AAA authorization commands

Hi All
Probably i am going to ask a stupid question but i am really confused regarding the purpose of "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level but in my experience, this command is not doing anything. The outcome is same whether it is configured or not.
Following is my aaa part config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
Now whether i keep the last command or remove it, username "cisco" is able to use every level 15 command so my question is, why i bother configuring this command?
Would really appreciate your quick reply
Regards

Thanx a lot for your quick response. Really appreciate that.
So does this mean, can i safely assume that if i am using local database then i don't require "aaa authorization command level" command??
that is following should be the config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
privilege exec level 15 show (just an example)
privilege exec level 15 debug
I have tested this and it worked fine without using "aaa authorization command level"
Moreover, regarding the use of AAA server, my eventual plan is to use TACACS+ but before that, i wanted to get a good grip of AAA functionality and therefore started off with local user database.
So u mean to say, if i am using TACACS+ for authentication and authorization purposes and in ACS Server, user "cisco" has been assigned level 15 but with authorization set of "show" and "debug" only then by using "aaa authorization commands level" in a router, i can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, i can achieve this anyway (restricting "cisco" user to only use "show and debug) without using "aaa authorization command level" (like i tested with local database)??
will really appreciate your kind response

Similar Messages

Aaa authorization commands for pix 535

Hi ,
Can you provide aaa authorization commands for pix 535
Sanjay Nalawade.

Hi,
Please find the AAA config for PIX.
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 5
aaa-server TACACS+ (ExranetFW-In) host
timeout 5
key ********
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting command privilege 15 TACACS+
aaa authorization exec authentication-server
Karuppuchamy

Exclude specific user from aaa authorization commands

Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
is it possible, to exclude an user, say User1, from being command authorized?
In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
We tried this with method lists in combination with ACL's on the VTY's:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind Regards

If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands.
Thank you for rating helpful posts!

Aaa authorization command

Hi!
I have issued the aaa authorization command tacacs on my asa, but the ACS is not letting me do any command now. I'm trying to issue the no
aaa authorization command tacacs, but it does not let me.
How can i rollback??
Please Help me
Tkx
Miguel

What version of ACS are you running?
If you are running acs 4.x then you will have to go to your group settings and under shell command authorization permit all commands, if you are using acs 5, you will have to go to your authorization policy, click customize if the command set column isnt active already and assign the command set to allow all commands. I think by default there should be a permit all.
Thanks,
Tarik

No "list-name" option availbale for aaa authorization command.

I have a 1721 router running 122-15.T14 and want to implement authorization but the router does not provide command option for list name.
I want to implement the following command:
"aaa authorization network groupauthor group radius"
but the only option is default after "network".
Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 27-Aug-04 23:26 by cmong
Image text-base: 0x80008120, data-base: 0x80F731A0
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Router uptime is 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router(config)#aaa authorization network ?
default The default authorization list.
Router(config)#aaa authorization network

I think that your issue is version related. I have a customer who is running a bunch of 1721 routers and when I do aaa authorization network ?
I get both default and the option to name a list.
I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
HTH
Rick

ACS Tacacs+ aaa authorization commands

Hi,
I would like to authorize only certain configuration commands by the Tacacs Server, so in the group setup of ACS, I have checked : command, I have written in the field : configure, and declared as arguments : permit terminal and permit snmp-server enable traps. But I can not configure snmp until I declare in the router : privilege config level 7 snmp-server enable. (I use a level 7 user)
My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
Many thanks
Patrice

Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
Setting Up and Managing Shared Profile Components
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
hth

Command execution get very slow when AAA Authorization enable on ASR 1006

Without Authorization , I am able work smoothly with just click on ASR ...., But Once I enable Authorization it takes many secs to move to other command exampe ( If i hit config t or int gi1/0/1 , it take time to move to next command level) ...
These Authorization issue I am facing only on ASR and for Other Cisco Switches and Router its working fine wiith just a click.
Did any one face such issue , and how it is fix ...
See the Show version for ASR
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 23:32 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
System returned to ROM by reload
System restarted at 17:47:32 IST Thu Oct 4 2012
System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
Last reload reason: EHSA standby down
AAA Commands on ASR 1006
aaa new-model
aaa group server tacacs+ tacgroup
server 10.48.128.10
server 10.72.160.10
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
aaa authentication login default group tacgroup local
aaa authentication enable default group tacgroup enable
aaa accounting exec default start-stop group tacgroup
aaa accounting commands 1 default start-stop group tacgroup
aaa accounting commands 15 default start-stop group tacgroup
aaa accounting connection default start-stop group tacgroup
aaa accounting system default start-stop group tacgroup
aaa authorization commands 0 default group tacgroup none
aaa authorization commands 1 default group tacgroup none
aaa authorization commands 15 default group tacgroup none
aaa session-id common
tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
tacacs-server key 7 053B071C325B411B1D25464058

