topic aaa authorization commands levels in Network Access Control

aaa authorization commands levels

mactej6228 — Fri, 21 Feb 2020 18:27:35 GMT

I configured the ff. commands on my router:

R1(config)# aaa new-model

R1(config)# tacacs-server host 172.16.178.3 key xxxxxx

R1(config)# ip tacacs source-int fa0/1

R1(config)# aaa authentication login forCONSOLE group tacacs

R1(config)# aaa authorization console

R1(config)# aaa authorization config-commands

R1(config)# aaa authorization commands 15 forCONSOLE group tacacs

R1(config)# line con 0

R1(config-line)# login authentication forCONSOLE

R1(config-line)# authorization commands 15 forCONSOLE

What is the used of number "15"? Does it mean privilege level 15? if so, why is that when login through my router i got an error "command authorization failed" for "configure terminal" command?

Re:aaa authorization commands levels

Tariq Bader — Sat, 28 Jul 2012 15:42:03 GMT

You are configuring per command authorization with tacacs.

Have you specified command authorization set that make sure to permit the config terminal command for the login user?

Tariq

Sent from Cisco Technical Support Android App

Re: aaa authorization commands levels

mactej6228 — Sat, 28 Jul 2012 16:06:42 GMT

Thanks Tariq,

So you mean that per level say from 0 to 15 has different set of commands? example

level 0: has a command set > enable / call / exit

level 1: enable / conf

level 2:

because on each levels we can modify the commands using "privilege exec level" command. HOw to specify a command authorization set? Am i going to set it in the acs server? or in the local router using the "privilege exec level" command. Can you show me the step by step procedure on how to do this? becaue i'm new to this.

Re: aaa authorization commands levels

Tariq Bader — Tue, 31 Jul 2012 07:37:37 GMT

i think you can find your answers in this document:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Tariq