No Command Authorization for show run

Dave93 — Fri, 15 Feb 2019 05:47:28 GMT

Although Username has Privilege 15, show run command does not have authorization

All other commands works.

Below are AAA commands configured on switch.

========

username admin privilege 15 secret 5 xxx
username netadmin privilege 15 secret 5 xxx

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec always if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

=================

Re: No Command Authorization for show run

hslai — Sat, 16 Feb 2019 02:44:28 GMT

You seem missing

aaa authorization commands 1 default group tacacs+ if-authenticated

and,

aaa accounting commands 1 default start-stop group tacacs+

Also check the AAA logs. If using ISE as the T+ server, check ISE T+ Live Logs and verify the command sets assigned to the user.

topic Re: No Command Authorization for show run in Network Access Control

No Command Authorization for show run

Re: No Command Authorization for show run