Weird privilege problem

Ok, I'm new to this so bear with me.

When I connect to one of our switches running IOS 12.0 via the console, I am able to type commands normally.

However, when I log in on a VTY via telnet, the login is successful but almost any command I type results in a "Command authorization failed." I can check my privilege level, however, and it says I am level 15.

Can anyone point me in the right direction?

Our lines are configured thusly:

!
line con 0
 exec-timeout 99 0
 privilege level 15
 password
 transport input none
 stopbits 1
line vty 0 2
 access-class 112 in
 exec-timeout 4 30
 password
line vty 3 4
 access-class 101 in
 password
line vty 5 15
 access-class 10 in
!

Reply to
GregG

GregG wrote in news:cc7030c6-22a1-4ce7-b604- snipped-for-privacy@x41g2000hsb.googlegroups.com:

Hi Greg

What does your aaa section say about authorization of commands?

Regards, Lars C. CCIE #20292

Reply to
Lars Christensen

Thanks, Lars.

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated

So, it's a tacacs problem, right?

Reply to
GregG

Yes... At least it looks like it at this point. You should check your TACACS server to be sure the username you login with is authorized to perform the commands you are trying.

-JC

Reply to
J.Cottingim

Per your AAA config, TACACS is used for authorization. The privilege level you have specified on the VTYs is only used if TACACS is not working. I also see from your config that you have different access-classes applied to each of the VTY groups. This is not good practice and very poor security. The lowest available VTY is always used for new telnet connections. VTY 0 is always used, unless someone else is already logged in. The second logged-in person will use VTY 1. Now if the user on VTY 0 logs out, the third person to log in will again use VTY 0.

Reply to
Thrill5
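The VTY behaviour Thrill5 describes, modelled as an added Python example (not from the thread): the line-to-ACL mapping is the one in the posted config, while the contents of access-lists 10, 101 and 112 are constructed assumptions, since the thread does not show them.

```python
"""Thrill5's point: a new telnet session takes the lowest free VTY, and each VTY
range on the posted switch has a different access-class, so the ACL a client is
checked against depends on how many sessions are already open."""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for access-lists 112, 101 and 10 (contents are NOT from
# the thread; only the line-to-ACL mapping in VTY_RANGES is from the post).
ACLS = {
    112: [ip_network("10.1.0.0/24")],                             # line vty 0 2
    101: [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")],  # line vty 3 4
    10:  [ip_network("0.0.0.0/0")],                               # line vty 5 15
}
VTY_RANGES = [(0, 2, 112), (3, 4, 101), (5, 15, 10)]  # (first, last, access-class)

def acl_for_vty(vty):
    """Access-class applied to a given VTY, per the posted 'line vty' ranges."""
    for first, last, acl in VTY_RANGES:
        if first <= vty <= last:
            return acl
    raise ValueError(f"no vty {vty}")

def permitted(acl, src):
    """True if the source address matches a permit entry in the named ACL."""
    return any(ip_address(src) in net for net in ACLS[acl])

class Switch:
    def __init__(self):
        self.sessions = {}  # vty number -> source address of the logged-in user

    def telnet(self, src):
        """Assign the lowest free VTY; return it, or None if its access-class denies."""
        free = [v for v in range(16) if v not in self.sessions]
        if not free:
            return None  # all 16 VTYs busy
        vty = free[0]
        if not permitted(acl_for_vty(vty), src):
            return None
        self.sessions[vty] = src
        return vty

    def logout(self, vty):
        self.sessions.pop(vty, None)

def demo():
    """Same outside host, same switch: denied when idle, admitted once vty 0-4 are busy."""
    sw = Switch()
    first = sw.telnet("192.0.2.5")                              # vty 0 -> ACL 112 denies
    admins = [sw.telnet(f"10.1.0.{i}") for i in range(1, 6)]    # admins occupy vty 0-4
    later = sw.telnet("192.0.2.5")                              # vty 5 -> ACL 10 permits
    return first, admins, later
```

The effective access policy is therefore the most permissive of the three ACLs, reached simply by waiting until the lower VTYs are occupied, which is why one access-class on all VTY lines is the usual recommendation.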

Thanks for your help, everyone. We've got it working now.

Question: We're using ACS on a windows box and configuring it via a web browser interface, which is really really clunky. Is there a plain config file on the server itself that we can modify directly? Seems like that would be easier. If so, where would it be located?

Thanks again.
Reply to
GregG

I know of no CLI interface to ACS, other than CSUTIL, whose functionality is very limited. The user interface on ACS, while not perfect, is not clunky by any means. The biggest failing of ACS is that users can belong to only a single group. In large deployments, this makes user setup very difficult.

Reply to
Thrill5

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.