https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988994#M401304 <HTML><HEAD></HEAD><BODY><P>Andrew,</P><P>What you are getting is not a expected behavior. By default Command authorization is disabled on console port, so from console session it should not check for any authorization.</P><P></P><P>To enable it we need to use a hidden command on IOS aaa authorization console</P><P></P><P>It seems that you have not issued that command but still it is checking for the authorization.</P><P></P><P>This seems that we are hitting a bug here. Please check these bug CSCeb08860 &amp; CSCsg74428.</P><P></P><P>Pls consider upgrade or apply a work around described in bug.</P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Fri, 18 Jul 2008 07:00:55 GMT Jagdeep Gambhir 2008-07-18T07:00:55Z https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988990#M401300 <P>I have the following config on my switch...</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login CONSOLE line</P><P>aaa authorization config-commands</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization commands 1 default group tacacs+ if-authenticated</P><P>aaa authorization commands 10 default group tacacs+ if-authenticated</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated</P><P></P><P>The problem is that when I log into the switch via console port, and I enter these commands in, I instantly get "Command Authorization Failed" on any commands there after. It's mind boggling because there is no possible way the switch is talking to my Cisco ACS. I didn't even put in the tacacs-server key. I'm being forced to reboot the box each time. What am I missing?</P><P></P><P>Thank you for your time. I'm using IOS Version 12.2(25)SEB4.</P><P></P><P>-Andrew</P> Sun, 10 Mar 2019 22:58:58 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988990#M401300 spanglenuts 2019-03-10T22:58:58Z https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988991#M401301 <HTML><HEAD></HEAD><BODY><P>Hi </P><P>Before doing the tacacs configuration create one local user.</P><P>add the following commands.</P><P></P><P>username cisco password cisco</P><P>aaa new-model</P><P></P><P>aaa authentication login default group tacacs+ local </P><P>aaa authorization commands 1 default group tacacs+ if-authenticated </P><P>aaa authorization commands 15 default group tacacs+ if-authenticated </P><P>aaa authorization config-commands </P><P>tacacs-server host x.x.x.x</P><P>tacacs-server key ........</P><P></P><P></P><P>please score me if it help to you</P><P></P><P></P><P></P></BODY></HTML> Thu, 17 Jul 2008 13:24:27 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988991#M401301 chaitu_kranthi 2008-07-17T13:24:27Z https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988992#M401302 <HTML><HEAD></HEAD><BODY><P>Just so I'm clear, After I create a user account, should I only do the commands that you listed, or can I do all of my commands?</P><P></P><P>I'll make sure to score ya.</P><P></P><P>Thanks,</P><P>Andrew</P></BODY></HTML> Thu, 17 Jul 2008 13:38:34 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988992#M401302 spanglenuts 2008-07-17T13:38:34Z https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988993#M401303 <HTML><HEAD></HEAD><BODY><P>As per my concern those commands are enough.</P></BODY></HTML> Thu, 17 Jul 2008 13:52:44 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988993#M401303 chaitu_kranthi 2008-07-17T13:52:44Z https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988994#M401304 <HTML><HEAD></HEAD><BODY><P>Andrew,</P><P>What you are getting is not a expected behavior. By default Command authorization is disabled on console port, so from console session it should not check for any authorization.</P><P></P><P>To enable it we need to use a hidden command on IOS aaa authorization console</P><P></P><P>It seems that you have not issued that command but still it is checking for the authorization.</P><P></P><P>This seems that we are hitting a bug here. Please check these bug CSCeb08860 &amp; CSCsg74428.</P><P></P><P>Pls consider upgrade or apply a work around described in bug.</P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Fri, 18 Jul 2008 07:00:55 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-problem/m-p/988994#M401304 Jagdeep Gambhir 2008-07-18T07:00:55Z