https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874201#M300187 <HTML><HEAD></HEAD><BODY><P>You are right.&nbsp; For shell to authorise configuration commands, "aaa authorization config-commands" is a must.&nbsp; It provides you more granular control for configuration commands.</P><P></P><P>regards/bsn</P></BODY></HTML> Mon, 06 Feb 2012 06:57:14 GMT Bharat Negi 2012-02-06T06:57:14Z https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874200#M300136 <P>I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.</P><P></P><P>&nbsp; &gt;&gt; Shell Command Authorization Sets</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Name: Restricted_Voice</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Description: Configure port voice vlan only.</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Unmatched Commands: Deny</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Add: enable</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Add: configure / permit terminal &lt;cr&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Add: interface / permit Gi*</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Add: interface / permit Fa*</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Add: switchport / permit voice vlan *</P><P></P><P>My switch configuration has the following aaa authorization related lines:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa authorization commands 1 default group tacacs+ if-authenticated</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa authorization commands 15 default group tacacs+ if-authenticated</P><P></P><P>When I tested the Shell Set, I noticed that all (config) mode commands were allowed (ie description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration did my Shell Set began working as I expected it to be.</P><P></P><P>I went and read up the command reference for "aaa authorization config-commands" in </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587" target="_blank">http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587</A><SPAN>.</SPAN></P><P></P><P>My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.</P><P></P><P>It looks like I resolved my issue and need to add the new statement to all my switches, I'm wondering if someone can help clarify the usage guidelines for me.&nbsp; I'm I one of the few or only one that misinterpreted these "aaa authorization" commands?</P> Mon, 11 Mar 2019 01:47:45 GMT https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874200#M300136 axa-wongjeff 2019-03-11T01:47:45Z https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874201#M300187 <HTML><HEAD></HEAD><BODY><P>You are right.&nbsp; For shell to authorise configuration commands, "aaa authorization config-commands" is a must.&nbsp; It provides you more granular control for configuration commands.</P><P></P><P>regards/bsn</P></BODY></HTML> Mon, 06 Feb 2012 06:57:14 GMT https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874201#M300187 Bharat Negi 2012-02-06T06:57:14Z https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874202#M300236 <HTML><HEAD></HEAD><BODY><P>Command authorization on level 15 does not affect the global configuration mode and</P><P>its submodes unless "aaa authorization config-commands" is configured </P><P></P><P>HTH</P></BODY></HTML> Sun, 22 Jul 2012 15:45:34 GMT https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874202#M300236 hkhrais 2012-07-22T15:45:34Z https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874203#M300256 <HTML><HEAD></HEAD><BODY><P>Hi Axa,</P><P></P><P>I have a similar setup and have full Exec Level permissions using only <STRONG>aaa authorization commands</STRONG><EM> level method</EM></P><P><EM> </EM></P><P>The below is taken from cisco.com and explains that you should not require the<EM> </EM></P><P><A name="wp1017533"></A><STRONG>aaa authorization config-commands </STRONG>unless you have at some point used the <STRONG>no aaa authorization config-commands</STRONG> command to prevent configuration commands from the Exec User</P><P></P><P>This in essense is a hidden configured default i.e.you switch on auth for config-commands automatically when you use the <STRONG>aaa authorization commands</STRONG><EM> level method </EM>command!</P><P></P><P></P><P></P><P></P><P>From Cisco.com (I have underlined the key points)</P><H2>aaa authorization config-commands </H2><P><A name="wpmkr1017531"></A><A name="wp1017532"></A>To disable AAA configuration command authorization in the EXEC mode, use the <STRONG>no</STRONG> form of the <STRONG>aaa authorization config-commands </STRONG>global configuration command. <SPAN style="text-decoration: underline;">Use the standard form of this command to reestablish the default created when the aaa authorization commands<EM> level method1 </EM>command was issued</SPAN>. </P><P></P><P><A name="wp1017533"></A><STRONG>aaa authorization config-commands </STRONG></P><P><A name="wp1017534"></A><STRONG>no aaa authorization config-commands </STRONG></P><H3><A name="wp1017535"></A>Syntax Description </H3><P><A name="wp1017536"></A>This command has no arguments or keywords. </P><H3><A name="wp1017537"></A>Defaults </H3><P><A name="wp1017538"></A>After the <STRONG>aaa authorization commands</STRONG><EM> level method</EM> has been issued, this command is enabled by default—meaning that <SPAN style="text-decoration: underline;">all configuration commands in the EXEC mode will be authorized. </SPAN></P><H3>Usage Guidelines </H3><P><A name="wp1017552"></A><SPAN style="text-decoration: underline;">If <STRONG>aaa authorization commands </STRONG><EM>level method </EM>is enabled, all commands, including configuration commands, are authorized by AAA using the method specified</SPAN>. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using <STRONG>no aaa authorization config-commands</STRONG> stops the network access server from attempting configuration command authorization. </P><P><A name="wp1017553"></A>After the <STRONG>no</STRONG> form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the <STRONG>no</STRONG> form of this command because it potentially reduces the amount of administrative control on configuration commands. </P><P><A name="wp1017554"></A><SPAN style="text-decoration: underline;">Use the <STRONG>aaa authorization config-commands command</STRONG> if, after using the no form of this command, you need to reestablish the default set by the <STRONG>aaa authorization commands </STRONG><EM>level method</EM> command. </SPAN></P><H3><A name="wp1017555"></A>Examples </H3><P><A name="wp1017556"></A>The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled: </P><PRE><A name="wp1017557"></A>aaa new-model</PRE><PRE><A name="wp1017558"></A>aaa authorization command 15 tacacs+ none</PRE><PRE><A name="wp1017559"></A>no aaa authorization config-commands</PRE></BODY></HTML> Tue, 02 Oct 2012 09:26:05 GMT https://community.cisco.com/t5/network-access-control/command-confusion-aaa-authorization-config-commands/m-p/1874203#M300256 david.mitchell 2012-10-02T09:26:05Z