Got it

local authorization failure Highlighted

Latest reply: Oct 12, 2018 08:00:07 1606 5 12 0 1
[Problem Description]Customer have issue with SSH user rights (privilege level).

Whenever any user connects to switch by SSH with certificate he gets his privilege level from VTY configuration – not from local AAA settings.

[Problem Analysis] 

Let user provide diagnose information

check SSH Configuration is fine

ssh user v_lutyi

ssh user v_lutyi authentication-type rsa

ssh user v_lutyi assign rsa-key v_lutyi_rsa_key

ssh user v_lutyi service-type all

ssh user vit_lutyi

ssh user vit_lutyi authentication-type rsa


Check RSA due to user Rsa certification is fine 

rsa peer-public-key v_lutyi_rsa_key

 public-key-code begin




Check the aaa authentication and find the following privilege configured as 0.


 authentication-scheme default

 authentication-scheme radius

  authentication-mode radius

 authorization-scheme default

 accounting-scheme default

 local-aaa-user password policy administrator

  password history record number 0

  password expire 0

 domain default

  authentication-scheme radius

  radius-server default

 domain default_admin

  authentication-scheme default

 local-user admin password irreversible-cipher $1a$^k~:)_a5D~$}LmtLIOF$=Zr1B!w,w3Qg"nzPrFim$hm9"DL6&H=$

 local-user admin privilege level 15

 local-user admin service-type terminal http

 local-user v_lutyi password irreversible-cipher $1a$$IoD%bQG;N$h-N>'X.7(DSta68<E@JGsR2"VC*O2GgWr|Q0kyC,$

 local-user v_lutyi privilege level 0

 local-user v_lutyi service-type terminal ssh http


Found the following privilege is 0, try to modify to 15


user-interface con 0

 authentication-mode aaa

user-interface vty 0 4

 authentication-mode aaa

 protocol inbound all

user-interface vty 16 20

 authentication-mode aaa

 protocol inbound all


if the account is RSA authentication, you can only obtain the user level from vty, so you need to add command user privilege level 3   under vty.

[Root Cause]
f the account is RSA authentication, only can obtain the user level from vty
local authorization failure-2764967-1

This article contains more resources

You need to log in to download or view. No account? Register

  • x
  • convention:

Created Sep 29, 2018 05:52:49

I am very interested for this post, which is very helpful to our daily troubleshooting. I always have similar problems in my daily work, but I do not know how to deal with them. Now I have a clear idea. Thank you very much for your sharing. Hope you can update continue like this
View more
  • x
  • convention:

Created Sep 29, 2018 06:19:58

I am very interested for this post, which is very helpful to our daily troubleshooting. Is there a number of commands for the user authorization method? If all or none of the configurations are configured, the commands in that view take precedence. Or what is the default user privilege level, can you help explain it.
View more
  • x
  • convention:

Created Sep 29, 2018 06:38:50

Routers support the multi-route mode, which allows you to configure multiple routes with the same destination and preference. If the destinations and costs of multiple routes discovered by the same routing protocol are the same, load balancing can be performed among the routes.

During load balancing, a router forwards packets based on the packets' 5-tuple (source IP address, destination IP address, source port, destination port, and transport protocol). When the 5-tuple information is the same, the router always chooses the next-hop address that is the same as the last one to send packets. When the 5-tuple information is different, the router forwards packets over idle paths.

This post was last edited by SupperRobin at 2018-10-31 07:08.
View more
  • x
  • convention:

MVE Created Sep 29, 2018 17:34:07

Helpful information, thanks
View more
  • x
  • convention:

Created Oct 12, 2018 08:00:07

I had a similar case but the user was from RADIUS. Helpful!:)
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.