Troubleshooting Tacacs Authorization Command Issue on Cisco ASA 9.x

1. Objective


This tutorial explains how to recover when a Cisco ASA firewall locks you out after the TACACS+ command authorization command is applied, and what has to be configured first so that the lockout does not happen again.

2. Problem Description


After applying the TACACS+ command authorization command, the Cisco ASA answers every command with the error message “Command authorization failed” and nothing can be executed any more. Login to the ASA still succeeds as normal, both over remote SSH and on the direct console, but no command is accepted after login. The failure is identical for both access paths.

Direct Console to the Cisco ASA Firewall

Remote SSH to the Cisco ASA Firewall

When we then tried to cut the ASA off from the TACACS+ security server so that authorization would fall back to the local database, we got a second error message: “Fallback authorization. Username ‘enable_15’ not in LOCAL database Command authorization failed”. The ASA treats a session that entered privileged mode with the local enable password as the user enable_15, and because that user did not exist in the local database the LOCAL fallback could not authorize any command either.

Direct Console to the Cisco ASA Firewall

Remote SSH to the Cisco ASA Firewall

3. Problem Resolution


To recover, reboot the Cisco ASA firewall. Because the configuration had not been saved (no write memory), the TACACS+ command authorization command is gone after the reload and commands execute normally again. This recovery only works while the change is unsaved, so never save a freshly applied authorization command before you have verified it from a second session. To make TACACS+ command authorization work, two things must be in place before the authorization command is applied: privilege levels assigned to commands with the privilege command, and a local user named enable_15, which is the identity the ASA uses for a session that entered privileged mode with the local enable password. Without these mandatory steps you will be locked out as described above. The password 3333 in the example is only a placeholder; use a strong password for this account, since it is a privilege 15 login in the local database.

# privilege show level 5 mode configure command filter
# username enable_15 password 3333 privilege 15

The exec authorization command needs the auto-enable option for server-side authorization to take effect. With auto-enable, a user who logs in over SSH and is authenticated by the TACACS+ server is placed directly into privileged EXEC at the privilege level the server returns, without typing enable. If the user instead types enable from user EXEC mode (the > prompt) and authenticates with the local enable password, the session gets the local privilege level and the local identity enable_15 rather than the identity and level assigned by the TACACS+ server. That is why centralized command authorization through the TACACS+ server appears not to work when users enable manually.

# aaa authorization exec authentication-server auto-enable
# aaa authorization command TS-AAA LOCAL
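The complete lockout-safe configuration sequence, as an added example that is not from the original page. It uses the server group name TS-AAA and the two commands from the page, and assumes a TACACS+ server reachable on the inside interface at 10.0.0.5 with a shared key, a second local admin account, and a TACACS+ user profile that returns priv-lvl=15; the address, interface name, key and password placeholders are assumptions for illustration. The order matters: fallback identities and server group first, command authorization last, write memory only after a second session has been verified.

```text
! 1. Define the TACACS+ server group first (group name from the page;
!    address, interface and shared key are placeholders for this example).
aaa-server TS-AAA protocol tacacs+
aaa-server TS-AAA (inside) host 10.0.0.5
 key <shared-secret>
!
! 2. Local fallback identities. enable_15 is the name the ASA uses for a
!    session that entered privileged mode with the local enable password;
!    without it the LOCAL fallback fails with "not in LOCAL database".
!    A normal local admin (assumed name) covers the case where the
!    TACACS+ server is unreachable.
username enable_15 password <strong-password> privilege 15
username admin password <strong-password> privilege 15
!
! 3. Command privilege levels for local command authorization
!    (the page's example: show filter in configure mode at level 5).
privilege show level 5 mode configure command filter
!
! 4. Authenticate management sessions against TACACS+ with LOCAL fallback.
aaa authentication ssh console TS-AAA LOCAL
aaa authentication enable console TS-AAA LOCAL
!
! 5. Put server-authenticated users straight into privileged EXEC at the
!    level the server returns (priv-lvl=15), so nobody types enable by hand.
aaa authorization exec authentication-server auto-enable
!
! 6. Only now enable command authorization, always with the LOCAL fallback.
aaa authorization command TS-AAA LOCAL
!
! 7. Keep this session open, open a second SSH session, log in as a TACACS+
!    user and confirm that show and configure commands are accepted.
!    If they fail, back the change out from the still-open session:
!      no aaa authorization command TS-AAA LOCAL
! Only after the second session works:
write memory
```

Authenticating enable against the server group (step 4) means that a user who does type enable is re-authenticated as the same TACACS+ user rather than becoming enable_15, which keeps command authorization tied to the server-side identity even when auto-enable is not used.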