what is difference on aaa authorization exec and command

wfqk · ‎06-22-2018

Hi we have below two commands. I am not sure the difference. Anyone can tell what is difference between the two command? Thank you

aaa authorization exec login group tacacs+ none

aaa authorization commands 15 login group tacacs+ none

Richard Burts · ‎06-22-2018

According to the Cisco documentation the aaa authorization exec is for:

Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.

And according to that documentation the aaa authorization command is for:

Runs authorization for all commands at the specified privilege level.

Here is a link if you want more detailed information

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html

HTH

Rick

HTH

Rick

wfqk · ‎06-22-2018

Thank you so much for your reply. Can we understand the first one is for general command authorization and second one is for command at specific privilege level?

Richard Burts · ‎06-22-2018

Perhaps I am not understanding correctly what you are asking or perhaps you are not understanding my explanation. So let me try again from a slightly different perspective. aaa authorization exec has to do with if the user is allowed to run an EXEC shell - or in other words whether the user is allowed to login to the device. It has nothing to do with any commands. aaa authorization command has to do with authorization for commands at some privilege level.

HTH

Rick

HTH

Rick