AAA question

robbo79871
Level 1

Hi, I think I'm confusing myself with the difference between some of these commands.

I have set up a method list for both authentication and authorization as seen below:

aaa authentication login logmein local enable
aaa authorization console
aaa authorization exec admins local
aaa authorization commands 15 acceptme local
aaa session-id common

and on the console port I have applied them as follows:


authorization commands 15 acceptme
authorization exec admins
login authentication logmein

My user is:

username admin1 privilege 15 secret 5 $1$tDtt$n.dDDV0CbKnf4AK2EEFHn1

My question is, just so I'm clear: the "aaa authorization exec" command will check the local user logging in and see what their privilege level is? Also, the "aaa authorization console" is necessary because console ports do not check for authorization by default.
Also, what does the config-commands command do exactly? I am unclear on that one.
I'm looking for clarity and confirmation as to whether what I'm saying here is either correct or partly correct.

Thanks everyone :)

Accepted Solutions

dperezoquendo
Level 1

The "aaa authorization exec" command will check the local user logging in and see what their privilege level is?

Somewhat. The command will check to see if the user is authorized to start an exec shell. I think this makes the user automatically log into priv-exec mode.

"aaa authorization console" is necessary because console ports do not check for authorization by default.

Correct.

What does the config-commands command do exactly? I am unclear on that one.

From my understanding, this command pretty much tells the device to check with the TACACS server to authorize a user to enter global config mode. Edit: Though I've also read that it checks with the TACACS server to identify which commands a user can do in global config mode. So you have to make sure your TACACS server is set up properly for that.

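
An added example, not from either poster: a small Python check that cross-references the method lists applied under each line against the global `aaa` definitions, and flags console authorization that is applied without `aaa authorization console`. The `line con 0` header, the `line vty 0 4` block with its undefined list `vtyadmins`, and the function name `audit` are assumptions made for illustration.

```python
import re

# Constructed sample: the commands from the question, with an assumed "line con 0"
# header and an assumed vty block that references an undefined list.
SAMPLE = """\
aaa authentication login logmein local enable
aaa authorization console
aaa authorization exec admins local
aaa authorization commands 15 acceptme local
line con 0
 authorization commands 15 acceptme
 authorization exec admins
 login authentication logmein
line vty 0 4
 authorization exec vtyadmins
"""

GLOBAL = re.compile(r"^aaa (authentication login|authorization exec|"
                    r"authorization commands \d+) (\S+) \S")
APPLIED = re.compile(r"^\s+(login authentication|authorization exec|"
                     r"authorization commands \d+) (\S+)\s*$")

def audit(config):
    """Return findings for method lists applied on lines (hypothetical helper)."""
    lines = config.splitlines()
    defined = {m.groups() for m in map(GLOBAL.match, lines) if m}
    console_authz = any(l.strip() == "aaa authorization console" for l in lines)
    findings, current = [], None
    for l in lines:
        if l.startswith("line "):          # entering a line sub-mode
            current = l.strip()
            continue
        if not l.startswith(" "):          # back at global level
            current = None
        m = APPLIED.match(l)
        if not (m and current):
            continue
        kind, name = m.groups()
        kind = "authentication login" if kind.startswith("login") else kind
        if name != "default" and (kind, name) not in defined:
            findings.append(f"{current}: list '{name}' ({kind}) is not defined")
        if (current.startswith("line con") and kind.startswith("authorization")
                and not console_authz):
            findings.append(f"{current}: '{kind} {name}' is not enforced "
                            "without 'aaa authorization console'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```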