
Tacacs+ Authorization


How do I tell the Cisco TACACS+ server to only authorize users that have been authenticated by it and not by any other method? E.g. switches are authenticating users locally and authorizing them against the TACACS+ server; how do I prevent this?


jenny conlan

You can specify this by adding:

aaa authorization commands 15 default group <ACS-server-group-name> local

That tells it to authorize by querying the specified ACS server group first; if there is no reply, it will use the local database.


Hi there Maik,

This can be accomplished using "named lists". For example, let's say that your VTY users will use the ACS for authentication and authorization, but users who access the console port should authenticate only against the local switch database with no authorization, so we do the following:

aaa new-model
tacacs-server host X.X.X.X key cisco123
aaa authentication login myacs group tacacs+
aaa authentication login mylocal local
aaa authorization commands 15 mylocalautho group tacacs+
aaa authorization config-commands
line console 0
 login authentication mylocal
line vty 0 14
 login authentication myacs
 authorization commands 15 mylocalautho

You can play with this and use different combinations of this feature depending on your requirements; let me know if you have any questions about it.

Hi together,

so here is my config:

aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default local group tacacs+ local
aaa authorization commands 15 default local group tacacs+ local

I have some local users with no password but with an RSA key:

username user1 privilege 15 nopassword
ip ssh pubkey-chain
 username user1
  key-hash ssh-rsa 9C4B0195499D69FED5B01C8DC70CED19

user1 also exists on the ACS. When user1 tries to log in, the switch authenticates it locally based on the ssh-rsa key, but authorizes it against the ACS. Strangely, the ACS assumes that the user was authenticated by it. Is it possible to prevent this?

According to your configuration, "aaa authentication login default group tacacs+ line" says that all authentication types (SSH, Telnet, console) use the TACACS+ server as the primary authentication method; if the TACACS+ server is down, the next method is the line password, not local. I don't see any AAA command pointing authentication to the local switch database.

So I don't think the switch is authenticating the user; it seems the authentication request is going to the ACS server. Can you verify whether, after the user is authenticated, you have a successful passed authentication in the ACS?

I don't find any authentication entry, only an authorization one!
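The mismatch the thread is circling (authorization lists that consult TACACS+ while the login on the same line can succeed locally, for instance via an `ip ssh pubkey-chain` user) can be checked mechanically against a config dump. The script below is an added example, not code from the thread or from Cisco; it assumes only the IOS command forms shown above, applies the `default` lists to console and vty when no `line` section overrides them, and treats pubkey-chain users as locally verified.

```python
import re

# Constructed sample: the AAA lines posted in the thread above.
POSTED_CONFIG = """
aaa authentication login default group tacacs+ line
aaa authorization commands 1 default local group tacacs+ local
aaa authorization commands 15 default local group tacacs+ local
ip ssh pubkey-chain
  username user1
   key-hash ssh-rsa 9C4B0195499D69FED5B01C8DC70CED19
"""

def split_methods(text):   # "local group tacacs+ local" -> ["local", "group tacacs+", "local"]
    return re.findall(r"group \S+|\S+", text)

def parse_aaa(config):
    login, authz, pubkey_users, section = {}, {}, [], None
    # Without explicit 'line' commands IOS applies the 'default' lists to console and vty.
    lines = {k: {"login": "default", "authz": {}} for k in ("con", "vty")}
    for text in (l.strip() for l in config.splitlines()):
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            login[m[1]], section = split_methods(m[2]), None
        elif m := re.match(r"aaa authorization commands (\d+) (\S+) (.+)", text):
            authz[(int(m[1]), m[2])], section = split_methods(m[3]), None
        elif m := re.match(r"line (con|console|vty)\b", text):
            section = "vty" if m[1] == "vty" else "con"
        elif text.startswith("ip ssh pubkey-chain"):
            section = "pubkey"
        elif section == "pubkey" and text.startswith("username "):
            pubkey_users.append(text.split()[1])   # key-based login is verified locally
        elif section in lines and (m := re.match(r"login authentication (\S+)", text)):
            lines[section]["login"] = m[1]
        elif section in lines and (m := re.match(r"authorization commands (\d+) (\S+)", text)):
            lines[section]["authz"][int(m[1])] = m[2]
    return login, authz, lines, pubkey_users

def audit(config):
    """Return (line, level, non-TACACS login paths) wherever command authz still asks TACACS+."""
    login, authz, lines, pubkey_users = parse_aaa(config)
    findings = []
    for kind, binding in lines.items():
        for (level, name), authz_methods in sorted(authz.items()):
            if name != binding["authz"].get(level, "default") or "group tacacs+" not in authz_methods:
                continue
            bypass = [m for m in login.get(binding["login"], []) if m != "group tacacs+"]
            if kind == "vty" and pubkey_users:
                bypass.append("pubkey-chain:" + ",".join(pubkey_users))
            if bypass:
                findings.append((kind, level, bypass))
    return findings
```

Run against the named-list config from the earlier reply (vty bound to `myacs` and `mylocalautho`, console to `mylocal` with no authorization list) the audit returns no findings, because every line whose authorization reaches TACACS+ also authenticates only through TACACS+.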
