aaa authorization commands levels

mactej6228
Level 1

I configured the following commands on my router:

R1(config)# aaa new-model

R1(config)# tacacs-server host 172.16.178.3 key xxxxxx

R1(config)# ip tacacs source-int fa0/1

R1(config)# aaa authentication login forCONSOLE group tacacs

R1(config)# aaa authorization console

R1(config)# aaa authorization config-commands

R1(config)# aaa authorization commands 15 forCONSOLE group tacacs

R1(config)# line con 0

R1(config-line)# login authentication forCONSOLE

R1(config-line)# authorization commands 15 forCONSOLE

What is the use of the number "15"? Does it mean privilege level 15? If so, why is it that when I logged in to my router I got an error "command authorization failed" for the "configure terminal" command?


Tariq Bader
Cisco Employee

You are configuring per command authorization with tacacs.

Have you specified a command authorization set that makes sure to permit the config terminal command for the login user?

Tariq

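A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from the posts, from IOS, or from ACS: `aaa authorization commands 15` sends every level-15 command to the TACACS+ server, and the server denies anything its command set for that user does not permit. The user names, the command sets, and the level table are constructed for the example.

```python
import re

# Constructed sample: default privilege level of a few IOS commands
# ("privilege exec level" can move commands between levels).
COMMAND_LEVEL = {"configure": 15, "show": 1, "enable": 0, "exit": 0}

# Levels covered by an "aaa authorization commands <level> ..." line on the
# router. The configuration in the question covers level 15 only.
AUTHORIZED_LEVELS = {15}

# Hypothetical command sets held on the TACACS+ server, keyed by user.
# Each entry is (command, regex for the arguments); every entry is a permit.
COMMAND_SETS = {
    "operator": [("show", r".*")],
    "netadmin": [("show", r".*"), ("configure", r"terminal")],
}


def server_decision(user, command, args):
    """Permit only if some entry matches; no match means deny."""
    for allowed_cmd, arg_pattern in COMMAND_SETS.get(user, []):
        if allowed_cmd == command and re.fullmatch(arg_pattern, args):
            return True
    return False


def run_command(user, line):
    """Return what the router does with a typed command line.

    Assumption: the user is already at a privilege level high enough
    to reach the command; only command authorization is modelled.
    """
    command, _, args = line.strip().partition(" ")
    level = COMMAND_LEVEL.get(command)
    if level is None:
        return "unknown command"
    if level not in AUTHORIZED_LEVELS:
        # No authorization list for this level, so the server is not asked.
        return "executed (level %d not sent to TACACS+)" % level
    if server_decision(user, command, args.strip()):
        return "executed (permitted by command set)"
    return "command authorization failed"


if __name__ == "__main__":
    for user in ("operator", "netadmin"):
        for line in ("show version", "configure terminal"):
            print(user, "|", line, "->", run_command(user, line))
```

In this model "operator" reproduces the error from the question: the account can log in, but "configure terminal" is a level-15 command, so it is sent to the server and rejected because no entry permits it.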

Thanks Tariq,

So you mean that each level, say from 0 to 15, has a different set of commands? Example:

level 0: has a command set > enable / call / exit

level 1: enable / conf

level 2:

Because on each level we can modify the commands using the "privilege exec level" command. How do I specify a command authorization set? Am I going to set it in the ACS server, or in the local router using the "privilege exec level" command? Can you show me the step-by-step procedure on how to do this? Because I'm new to this.