AAA authorization with ACS 3.2

hunleyb
Level 1

I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to certain commands (ex. show). I'm pretty sure my ACS box is set up correctly, but my devices aren't. Here is the current config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.
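The server side of what the original post asks for, as an added example that is not from this thread or from Cisco: a small Python model of a shell command authorization set (per-command permit/deny argument rules, a per-command "permit unmatched args" switch, and the set-level unmatched-commands decision), mapped to user groups. The set names, group names, users and the regex-based argument matching are assumptions for illustration only. The router only consults such a set for commands at privilege levels where `aaa authorization commands <level>` is configured, which is the device-side piece the thread goes on to discuss.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    """One command in a shell command authorization set.
    arg_rules are (action, regex) pairs tried in order against the
    argument string; permit_unmatched_args decides when none match."""
    command: str
    arg_rules: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class ShellCommandSet:
    name: str
    entries: list
    permit_unmatched_commands: bool = False  # ACS "Unmatched Commands" switch

    def authorize(self, command_line):
        """Decide on one fully expanded command line such as
        'show running-config' (IOS expands abbreviations before sending
        the authorization request, so 'sh run' arrives in this form)."""
        tokens = command_line.split()
        if not tokens:
            return False
        cmd, args = tokens[0], " ".join(tokens[1:])
        for entry in self.entries:
            if entry.command != cmd:
                continue
            for action, pattern in entry.arg_rules:  # first matching rule wins
                if re.search(pattern, args):
                    return action == "permit"
            return entry.permit_unmatched_args
        return self.permit_unmatched_commands


# Constructed sets (assumed names): the "show only" set the original post
# describes, with running-config withheld because it carries secrets,
# plus an unrestricted set for comparison.
READ_ONLY = ShellCommandSet(
    name="ReadOnly",
    entries=[
        CommandEntry("show", arg_rules=[("deny", r"^running-config")],
                     permit_unmatched_args=True),
        CommandEntry("exit", permit_unmatched_args=True),
    ],
    permit_unmatched_commands=False,
)
FULL = ShellCommandSet(name="Full", entries=[], permit_unmatched_commands=True)

# ACS applies one set per user group; users and groups here are constructed.
GROUP_SETS = {"netops-ro": READ_ONLY, "netops-admin": FULL}
USER_GROUPS = {"alice": "netops-ro", "bob": "netops-admin"}


def authorize_user(user, command_line):
    """Return True if the user's group set permits the command line."""
    cmd_set = GROUP_SETS.get(USER_GROUPS.get(user))
    if cmd_set is None:
        return False  # unknown user or group: fail closed
    return cmd_set.authorize(command_line)
```

With these sets, alice can run `show interfaces` but not `show running-config` or `configure terminal`, bob can run anything, and a user outside any group is refused.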

17 Replies

smalkeric
Level 6

This URL explains the configuration required for Command authorization,

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scftplus.htm .

hbeck
Level 1

I am running ACS 3.3, and am trying to figure out how to get this to work too. I have a user group set up in the software and have defined a Shell Command Authorization Set with deny anything not listed, but the user still has access to more than the specified commands.

According to the software documentation, I shouldn't have to configure the groups in the configs for the devices...

Any tips on making this work?

From TAC:

This is what is needed for command authorization.

# exec authorization
aaa authorization exec default group tacacs+ none

# command authorization
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none

# authorization for config level commands
aaa authorization config-commands


hbeck
Level 1
You're lucky. I used this config and it still doesn't work.. I authenticate fine, but authorization does not work.. I used your command, after doing a ton of research and unsuccessful trials... Anyway, having none at the end made sense until I tried it and it did not work =/ Maybe it's my server settings, I don't know. I configured a group with one user, and I set everything on the user to group control, then I configured the group to exec and wrote in priv level '1'

How did you get it??

Marek

I believe that the commands listed by Heather are correct. If you have not gotten authorization to work successfully perhaps you can post all of the aaa section of your config. If we can see it we may be able to make suggestions.

HTH

Rick


aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login level1 group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 0 default group tacacs+
aaa authorization commands 0 level1 group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 1 level1 group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization configuration default group tacacs+
aaa session-id common
ip subnet-zero
!
output cut
!
!
tacacs-server host 192.168.1.2
tacacs-server directed-request
tacacs-server key cisco
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!

I have tried the exact config he posted but then I switched back. What do you think, could it be that the ACS server is where the wrong configuration is?

thank you

Marek

While I do have some suggestions to make about your config I do not see anything that should prevent authorization from working. Perhaps you can be a bit more specific about how you have configured the server to support this.

I see that you have aaa authentication for login but not for enable. I would suggest that you also configure:

aaa authentication enable default group tacacs+ enable

I see that your authentication and authorization refer to level1 but I do not see where you apply level1 to any lines or anything. Perhaps you could clarify whether it is actually defined somewhere and if so where and how.

I see that except for your first aaa authentication login default which has a backup method that all of the other authentication and authorization have only primary method with no backup. I would suggest including a backup method to cover situations where the server is not available. I believe that none is a workable backup, but I prefer if-authenticated as the backup for authorization.

Can you verify that authentication is working ok and the only issue is with authorization. If authentication is working then we know that the parts of the config that identify the server are correct.

HTH

Rick


1. Authentication is working ok, with failover to the enable password in case the server is offline.

2. level1 is a group I have created on the server, maybe I'm not supposed to specify it on the client device but I was running out of ideas, and I'm having a hard time finding anything on authorization with the Secure ACS along with configs for both. I have gone through pages on this forum and I can't find specifically what I need. Obviously if I was more knowledgeable I wouldn't have to bother you guys.

3. Unless I erased it, I'm pretty sure authentication has a backup enable password authentication. Authorization used to have the secondary set to none like in his config but I changed it back because it did not work either.

4. The server has two groups configured, each one has one user. Each user, one for each group, authenticates. But when I log in their privilege level is always 15, and I can run any commands. I have also configured an exec set of commands which I have limited to show and applied it within the group. I can take screen shots of the server config, if you specify which areas you need.

I really appreciate you taking the time to help me out.

Marek

1) It is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.

2) It is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.

I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more then you may be able to participate in the forum and provide answers in addition to asking questions.

3) As I read your config, authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.

I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.

4) The fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command: privilege level 15. If it is there remove it and test over again.

HTH

Rick

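The router-side checks this thread works through by hand (the TAC list of `aaa authorization commands` lines per privilege level, Rick's point about backup methods, named method lists that are never applied to a line, and `privilege level 15` under console or vty lines) can be run as a script against a saved running-config. The following is an added example, not from this thread or from Cisco: a small Python audit over an IOS configuration. The sample configs are constructed and modelled on the config Marek posted; the one-space indentation of sub-commands under `line ...` and the regex for AAA method lists are assumptions about standard IOS output. The `if-authenticated` backup in the corrected sample is Rick's stated preference; `aaa authorization config-commands` is only flagged when explicitly disabled, since IOS enables it by default.

```python
import re

# Constructed sample modelled on the router config posted in this thread
# (assumption: standard IOS layout, sub-commands under 'line' indented by
# one space). Not a real device's config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login level1 group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 level1 group tacacs+
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.0.2.10
line con 0
 privilege level 15
line vty 0 4
 transport input ssh
"""

# The same router with the thread's advice applied: default command
# authorization at levels 0, 1 and 15, a backup method on every list
# (if-authenticated, Rick's preference), and no 'privilege level 15'.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
line con 0
line vty 0 4
 transport input ssh
"""

# aaa <authentication|authorization> <type> [level] <list-name> <methods...>
AAA_LIST = re.compile(r"aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)")


def parse_sections(config):
    """Return (global_lines, {line_name: [sub-commands]})."""
    global_lines, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(text)
            continue
        current = None
        if text.startswith("line "):
            current = text
            line_blocks[current] = []
        else:
            global_lines.append(text)
    return global_lines, line_blocks


def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    glob, lines = parse_sections(config)
    if "aaa new-model" not in glob:
        findings.append("'aaa new-model' missing: AAA method lists are ignored")
    default_cmd_levels, named_lists = set(), set()
    for entry in glob:
        m = AAA_LIST.match(entry)
        if not m:
            continue
        _kind, subtype, level, name, methods = m.groups()
        if subtype == "commands" and name == "default":
            default_cmd_levels.add(int(level))
        if name != "default":
            named_lists.add((subtype, level, name))
        # 'group tacacs+' is one method; a second method is the backup
        if len(re.sub(r"group \S+", "GROUP", methods).split()) < 2:
            findings.append(f"no backup method on '{entry}': lockout risk if the server is unreachable")
    for lvl in (0, 1, 15):
        if lvl not in default_cmd_levels:
            findings.append(f"no default 'aaa authorization commands {lvl}' list: commands at that level are never sent to TACACS+")
    # A named method list does nothing until a line references it
    applied = set()
    for line_name, sub in lines.items():
        for s in sub:
            m = re.match(r"login authentication (\S+)$", s)
            if m:
                applied.add(("login", None, m.group(1)))
            m = re.match(r"authorization (\S+?)(?: (\d+))? (\S+)$", s)
            if m:
                applied.add(m.groups())
        if "privilege level 15" in sub:
            findings.append(f"{line_name}: 'privilege level 15' gives sessions level 15 locally; remove it and retest")
    for subtype, level, name in sorted(named_lists, key=str):
        if (subtype, level, name) not in applied:
            findings.append(f"named list '{name}' ({subtype}) is never applied under any line")
    if "no aaa authorization config-commands" in glob:
        findings.append("'no aaa authorization config-commands': config-mode commands bypass authorization")
    return findings
```

Run `audit_aaa(SAMPLE_CONFIG)` to see nine findings on the constructed config (five lists without a backup method, no default command list for level 1, the unused `level1` lists, and `privilege level 15` on the console); `audit_aaa(FIXED_CONFIG)` returns an empty list.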

I have checked and I do not see anything.

I think I should be able to use radius for authorization while keeping tacacs+ for authentication.

Would that be easier to do? thanks again

Marek

I do not think that it would be easier that way. Radius does not have a separate step for authorization the way that TACACS does. I think that you should keep the same protocol for both authentication and authorization.

It might help if you would post a current copy of the config of the router that you are working with.

HTH

Rick
