum privilege to 15 for the user.

The same users can access other devices fine, but only these 6 devices they can't, and the devices are added on ACS in the same way.

Log into Cisco Secure ACS, which is running TACACS+. Click on edit setting under the group you are in, then scroll down to TACACS+ Settings and check the SHELL(exec) box.

Sorry! Can you please explain this step in more detail.

When you log in to one of these routers which are having the issue, can you tell whether it is authenticating with tacacs credentials or with local credentials? The symptoms suggest that these routers are not communicating with your tacacs server and are doing local authentication and local authorization. If that is the case, is it possible that there are issues with the users' local credentials?

Your configuration of authorization specifies tacacs as the primary method and local as the secondary method. I have found it helpful to specify if-authenticated as the last method.


HTH

Rick
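As an added illustration (not code from the thread, from Cisco, or from ACS), the Python below parses `aaa authorization` lines like the ones in the original post and walks a method list the way IOS does: the next method is consulted only when the previous one returns an error (no server in the group answered), while a deny from a reachable server ends the list immediately with "% Authorization failed.", so `local` is a fallback for an unreachable ACS, not for a deny. It also checks that every `group` a list references is defined with at least one server. The addresses and usernames are constructed, and treating a username that is missing from the local database as an error (rather than a deny) is my modelling assumption, marked in the code.

```python
import re

# Constructed config modelled on the running config posted in the thread
# (RFC 5737 documentation addresses, no shared key).
SAMPLE_CONFIG = """\
aaa group server tacacs+ tacacsgrp
 server name ACS2
 server name ACS1
aaa authorization exec default group tacacsgrp local
aaa authorization commands 15 default group tacacsgrp local
tacacs server ACS1
 address ipv4 192.0.2.1
tacacs server ACS2
 address ipv4 192.0.2.2
"""


def parse_method_lists(config):
    """Map (authorization type, list name) -> ordered method list."""
    pat = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
    lists = {}
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            # 'group <name>' is a single method spelled with two tokens
            methods.append("group:" + tokens.pop(0) if tok == "group" else tok)
        lists[(kind, name)] = methods
    return lists


def parse_server_groups(config):
    """Map TACACS+ server-group name -> its 'server name' members."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^aaa group server tacacs\+ (\S+)$", line.strip())
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" server name "):
            groups[current].append(line.split()[-1])
        elif not line.startswith(" "):
            current = None          # left the server-group block
    return groups


def lint(config):
    """Flag method lists that point at an undefined or empty server group."""
    groups = parse_server_groups(config)
    problems = []
    for (kind, name), methods in parse_method_lists(config).items():
        for method in methods:
            if method.startswith("group:") and not groups.get(method[6:]):
                problems.append(f"{kind} {name}: group {method[6:]} undefined or empty")
    return problems


def authorize(methods, group_state, local_users, user, needed_priv=15):
    """
    Walk one method list as IOS does and return (verdict, deciding method).

    group_state: group name -> 'permit' | 'deny' | 'unreachable'
    local_users: username -> privilege level of the local 'username' entry
    IOS moves on only when a method returns ERROR; a FAIL ends the list.
    Modelling assumptions (not from the thread): a username absent from the
    local database counts as ERROR, and a list that runs out of methods
    ends in FAIL.
    """
    for method in methods:
        if method.startswith("group:"):
            state = group_state.get(method[6:], "unreachable")
            if state == "unreachable":
                continue                         # ERROR: try the next method
            return ("PASS" if state == "permit" else "FAIL"), method
        if method == "local":
            if user not in local_users:
                continue                         # assumed ERROR: no local entry
            return ("PASS" if local_users[user] >= needed_priv else "FAIL"), method
        if method in ("if-authenticated", "none"):
            return "PASS", method                # the caller already logged in
    return "FAIL", "end-of-list"


def demo():
    """Run the thread's 'commands 15' list through four server/user states."""
    cmd15 = parse_method_lists(SAMPLE_CONFIG)[("commands 15", "default")]
    down = {"tacacsgrp": "unreachable"}
    return {
        # ACS answers and denies: 'local' is never consulted
        "acs_deny": authorize(cmd15, {"tacacsgrp": "deny"}, {"admin": 15}, "admin"),
        # ACS unreachable: the list falls through to the local database
        "acs_down": authorize(cmd15, down, {"admin": 15}, "admin"),
        # ACS unreachable and no local entry: nothing left to decide
        "no_local": authorize(cmd15, down, {}, "ops"),
        # same, with if-authenticated appended as the last method
        "if_auth": authorize(cmd15 + ["if-authenticated"], down, {}, "ops"),
    }


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print("lint:", problem)
    for case, (verdict, via) in demo().items():
        print(f"{case:9s} -> {verdict} via {via}")
```

Running it prints the four verdicts. The `acs_deny` case is the one that matches a router that authenticates fine but still prints "% Authorization failed.": the server answered, so nothing after `group tacacsgrp` is ever tried. The `if_auth` case shows the trade-off behind adding `if-authenticated` last: it keeps administrators working while every ACS is unreachable, but in that state it also grants any authenticated user every command at that level, so it is worth deciding explicitly which command levels should fall back that way and relying on the accounting records for what was run.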

It is indeed authenticating via tacacs credentials only and does not accept local credentials.

The only way I can make them work is by removing their IP from the ACS server, hence enforcing access by local accounts; then I need to remove the dual ACS configuration and point only to the primary ACS, and it will start authenticating, but I do not want to do this.


All shell profiles have a privilege level of 15. The command set is ruling who gets read-only access and who gets read-write.

Also, to emphasize, other devices sitting in the same rules and the same shell profile work perfectly.

Hello


@mehulnangru wrote:

Tacacs worked perfectly on all devices when we had a single ACS server and since secondary was added we have seen this issue appearing on few devices.


To validate a possible ACS issue, can you suspend the secondary server and test?
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul