Authorization config-commands - doubts

Hello Everyone,
So, for AAA Authorization,
When I issue "aaa authorization commands 15 default local" -> it will authorize every command on the exec for lvl 15.
Will the command above overlap with "aaa authorization config-commands"?!
Should I use "aaa authorization config-commands" just when I'm trying to authorize configuration commands?!

No, the aaa authorization config-commands is a must for the aaa authorization commands 15 default local to work. If the config-commands is missing from your config then no authorization will happen for level 15 commands. Take a look at this post:
https://supportforums.cisco.com/discussion/11409121/command-confusion-aaa-authorization-config-commands
Thank you for rating helpful posts!
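As an added example (not Cisco's code and not from any poster on this page), the model below shows how the pieces discussed in this thread interact: a TACACS+ command set like the "Restricted_Voice" ACS shell set and the "commands 15 default group tacacs+ if-authenticated" method list described further down the page, the "aaa authorization config-commands" switch, and the fallback-method advice for avoiding lockout. Everything here is a simplified, constructed model: the rules, the session commands, the glob matching on arguments, and the assumption that a method list moves to its fallback only when the TACACS+ server does not answer (ERROR), never when it answers deny (FAIL).

```python
# Added example (not Cisco's code): simplified model of IOS command authorization
# against a TACACS+ shell command set, with the effect of
#   aaa authorization config-commands / no aaa authorization config-commands
# and of the fallback method after 'group tacacs+'.
# Assumptions: the rule set, session and matching semantics are constructed for
# illustration; a listed command whose arguments match no pattern is denied.
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandSet:
    """ACS-style shell command authorization set: command -> [(verdict, argument glob)]."""
    rules: dict[str, list[tuple[str, str]]]
    unmatched: str = DENY  # "Unmatched Commands: Deny"

    def evaluate(self, line: str) -> str:
        cmd, _, args = line.strip().partition(" ")
        if cmd not in self.rules:
            return self.unmatched
        for verdict, pattern in self.rules[cmd]:
            if fnmatchcase(args, pattern):
                return verdict
        return DENY  # command is listed but no argument pattern matched (assumed deny)


@dataclass
class Nas:
    """The switch/router side: config-commands switch, method-list fallback, server state."""
    command_set: CommandSet
    config_commands: bool = True                 # 'aaa authorization config-commands'
    fallback: str | None = "if-authenticated"    # method after 'group tacacs+', or None
    tacacs_reachable: bool = True
    log: list[str] = field(default_factory=list)

    def authorize(self, line: str, mode: str, authenticated: bool = True) -> str:
        if mode == "config" and not self.config_commands:
            # the debug message quoted in the threads on this page when the switch is off
            self.log.append("AAA/AUTHOR: config command authorization not enabled")
            return PERMIT  # config-mode commands skip authorization entirely
        if self.tacacs_reachable:
            return self.command_set.evaluate(line)  # server PASS/FAIL is final, no fallback
        # ERROR (no answer from the server): try the next method in the list
        if self.fallback == "if-authenticated":
            return PERMIT if authenticated else DENY
        if self.fallback == "none":
            return PERMIT
        self.log.append("no fallback method: server down means the operator is locked out")
        return DENY


# Constructed rule set mirroring the "Restricted_Voice" ACS set on this page
RESTRICTED_VOICE = CommandSet(rules={
    "enable": [(PERMIT, "*")],
    "configure": [(PERMIT, "terminal")],
    "interface": [(PERMIT, "Gi*"), (PERMIT, "Fa*")],
    "switchport": [(PERMIT, "voice vlan *")],
})

# Constructed technician session: (command line, mode it is typed in)
SESSION = [
    ("enable", "exec"),
    ("configure terminal", "exec"),
    ("interface GigabitEthernet0/1", "config"),
    ("switchport voice vlan 100", "config"),
    ("switchport access vlan 10", "config"),
    ("description phone port", "config"),
]


def run_session(nas: Nas) -> dict[str, str]:
    """Return the verdict for every command of the constructed session."""
    return {cmd: nas.authorize(cmd, mode) for cmd, mode in SESSION}


if __name__ == "__main__":
    scenarios = [
        ("config-commands on (intended behaviour)", Nas(RESTRICTED_VOICE)),
        ("config-commands off (every config command allowed)", Nas(RESTRICTED_VOICE, config_commands=False)),
        ("TACACS+ down, fallback if-authenticated", Nas(RESTRICTED_VOICE, tacacs_reachable=False)),
        ("TACACS+ down, no fallback (lockout)", Nas(RESTRICTED_VOICE, tacacs_reachable=False, fallback=None)),
    ]
    for title, nas in scenarios:
        print(f"== {title}")
        for cmd, verdict in run_session(nas).items():
            print(f"  {verdict:6} {cmd}")
        for entry in sorted(set(nas.log)):
            print(f"  log: {entry}")
```

The second scenario reproduces what the "Restricted_Voice" poster saw: with config-command authorization off, "description" and "switchport access vlan" sail through even though the set never permits them, so the explicit "aaa authorization config-commands" line is what turns the set into a real restriction. The last scenario is the lockout case the best-practice thread warns about: a server outage with no fallback method denies everything, including "enable".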

Similar Messages

  • Aaa authorization config-commands

    Hello,
    Can anybody explain what is the purpose of this command. I studied the documentation (command reference) but unable to clearly understand the purpose of this command.
    Thanks in advance,
    Regards,
    Mo

    This was the best description of this command I could find on Cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.
    Cisco:
    Usage Guidelines
    If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.
    After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
    Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
    Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.
    The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
    aaa new-model
    aaa authorization command 15 group tacacs+ none
    no aaa authorization config-commands
    http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

  • Command confusion - aaa authorization config-commands

    I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
      >> Shell Command Authorization Sets
          Name: Restricted_Voice
          Description: Configure port voice vlan only.
          Unmatched Commands: Deny
          Add: enable
          Add: configure / permit terminal <cr>
          Add: interface / permit Gi*
          Add: interface / permit Fa*
          Add: switchport / permit voice vlan *
    My switch configuration has the following aaa authorization related lines:
         aaa authorization commands 1 default group tacacs+ if-authenticated
         aaa authorization commands 15 default group tacacs+ if-authenticated
    When I tested the Shell Set, I noticed that all (config) mode commands were allowed (i.e. description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration that my Shell Set began working as I expected it to.
    I went and read up the command reference for "aaa authorization config-commands" in
    http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
    My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
    It looks like I resolved my issue and need to add the new statement to all my switches. I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few, or the only one, that misinterpreted these "aaa authorization" commands?

    Hi Axa,
    I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method.
    The below is taken from cisco.com and explains that you should not require the aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User.
    This in essence is a hidden configured default, i.e. you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
    From Cisco.com (I have underlined the key points)
    aaa authorization config-commands
    To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
    aaa authorization config-commands
    no aaa authorization config-commands
    Syntax Description
    This command has no arguments or keywords.
    Defaults
    After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
    Usage Guidelines
    If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
    After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
    Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
    Examples
    The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
    aaa new-model
    aaa authorization command 15 tacacs+ none
    no aaa authorization config-commands

  • ACS 3.3 Config Command Authorization

    Hi,
    I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
    The debug says:
    1w2d: AAA/AUTHOR: config command authorization not enabled
    How can I enable this and how/where can I configure it on the ACS?
    Thanks in advance

    On ACS just allow the user to enter the "route" command like any other shell command they're allowed to do.
    On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
    aaa authorization config-commands
    Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

  • Config commands authorization on ASA

    Hi, is there a way to control the config commands with tacacs+ authorization ?
    When I enable the configure command in the ACS shell command authorization set, all other config commands are enabled.
    In IOS there's the "aaa authorization config-commands"; how do I do this with ASA?

    Please check this link that explains about command authorization on ASA.
    these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
    aaa-server authserver protocol tacacs+
    aaa-server authserver host 10.1.1.1
    aaa authorization command authserver
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • 3640 - AAA/AUTHOR: config command authorization not enabled

    Hello, I have a 3640 router with the c3640-ik9o3sw6-mz.122-8.T.bin version, but when I try to validate the username and password with a RADIUS server, the debug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the RADIUS validates the user and the packet arrives at the router.
    I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
    I attach you the files with config and logs.
    Thank you in advance.


  • Problem with the "make config" command

    Kernel Compilation from Source for New Users
    I downloaded the linux-2.6.37-ARCH source files and copied them to /usr/src/. Then I used "cd linux-2.6.37-ARCH" to move to that directory so I could use the "make config" command. Now, when I use "make config" a prompt comes up and I'm not sure how to configure it for my system.
    (When the prompt comes up there are several hundred questions to answer.)
    [root@Online linux-2.6.37-ARCH]# make config
    scripts/kconfig/conf --oldaskconfig Kconfig
    # using defaults found in arch/x86/configs/x86_64_defconfig
    * Linux/x86_64 2.6.37 Kernel Configuration
    * General setup
    Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?]
    I think i might have just figured it out. "make xconfig"
    Last edited by unilx (2011-02-20 23:35:24)

    unilx wrote: ...so I could use the "make config" command. Now, when I use "make config" a prompt comes up ...
    Are you sure of that command? Could you have meant make menuconfig??

  • Missing "config" command in CLI (Cisco 1140 AP)

    Hi All
    I am trying to change the IP configuration for my Cisco 1140 AP, but in the CLI I don't have a "config" command (I used en before to enable administrative mode).
    Below are the commands I can see:
    AP7081.0506.d54a#?
    Exec commands:
      cd               Change current directory
      clear            Reset functions
      clock            Manage the system clock
      crypto           Encryption related commands.
      debug            Debugging functions (see also 'undebug')
      delete           Delete a file
      dir              List files on a filesystem
      disable          Turn off privileged commands
      enable           Turn on privileged commands
      exit             Exit from the EXEC
      fsck             Fsck a filesystem
      help             Description of the interactive help system
      led              LED functions
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      lwapp            lwapp exec commands
      mkdir            Create new directory
      monitor          Monitoring different system events
      more             Display the contents of a file
      name-connection  Name an existing network connection
      no               Disable debugging functions
      ping             Send echo messages
      pwd              Display current working directory
      release          Release a resource
      reload           Halt and perform a cold restart
      rename           Rename a file
      renew            Renew a resource
      rmdir            Remove existing directory
      send             Send a message to other tty lines
      set              Set system parameter (not config)
      show             Show running system information
      systat           Display information about terminal lines
      terminal         Set terminal line parameters
      test             Test subsystems, memory, and interfaces
      traceroute       Trace route to destination
      undebug          Disable debugging functions (see also 'debug')
      upgrade          Upgrade software
      verify           Verify a file
      where            List active connections
    In addition, I keep getting the following messages:
    *Mar  1 00:38:13.933: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
    *Mar  1 00:38:23.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    I am not sure what I am doing wrong. I tried to do a hard reset but it didn't work.
    Any ideas?

    Thanks
    Another question:
    I verified that my AP is Lightweight by the part id (AIR-LAP1141N)
    Now, when I browse to Cisco download page, I have 3 options for OS:
    - Autonomous AP IOS Software
    - IOS Boot Images
    - IOS Software
    - Lightweight AP IOS Software
    Which of the above should I use in order to switch the AP to regular mode?
    Does anyone know what the difference is between the IOS software and the Autonomous IOS software?

  • Kde4-config: command not found (after upgrade of kde4 to version 4.6)

    When I upgraded my KDE desktop to latest version, it seems that it has removed the kde4-config command.
    Unfortunately I don't know which package it belongs to?
    I get the error when I execute startkde script from ~/.xinitrc
    I have tested to re-install KDE but it doesn't resolve my problem.
    Anyone know which package it is?

    Ok, very weird, I re-installed latest version of kdelibs again and now I have the kde4-config command.
    Problem solved.
    Thanks!

  • Can't run service perfigo config command on NAC

    I have a new NAC Manager server for a fresh deployment. I logged in using root password with a serial connection to the server.
    I can't seem to be able to run the "service perfigo config" command to perform the initial CAM configuration.
    [root@nacmanager /]# service perfigo start
    perfigo: unrecognized service
    [root@nacmanager /]#
    Any idea what might be the problem?
    Thanks in advance.

    What is happening when you are booting from a CD where NAC ISO is installed on it?
    Usually, during boot, you should receive an installer welcome message:
    Cisco Clean Access 4.8.2 Installer (C) 2011 Cisco Systems, Inc.
                   Welcome to the Cisco Clean Access Installer!
    - To install a Cisco Clean Access device, press the key.
    - To install a Cisco Clean Access device over a serial console, enter serial at the boot prompt and press the key.
    boot: serial
    You can type serial if you are connected through console, after that it will check for existing installations and will ask you if you need to install a NAC Manager or Server:
    Please choose one of the following configurations:
    1) CCA Manager.
    2) CCA Server.
    3) Exit.
    You choose 1 or 2 depending on the server type. The software will install and the server will reboot.
    After the reboot, you login as root and automatically the configuration utility will launch by itself and you will set the basic parameters:
    CentOS release 5.3 (Final)
    Kernel 2.6.18-128.1.10.el5PAE on an i686
    nacmanager login: root
    Welcome to the Cisco Clean Access Manager quick configuration utility.
    Note that you need to be root to execute this utility.
    The utility will now ask you a series of configuration questions.
    Please answer them carefully.
    Cisco Clean Access Manager, (C) 2011 Cisco Systems, Inc.
    Configuring the network interface:
    Please enter the IP address for the interface eth0 []: 172.30.1.1
    You entered 172.30.1.1 Is this correct? (y/n)? [y]
    etc......
    Hope this helps.
    Regards,

  • List of "about:config" commands

    I want to be able to really fine tune/customize firefox, but many of the changes I want to make are only available thru "about:config". An example of such a change -- how to force new tabs to open blank -- took quite a bit of searching and knowing what question to ask or how to phrase it. Is there a list of all the "about:config" commands, and if so, where do I find/get them? Is it just a printable list (acceptable, but just...), a basic searchable database (better, but probably still have to know/phrase a question), or best yet, a keyword searchable db with both of the previous options? Also, is this putative list version specific, or is it constantly updated with a mix of old and new commands? I realize the risk of severely damaging the firefox installation, and am prepared to take it, as I think I'm reasonably cautious, and would check out any truly questionable changes before making them.

    hello eviltwin, here is a site which covers many preferences from about:config (however it's neither complete nor always up-to-date): http://kb.mozillazine.org/About:config_entries
    mozilla's own documentation in this regard is rather limited currently: https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference

  • Command Authorization Config best practice using ACS

    Hi
    Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
    Regards
    V Vinodh.

    Vinodh,
    The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure the configs are working fine.
    Please check this link,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Config command authorization not enabled

    Can someone tell me why I'm getting this message. I'm beginning to think this has something to do with my device failing authorization.
    Show version
    Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.1(19)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    Yep! I'm really running 12.1!
    I'm receiving the message once I include "aaa authorization exec default group radius local if-authenticated" in the config.
    Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
    sh run | i aaa
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication banner ^C
    aaa authentication fail-message ^C
    aaa authentication login My-RADIUS group radius local
    aaa accounting exec My-RADIUS start-stop group radius
    aaa session-id common
    Is there somewhere specific I was supposed to configure the aaa authorization enabled, because I'm not seeing it.
    Let me know what other thoughts you may have.
    Thanks
    Nik

  • Abap command doubt

    Hi folks..
    One doubt. In one of my programs I've used one command which is as follows:
    uom_s[] = uom[].
    where uom is a structure like  bapi_marm_ga  and
    uom_s is a structure like bapi_marm.
    All the relevant values got copied to the uom_s table, but in uom_s there is a field GTIN_VARIANT which gets populated automatically with value '00', whereas there was no corresponding value in GTIN_VARIANT in the uom table.
    But there were two fields (both type n) in uom which had the values '000000' and '00' and have no corresponding field in uom_s. So how does this command work, given that it populated a field automatically?
    GTIN_VARIANT in uom and uom_s is a type c field of length 2.
    So how does this command work...
    I hope I'm clear.

    yes my problem is solved. I've cleared that field explicitly
    thanks anyway

  • Utils import config command failed on CUCM8.6.1

    I've created a cucm861sub.flp file and uploaded it to the datastore on ESXi 4.1, then mapped it to the floppy, i.e. I followed the procedure on the Cisco wiki to the last letter. Still, after applying the command I'm receiving the following error: "Cannot locate configuration file"
    I've used Winimage to create a 1.44MB floppy that contains only one file, called platformConfig.xml (the file was downloaded directly from CCO).
    Was anybody able to apply successfully new identity feature?

    I opened a TAC case and found this is a bug. CSCtx55507: "utils import config" is failing.
    These are the Call Manager versions that have the fix for this issue: 8.6(2.10000.30), 8.6(1.98000.87), 8.6(1.98000.39) or any later version.
