Hi All,
I have a doubt regarding the aaa authorization command. I have logged in to the device using my TACACS ID, and now I have removed the aaa authorization command, specifically:
no aaa authorization commands 15 default group tacacs+ local
Initially I thought that I couldn't run any more commands, as it would show an authorization failure, but while testing I found that I can run all commands in config mode from that telnet session or from any other telnet session. Could anyone please explain the function of this command in detail and the reason for this?
Hi there,
By removing aaa authorization commands 15 default group tacacs+ local you are removing the requirement for the device to check the commands of users with level 15 permissions.
Therefore, provided you have successfully authenticated with priv15 level access, you will be able to run any command.
Cheers,
Seb.
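Added example, not part of the thread and not code from any poster: a small Python check that reads a running-config and reports privilege levels that have no default `aaa authorization commands` list, which is the state the device is in after the `no` command above. The sample configs, the function names and the choice to look only at the `default` list and the built-in `tacacs+` group are assumptions of this example.

```python
import re

# Matches e.g. "aaa authorization commands 15 default group tacacs+ local"
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")

def command_authz(config: str) -> dict:
    """Map privilege level -> {method-list name: [methods]} from a running-config."""
    found = {}
    for raw in config.splitlines():
        m = CMD_AUTHZ.match(raw.strip())
        if m:
            level, name, methods = int(m.group(1)), m.group(2), m.group(3).split()
            found.setdefault(level, {})[name] = methods
    return found

def audit(config: str, levels=(15,)) -> list:
    """Return one finding per level whose commands are not checked by default."""
    authz = command_authz(config)
    findings = []
    for level in levels:
        methods = authz.get(level, {}).get("default")
        if methods is None:
            # No list at all: a user who reaches this level runs commands unchecked.
            findings.append(f"level {level}: no default command authorization")
        elif "tacacs+" not in methods:
            # Assumption: only the built-in tacacs+ group counts as a server check.
            findings.append(f"level {level}: default list lacks tacacs+ "
                            f"({' '.join(methods)})")
    return findings

# Constructed sample configs (not taken from the poster's device).
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
# State after: no aaa authorization commands 15 default group tacacs+ local
AFTER = BEFORE.replace(
    "aaa authorization commands 15 default group tacacs+ local\n", "")

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

Login and exec authorization are untouched in the second config, so the user still authenticates and lands at level 15; only the per-command check is gone.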
Hi,
Q: found that I can run all commands in config mode from that telnet session?
Ans: You can run all commands permitted to your account after this because you are already logged in and the switch or router will not check authentication again. After the session time, or on trying with another account, it will fail to log in.
Please explain about your second question: how are you trying, and did you try from the same system and same username? Also, share the running configuration so we can check what the reason was.
Regards,
Deepak Kumar
Yes, after removing this command I tried from the same session and another session too, but everything was working fine. I was using my TACACS ID each time. I can easily log in and get into config mode, and I then executed other commands, but all worked well.
Hi,
I got your question. If you remove the command aaa authorization commands 15 default group tacacs+ local, then there will be no impact to the session. You are removing the requirement to check the commands of users with level 15 permissions.
Regards,
Deepak Kumar