08-13-2013 07:49 AM - edited 03-10-2019 08:45 PM
Can anyone help me with understanding one thing about AAA authorization on Cisco IOS? Here is a config fragment:
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
Do I understand correctly that authorization allows some commands (like "commands 15") for some users (like "group tacacs+")? So why is there no option "group" for the config-commands?
08-26-2013 03:49 AM
Hi Denis,
First of all, we need to understand one thing: what config-commands, commands 1 and commands 15 are. This will help you understand these aaa commands.
Config-commands: commands that we can run under configuration mode. For example, when you log in to the router, enter the priv mode, then enter the configuration mode and type a question mark, it will give you the list of the commands that can be run in config mode.
Similarly, when you enter priv mode (# mode, also known as level 15) and type a question mark, it will also display the list of commands that you can run in that mode.
You can always check the level with the following command:
#show privilege level.
In the same way, you can check what command can be run on what level.
Now, moving on to the aaa commands:
aaa authorization config-commands --- This command will check the authorization for the commands in configuration mode.
aaa authorization exec default group tacacs+ local --- This command will provide the user level 15 access directly, bypassing enable authentication.
aaa authorization commands 1 default group tacacs+ --- This command will check the authorization of the commands that can be run on level 1.
aaa authorization commands 15 default group tacacs+ local --- This command will check the authorization for the commands that can be run on level 15.
I hope this helps.
BR
Minakshi (Rate the helpful posts)
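An added example, not part of the thread and not Cisco code: a small Python check run over the fragment from the question. It treats `aaa authorization config-commands` as a switch that names no method list of its own (configuration-mode commands are authorized through the `commands <level>` lists), and it reports lists that end in a server group with no fallback method. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the config fragment quoted in the question.
SAMPLE_CONFIG = """\
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""

LINE_RE = re.compile(
    r"^aaa authorization (?P<kind>exec|commands \d+|config-commands)"
    r"(?: (?P<name>\S+) (?P<methods>.+))?$"
)

def parse_methods(text):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit(config):
    """Summarise the aaa authorization lines found in an IOS config text."""
    lists, findings, config_commands = {}, [], False
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["kind"] == "config-commands":
            config_commands = True  # a switch only: it names no method list
            continue
        methods = parse_methods(m["methods"] or "")
        lists[(m["kind"], m["name"])] = methods
        # Later methods are tried only when the earlier one returns an error
        # (e.g. server unreachable), so a list ending in a group has no fallback.
        if methods and methods[-1].startswith("group "):
            findings.append(f"{m['kind']} {m['name']}: no fallback after {methods[-1]}")
    levels = sorted(int(k.split()[1]) for k, _ in lists if k.startswith("commands "))
    if config_commands and not levels:
        findings.append("config-commands is set but no 'commands <level>' list exists")
    return {"lists": lists, "levels": levels,
            "config_commands": config_commands, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```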
08-26-2013 04:19 PM
The following links will give you detailed insight into the working and understanding of these commands:
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html
08-29-2013 01:15 AM
Hello,
I think the link below might help you out:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html