3640 - AAA/AUTHOR: config command authorization not enabled

Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debbug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrive to the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
I attach you the files with config and logs.
Thanks you in advance.

Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik

Similar Messages

Config command authorization not enabled

Can someone tell me why I'm getting this message. I'm beginning to think this has something to do with my device failing authorization.
Show version
Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.1(19)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik

ACS 3.3 Config Command Authorization

Hi,
I want to allow an user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
The debug says:
1w2d: AAA/AUTHOR: config command authorization not enabled
How can I enable this and how/where can I configure it on the ACS?
Thanks in advance

On ACs just allow the user to enter the "route" command like you have any other shell command they're allowed to do.
On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
aaa authorization config-commands
Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

AUTH command is not enabled.

I have just fresh installed a new MTA, everything is fine but when telnet <own-ip> 25 and when I try to do auth login, I have got this error:
*AUTH command is not enabled.
I supposed the auth login is by default being enabled, may I know how to enable it?
Regards,
gthian

haw_9368 wrote:
I have just fresh installed a new MTA, everything is fine but when telnet <own-ip> 25 and when I try to do auth login, I have got this error:
*AUTH command is not enabled.
I supposed the auth login is by default being enabled, may I know how to enable it?SMTP authentication is only enabled if you have mustsaslserver or maysaslserver keyword on the channel which you are connecting to.
By default the tcp_intranet channel doesn't have this keyword. Try adding maysaslserver to the tcp_intranet channel, then run ./imsimta cnbuild;./imsimta restart.
When you telnet <own-ip> 25, type in, EHLO blah.com, you should see the following:
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
This means SMTP Auth is enabled.
Regards,
Shane.

AUTH Command is not enabled, when try to enable webmail with smtp auth

Hi,
I'm trying to force all the webmail users to authenticate (smtp auth) when they send an email.
I already configure this:
local.service.http.smtpauthpassword = xxxxx
local.service.http.smtpauthuser = admin
and reload the http service. (the password is correct)
Then, enter to the webmail interface and tried to sent an email but when pressed "sent" the following message appears:
SMTP: Error 5.7.1 AUTH Command is not enabled.
Do I have to do something else? Any lead?
Regards

Thanks Jay,
I know about the little use of the webmail authentication but it is something I need to do because in my configuration I have to differentiate between users who can send emails to internet and users who can not, and in order to do that, I need to authenticate all the users. So far is working if the user uses an email client.
For webmail I did not know that I have to add in the tcp_intranet channel definition the attribute: mustsaslserver.

Config commands authorization on ASA

Hi, is there a way to control the config commands with tacacs+ authorization ?
When I enable the configure command, in ACS shell coomand authorization set, all other config commands are enabled.
In IOS there's the "aaa authorization config-commands", how to with ASA ?

Please check this link that explains about command authorization on ASA.
these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
aaa authorization command authserver
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts

Restrict aaa access using command authorization windows acs3.6

i need to enable aaa users to shut and unshut interfaces but nothing else. i already have all the users and groups setup but when i modify the command auth set to include "configure" "permit term" they are given unrestricted access.
any help appreciated

On the router there's a:
aaa authorization config-commands
command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.

AAA Radius accounting command is not taking in 3750 switch

Hi Cisco Support community,
I am facing a issue with radius accounting in Cisco 3750 switch with version 12.2. I am unable to start accounting for radius server.
This is the config that is on the switch for Radius.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec my-authradius group radius if-authenticated.
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 20 tries 5
radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
When i try to add the following command for accounting, this is not saving.
(aaa accounting commands 0 default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius)
If i do paste this command one by one after start-stop group it is showing only two options either tacacs+ or server, no radius option is there as well.
I tried to create a server group and add the radius server in the group. Even then when i am trying to implement the aaa accounting command with the server command it is not showing in show run.
Can anyone please help me with this issue.

Hi,
thanks for your reply but the thing is that i want to see the command that are being run by a user on this particular device. If i use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
I have read the document from this link and it is stating that we can use command accounting. Below is the link
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html.
Can anyone please tell me if this a version issue because even in version 15.4 i was not seeing the radius option in the end
aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.

TACACS+ command authorization and ACS "Quirk"(?)

