No "list-name" option available for aaa authorization command.
I have a 1721 router running 122-15.T14 and want to implement authorization, but the router does not provide a command option for a list name.
I want to implement the following command:
"aaa authorization network groupauthor group radius"
but the only option is default after "network".
Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 27-Aug-04 23:26 by cmong
Image text-base: 0x80008120, data-base: 0x80F731A0
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
Router uptime is 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router(config)#aaa authorization network ?
default The default authorization list.
Router(config)#aaa authorization network
I think that your issue is version-related. I have a customer who is running a bunch of 1721 routers, and when I do aaa authorization network ? I get both default and the option to name a list.
I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
HTH
Rick
Similar Messages
-
Aaa authorization commands for pix 535
Hi ,
Can you provide aaa authorization commands for pix 535
Sanjay Nalawade.
Hi,
Please find the AAA config for PIX.
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 5
aaa-server TACACS+ (ExranetFW-In) host
timeout 5
key ********
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting command privilege 15 TACACS+
aaa authorization exec authentication-server
Karuppuchamy -
Exclude specific user from aaa authorization commands
Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Is it possible to exclude a user, say User1, from being command-authorized?
In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
We tried this with method lists in combination with ACL's on the VTY's:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind Regards
If that user belongs to a unique group then you can write a policy where "if the user is in group x then return access_reject", or return access_accept but set the privilege level to 1 and block all commands.
Thank you for rating helpful posts! -
Hi All
Probably I am going to ask a stupid question, but I am really confused regarding the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level, but in my experience this command is not doing anything. The outcome is the same whether it is configured or not.
Following is my aaa part config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is: why do I bother configuring this command?
Would really appreciate your quick reply
Regards
Thanks a lot for your quick response. Really appreciate that.
So does this mean I can safely assume that if I am using the local database then I don't require the "aaa authorization command level" command?
That is, the following should be the config:
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
privilege exec level 15 show (just an example)
privilege exec level 15 debug
I have tested this and it worked fine without using "aaa authorization command level".
Moreover, regarding the use of an AAA server, my eventual plan is to use TACACS+, but before that I wanted to get a good grip on AAA functionality and therefore started off with the local user database.
So you mean to say, if I am using TACACS+ for authentication and authorization purposes and in the ACS server user "cisco" has been assigned level 15 but with an authorization set of "show" and "debug" only, then by using "aaa authorization commands level" in a router I can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, I can achieve this anyway (restricting user "cisco" to only use "show" and "debug") without using "aaa authorization command level" (like I tested with the local database)??
I will really appreciate your kind response -
Hi!
I have issued the aaa authorization command tacacs on my ASA, but the ACS is not letting me do any command now. I'm trying to issue no aaa authorization command tacacs, but it does not let me.
How can I roll back??
Please Help me
Tkx
Miguel
What version of ACS are you running?
If you are running ACS 4.x then you will have to go to your group settings and under shell command authorization permit all commands; if you are using ACS 5, you will have to go to your authorization policy, click customize if the command set column isn't active already, and assign the command set to allow all commands. I think by default there should be a permit all.
Thanks,
Tarik -
ACS Tacacs+ aaa authorization commands
Hi,
I would like to authorize only certain configuration commands via the TACACS server, so in the group setup of ACS I have checked "command", written "configure" in the field, and declared as arguments "permit terminal" and "permit snmp-server enable traps". But I cannot configure snmp until I declare "privilege config level 7 snmp-server enable" in the router. (I use a level 7 user.)
My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
Many thanks
Patrice
Yes, you can get very granular using Command Authorization Sets, and they can be applied to individual users or groups.
Setting Up and Managing Shared Profile Components
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
hth -
Configuring aaa local command authorization
I am struggling a bit with how to configure aaa local command authorization, and I am not finding any material on configuring it either. Please tell me how to configure aaa local command authorization, or possibly give me some useful links for that.
Hi,
For the aaa authorization command set, kindly refer to this link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
I hope this helps. Please rate this post.
cheers
Sachin -
AAA Authorization named authorization list
Ladies and Gents,
Your help will be greatly appreciated. I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work, but I am having difficulty getting my head around the below.
Cisco.com extract below
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
My question is how do you define the Named Method List, i.e. the non-default method list?
I don't mean the Cisco switch config, but how the list is created: is this on the tacacs+ server and then referred to in the CLI?
Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
Thanks in advance
David
Hi David,
An example of a named AAA list might look something like this:
aaa authorization exec TacExec group AAASrv local
In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response: the device will only check the local user database if and only if it receives nothing back from the TACACS query.
Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
Below is a cut and paste from the AAA section on one of my devices:
aaa new-model
ip tacacs source-interface
tacacs-server host 10.x.x.x key 7
tacacs-server host 10.x.x.y key 7
aaa group server tacacs+ TacSrvGrp
server 10.x.x.x
server 10.x.x.y
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group TacSrvGrp local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group TacSrvGrp local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group TacSrvGrp local
aaa accounting exec default start-stop group TacSrvGrp
aaa accounting commands 15 default start-stop group TacSrvGrp
aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 15 0
authorization commands 0 TacCommands0
authorization commands 1 TacCommands1
authorization commands 15 TacCommands15
authorization exec TacAuth
login authentication TacLogin
transport input ssh
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
Hope this helps! -
Allow some show commands in AAA Authorization Set
I'm working on creating AAA authorization sets for our environment and ran into a question!
I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable. Even if I try to explicitly enable it.
Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
ACS Version 4.1.
Command set is configured:
Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config' then stopping on that before anything else. I've tried adding 'permit run interface' in ACS and same thing. Other AAA Authorization set commands work just fine.
On the switch (it's a 2960G-8TC-K) running 12.2(58)SE2.
aaa group server tacacs+ SHS
server 10.10.11.200
aaa authentication login verifyme group TACACS+ local
aaa authorization config-commands
aaa authorization exec verifyme group TACACS+ local
aaa authorization commands 0 default group TACACS+
aaa authorization commands 1 default group TACACS+
aaa authorization commands 15 default group TACACS+
aaa accounting send stop-record authentication failure
aaa accounting exec verifyme start-stop group TACACS+
aaa accounting commands 15 default start-stop group TACACS+
aaa accounting network verifyme start-stop group TACACS+
aaa accounting system default start-stop group TACACS+
aaa session-id common
Debugs!
Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0) -
AAA authorization fails, but still command is executed...
Hi everyone,
I've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
Now I try to configure a loopback or Vlan interface, which should not be allowed.
COMMANDS IMPLEMENTED:
aaa authorization config-commands
aaa authorization commands 0 vty group tacacs+ none
aaa authorization commands 1 vty group tacacs+ none
aaa authorization commands 15 vty group tacacs+ none
line vty 0 15
authorization commands 0 vty
authorization commands 1 vty
authorization commands 15 vty
COMMAND AND OUTPUT FROM TESTING:
SWITCH(config)#int vlan 2
Command authorization failed.
DEBUG AAA AUTHORIZATION:
SWITCH#
Dec 7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
Dec 7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Dec 7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
Dec 7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
Dec 7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
Dec 7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
Dec 7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
Dec 7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
RESULT:
SWITCH#sh run int vlan 2
Building configuration...
Current configuration : 38 bytes
interface Vlan2
no ip address
end
QUESTION:
I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
Is this me not understanding the basic concept of AAA, or is this some other problem?
The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
The Tacacs runs Cisco Secure ACS4.2.0.124
Thanks,
Tom
Hi Tom,
This is CSCtd49491: TACACS+ command authorization for interface configuration fails.
The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
hth
Herbert -
AAA Authorization with ACS Shell-Sets
Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?
Hi,
So here it is,
You are actually using two different options and trying to couple them together. What I would suggest is to either use the Shell command authorization set feature or play with privilege levels, not both mixed together.
Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
This is what I suggest the commands back to normal level.
Below provided are steps to configure shell command authorization:
Follow the following steps over the router:
!--- is the desired username
!--- is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username password privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where is the
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host key
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
Provide a sufficient description (if required).
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
For example: if we want the user to only be able to access the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
------------------------Permit unmatched Args--
login permit
logout permit
exit permit
enable permit
disable permit
configure permit terminal
interface permit ethernet
permit 0
show permit running-config
In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
(cont...) -
AAA authorization and accounting
Hello everyone.
I am given a project to implement AAA on routers and switches in our environment. Can some one please help me out in understanding the difference between,
1) aaa authorization exec and aaa authorization command option.
2) aaa accounting exec and aaa accounting command option.
Many thanks.
Sent from Cisco Technical Support Android App
Hello,
1) aaa authorization exec and aaa authorization command option.
The first one authorizes whether the user has the right privilege level to enter one of the IOS privilege levels (0, 1, 15); you can customize this.
The second one authorizes the different commands a user can type and send to the device
2) aaa accounting exec and aaa accounting command option.
The first one again accounts when a user enters a specific user level (privileged level 15 or exec user level 1).
The second one sends an accounting message for each command sent to the box.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura -
Command confusion - aaa authorization config-commands
I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
>> Shell Command Authorization Sets
Name: Restricted_Voice
Description: Configure port voice vlan only.
Unmatched Commands: Deny
Add: enable
Add: configure / permit terminal <cr>
Add: interface / permit Gi*
Add: interface / permit Fa*
Add: switchport / permit voice vlan *
My switch configuration has the following aaa authorization related lines:
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
When I tested the Shell Set, I noticed that all (config) mode commands were allowed (ie description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration did my Shell Set began working as I expected it to be.
I went and read up the command reference for "aaa authorization config-commands" in
http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
It looks like I resolved my issue and need to add the new statement to all my switches, but I'm wondering if someone can help clarify the usage guidelines for me. Am I one of the few, or the only one, who misinterpreted these "aaa authorization" commands?
Hi Axa,
I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
The below is taken from cisco.com and explains that you should not require aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec user.
This in essence is a hidden configured default, i.e. you switch on authorization for config-commands automatically when you use the aaa authorization commands level method command!
From Cisco.com (I have underlined the key points)
aaa authorization config-commands
To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
aaa authorization config-commands
no aaa authorization config-commands
Syntax Description
This command has no arguments or keywords.
Defaults
After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
Usage Guidelines
If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
Examples
The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands -
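As an added illustration of how an ACS-style shell command authorization set reaches its decision, the block below is model code written for this page (not ACS software, and not anything the posters ran). It evaluates three sets: the single unanchored 'deny running-config' line from the "Allow some show commands" thread, a reworked version of it, and the Restricted_Voice set listed in the config-commands thread above. The matching rules it assumes (command word looked up first; argument lines treated as unanchored regular expressions tried top-down with the first match deciding; Permit Unmatched Args for anything left over; a command sent with no arguments has nothing to match) fit the debug output in the 'show run' thread, but confirm them against the documentation for your ACS release. It models only the server's answer; whether the device asks at all for configuration-mode commands is the config-commands point settled above. Note that because argument lines are patterns, `Gi*` means "G followed by any number of i", which is wider than the glob it resembles.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One 'Add Command' entry: the Permit Unmatched Args box plus its ordered argument lines."""
    permit_unmatched_args: bool
    arg_rules: list = field(default_factory=list)   # [("permit" | "deny", regex), ...]


@dataclass
class CommandSet:
    """A shell command authorization set (a model written for this page, not ACS code)."""
    name: str
    unmatched_commands: str                        # "permit" or "deny"
    commands: dict = field(default_factory=dict)   # command word -> CommandRule

    def authorize(self, command_line):
        """Decide one request the way the device presents it in the debugs above:
        cmd=<first word>, cmd-arg=<remaining words>. Returns True for permit."""
        words = command_line.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        rule = self.commands.get(cmd)
        if rule is None:
            return self.unmatched_commands == "permit"
        if not args:
            return True      # assumption: a bare command has no arguments left to match
        # Assumption: argument lines are unanchored regexes, tried top-down, first match wins.
        for action, pattern in rule.arg_rules:
            if re.search(pattern, args):
                return action == "permit"
        return rule.permit_unmatched_args


# The 'show run' thread's set as first written: one unanchored deny line.  Because the
# device sends the full argument string, "running-config interface GigabitEthernet 0/1"
# also contains "running-config", so the deny line matches it too.
NAIVE_SHOW = CommandSet("show_naive", "deny", {
    "show": CommandRule(permit_unmatched_args=True,
                        arg_rules=[("deny", r"running-config")]),
})

# Same intent, with the more specific permit listed first and both patterns anchored.
FIXED_SHOW = CommandSet("show_fixed", "deny", {
    "show": CommandRule(permit_unmatched_args=True, arg_rules=[
        ("permit", r"^running-config interface"),
        ("deny", r"^running-config"),
    ]),
})

# The Restricted_Voice set from the config-commands thread, as the poster listed it.
RESTRICTED_VOICE = CommandSet("Restricted_Voice", "deny", {
    "enable": CommandRule(permit_unmatched_args=False),
    "configure": CommandRule(False, [("permit", r"terminal")]),
    "interface": CommandRule(False, [("permit", r"Gi*"), ("permit", r"Fa*")]),
    "switchport": CommandRule(False, [("permit", r"voice vlan *")]),
})


def decisions(cmd_set, command_lines):
    """Evaluate several requests against one set; returns {command_line: permitted}."""
    return {line: cmd_set.authorize(line) for line in command_lines}


if __name__ == "__main__":
    # Constructed requests, written as IOS expands them before sending to the server.
    show_requests = ["show running-config",
                     "show running-config interface GigabitEthernet 0/1",
                     "show interfaces status", "configure terminal"]
    voice_requests = ["enable", "configure terminal", "interface GigabitEthernet0/1",
                      "interface Vlan2", "switchport voice vlan 100",
                      "switchport access vlan 10", "description uplink"]
    for cmd_set, reqs in ((NAIVE_SHOW, show_requests), (FIXED_SHOW, show_requests),
                          (RESTRICTED_VOICE, voice_requests)):
        print(cmd_set.name)
        for line, ok in decisions(cmd_set, reqs).items():
            print(f"  {'permit' if ok else 'deny  '}  {line}")
```

Running the block prints, for each set, one permit/deny decision per constructed request; the naive set denies 'show running-config interface ...' exactly as the thread reports, while the anchored, ordered version permits it and still denies the bare 'show running-config'.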
Hi,
Configured the switch for the AAA authentication it's getting authenticated but it's failing for authentication.
When connected to console it worked- Authenticated and then supplied the enable password.
When telnetted: it says "access approved" and "authorization failed".
Relevant switch configuration is as follows and also debug of aaa authorization.
+++++++++++++++++++++++++++++
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Switch
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group radius if-authenticated local
aaa authorization commands 15 default group radius if-authenticated local
enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
username cisco privilege 15 password 7 05080F1C224233
vlan 10
vlan 120
ip subnet-zero
vtp mode transparent
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
no ip address
spanning-tree portfast
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/2
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan120
ip address 10.12.8.70 255.255.255.240
ip default-gateway 10.12.8.65
ip classless
ip http server
radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
line con 0
line vty 0 4
password 7 grrfcb7swe
transport input telnet
line vty 5 15
end
Debug output:
Switch#
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------# authorization failed #
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
Switch#
Switch#
Do we need to change anything on the RADIUS server, or can we change the authorization preference to local first and then RADIUS?
Please share your experience.
Thanks in advance,
Subodh
Hi Subodh,
I understand that you are trying to use command authorization using RADIUS.
aaa authorization commands 15 default group radius if-authenticated local
Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed on a router and which cannot.
Please refer to the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
Regards,
Karthik Chandran
*kindly rate helpful post* -
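To make the failure in a debug aaa authorization trace quicker to spot, the following Python script is an added example (not from the thread and not a Cisco tool) that groups AAA debug lines by session id and reports the authorization sessions that ended in FAIL together with the list and method that produced them. The sample lines are constructed to match the shape of the output above; the RADIUS note in diagnose() restates the point made in the reply, and the regular expressions are an assumption about the line format, not a documented grammar.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the "debug aaa authentication" / "debug aaa authorization"
# output quoted in the thread above; not captured from a real device.
SAMPLE_DEBUG = r"""
21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
21:45:07: AAA/AUTHEN (2947331915): status = PASS
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL
21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71'
"""

SESSION_RE = re.compile(r"\((\d{6,})\)")        # decimal AAA session id in parentheses
PHASE_RE = re.compile(r"AAA/(AUTHEN|AUTHOR)")  # authentication vs authorization lines
USER_RE = re.compile(r"user='([^']*)'")
METHOD_RE = re.compile(r"Method=(\w+)")
LIST_RE = re.compile(r'found list "([^"]*)"')
STATUS_RE = re.compile(r"status = (\w+)")


def parse_sessions(debug_text):
    """Group debug lines by AAA session id; keep phase, user, list, methods and the last status."""
    sessions = OrderedDict()
    for line in debug_text.splitlines():
        sid = SESSION_RE.search(line)
        phase = PHASE_RE.search(line)
        if not sid or not phase:
            continue  # AAA/MEMORY lines and summary lines carry no decimal session id
        s = sessions.setdefault(sid.group(1), {
            "phase": phase.group(1), "user": None, "list": None, "methods": [], "status": None})
        m = USER_RE.search(line)
        if m and m.group(1) != "(undef)":
            s["user"] = m.group(1).strip()   # AUTHOR lines pad the user name with a space
        m = LIST_RE.search(line)
        if m:
            s["list"] = m.group(1)
        m = METHOD_RE.search(line)
        if m and m.group(1) not in s["methods"]:
            s["methods"].append(m.group(1))
        m = STATUS_RE.search(line)
        if m:
            s["status"] = m.group(1)         # GETUSER -> GETPASS -> PASS/FAIL; the last one wins
    return sessions


def authorization_failures(debug_text):
    """Authorization sessions whose final status is FAIL, as (sid, user, list, methods)."""
    return [(sid, s["user"], s["list"], s["methods"])
            for sid, s in parse_sessions(debug_text).items()
            if s["phase"] == "AUTHOR" and s["status"] == "FAIL"]


def diagnose(debug_text):
    """Human-readable findings; the RADIUS note restates the point made in the reply above."""
    findings = []
    for sid, user, lst, methods in authorization_failures(debug_text):
        msg = f"session {sid}: authorization FAIL for user {user!r} via list {lst!r} using {methods}"
        if "radius" in methods:
            msg += (" [method radius: EXEC authorization via RADIUS depends on what the server"
                    " returns; per-command authorization is not supported with RADIUS, use TACACS+]")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print(finding)
```

Run against a saved terminal capture to get one line per failed authorization session; the authentication session is kept as well, so a PASS on AUTHEN followed by a FAIL on AUTHOR (the pattern in this thread) shows up immediately as a server-side authorization problem rather than a credential problem.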
AAA issue ( command authorization failed)
I am getting this issue, and the following is the script; I cannot find or locate the cause of the error!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
end
Based on what I think I understand in this reply, it appears that the problem is caused in the named authorization method T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enable mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server: look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then log in to the device, go into enable mode, and attempt the show run command.
Try one or both of these tests and post back to tell us of the results.
HTH
Rick
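A configuration check that covers both threads above: the following Python script is an added example (mine, not Cisco tooling) that parses the aaa authorization definitions and the per-line authorization references out of a running-config and reports lists that are referenced but never defined, command-authorization lists that rely on group radius (unsupported, as the earlier reply states), and the no aaa authorization config-commands case described in the documentation excerpt at the top. It also flags lists whose only method is a server group with no if-authenticated or local fallback; that lockout check is a general hardening rule and goes beyond what the threads discuss. The sample config is constructed from fragments of the two configs above with one deliberately undefined list (MISSING-LIST); the regular expressions are an assumption about the config syntax, not a documented grammar.

```python
import re

# Constructed sample, assembled from fragments of the two configs in the threads above with
# one deliberately undefined list (MISSING-LIST); not a real device configuration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 default group radius if-authenticated local
line con 0
 authorization commands 15 T-AUTHOR
 authorization exec T-AUTHOR
 login authentication T-AUTH
line vty 0 4
 authorization commands 15 T-AUTHOR
 authorization exec MISSING-LIST
 login authentication T-AUTH
line vty 5 15
 password 7 0228137B2F0B5E2F077A0C35
end
"""

AAA_AUTHOR_RE = re.compile(r"^aaa authorization (exec|commands (\d+)) (\S+) (.+)$")
LINE_RE = re.compile(r"^line (.+)$")
LINE_AUTHOR_RE = re.compile(r"^authorization (exec|commands (\d+)) (\S+)$")
TOP_LEVEL_RE = re.compile(r"^(aaa|interface|ip|end)\b")   # any of these ends a "line" block


def parse_methods(text):
    """Split a method list, keeping 'group <name>' together as one method."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config_text):
    """Return (definitions, references, flags).

    definitions: {(kind, level, list_name): [methods]} from 'aaa authorization ...' lines
    references:  [(line_block, kind, level, list_name)] from 'authorization ...' under 'line'
    flags:       whether 'no aaa authorization config-commands' is present
    """
    defs, refs, flags = {}, [], {"config_commands_disabled": False}
    current_line = None
    for raw in config_text.splitlines():
        stripped = raw.strip()   # works whether or not the pasted config kept its indentation
        if stripped == "no aaa authorization config-commands":
            flags["config_commands_disabled"] = True
        m = AAA_AUTHOR_RE.match(stripped)
        if m:
            defs[(m.group(1).split()[0], m.group(2), m.group(3))] = parse_methods(m.group(4))
            current_line = None
            continue
        m = LINE_RE.match(stripped)
        if m:
            current_line = m.group(1)
            continue
        if TOP_LEVEL_RE.match(stripped):
            current_line = None
            continue
        m = LINE_AUTHOR_RE.match(stripped)
        if m and current_line is not None:
            refs.append((current_line, m.group(1).split()[0], m.group(2), m.group(3)))
    return defs, refs, flags


def lint(config_text):
    """Findings a reviewer would raise about the authorization configuration."""
    defs, refs, flags = parse_aaa(config_text)
    findings = []
    for where, kind, level, name in refs:
        if (kind, level, name) not in defs:
            findings.append(f"line {where}: authorization {kind}{' ' + level if level else ''} "
                            f"references list {name!r}, which is not defined")
    for (kind, level, name), methods in defs.items():
        label = f"aaa authorization {kind}{' ' + level if level else ''} {name}"
        if kind == "commands" and "group radius" in methods:
            findings.append(f"{label}: RADIUS cannot authorize individual commands; use group tacacs+")
        if len(methods) == 1 and methods[0].startswith("group "):
            findings.append(f"{label}: only {methods[0]} with no fallback (if-authenticated/local); "
                            "lockout risk if the server is unreachable")
    if flags["config_commands_disabled"]:
        findings.append("no aaa authorization config-commands: configuration-mode commands are not "
                        "authorized by AAA")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the undefined exec list on line vty 0 4 and the RADIUS-backed commands 15 default list; a clean result does not prove the TACACS+ server will authorize a given command, which is why the server-side log check Rick suggests is still the decisive test.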