Denis Ponev
Beginner

AAA authorization with no user group

Can anyone help me understand one thing about AAA authorization on Cisco IOS? Here is a config fragment:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local

Do I understand correctly that authorization allows some commands (like "commands 15") for some users (like "group tacacs+")? So why is there no "group" option for config-commands?

minkumar
Beginner

Hi Denis,

First of all, we need to understand one thing: what are config-commands, commands 1 and commands 15? This will help you understand these aaa commands.

Config-commands: commands that we can run under configuration mode. For example: when you log in to the router, enter priv mode and then enter configuration mode > type a question mark > it will give you the list of the commands that can be run in config mode.

Similarly, when you enter priv mode (# mode, also known as level 15) > type a question mark, it will also display the list of commands that you can run in that mode.

You can always check the level with the following command:

#show privilege level.

and in the same way, you can check what command can be run at what level.

Now moving on to the aaa commands:

aaa authorization config-commands: this command will check the authorization for the commands in configuration mode.

aaa authorization exec default group tacacs+ local: this command will provide the user level 15 access directly, bypassing enable authentication.

aaa authorization commands 1 default group tacacs+: this command will check the authorization of the commands that can be run at level 1.

aaa authorization commands 15 default group tacacs+ local: this command will check the authorization for the commands that can be run at level 15.

I hope this helps.

BR

Minakshi (Rate the helpful posts)

The following links will provide you with detailed insight into the working and understanding of these commands:

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html
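A worked model of how IOS evaluates the four lines from the question, added here as an example and not taken from the thread or from Cisco. It shows why config-commands carries no method list: it only switches whether configuration-mode commands are subject to the commands <level> lists, and within a list IOS moves to the next method only when the server is unreachable (ERROR), never on a DENY, so "commands 1" with no "local" fails closed when TACACS+ is down while "commands 15" falls back to local. The function names and the PERMIT/DENY/ERROR simulation of the server reply are assumptions for illustration.

```python
from enum import Enum

class Result(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ERROR = "error"  # server unreachable: IOS tries the next method in the list

# Constructed sample: the four lines from the question.
CONFIG = """
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""

def methods(tokens):
    """'group tacacs+ local' -> ['tacacs+', 'local'] (drop the 'group' keyword)."""
    return [t for t in tokens if t != "group"]

def parse_method_lists(config):
    """Default method lists for exec and per-level commands; config-commands is a bare toggle."""
    policy = {"config-commands": False, "exec": [], "commands": {}}
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[:2] != ["aaa", "authorization"]:
            continue
        if parts[2] == "config-commands":
            policy["config-commands"] = True
        elif parts[2] == "exec" and parts[3] == "default":
            policy["exec"] = methods(parts[4:])
        elif parts[2] == "commands" and parts[4] == "default":
            policy["commands"][int(parts[3])] = methods(parts[5:])
    return policy

def authorize_command(policy, level, in_config_mode, tacacs_reply):
    """Verdict for a command at `level`; `tacacs_reply` is the simulated server answer.
    'local' and 'none' are modelled as PERMIT (local only checks the user's
    privilege level, assumed sufficient here)."""
    if in_config_mode and not policy["config-commands"]:
        return Result.PERMIT  # toggle off: config-mode commands are not authorized at all
    method_list = policy["commands"].get(level)
    if method_list is None:
        return Result.PERMIT  # no list for this level: no authorization applies
    for method in method_list:
        verdict = tacacs_reply if method == "tacacs+" else Result.PERMIT
        if verdict is not Result.ERROR:
            return verdict  # PERMIT or DENY is final; only ERROR falls through
    return Result.DENY  # every method errored: fail closed
```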

harvisin
Participant
