11-16-2011 09:36 AM - edited 03-07-2019 03:25 AM
I currently use local accounts with this format:
username test password testpwd role network-admin
and this puts you straight into 'enable' mode
I am trying to get this to work with tacacs and having a few problems. I am able to get the authentication to work like a champ, but once logged in I cannot do any commands. In my other equipment I do not use command authorization, so I did not on this at first. It did not work, so I tried using it and it still didn't work; I just got a different error. Here is what I put in:
tacacs-server key XXXXX
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
aaa group server tacacs+ acsgroup
server 1.1.1.1
server 2.2.2.2
source-interface vlan2
!
aaa authentication login default group acsgroup
aaa authentication login console group acsgroup
aaa authorization commands default group acsgroup
aaa accounting default group acsgroup
aaa authentication login error-enable
With this config I get the following error.
HOU-14MDF-NEXUS-CORE02# sh run
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
When I remove the "aaa authorization command......." I get this:
HOU-14MDF-NEXUS-CORE02# sh run
% Permission denied
Any help will be greatly appreciated.
Thanks,
Aubrey Burt
11-16-2011 10:27 AM
Have you read the URLs below?
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473592
http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_TACACS+,_RADIUS,_and_AAA_Comparison
11-16-2011 10:37 AM
Yeah, I later found the command:
aaa authorization config-commands default group AAA-Servers
but was unsure if it would make the difference I was needing, and I did not find it until after I had already removed the config.
09-28-2015 02:46 AM
can you connect to console and then remove this command?
02-04-2013 04:04 AM
Hi Andrew,
Would you be able to tell me what
AAA_AUTHOR_STATUS_METHOD=17(0x11) means? Below is the correct error log:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
I am after the meaning of the =17(0x11).
If you could shed some light on this, that will be great. Unfortunately, I was not able to find anything on the Internet or on the Cisco web.
thanks a lot
Lancellot
09-25-2015 01:25 AM
Would you be able to tell me what
AAA_AUTHOR_STATUS_METHOD=17(0x11) means? Below is the correct error log:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
I am after the meaning of the =17(0x11).
Do you have some method to solve this problem?
07-24-2013 11:09 AM
We have the same problem, but we use RSA Radius.
RSA had us create a profile and then associate a user account to that profile. In that profile there is an Attribute drop-down menu, and we were told to use Class [M]. The trouble is RSA could not tell us what the Value should be. We have been trying variations on shell:roles="\"network-admin vdc-admin\"", all to no avail.
We can get logged in against the account we have created in RSA, but we lack privileges to do things like save changes to memory.
When we do a sh user-account we never get more than network-operator.
07-29-2013 08:42 AM
We finally found what we were looking for:
The following works as attributes to be sent from RSA:
Under the profile, in the drop down list, select Cisco-AVPair and use the following string
shell:roles="network-admin vdc-admin"
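An added example, not part of the original thread and not Cisco or RSA tooling: a small Python check for a shell:roles value before it is entered into a RADIUS profile, flagging the quoting variants that appear in this thread and listing the roles that would be granted. The function name and messages are hypothetical; treating the plain-quoted form as the reference is an assumption based on the string reported working above, and `*` is accepted as Cisco's AV-pair separator for an optional attribute.

```python
import re

# Typographic quotes that editors and web forms substitute for a plain ASCII ".
SMART_QUOTES = "\u201c\u201d\u201e\u201f"
# Attribute name, separator ('=' mandatory, '*' optional), then the role list.
AVPAIR_RE = re.compile(r'^shell:roles([=*])(.*)$')


def check_roles_avpair(value):
    """Return (roles, problems) for one Cisco-AVPair string (hypothetical helper)."""
    problems = []
    if any(q in value for q in SMART_QUOTES):
        problems.append("typographic quotes instead of plain ASCII quotes")
        for q in SMART_QUOTES:
            value = value.replace(q, '"')
    if '\\"' in value:
        problems.append("backslash-escaped quotes")
        value = value.replace('\\"', '"')
    m = AVPAIR_RE.match(value.strip())
    if not m:
        return [], problems + ["not a shell:roles attribute"]
    body = m.group(2)
    quoted = body.startswith('"') and body.endswith('"') and len(body) >= 2
    if body.startswith('""') or body.endswith('""'):
        problems.append("doubled quotes around the role list")
    roles = body.strip('"').split()
    if len(roles) > 1 and not quoted:
        problems.append("multiple roles not enclosed in one pair of quotes")
    if not roles:
        problems.append("empty role list")
    return roles, problems


if __name__ == "__main__":
    # Constructed samples based on the variants quoted in this thread.
    samples = [
        'shell:roles="network-admin vdc-admin"',
        'shell:roles="\\"network-admin vdc-admin\\""',
        'shell:roles=\u201dnetwork-admin vdc-admin\u201d',
    ]
    for s in samples:
        roles, problems = check_roles_avpair(s)
        print(s, "->", roles, problems or "ok")
```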
01-30-2015 01:52 PM
I seem to be having the same issue. I don't see Cisco-AVPair in the drop down list. Is this something that RSA has to configure for me, or can I create that attribute myself?