AAA authorization with no user group

Denis Ponev
Level 1

Can anyone help me understand one thing about AAA authorization on Cisco IOS? Here is a config fragment:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local

Do I understand correctly that authorization allows some commands (like "commands 15") for some users (like "group tacacs+")? So why is there no option "group" for the config-commands?

3 Replies

minkumar
Level 1

Hi Denis,

First of all, we need to understand one thing: what config-commands, commands 1 and commands 15 are. This will help you understand these aaa commands.

Config-commands: commands that we can run under configuration mode. For example, when you log in to the router, enter the priv mode and then enter the configuration mode, type a question mark. It will give you the list of the commands that can be run in config mode.

Similarly, when you enter priv mode (# mode, also known as level 15) and type a question mark, it will also display the list of commands that you can run in that mode.

You can always check the level with the following command:

#show privilege level.

In the same way, you can check what command can be run on what level.

Now moving on to the aaa commands:

aaa authorization config-commands: This command will check the authorization for the commands in configuration mode.

aaa authorization exec default group tacacs+ local: This command will provide the user level 15 access directly, bypassing enable authentication.

aaa authorization commands 1 default group tacacs+: This command will check the authorization of the commands that can be run on level 1.

aaa authorization commands 15 default group tacacs+ local: This command will check the authorization for the commands that can be run on level 15.

I hope this helps.

BR

Minakshi (Rate the helpful posts)

The following links will give you detailed insight into the working and understanding of these commands:

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html
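
An added example, not part of any post in this thread: a small Python parser for the "aaa authorization" lines quoted in the question. It lists each line's type, privilege level, list name and ordered methods, treats config-commands as a keyword-only line with no method list of its own (it switches on checking of configuration-mode commands using the lists set by the "commands <level>" lines), and flags method lists with a single method. All function and field names are hypothetical.

```python
# Added example; SAMPLE_CONFIG is the fragment from the question, names are hypothetical.
import re

SAMPLE_CONFIG = """\
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""

LINE_RE = re.compile(r"^aaa authorization (?P<type>\S+)(?P<rest>.*)$")


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods = []
    it = iter(tokens)
    for tok in it:
        # 'group <name>' is one method; anything else is a single keyword.
        methods.append(f"group {next(it, '')}".strip() if tok == "group" else tok)
    return methods


def parse_aaa_authorization(config):
    """Return one dict per 'aaa authorization' line in the config text."""
    entries = []
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        entry = {"type": m.group("type"), "level": None, "list": None, "methods": []}
        if entry["type"] == "commands" and tokens:
            entry["level"] = int(tokens.pop(0))   # privilege level 0-15
        if entry["type"] != "config-commands" and tokens:
            entry["list"] = tokens.pop(0)          # 'default' or a named list
            entry["methods"] = parse_methods(tokens)
        entries.append(entry)
    return entries


def single_method_lists(entries):
    """Lists with one method: no later method is tried if it does not respond."""
    return [e for e in entries if e["list"] and len(e["methods"]) == 1]


if __name__ == "__main__":
    for e in parse_aaa_authorization(SAMPLE_CONFIG):
        print(e)
```

On the fragment above, only the "commands 1" list is reported as having no fallback method.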

harvisin
Level 3