[c-nsp] Tacacs and console oob access % Authorization failed.

Aaron dudepron at gmail.com
Wed Jun 5 13:16:06 EDT 2013


Did you logout and log back in after you applied the config?


On Tue, Jun 4, 2013 at 5:38 PM, George Hong <georgehong21 at gmail.com> wrote:

> Hi Cisco Gurus,
>
> Quick question, my Cisco foo is a bit dusty.  I'm configuring a new switch
> and I'm setting it up with Tacacs.
> I'm configuring it using the console and the switch is not yet connected to
> the network. After applying the tacacs config it says
> % Authorization failed when I type "show run" or "conf t"
>
> My tacacs config should fall back to local authorization but that doesn't
> seem to work.
> Below the relevant config. Any ideas what might be going on (what am I
> doing wrong)?
>
> Remember that no network cables have been plugged in (all interfaces are
> down) and I'm configuring using console. I'm expecting to be able to
> configure the switch when it has no network connectivity (via out of band /
> console).
>
>
> This is the tacacs config I'm applying:
>
> aaa new-model
> !
> aaa authentication login default group tacacs+ local
> aaa authentication login CONSOLE group tacacs+ local
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 0 default group tacacs+ local
> aaa authorization commands 4 default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ local
> !
>
> aaa session-id common
>
>
> tacacs-server key key 7 <removed this >
> tacacs-server host x.x.x.x timeout 2
>
> tacacs-server directed-request
>
> line con 0
>  session-timeout 60
>  exec-timeout 60 0
>  login authentication CONSOLE
> line vty 0 4
>  session-timeout 60
>  access-class 22 in
>  exec-timeout 60 9
>  history size 256
>  transport input ssh
> line vty 5 15
>  session-timeout 60
>  access-class 22 in
>  exec-timeout 60 9
>  history size 256
>  transport input ssh
>
> After applying:
>
> sw1.chi#sh run
> % Authorization failed.
>
> sw1.chi#conf t
> % Authorization failed.
>
> sw1.chi#
>
>
> Below the complete relevant config
>
> !
> hostname sw1.xxx
> !
> username xxxx secret 5xxxx
> aaa new-model
> !
> aaa authentication login default group tacacs+ local
> aaa authentication login CONSOLE group tacacs+ local
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 0 default group tacacs+ local
> aaa authorization commands 4 default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ local
> !
> aaa session-id common
> system mtu routing 1500
> ip subnet-zero
> !
> ip domain-name xxxx
> !
> !
> crypto key generate rsa
> ip ssh version 2
> !
> interface FastEthernet1/0/1
>
> !
> interface FastEthernet1/0/2
> !
> interface FastEthernet1/0/3
>  description span.xxx:ipmi
>  switchport access vlan 10
>  switchport mode access
>  spanning-tree portfast
> !
> !
> interface Gi1/0/3
>  description Trunk to rtr1.
>  switchport trunk allowed vlan 10
>  switchport mode trunk
>  switchport nonegotiate
> !
> !
> interface Vlan1
>  no ip address
>  no ip route-cache
> !
> interface Vlan10
>  ip address x.x.x.x 255.255.255.0
>  no ip route-cache
> !
> ip default-gateway y.y.y.y
> no ip http server
> no ip http secure-server
> logging trap notifications
> logging source-interface Vlan10
> logging x.x.x.x
> access-list 22 remark SSH access list
> access-list 22 permit x.x.x.x 0.0.0.255
> access-list 22 deny   any log
>
> snmp-server community xxxx RO
> snmp-server location xx
> snmp-server contact noxc at xxx.com
>
> tacacs-server host x.x.x.x
> tacacs-server timeout 2
> tacacs-server directed-request
> tacacs-server key key 7 <removed this >
> !
> control-plane
> !
> !
> line con 0
>  session-timeout 60
>  exec-timeout 60 0
>  login authentication CONSOLE
> line vty 0 4
>  session-timeout 60
>  access-class 22 in
>  exec-timeout 60 9
>  history size 256
>  transport input ssh
> line vty 5 15
>  session-timeout 60
>  access-class 22 in
>  exec-timeout 60 9
>  history size 256
>  transport input ssh
> !
> ntp server x.x.x.x
> end
>
>
> Any ideas?
>
> Thanks, George!
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


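The quoted config is meant to survive an unreachable TACACS+ server by falling back to local methods. The script below is an audit added to this archive page; it is not from either poster. It parses the AAA method lists and the console line out of a running-config and reports what a dead server would leave you with: lists with no fallback method, a `local` fallback with no `username` configured, an `enable` fallback with no `enable secret`/`enable password`, a console `login authentication` list that is never defined, and whether `aaa authorization console` (the IOS command that controls whether AAA authorization is applied to the console line; check your platform's documented default) is present. The two embedded configs are constructed: SAMPLE_CONFIG is the AAA-relevant part of the posted config with the poster's placeholders kept, and BAD_CONFIG is a deliberately broken counter-example. Function and finding-code names are the script's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AAA-relevant lines of the config posted above,
# with the poster's x.x.x.x / <removed> placeholders kept.
SAMPLE_CONFIG = """\
username xxxx secret 5 <removed>
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server timeout 2
tacacs-server key 7 <removed>
line con 0
 exec-timeout 60 0
 login authentication CONSOLE
line vty 0 4
 access-class 22 in
 transport input ssh
"""

# Constructed counter-example: exec authorization with no fallback, a 'local'
# fallback with no local user, and a console line using an undefined list.
BAD_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization console
enable secret 5 <removed>
line con 0
 login authentication OOB
"""

# Methods that do not need a reachable server.
FALLBACKS = {"local", "local-case", "enable", "line", "none"}

AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication (?:login|enable)|authorization (?:exec|commands \d+))"
    r" (?P<name>\S+) (?P<methods>.+)$"
)


@dataclass
class MethodList:
    kind: str      # e.g. "authorization commands 15"
    name: str      # "default" or a named list such as "CONSOLE"
    methods: list  # e.g. ["group tacacs+", "local"], in the order IOS tries them


def parse_method_lists(config):
    """Return every AAA login/enable/authorization method list in the config."""
    lists = []
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        tokens, methods, i = m.group("methods").split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):  # "group tacacs+" is one method
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists.append(MethodList(m.group("kind"), m.group("name"), methods))
    return lists


def console_login_list(config):
    """Name of the 'login authentication' list under 'line con 0' ('default' if none)."""
    in_con = False
    for raw in config.splitlines():
        if raw.startswith("line "):
            in_con = raw.startswith("line con ")
        elif in_con:
            m = re.match(r"\s+login authentication (\S+)$", raw)
            if m:
                return m.group(1)
    return "default"


def audit(config):
    """Return (code, message) findings for an AAA config that must work with the TACACS+ server down."""
    findings = []
    lists = parse_method_lists(config)
    has = lambda pat: re.search(pat, config, re.M) is not None
    for ml in lists:
        if ml.methods and ml.methods[0].startswith("group") and not (set(ml.methods) & FALLBACKS):
            findings.append(("NO_FALLBACK", f"aaa {ml.kind} {ml.name}: server methods only, nothing to fall back to"))
    if any("local" in ml.methods for ml in lists) and not has(r"^username \S+ (secret|password) "):
        findings.append(("NO_LOCAL_USER", "a list falls back to 'local' but no username is configured"))
    if any("enable" in ml.methods for ml in lists) and not has(r"^enable (secret|password) "):
        findings.append(("NO_ENABLE_SECRET", "a list falls back to 'enable' but no enable secret/password is configured"))
    if not has(r"^aaa authorization console$"):
        findings.append(("NO_AUTHZ_CONSOLE", "'aaa authorization console' is not configured; this command controls whether AAA authorization is applied to the console line"))
    con_list = console_login_list(config)
    if not any(ml.kind == "authentication login" and ml.name == con_list for ml in lists):
        findings.append(("UNDEFINED_LIST", f"line con 0 uses login list '{con_list}', which is not defined"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("bad config", BAD_CONFIG)):
        print(f"== {label}")
        for code, msg in audit(cfg):
            print(f"  {code}: {msg}")
```

Run against the posted config it reports that the `enable` fallback has no `enable secret` behind it and that `aaa authorization console` is absent; every method list does carry a `local` fallback, so whatever is failing in the thread is not a missing fallback method in the lists themselves. Feed it `show running-config` output from a box before cutting over to TACACS+ and fix any NO_FALLBACK or NO_LOCAL_USER finding first, since those are what lock you out of out-of-band access when the server is unreachable.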