axa-wongjeff
Beginner

Command confusion - aaa authorization config-commands

I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.

  >> Shell Command Authorization Sets

      Name: Restricted_Voice

      Description: Configure port voice vlan only.

      Unmatched Commands: Deny

      Add: enable

      Add: configure / permit terminal <cr>

      Add: interface / permit Gi*

      Add: interface / permit Fa*

      Add: switchport / permit voice vlan *

My switch configuration has the following aaa authorization related lines:

     aaa authorization commands 1 default group tacacs+ if-authenticated

     aaa authorization commands 15 default group tacacs+ if-authenticated

When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected it to.

I went and read up the command reference for "aaa authorization config-commands" in

http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.

My comprehension of the command is that just issuing 'aaa authorization commands 15 ....' encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.

It looks like I resolved my issue and need to add the new statement to all my switches. I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few, or the only one, that misinterpreted these "aaa authorization" commands?
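The behaviour the post describes, modelled as an added example (this is not Cisco code and not the poster's; it is written for this thread). The script parses the two switch configurations from the post, decides for a typed command whether IOS would send it to TACACS+ at all, and then applies the Restricted_Voice command set to it. Assumptions, labelled in the code: ACS argument rules are matched glob-style against the whole argument string, and a command listed with no argument rules (the "enable" entry) is permitted only when typed bare. The linked command reference describes configuration-command authorization as the default once "aaa authorization commands" is configured, while the poster observed the opposite on their switch, so the model simply reads the flag from the running configuration; the practical check on a real device is to type a configuration command from a restricted account and watch "debug aaa authorization".

```python
"""Model of how IOS decides whether a typed command is sent to TACACS+ for
authorization, and what the 'Restricted_Voice' ACS command set would answer.
Added example for this thread; not Cisco code and not the poster's.
Assumptions (labelled): ACS argument patterns are matched glob-style against
the whole argument string; a command with no argument rules is permitted
only when typed bare.
"""
import fnmatch
import re

# Constructed: the poster's switch configuration before and after the fix.
BEFORE = """\
aaa new-model
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
AFTER = BEFORE + "aaa authorization config-commands\n"

# Constructed: the Restricted_Voice shell command authorization set from the post.
RESTRICTED_VOICE = {
    "unmatched_commands": "deny",
    "commands": {
        "enable": [],                  # assumption: bare command only
        "configure": ["terminal"],
        "interface": ["Gi*", "Fa*"],
        "switchport": ["voice vlan *"],
    },
}


def parse_aaa(config):
    """Return (privilege levels with command authorization, config-commands enabled?)."""
    levels = set()
    config_cmds = False
    for line in config.splitlines():
        m = re.match(r"\s*aaa authorization commands (\d+)\s", line)
        if m:
            levels.add(int(m.group(1)))
        if line.strip() == "aaa authorization config-commands":
            config_cmds = True
    return levels, config_cmds


def acs_decision(cmd_set, line):
    """Does the ACS command set permit this command line? (assumed matching rules)"""
    words = line.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    patterns = cmd_set["commands"].get(cmd)
    if patterns is None:                      # command not in the set at all
        return cmd_set["unmatched_commands"] == "permit"
    if not patterns:                          # listed without argument rules
        return args == ""
    return any(fnmatch.fnmatchcase(args, p) for p in patterns)


def authorize(config, line, mode, priv=15):
    """Return (decision, who decided) for a command typed in 'exec' or 'config' mode."""
    levels, config_cmds = parse_aaa(config)
    if mode == "config" and not config_cmds:
        # Without config-commands, configuration-mode lines never reach TACACS+.
        return ("permit", "local")
    if priv not in levels:
        # No 'aaa authorization commands <priv>' line: nothing is checked.
        return ("permit", "local")
    verdict = "permit" if acs_decision(RESTRICTED_VOICE, line) else "deny"
    return (verdict, "tacacs+")


if __name__ == "__main__":
    for cfg_name, cfg in (("before", BEFORE), ("after", AFTER)):
        for mode, line in (("exec", "configure terminal"),
                           ("config", "interface GigabitEthernet1/0/1"),
                           ("config", "switchport voice vlan 100"),
                           ("config", "description phone"),
                           ("config", "hostname changed-by-voice-admin")):
            print(cfg_name, mode, repr(line), authorize(cfg, line, mode))
```

Running it reproduces the observation in the post: with the "before" configuration, "description" and "hostname" in config mode are permitted locally and never reach ACS, while after adding "aaa authorization config-commands" they are sent and denied by the "Unmatched Commands: Deny" rule. Two practitioner caveats visible in the same lines: the "if-authenticated" keyword makes every command succeed for an authenticated user whenever the TACACS+ servers are unreachable, so the restriction fails open during an outage; and the "Gi*"/"Fa*" patterns permit only interface names starting with those letters, so "interface range ..." is denied, which is the intended behaviour of the set but worth knowing when the voice team reports that a bulk change is rejected.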

3 REPLIES
Bharat Negi
Beginner

You are right.  For shell to authorise configuration commands, "aaa authorization config-commands" is a must.  It provides you more granular control for configuration commands.

regards/bsn

hkhrais