
TACACS AAA Authorization Failure
Hello dears,
I'm trying to achieve AAA remotely using ACS (TACACS+) and I already created named authentication and authorization method lists and applied them to the VTY line and also did all needed configuration in ACS. When testing, I can telnet to the router just fine but I cannot type ANY command, I just keep getting this message "Command authorization failed." even though this user is assigned a Command Set profile that permits all commands and Shell Profile level of 15.
When I go to ACS Monitoring and Reports viewer, I see that Authentication is done successfully but the problem is with Authorization in which I just keep hitting the Default Device Admin with DenyAllCommands Command Set! Attached is a screenshot of this error.
I checked again my Authorization Policy and everything looks right. I attached a screenshot of my Authorization Policy.
I think I'm missing something, could you please help....
Thanks...
Comments
If you believe that your ACS config is good and it does not match on the proper rule, just reload ACS. I cannot see the screenshots for whatever reason, maybe repost them?
Hi Cristian and wish you a happy new year...
These are the screenshots:
https://www.dropbox.com/s/b11ccp35t2x1g50/AuthorizationPolicy.png?dl=0
https://www.dropbox.com/s/jok2dkv1tid5y1x/Error.png?dl=0
I have faced the exact issue. Send me the commands you put on router. Also try this... remove the router as your AAA client, then put back the AAA commands, first authorization, then authentication commands. Then add back the AAA client. But to help you better, please send your AAA authorization commands you are putting on the router.
Vikram Parmar
CCIEx2(R&S,DC)#22735
Reload the ACS and see if it's fixed. The print-screen with the policy does not look right. What browser have you used to configure the policy? Use Internet Explorer or Mozilla, delete the policy, save the configuration and recreate it.
Yes, the problem is because of the browser as you guessed Cristian. I was using Chrome and this time I used IE and also you are correct regarding the policy in which it doesn't look right since the condition (System:UserName) syntax in Chrome seems not to be right unlike how IE shows this condition.
- These two images show how each browser is showing System:UserName Condition:
https://www.dropbox.com/s/b11ccp35t2x1g50/AuthorizationPolicy.png?dl=0
https://www.dropbox.com/s/9lnfvwnjqggatpf/authz-policy.png?dl=0
- This is the log showing that the problem is solved:
https://www.dropbox.com/s/mw9cv45shcbj1g2/Log.png?dl=0
Thanks to you all for the help...