04-29-2023 02:14 AM
Hi,
"aaa authorization commands 15 default group tacacs+ local if-authenticated"
1) Does the above command authorize only level 15 users?
2) Or does it authorize all level users 0-15 (inclusive)?
3) Or does it authorize only levels 2-15 (inclusive)?
I'm a bit confused with this command because on the routerfreak website, the above command is configured along with "aaa authorization commands 15 default group tacacs+ local if-authenticated" as a best practice.
This makes me think that maybe the command "aaa authorization commands 15 default group tacacs+ local if-authenticated" authorizes ONLY level 2-15 users, and the best practice would also be to authorize User Exec Mode as well, which is level 1.
Please shed a light on this.
AAA Best practice example: https://www.routerfreak.com/aaa-best-practices/comment-page-1/?unapproved=90953&moderation-hash=2342e87aa47d14b2dcf0af36ed7b3272#comment-90953
Thanks
Labels: AAA
Accepted Solutions
04-29-2023 03:19 AM - edited 04-29-2023 03:19 AM
2) Or does it authorize all level users 0-15 (inclusive)? NO
3) Or does it authorize only levels 2-15 (inclusive)? Yes, this is correct.
That's why you see
aaa authz command 1 <<- protects when you go from user 0 to level 1
aaa authz command 15 <<- protects when you go from user 0 to levels 2-15
04-29-2023 03:28 AM - edited 04-29-2023 03:28 AM
Note:
You can check the command's effect by trying
enable 1 <<- try this
enable 2-15 <<- try this
04-29-2023 03:24 AM
Hello,
This is from the Cisco site:
"Privilege Levels
By default, there are three command levels on the router:
- privilege level 0—Includes the disable, enable, exit, help, and logout commands
- privilege level 1—Includes all user-level commands at the router> prompt
- privilege level 15—Includes all enable-level commands at the router> prompt"
And my conclusion for your query is that, if you use 15, it means all the previous levels are included. For example, if you give someone root privilege, someone else admin privilege, and another person view-only privilege, the guy with root privilege has all the previous guys' privileges included.
And an interesting explanation about if-authenticated can be found in another thread here:
https://community.cisco.com/t5/network-access-control/if-authenticated/td-p/1248124
04-29-2023 08:08 AM
Thanks everyone for the response.
@Flavio Miranda Why is there a > here? Shouldn't it be # ?
"privilege level 15—Includes all enable-level commands at the router> prompt"

05-04-2023 01:33 PM
If the customer has TACACS+, then I tend to give all users Priv15, and based on their Role (SuperAdmin, Change Admin, ReadOnly) perform command authorization. The reason I use priv 15, is because a simple task like "show running-config" is not possible at any other level. Unless I am doing something wrong. Seems that showing the running config is considered a highly privileged thing (which it might be) - but if you have a junior engineer who needs to see the config (and make no changes) then you have to give them priv15 and limit the commands they can access. TACACS+ saves the day for me!
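Putting the accepted answer (both the "commands 1" and "commands 15" lines) and the TACACS+ approach from the last post into one complete AAA stanza, as an added example that is not from any of the posters: the server address 192.0.2.10, the names TACACS1 and TACACS-GRP, the fallback username and both secrets are placeholders you would replace.

```cisco
! Added example (not from the thread): the best-practice pair of command
! authorization lines the thread discusses, inside a complete AAA stanza.
! Placeholders: 192.0.2.10 (documentation range), TACACS1, TACACS-GRP,
! fallback-admin and both secrets.
aaa new-model
!
! Local fallback account so a TACACS+ outage does not lock you out
username fallback-admin privilege 15 secret <replace-with-strong-secret>
!
tacacs server TACACS1
 address ipv4 192.0.2.10
 key <replace-with-shared-key>
!
aaa group server tacacs+ TACACS-GRP
 server name TACACS1
!
! Login and EXEC-shell authorization (the EXEC line is what lets TACACS+
! hand every user privilege 15, as the last post describes)
aaa authentication login default group TACACS-GRP local
aaa authorization exec default group TACACS-GRP local if-authenticated
!
! Command authorization is configured per privilege level. As the accepted
! answer says, "commands 1" covers level 1 and "commands 15" covers the move
! to levels 2-15, so "commands 15" alone leaves level-0/1 commands
! (show ..., exit, ...) unauthorized. Configure all three together.
aaa authorization commands 0 default group TACACS-GRP local if-authenticated
aaa authorization commands 1 default group TACACS-GRP local if-authenticated
aaa authorization commands 15 default group TACACS-GRP local if-authenticated
! Also send configuration-mode commands to TACACS+ for authorization
aaa authorization config-commands
!
! "if-authenticated" is only consulted when the earlier methods return no
! answer (server unreachable), not when TACACS+ explicitly denies; it then
! permits an already-authenticated user. That is the outage trade-off the
! linked if-authenticated thread discusses.
!
! Check (from the thread): log in as a low-privilege user and try
!   enable 1
!   enable 15
! with "debug aaa authorization" running to see which level is queried.
```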
