[c-nsp] Tacacs and console oob access % Authorization failed.

George Hong georgehong21 at gmail.com
Tue Jun 4 17:38:52 EDT 2013


Hi Cisco Gurus,

Quick question, my Cisco foo is a bit dusty.  I'm configuring a new switch
and I'm setting it up with Tacacs.
I'm configuring it using the console and the switch is not yet connected to
the network. After applying the tacacs config it says
% Authorization failed when I type "show run" or "conf t"

My tacacs config should fall back to local authorization but that doesn't
seem to work.
Below is the relevant config. Any ideas what might be going on (what am I
doing wrong)?

Remember that no network cables have been plugged in (all interfaces are
down) and I'm configuring using console. I'm expecting to be able to
configure the switch when it has no network connectivity (via out of band /
console).


This is the tacacs config I'm applying:

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!

aaa session-id common


tacacs-server key key 7 <removed this >
tacacs-server host x.x.x.x timeout 2

tacacs-server directed-request

line con 0
 session-timeout 60
 exec-timeout 60 0
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 access-class 22 in
 exec-timeout 60 9
 history size 256
 transport input ssh
line vty 5 15
 session-timeout 60
 access-class 22 in
 exec-timeout 60 9
 history size 256
 transport input ssh

After applying:

sw1.chi#sh run
% Authorization failed.

sw1.chi#conf t
% Authorization failed.

sw1.chi#


Below is the complete relevant config:

!
hostname sw1.xxx
!
username xxxx secret 5xxxx
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
ip domain-name xxxx
!
!
crypto key generate rsa
ip ssh version 2
!
interface FastEthernet1/0/1

!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
 description span.xxx:ipmi
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
!
interface Gi1/0/3
 description Trunk to rtr1.
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
!
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address x.x.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway y.y.y.y
no ip http server
no ip http secure-server
logging trap notifications
logging source-interface Vlan10
logging x.x.x.x
access-list 22 remark SSH access list
access-list 22 permit x.x.x.x 0.0.0.255
access-list 22 deny   any log

snmp-server community xxxx RO
snmp-server location xx
snmp-server contact noxc at xxx.com

tacacs-server host x.x.x.x
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key key 7 <removed this >
!
control-plane
!
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 access-class 22 in
 exec-timeout 60 9
 history size 256
 transport input ssh
line vty 5 15
 session-timeout 60
 access-class 22 in
 exec-timeout 60 9
 history size 256
 transport input ssh
!
ntp server x.x.x.x
end


Any ideas?

Thanks, George!
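Added example (not code from the original post or from Cisco): a small audit of the AAA method lists in a configuration like the one above. IOS evaluates each method list left to right and moves to the next method only when the current one returns an error (for example, server unreachable), not when it rejects the user, so a list whose every method is a server group can never succeed on a switch with no network path to its TACACS+ server. The script parses `aaa authentication` / `aaa authorization` lines, reports lists with no server-independent method, checks that the named list the console line references actually exists, and notes whether `aaa authorization console` is present. The sample configs are constructed from the post's AAA and `line con 0` stanzas; the second variant is modified to show what a failing audit looks like.

```python
"""Audit Cisco IOS AAA method lists for out-of-band (console) fallback.

Constructed example, not code from the original post or from Cisco.
"""
import re
from dataclasses import dataclass


@dataclass
class MethodList:
    kind: str      # e.g. "authentication login", "authorization commands 15"
    name: str      # "default" or a named list such as CONSOLE
    methods: list  # ordered methods, e.g. ["group tacacs+", "local"]

    def offline_fallback(self):
        """First method that can succeed with every AAA server unreachable, or None."""
        for m in self.methods:
            if not m.startswith("group "):  # 'group <name>' always needs a server
                return m
        return None


def parse_aaa(config):
    """Return every 'aaa authentication' / 'aaa authorization' method list in config."""
    lists = []
    for raw in config.splitlines():
        tok = raw.strip().split()
        if len(tok) < 4 or tok[0] != "aaa" or tok[1] not in ("authentication", "authorization"):
            continue
        # 'aaa authorization commands <level> <list> ...' carries one extra token
        name_idx = 4 if tok[2] == "commands" else 3
        methods, i = [], name_idx + 1
        while i < len(tok):
            if tok[i] == "group" and i + 1 < len(tok):
                methods.append("group " + tok[i + 1])
                i += 2
            else:
                methods.append(tok[i])
                i += 1
        lists.append(MethodList(" ".join(tok[1:name_idx]), tok[name_idx], methods))
    return lists


def console_login_list(config):
    """Name of the login authentication list on 'line con 0' ('default' if none is set)."""
    in_con = False
    for raw in config.splitlines():
        if raw.startswith("line "):
            in_con = raw.startswith("line con")
        elif in_con:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                return m.group(1)
    return "default"


def audit(config):
    """Summarise what would still work if the AAA server were unreachable."""
    lists = parse_aaa(config)
    con = console_login_list(config)
    login_names = {ml.name for ml in lists if ml.kind == "authentication login"}
    return {
        # method lists that cannot succeed without a reachable server
        "no_fallback": [f"{ml.kind} {ml.name}" for ml in lists if ml.offline_fallback() is None],
        "console_list": con,
        "console_list_defined": con == "default" or con in login_names,
        # the global command that applies authorization to the console line
        "authorization_console": bool(re.search(r"^aaa authorization console$", config, re.M)),
    }


# Constructed from the AAA and console stanzas in the post above.
POSTED_AAA = """\
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
aaa session-id common
line con 0
 session-timeout 60
 exec-timeout 60 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
"""

# Constructed variant: level-15 command authorization has no fallback and the
# console references a login list that is never defined.
SERVER_ONLY = (POSTED_AAA
               .replace("commands 15 default group tacacs+ local", "commands 15 default group tacacs+")
               .replace("login authentication CONSOLE", "login authentication OOB"))

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_AAA), ("server-only", SERVER_ONLY)):
        print(label, audit(cfg))
```

Run as-is to see both audits; the posted config has a `local` or `enable` fallback on every list and a defined CONSOLE list, so the parse alone does not explain the failure, which is exactly why the audit also reports `aaa authorization console` and the exact list each line uses.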

