topic aaa authorization in Network Access Control https://community.cisco.com/t5/network-access-control/aaa-authorization/m-p/3986432#M442204 <P>Hi,</P><P class="p1"><SPAN class="s1">aaa authorization config-commands</SPAN></P><P class="p1"><SPAN class="s1">aaa authorization exec default group tacacs+ local </SPAN></P><P class="p1"><SPAN class="s1">aaa authorization commands 0 default group tacacs+ local </SPAN></P><P class="p1"><SPAN class="s1">aaa authorization commands 10 default group tacacs+ local </SPAN></P><P class="p1"><SPAN class="s1">aaa authorization commands 15 default group tacacs+ local </SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">Am I missing any commands from the above. What if tacacs (ise failed ), All the commands will be authorized ? .</SPAN></P><P class="p1"><SPAN class="s1">I want users will be able to login and enter commands in case&nbsp; tacacs failed ?</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">Thanks</SPAN></P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P> Fri, 21 Feb 2020 19:12:00 GMT elite2010 2020-02-21T19:12:00Z aaa authorization https://community.cisco.com/t5/network-access-control/aaa-authorization/m-p/3986432#M442204 <P>Hi,</P><P class="p1"><SPAN class="s1">aaa authorization config-commands</SPAN></P><P class="p1"><SPAN class="s1">aaa authorization exec default group tacacs+ local </SPAN></P><P class="p1"><SPAN class="s1">aaa authorization commands 0 default group tacacs+ local </SPAN></P><P class="p1"><SPAN class="s1">aaa authorization commands 10 default group tacacs+ local </SPAN></P><P class="p1"><SPAN class="s1">aaa authorization commands 15 default group tacacs+ local </SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">Am I missing any commands from the above. What if tacacs (ise failed ), All the commands will be authorized ? .</SPAN></P><P class="p1"><SPAN class="s1">I want users will be able to login and enter commands in case&nbsp; tacacs failed ?</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">Thanks</SPAN></P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">&nbsp;</P> Fri, 21 Feb 2020 19:12:00 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization/m-p/3986432#M442204 elite2010 2020-02-21T19:12:00Z Re: aaa authorization https://community.cisco.com/t5/network-access-control/aaa-authorization/m-p/3986498#M442205 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/306677">@elite2010</a>&nbsp;,</P> <P>&nbsp;</P> <P>Assuming you already have the aaa authentication commands in place, I have a small suggestion:</P> <P>&nbsp;</P> <P><SPAN>aaa authorization commands <STRONG>10</STRONG> default group tacacs+ local&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Change it to:</SPAN></P> <P>&nbsp;</P> <P><SPAN>aaa authorization commands <STRONG>1</STRONG> default group tacacs+ local&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Once you configure (one or more) privilege level 15 user, locally on the switch, it will work fine in case of TACACS server going unresponsive.</P> Wed, 20 Nov 2019 10:34:15 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization/m-p/3986498#M442205 Anurag Sharma 2019-11-20T10:34:15Z