
AAA authorization not working



Configured the switch for AAA authentication; it's getting authenticated but it's failing for authentication.

When connected to the console it worked: authenticated and then supplied the enable password.

When telnetted, it says "access approved" and "authorization failed".

The relevant switch configuration is as follows, along with the debug of AAA authorization.


no service single-slot-reload-enable

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/

username cisco privilege 15 password 7 05080F1C224233 
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
  switchport access vlan 10
  switchport mode access
  no ip address
  spanning-tree portfast
interface GigabitEthernet0/1
  no ip address
interface GigabitEthernet0/2
  no ip address
interface Vlan1
  no ip address
interface Vlan120
  ip address
ip default-gateway
ip classless
ip http server
radius-server host auth-port 1812 acct-port 1813
radius-server host auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
  password 7 grrfcb7swe
  transport input telnet
line vty 5 15

Debug output :


21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='' authen_type=ASCII service=LOGIN priv=1

Do we need to change anything on the RADIUS server, or can we change the authorization preference to local and then to RADIUS?

Please share the experience.

Thanks in advance,


1 Reply 1

Karthik Chandran

Hi Subodh,

I understand that you are trying to use command authorization using RADIUS.

aaa authorization commands 15 default group radius if-authenticated local

Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.

Please refer to the following link:

You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.


Karthik Chandran

*kindly rate helpful post*
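
An added example, not part of the original thread: a small Python check that parses the "aaa authorization" lines of a switch configuration and flags command-authorization method lists that point at RADIUS, which the reply above says is not supported. The sample configuration is constructed from the AAA lines posted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: the AAA lines from the configuration posted in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
"""

AUTHOR_RE = re.compile(
    r"^aaa authorization (?P<kind>exec|commands)(?: (?P<level>\d+))? "
    r"(?P<list>\S+) (?P<methods>.+)$"
)

def parse_methods(text):
    """Split 'group radius if-authenticated local' into ordered methods."""
    tokens = text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])  # keep 'group <name>' together
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_authorization(config):
    """Return (parsed method lists, findings) for 'aaa authorization' lines."""
    parsed, findings = [], []
    for raw in config.splitlines():
        m = AUTHOR_RE.match(raw.strip())
        if not m:
            continue  # e.g. 'aaa authorization config-commands' has no method list
        entry = {
            "kind": m["kind"],
            "level": int(m["level"]) if m["level"] else None,
            "list": m["list"],
            "methods": parse_methods(m["methods"]),
        }
        parsed.append(entry)
        if entry["kind"] == "commands" and "group radius" in entry["methods"]:
            findings.append(f"commands {entry['level']} list '{entry['list']}' uses group radius")
    return parsed, findings

if __name__ == "__main__":
    print(audit_authorization(SAMPLE_CONFIG)[1])
```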
