Here is a sample of AAA configuration for switches and routers:

1)   AAA Authentication

Here is a sample config for AAA authentication including banner and TACACS+ server.

enable secret CISCO

aaa new-model
aaa authentication password-prompt "Password:"
aaa authentication username-prompt "Username:"
! Console: local user database only
aaa authentication login CONSOLE local
! VTY: TACACS+ first, local users if the server does not respond
aaa authentication login VTY group tacacs+ local
! Enable mode: TACACS+ first, then the enable secret
aaa authentication enable default group tacacs+ enable

username ADMIN password 0 CISCO
tacacs-server host
tacacs-server directed-request
tacacs-server key CISCO

line con 0
 login authentication CONSOLE
line vty 0 4
 password CISCO
 login authentication VTY

2)   AAA authorization

Here is an AAA authorization configuration for exec access using TACACS+:

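aaa new-model
! Apply authorization to the console line as well
aaa authorization console
! Default list: no exec authorization
aaa authorization exec default none
aaa authorization exec CONSOLE group tacacs+ local
! VTY: TACACS+ first; if it does not respond, allow any authenticated user
aaa authorization exec VTY group tacacs+ if-authenticated

line con 0
 authorization exec CONSOLE
line vty 0 4
 authorization exec VTY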
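
A named method list applies only to the lines that reference it, so it is worth checking that every list named on a line is defined and has a fallback method after the TACACS+ group. The Python check below is an added example, not part of the original post or any Cisco tooling. SAMPLE is constructed from the commands in sections 1 and 2, and the function names and finding wording are the example's own.

```python
import re
# Constructed sample: sections 1 and 2 of the page merged into one config.
SAMPLE = """\
aaa authentication login CONSOLE local
aaa authentication login VTY group tacacs+ local
aaa authorization exec default none
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
username ADMIN password 0 CISCO
tacacs-server host
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 login authentication VTY
 authorization exec VTY
"""

def methods(text):
    # "group tacacs+ local" -> ["group tacacs+", "local"], in the order tried
    return re.findall(r"group \S+|\S+", text)

def audit(config):
    """Return (method lists, per-line bindings, findings) for IOS config text."""
    lists, bound, findings, line = {}, {}, [], None
    for raw in config.splitlines():
        cmd = raw.strip()
        if m := re.fullmatch(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", cmd):
            lists[(m[1], m[2], m[3])] = methods(m[4])
        elif cmd.startswith("line "):
            line = cmd
        elif line and (m := re.fullmatch(r"login authentication (\S+)", cmd)):
            bound[(line, "authentication", "login")] = m[1]
        elif line and (m := re.fullmatch(r"authorization exec (\S+)", cmd)):
            bound[(line, "authorization", "exec")] = m[1]
        elif re.match(r"username \S+ password 0 ", cmd):
            findings.append("cleartext local password: " + cmd.split()[1])
        elif cmd == "tacacs-server host":
            findings.append("tacacs-server host has no address")
    for (ln, kind, svc), name in bound.items():
        order = lists.get((kind, svc, name))
        if order is None:
            findings.append(f"{ln}: {kind} list {name} is not defined")
        elif all(x.startswith("group ") for x in order):
            findings.append(f"{ln}: {kind} list {name} has no fallback method")
    return lists, bound, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[2]))
```

On the sample it reports the type 0 (cleartext) password for ADMIN and the tacacs-server host line that carries no address.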

3)   AAA command authorization

Here is a sample config so that users with privilege level 7 can access only the following commands:

privilege exec level 7 configure terminal
privilege exec level 7 debug ip rip
privilege exec level 7 undebug all
privilege exec level 7 show running-config
privilege configure level 7 interface
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
privilege interface all level 7 ip
