

aaa authentication enable/authorization exec


I've a doubt about the behaviour of the following commands:

aaa new-model


aaa authentication enable default group tacacs+ enable


aaa authorization exec default group tacacs+ local

The first (authentication enable) defines the authentication method list the router has to use when the (logged in) user types 'enable' at the CLI (here group radius and the local configured enable password).

The second one specifies the authorization method required to 'spawn' an exec CLI (to bring the logged in user into privileged exec mode).

If that is correct... what is the difference (from a user point of view) between them?

Regards, Carlo


Re: aaa authentication enable/authorization exec

Say you had AAA configured on a device using a TACACS server, and in TACACS your user account was configured with a default privilege of "15". Having the "aaa authorization exec default group tacacs+ local" command should put you automatically in "enable" mode, as the device would get your authorization privilege from TACACS.

I think it could be put this way: aaa authorization exec configures you for your "default" privilege when logging into the device. aaa authentication enable will allow you to authenticate to a higher privilege (your maximum privilege).



aaa authentication enable/authorization exec


From a user perspective the difference between authentication and authorization is that authentication has to do with determining who the person is and frequently requires entry of a password or some other credential as part of proving that you are who you claim to be. Authorization has to do with what you can do (and possibly what privilege level). To a user the most obvious difference is that Authorization does not use a password while Authentication does use a password.




Re: aaa authentication enable/authorization exec

Thanks for answers....

About this configuration:

aaa new-model


username carlo privilege 2 password 0 cisco


aaa authorization exec default none

Here I believe there is NO authorization requirement to allow the user to access the (exec) shell... but what about the (initial) privilege level assigned to this user when the shell is spawned?

I've done a simple test for it and when the user logs in this is the outcome:


Trying ... Open

User Access Verification

Username: carlo


R3>sh privilege

Current privilege level is 1 <-------------------

Here the current user privilege is 1 while the privilege level configured at username level (username carlo privilege 2 password 0 cisco) is 2.

Is that the expected behaviour?


Re: aaa authentication enable/authorization exec

I believe that is correct.

If you added aaa authorization exec default local

Then you should see the privilege go to "2" when logged in.
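
The three method lists discussed in this thread, side by side, as an added configuration example that was not posted by any participant. The login method list, the placeholder secrets and the verification commands are assumptions for a lab router; the TACACS+ server definition is omitted.

```cisco
! Constructed lab example. PLACEHOLDER_* values are not real credentials.
aaa new-model
!
! Authentication at login: who are you?
! Checked against the local user database (assumed here; the thread
! does not show a login method list).
aaa authentication login default local
!
! Authorization at exec start: which privilege level does the shell get?
! With 'local', the level is read from the matching username entry.
! With 'none' (as in the test above), no lookup is done and the
! session starts at level 1.
aaa authorization exec default local
!
! Authentication for 'enable': how do you move to a higher level?
! TACACS+ is asked first; the local enable secret is used only if
! the server group returns an error (for example, is unreachable).
aaa authentication enable default group tacacs+ enable
!
username carlo privilege 2 secret PLACEHOLDER_USER_SECRET
enable secret PLACEHOLDER_ENABLE_SECRET
!
! Exec authorization is not applied to the console line unless
! 'aaa authorization console' is configured, so test over a vty.
!
! Verify from a new vty session:
!   show privilege
!   debug aaa authorization
```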
