
TACACS+ authorization not working

axeleratorcisco
Level 1

I have the following issue:

I can authenticate to my TACACS+ server, but authorization is not working.

I have cross-referenced the config with other routers, but this one doesn't seem to work.

I can log in, so authentication works; then I do a "show run" or whatever command and it says "authorization failed", plus a long wait.

Here is the TACACS+ and AAA debugging:

170325: Apr 23 09:52:12.907 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170326: Apr 23 09:52:17.906 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170327: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170328: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): Method=LOCAL

170329: Apr 23 09:52:17.906 Asd: AAA/AUTHOR/LOCAL: no entry for username111

170330: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170331: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): Method=NOT_SET

170332: Apr 23 09:52:17.906 Asd: tty194 AAA/AUTHOR/CMD(1505455504): no methods left to try

170333: Apr 23 09:52:17.906 Asd: AAA/AUTHOR (1505455504): Post authorization status = ERROR

170334: Apr 23 09:52:17.906 Asd: AAA/MEMORY: free_user (0x634E9E8C) user='user111' ruser='routername' port='tty194' rem_addr='1.1.1.1' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

170335: Apr 23 09:54:00.288 Asd: AAA: parse name=tty194 idb type=-1 tty=-1

170336: Apr 23 09:54:00.288 Asd: AAA: name=tty194 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=194 channel=0

170337: Apr 23 09:54:00.288 Asd: AAA/MEMORY: create_user (0x636AC9FC) user='username111' ruser='routername' ds0=0 port='tty194' rem_addr='1.1.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

170338: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Port='tty194' list='' service=CMD

170339: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/CMD: tty194(3078002889) user='username111'

170340: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV service=shell

170341: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd=show

170342: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=running-config

170343: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=<cr>

170344: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): found list "default"

170345: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=ACS (tacacs+)

170346: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): user=username111

170347: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV service=shell

170348: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd=show

170349: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd-arg=running-config

170350: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): send AV cmd-arg=<cr>

170351: Apr 23 09:54:00.288 Asd: TAC+: Using default tacacs server-group "ACS" list.

170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170355: Apr 23 09:54:05.291 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5

170356: Apr 23 09:54:10.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding

170357: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

170358: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=LOCAL

170359: Apr 23 09:54:10.291 Asd: AAA/AUTHOR/LOCAL: no entry for username111

170360: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

170361: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=NOT_SET

170362: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): no methods left to try

170363: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR

I can ping both TACACS+ servers from within their VRF, using the source interface, so connectivity is good; there are no firewalls in between.

Authentication works, just not authorization, and with a large timeout.

Any ideas?

sh ver

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.3(8)T8, RELEASE SOFTWARE (fc1)

The key is also good, as I can authenticate.

The TACACS+ server is also set to accept from the correct IP address, i.e. the source address of the interface on the router.
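The debug output in the post above shows where the authorization actually breaks: IOS walks the default method list, picks the "ACS" TACACS+ group, tries to open TCP/49 to 10.60.12.88 twice with timeout=5 (which is the "long wait" the poster sees, about ten seconds), gets "Connection timed out" both times, falls through to the LOCAL method, finds no local entry for the user, and denies the command with status ERROR. The following script is an added example written for this thread, not code from the original post or from Cisco; it parses that style of `debug aaa authorization` / `debug tacacs` output, groups lines by AAA session id, and reports the method list walked, the TCP failures, the wait and a verdict. The sample lines are copied from the debug output posted above (trimmed to the complete "show running-config" attempt); all function and field names are the editor's own.

```python
"""Triage Cisco IOS 'debug aaa authorization' + 'debug tacacs' output.

Per command-authorization session: user, command, the method list walked
(tacacs+ -> LOCAL -> NOT_SET), TCP opens to the TACACS+ server that failed,
the wait the user saw, and a verdict.  Editor-added example, not thread code.
"""
import re
from datetime import datetime

# Sample input: copied from the thread's debug output (the complete
# 'show running-config' attempt, session 3078002889), lightly trimmed.
SAMPLE = """\
170338: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Port='tty194' list='' service=CMD
170341: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd=show
170342: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=running-config
170343: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): send AV cmd-arg=<cr>
170345: Apr 23 09:54:00.288 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=ACS (tacacs+)
170346: Apr 23 09:54:00.288 Asd: AAA/AUTHOR/TAC+: (3078002889): user=username111
170352: Apr 23 09:54:00.288 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5
170354: Apr 23 09:54:05.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding
170355: Apr 23 09:54:05.291 Asd: TAC+: Opening TCP/IP to 10.60.12.88/49 timeout=5
170356: Apr 23 09:54:10.291 Asd: TAC+: TCP/IP open to 10.60.12.88/49 failed -- Connection timed out; remote host not responding
170357: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR
170358: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=LOCAL
170359: Apr 23 09:54:10.291 Asd: AAA/AUTHOR/LOCAL: no entry for username111
170360: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR
170361: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): Method=NOT_SET
170362: Apr 23 09:54:10.291 Asd: tty194 AAA/AUTHOR/CMD(3078002889): no methods left to try
170363: Apr 23 09:54:10.291 Asd: AAA/AUTHOR (3078002889): Post authorization status = ERROR
"""

TS_RE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}) ")
SID_RE = re.compile(r"\((\d{6,})\)")          # AAA session id, e.g. (3078002889)
USER_RE = re.compile(r"user='?([^' ]+)'?")
METHOD_RE = re.compile(r"Method=(.+?)\s*$")
AV_RE = re.compile(r"AAA/AUTHOR/CMD\(\d+\): send AV (cmd(?:-arg)?)=(.*?)\s*$")
TCP_FAIL_RE = re.compile(r"TCP/IP open to (\S+) failed")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
LOCAL_MISSING = "AAA/AUTHOR/LOCAL: no entry for"


def _parse_ts(line):
    m = TS_RE.match(line)
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, fine for deltas.
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S.%f")


def analyze(lines):
    """Return {session_id: record} for each command-authorization session."""
    sessions, current = {}, None
    for line in lines:
        sid = SID_RE.search(line)
        if sid:
            current = sid.group(1)
            sessions.setdefault(current, {
                "user": None, "command": [], "methods": [], "server": None,
                "tcp_failures": 0, "local_user_missing": False,
                "status": None, "first": None, "last": None})
        if current is None:
            continue                # TAC+ line before any session id: skip
        rec = sessions[current]     # TAC+ lines lack an id; attach to current
        ts = _parse_ts(line)
        if ts:
            rec["first"], rec["last"] = rec["first"] or ts, ts
        if sid and (m := USER_RE.search(line)):
            rec["user"] = m.group(1)
        if (m := AV_RE.search(line)) and m.group(2) != "<cr>":
            rec["command"].append(m.group(2))
        if m := METHOD_RE.search(line):
            rec["methods"].append(m.group(1))
        if m := TCP_FAIL_RE.search(line):
            rec["server"], rec["tcp_failures"] = m.group(1), rec["tcp_failures"] + 1
        if LOCAL_MISSING in line:
            rec["local_user_missing"] = True
        if m := STATUS_RE.search(line):
            rec["status"] = m.group(1)
    for rec in sessions.values():
        rec["command"] = " ".join(rec["command"])
        rec["wait_s"] = ((rec["last"] - rec["first"]).total_seconds()
                         if rec["first"] and rec["last"] else None)
    return sessions


def diagnose(rec):
    """Classify a session: did the server answer, or was it never reached?"""
    if rec["status"] and rec["status"].startswith("PASS"):
        return "permitted"
    if rec["status"] == "FAIL":
        return "denied_by_server"       # server reached, command refused
    if rec["tcp_failures"]:
        return "transport_failure"      # server never reached, fell through
    return "unknown"


def report(text):
    """One summary line per session in a pasted debug capture."""
    return "\n".join(
        f"session {sid}: user={r['user']} cmd='{r['command']}' "
        f"methods={' -> '.join(r['methods'])} tcp_failures={r['tcp_failures']} "
        f"server={r['server']} wait={r['wait_s']}s status={r['status']} "
        f"verdict={diagnose(r)}"
        + (" (LOCAL fallback: no such user, command denied)" if r["local_user_missing"] else "")
        for sid, r in analyze(text.splitlines()).items())


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against a capture, the verdict separates "the server said no" (status FAIL) from "the server was never reached" (TCP open failed, status ERROR), which is the distinction that matters here: authentication had already succeeded over the same server and key, so the failing TCP open during authorization points at the device's own TACACS+ handling rather than at the server policy. Note also that the LOCAL fallback denies the command because no local user exists, so the router fails closed while the server is unreachable.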

16 Replies

I know I clicked it, and my version was also there.

I might upgrade it and see how that works.

axeleratorcisco
Level 1

I upgraded to 12.4(25f) Adv IP Services and reloaded.

Issue is GONE!

Thanks for thinking along, guys.