Hi All,
I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access-ports etc, but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidently assign a server vlan to a user access port. Using ACS 4.2
For the example, i'll use Vlan 101, which is one of my server networks.
My Command set says:
Command: switchport
Arguements: permit access, permit vlan, deny 101
Permit Unmatched Args is UNCHECKED.
When I debug the aaa authorization, i see this:
146425: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
146426: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar 8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
I know I have the correct command set applied, because it blocks me appropriately for other commands.
146451: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
146452: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
146453: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar 8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
Any thoughts why it's not working as expected?

Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
ip tacacs source-interface gi 0/0
tacacs-server directed-request
tacacs-server key
tacacs-server host x.x.x.x
aaa new-model
aaa authentic login default group tacacs+ local
aaa authentic login no-tacacs none
aaa authentic enable default group tacacs+ enable
aaa author config-commands
aaa author exec default if-authenticated
aaa author commands 1 default if-authenticated
aaa author commands 15 default group tacacs+ local
aaa author console
aaa account exec default start-stop group tacacs+
aaa account commands 0 default start-stop group tacacs+
aaa account commands 1 default start-stop group tacacs+
aaa account commands 15 default start-stop group tacacs+
aaa account connection default start-stop group tacacs+
aaa account system default start-stop group tacacs+
aaa session-id common

Command authorization error when using aaa cache

Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
Deleting the cache entry and using only the tacacs group the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
priv=15 vrf= (id=0)

Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek

AAA authorization not working

Hi,
Configured the switch for the AAA authentication it's getting authenticated but it's failing for authentication.
When connected to console it worked- Authenticated and then supplied the enable password.
When telneted : it says "access approved" and "authorization failed"
Relevant switch configuration is as follows and also debug of aaa authorization.
+++++++++++++++++++++++++++++
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
username cisco privilege 15 password 7 05080F1C224233
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
no ip address
spanning-tree portfast
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/2
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan120
ip address 10.12.8.70 255.255.255.240
ip default-gateway 10.12.8.65
ip classless
ip http server
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
password 7 grrfcb7swe
transport input telnet
line vty 5 15
end
Debug output :
Switch#
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------# authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#
Do we need to change anything on Radius server or can we change the authorization preference to local and then to radius.
Please share the experience.
Thanks in advance,
Subodh

Hi Subodh,
I understand that you are trying to use command authorization using RADIUS.
aaa authorization commands 15 default group radius if-authenticated local
Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
Please refer the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
Regards,
Karthik Chandran
*kindly rate helpful post*

Nexus, command authorization using TACACS.

Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea

Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server ;define tacacs server IP
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob...

Aaa authorization config-commands

Hello,
Can anybody explain what is the purpose of this command. I studied the documentation (command reference) but unable to clearly understand the purpose of this command.
Thanks in advance,
Regards,
Mo

This was the best desciption of this command I could find on cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.
Cisco:
Usage Guidelines
If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 group tacacs+ none
no aaa authorization config-commands
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

Command confusion - aaa authorization config-commands

I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
>> Shell Command Authorization Sets
      Name: Restricted_Voice
      Description: Configure port voice vlan only.
      Unmatched Commands: Deny
      Add: enable
      Add: configure / permit terminal <cr>
      Add: interface / permit Gi*
      Add: interface / permit Fa*
      Add: switchport / permit voice vlan *
My switch configuration has the following aaa authorization related lines:
     aaa authorization commands 1 default group tacacs+ if-authenticated
     aaa authorization commands 15 default group tacacs+ if-authenticated
When I tested the Shell Set, I noticed that all (config) mode commands were allowed (ie description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration did my Shell Set began working as I expected it to be.
I went and read up the command reference for "aaa authorization config-commands" in
http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
It looks like I resolved my issue and need to add the new statement to all my switches, I'm wondering if someone can help clarify the usage guidelines for me. I'm I one of the few or only one that misinterpreted these "aaa authorization" commands?

Hi Axa,
I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
The below is taken from cisco.com and explains that you should not require the
aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User
This in essense is a hidden configured default i.e.you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
From Cisco.com (I have underlined the key points)
aaa authorization config-commands
To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
aaa authorization config-commands
no aaa authorization config-commands
Syntax Description
This command has no arguments or keywords.
Defaults
After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
Usage Guidelines
If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
Examples
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands

AAA issue ( command authorization failed)

I am getting the issue, and following is the script , cannot find and locate the cause of error !
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
end

Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enabl mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick

3640 - AAA/AUTHOR: config command authorization not enabled

Similar Messages

Maybe you are looking for