
AAA authorization not working


Configured the switch for AAA authentication; it's getting authenticated but it's failing for authentication.

When connected to the console it worked: authenticated and then supplied the enable password.

When telnetted, it says "access approved" and "authorization failed".

The relevant switch configuration is as follows, along with the debug of AAA authorization.


no service single-slot-reload-enable

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/

username cisco privilege 15 password 7 05080F1C224233 
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
  switchport access vlan 10
  switchport mode access
  no ip address
  spanning-tree portfast
interface GigabitEthernet0/1
  no ip address
interface GigabitEthernet0/2
  no ip address
interface Vlan1
  no ip address
interface Vlan120
  ip address
ip default-gateway
ip classless
ip http server
radius-server host auth-port 1812 acct-port 1813
radius-server host auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
  password 7 grrfcb7swe
  transport input telnet
line vty 5 15

Debug output :


21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='' authen_type=ASCII service=LOGIN priv=1

Do we need to change anything on the RADIUS server, or can we change the authorization preference to local and then to RADIUS?

Please share your experience.

Thanks in advance,


Karthik Chandran

Hi Subodh,

I understand that you are trying to use command authorization using RADIUS.

aaa authorization commands 15 default group radius if-authenticated local

Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.

Please refer to the following link:

You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.


Karthik Chandran

*kindly rate helpful post*
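Added example, not part of the original posts: a Python helper that reads the `debug aaa` output and the configuration quoted in the question, reports which AAA phase ended in FAIL and with which method, and lists config lines that send command authorization to RADIUS, which the reply says RADIUS does not support. The function names are hypothetical, and the inputs are excerpts of the lines posted above.

```python
import re
# Constructed inputs: debug and config lines excerpted from the post above.
DEBUG = """\
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
"""
CONFIG = """\
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
"""

TAG = re.compile(r"AAA/(AUTHEN|AUTHOR)(?:/(\w+))?\s+\((\d+)\):\s+(.*)")

def summarize_debug(text):
    """Group 'debug aaa' lines by session id; keep phase, kind, method, last status."""
    sessions = {}
    for line in text.splitlines():
        m = TAG.search(line)
        if not m:
            continue  # lines without a session id, e.g. the final FAILED banner
        phase, kind, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"phase": phase, "kind": None,
                                      "method": None, "status": None})
        if phase == "AUTHOR" and kind:
            s["kind"] = kind  # EXEC (shell start) vs. per-command authorization
        if (mm := re.search(r"Method=(\S+)", msg)):
            s["method"] = mm.group(1)
        if (ms := re.search(r"status = (\w+)", msg)):
            s["status"] = ms.group(1)  # last status seen wins (GETPASS -> PASS)
    return list(sessions.values())

def failed_phases(sessions):
    """Return (phase, kind, method) for every session whose final status is FAIL."""
    return [(s["phase"], s["kind"], s["method"])
            for s in sessions if s["status"] == "FAIL"]

def radius_command_authz(config):
    """Config lines that send per-command authorization to the RADIUS group."""
    pat = re.compile(r"^aaa authorization commands \d+ \S+ .*\bgroup radius\b")
    return [l.strip() for l in config.splitlines() if pat.match(l.strip())]

if __name__ == "__main__":
    print(failed_phases(summarize_debug(DEBUG)), radius_command_authz(CONFIG))
```

On the posted lines this separates the authentication session, which ends in PASS, from the EXEC authorization session, which ends in FAIL with method radius.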
