Is there a trick to getting tcl scripts (or even just the tclsh command) to work in a TACACS+ environment? I was trying to run a tcl script that I copied to the device, and got "command authorization failed". Running tclsh by itself and trying to exec a command yielded the same results, even after setting the event manager user to the currently logged-in user.
I tried this on two different devices, a 6500 running 12.2.33SXI9 and a 4900M running 12.2.54SG1. The failed commands show up in tacacs with no username and as async...
Example:
ttnet-ch-rocore-1>en
Password:
ttnet-ch-rocore-1#tclsh
ttnet-ch-rocore-1(tcl)#exec "show ver"
Command authorization failed.
ch-rocore-1(tcl)#exit
ch-rocore-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ch-rocore-1(config)#event manager session cli user xXxXx
ch-rocore-1(config)#exit
ch-rocore-1#tclsh
ch-rocore-1(tcl)#exec "show ver"
Command authorization failed.
AAA config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 noauth none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 noauth none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 noauth none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
Thanks!
-Nick