I think your issue maybe related to your tacacs server. If you re-order the two servers (typically a 5 second timer before failover occurs) and see if that improves your performance:
You can try to debug the issue by referring to the command reference guide....i.e. debug tacacs...you can also try to telnet to both ip address to port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the tacacs servers is failing. I also noticed you have the shared secret and tacacs server defined for one of the servers, is the sam present for the other server that is in the server group?
server 10.48.128.10
server 10.72.160.10
to
server 10.72.160.10
server 10.48.128.10
Thanks,
Tarik Admani
*Please rate helpful posts*

Aaa authorization config-commands

Hello,
Can anybody explain what is the purpose of this command. I studied the documentation (command reference) but unable to clearly understand the purpose of this command.
Thanks in advance,
Regards,
Mo

This was the best desciption of this command I could find on cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.
Cisco:
Usage Guidelines
If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 group tacacs+ none
no aaa authorization config-commands
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

Allow some show commands in AAA Authorization Set

I'm working on creating AAA authorization sets for our environment and ran into a question!
I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable. Even if I try to explicitly enable it.
Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
ACS Version 4.1.
Command set is configured:

Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config' then stoping on that before anything else. I've tried adding 'permit run interface' in ACS and same thing. Other AAA Authorization set commands work just fine.
On the switch (its a 2960G-8TC-K) running 12.2(58)SE2.
aaa group server tacacs+ SHS
server 10.10.11.200
aaa authentication login verifyme group TACACS+ local
aaa authorization config-commands
aaa authorization exec verifyme group TACACS+ local
aaa authorization commands 0 default group TACACS+
aaa authorization commands 1 default group TACACS+
aaa authorization commands 15 default group TACACS+
aaa accounting send stop-record authentication failure
aaa accounting exec verifyme start-stop group TACACS+
aaa accounting commands 15 default start-stop group TACACS+
aaa accounting network verifyme start-stop group TACACS+
aaa accounting system default start-stop group TACACS+
aaa session-id common
Debugs!
Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

Command confusion - aaa authorization config-commands

I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
>> Shell Command Authorization Sets
      Name: Restricted_Voice
      Description: Configure port voice vlan only.
      Unmatched Commands: Deny
      Add: enable
      Add: configure / permit terminal <cr>
      Add: interface / permit Gi*
      Add: interface / permit Fa*
      Add: switchport / permit voice vlan *
My switch configuration has the following aaa authorization related lines:
     aaa authorization commands 1 default group tacacs+ if-authenticated
     aaa authorization commands 15 default group tacacs+ if-authenticated
When I tested the Shell Set, I noticed that all (config) mode commands were allowed (ie description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration did my Shell Set began working as I expected it to be.
I went and read up the command reference for "aaa authorization config-commands" in
http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
It looks like I resolved my issue and need to add the new statement to all my switches, I'm wondering if someone can help clarify the usage guidelines for me. I'm I one of the few or only one that misinterpreted these "aaa authorization" commands?

Hi Axa,
I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
The below is taken from cisco.com and explains that you should not require the
aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User
This in essense is a hidden configured default i.e.you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
From Cisco.com (I have underlined the key points)
aaa authorization config-commands
To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
aaa authorization config-commands
no aaa authorization config-commands
Syntax Description
This command has no arguments or keywords.
Defaults
After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
Usage Guidelines
If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
Examples
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands

AAA authorization fails, but still command is executed...

Hi everyone,
i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec 7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
Is this me not understandig the basic concept of AAA or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
Tom

Hi Tom,
this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert

Aaa authorization console command

Hi,
I don't really understand the need of the command "aaa authorization console".
We indeed often configure these lines, which according to me already ar eapplied by default to VTY, Console, etc ...:
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
Am I wrong? Or do these lines apply only to the VTY linse?
Thanks by advance

I learned this locking out form console today in the hard-way
we use as standard
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
and I missed the trailing "if-authenticated" in line "aaa authorization exec default local group tacacs+ if-authenticated", unfortuanatly also the tacacs serves wasn't reachable.
So no way to log in without the hard way rebooting and reconfiguring again

Configuring aaa local command authorization

i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..

Hi,
For aaa authorization command set.Kindly refer to link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
I hope this help.Please rate this post.
cheers
Sachin

AAA issue ( command authorization failed)

I am getting the issue, and following is the script , cannot find and locate the cause of error !
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
end

Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enabl mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick

Question about usage of aaa accounting commands

Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command
information to ACS.
Accounting commands do not send to ACS are "show log" and "show version".
Accounting commands send to ACS are "show runn", "conf t" and "debug"
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands do not send to ACS are privilege level 1 command and the commands
send to ACS are privilege level 15 command.
So I need to additional aaa accounting command below to get routers and switches send level 1
command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
so need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,

Hi,
plese do this and the router will send
everything to the ACS server, except
whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security

AAA authorization commands

Similar Messages

Maybe you are looking for