Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


What does mean 'aaa authorization network', what does limit 'network' keyword?


I am studying CCNP Switch course and stuck in AAA authorization topic. I do not understand what actually is purpose of the following command chain 'aaa authorization network ....'.

Cisco books and web-pages define this like sonething:

network: The server must return permission to use network-related services.

However, do does it means 'network-related services'? Is the telnet network related service? I have been serching info about details what this command does and no success. Some network pages mean authorization for PPP, PPPoE, SLIP.... I am confused.

Let's say I entered following command on the switch:

 switch(config)#aaa authorization network default group SRV-ISE 

What can I do on this switch and what cannot? What is limited and what is not? What will be authorized and what won't be?


Hello Jan,

Hello Jan,

aaa authorization network can be used to allow users access to the network if dot1x authentication have been configured on the cisco switch. 

In the case that you use aaa authorization network default group SRV-ISE : this command can be used to to allow the SRV-ISE (which is an ACS or ISE server) to dynamically assign vlan to user ports and this is based on their identities (username or MAC address).

if you need more details, try to read this article



On switches "aaa

On switches "aaa authorization network" refers to authorization of devices connected to the switch, so you would point "aaa authorization network" to a group of ISE/ACS servers, like in your example.

If you do not configure the authorization command and have only the "aaa authentication dot1x", you would run into strange dot1x issues. (basically switch would authenticate dot1x session, but would not apply the RADIUS session attributes sent by ISE)

For telnet or ssh you would use the "aaa authorization exec/commands", attach that to the vty lines, and that would then control telnet/ssh access to the switch.

Please rate if helpful