https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289044#M333522 <HTML><HEAD></HEAD><BODY><P>It seems that you are missing this command,</P><P></P><P>aaa authorization config-command</P><P></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Tue, 10 Nov 2009 16:23:25 GMT Jagdeep Gambhir 2009-11-10T16:23:25Z https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289043#M333510 <P>I'm trying to set up an authorization set to restrict users to certain commands. However, it seems like it works for some commands, but not for others.</P><P></P><P>In ENABLE mode, the auth set seems to work properly. However, once I get into CONFIG mode, it no longer works. I can run any command.</P><P></P><P>What am I missing that could be causing this?</P><P></P><P>Also, note that I have this auth set assigned to a group.</P><P></P><P>Thanks.</P><P></P><P>Jason</P> Sun, 10 Mar 2019 23:47:14 GMT https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289043#M333510 jason.williams 2019-03-10T23:47:14Z https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289044#M333522 <HTML><HEAD></HEAD><BODY><P>It seems that you are missing this command,</P><P></P><P>aaa authorization config-command</P><P></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Tue, 10 Nov 2009 16:23:25 GMT https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289044#M333522 Jagdeep Gambhir 2009-11-10T16:23:25Z https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289045#M333552 <HTML><HEAD></HEAD><BODY><P>That might be it, the command isn't there.</P><P></P><P>I'll try it and let you know if that was it.</P><P></P><P>Thanks.</P><P></P><P>Jason</P></BODY></HTML> Tue, 10 Nov 2009 16:43:25 GMT https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289045#M333552 jason.williams 2009-11-10T16:43:25Z https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289046#M333626 <HTML><HEAD></HEAD><BODY><P>Adding </P><P></P><P>aaa authorization config-command </P><P></P><P>worked.</P><P></P><P>However, I've got another issue (I think).</P><P></P><P>Other groups have "none" selected for the auth sets. When I log in as a user in one of those groups, I get an access denied error when I enter ANY command.</P><P></P><P>The only way that I've been able to work around this is to set the group to use group based command sets and permit everything.</P><P></P><P>Is there something else that I missed or is this necessary?</P><P></P><P>Here are my current AAA settings:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login no_tacacs local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ none</P><P>aaa authorization exec no_tacacs none</P><P>aaa authorization config-command</P><P>aaa authorization commands 0 default group tacacs+ if-authenticated</P><P>aaa authorization commands 1 default group tacacs+ if-authenticated</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting system default start-stop group tacacs+</P><P></P><P>Thanks.</P><P></P><P>Jason</P><P></P><P></P></BODY></HTML> Tue, 10 Nov 2009 18:37:36 GMT https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289046#M333626 jason.williams 2009-11-10T18:37:36Z https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289047#M333659 <HTML><HEAD></HEAD><BODY><P>Expected behavior, since we have seleted none in the authorization set...that is = no access.</P><P></P><P>You need to make a new set for limited group allowing certain commmands.</P><P></P><P>Check this link,</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts </P></BODY></HTML> Tue, 10 Nov 2009 18:45:57 GMT https://community.cisco.com/t5/network-access-control/authorization-set-not-working-properly/m-p/1289047#M333659 Jagdeep Gambhir 2009-11-10T18:45:57Z