Tacacs Command Authorization

Hello awesome community
I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a Cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access very well; the rancid user has all the access it wants.
Tacacs Config Snippet:
group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = dir {
        permit .*
    }
    cmd = write {
        permit term
    }
}
Cisco AAA Configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Is there something I am missing or not accurately setting up to restrict access to *only* the commands listed in the Tacacs configs?
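To see what a rule set like the one above actually permits before pointing an automation account at it, here is an added Python example (not from the post, and not tac_plus itself) that applies the same first-match regex logic to the cmd/cmd-arg pairs a switch sends. The rule table and the sample commands are constructed from the snippet; dropping the trailing <cr> marker and matching unanchored are simplifications assumed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed rule set mirroring the "group = rancid" block in the post above.
# Each cmd name maps to an ordered list of (action, regex) lines.
RANCID_RULES: Dict[str, List[Tuple[str, str]]] = {
    "show":  [("permit", ".*")],
    "exit":  [("permit", ".*")],
    "dir":   [("permit", ".*")],
    "write": [("permit", "term")],
}
DEFAULT_SERVICE = "deny"   # the post's 'default service = deny'


def authorize(cmd: str, cmd_args: List[str],
              rules: Dict[str, List[Tuple[str, str]]] = RANCID_RULES,
              default_service: str = DEFAULT_SERVICE) -> str:
    """Decide one TACACS+ command authorization request.

    cmd and cmd_args are the AV pairs the switch sends (cmd=show,
    cmd-arg=running-config, cmd-arg=<cr>). The trailing <cr> marker is
    dropped here as a simplification; the remaining arguments are joined
    with single spaces and tried, in order, against each rule's regex.
    The first match decides. A cmd that has a block but matches no line
    is denied; a cmd with no block at all falls back to the default
    service. Matching is unanchored (re.search), which is how tac_plus
    applies these expressions; write ^...$ in a rule for an exact match.
    """
    args = " ".join(a for a in cmd_args if a != "<cr>")
    if cmd not in rules:
        return "permit" if default_service == "permit" else "deny"
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):
            return action
    return "deny"


def authorize_line(cmdline: str, **kw) -> str:
    """Split a typed command line the way the device does (first word is
    cmd, the rest are cmd-args, then <cr>) and authorize it."""
    words = cmdline.split()
    return authorize(words[0], words[1:] + ["<cr>"], **kw)


def dry_run(cmdlines: List[str], **kw) -> Dict[str, str]:
    """Evaluate a whole list of commands: handy for checking a rule set
    against everything a collector account is expected to type."""
    return {line: authorize_line(line, **kw) for line in cmdlines}


if __name__ == "__main__":
    # Constructed sample: the commands a RANCID-style collector typically
    # runs, plus two that the account must not be able to run.
    for line, verdict in dry_run([
        "show running-config", "show version", "dir flash:",
        "write terminal", "write memory", "configure terminal", "exit",
    ]).items():
        print(f"{verdict:6}  {line}")
```

Note that "permit term" permits "write terminal" but not "write memory", and that with the default service set to deny, a command with no cmd block at all (such as "configure") is refused even though the exec service grants privilege 15.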

Found the issue \o/
I lacked some authorization commands; adding the following fixed the issue:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
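Added example, not part of the thread: a small Python linter that reads an IOS AAA block and reports the gap the poster hit, namely command accounting and exec authorization present but no per-level command authorization, so every command is allowed once the user has a shell. BEFORE_FIX and AFTER_FIX are the two configs from this thread embedded as constructed sample input; the check names and the finding text are my own.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the AAA block from the original post before the fix.
BEFORE_FIX = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

# The same block with the three lines the poster added.
AFTER_FIX = BEFORE_FIX + """\
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
"""

_ACCT_CMDS = re.compile(r"^aaa accounting commands (\d+) ")
_AUTHZ_CMDS = re.compile(r"^aaa authorization commands (\d+) \S+ (.+)$")


def lint_aaa(config: str) -> List[str]:
    """Return human-readable findings about command authorization gaps.

    'aaa authorization exec' only decides whether a user gets a shell;
    individual commands are only sent to the server when an
    'aaa authorization commands <level>' line exists for the privilege
    level the command runs at.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acct_levels: Set[int] = set()
    authz_levels: Dict[int, str] = {}      # level -> method list text
    for line in lines:
        m = _ACCT_CMDS.match(line)
        if m:
            acct_levels.add(int(m.group(1)))
        m = _AUTHZ_CMDS.match(line)
        if m:
            authz_levels[int(m.group(1))] = m.group(2)

    findings: List[str] = []
    has_exec_authz = any(l.startswith("aaa authorization exec ") for l in lines)
    if has_exec_authz and not authz_levels:
        findings.append("exec authorization is configured but no "
                        "'aaa authorization commands <level>' line exists: "
                        "every command is allowed once the user has a shell")
    # Accounting a level without authorizing it records the commands but
    # never blocks them.
    for lvl in sorted(acct_levels - set(authz_levels)):
        findings.append(f"commands at privilege {lvl} are accounted "
                        "but not authorized")
    # A method list with no server group (e.g. 'if-authenticated' alone)
    # never asks the server, so the server-side command set is not consulted.
    for lvl, methods in sorted(authz_levels.items()):
        if "group " not in methods:
            findings.append(f"privilege {lvl} command authorization never "
                            f"consults a server group (methods: {methods})")
    if "no aaa authorization config-commands" in lines:
        findings.append("config-mode commands are exempt from "
                        "command authorization")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, lint_aaa(cfg) or "no findings")
```

The same function flags a list such as "aaa authorization commands 1 default if-authenticated" (seen further down this page), which authorizes every command for any authenticated user without ever asking the server.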

Similar Messages

  • TACACS+ command authorization and ACS "Quirk"(?)

    Hi All,
    I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access-ports etc, but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server vlan to a user access port. Using ACS 4.2
    For the example, i'll use Vlan 101, which is one of my server networks.
    My Command set says:
    Command: switchport
    Arguments: permit access, permit vlan, deny 101
    Permit Unmatched Args is UNCHECKED.
    When I debug the aaa authorization, i see this:
    146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
    146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
    146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
    146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
    146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
    146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
    146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
    146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
    I know I have the correct command set applied, because it blocks me appropriately for other commands.
    146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
    146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
    146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
    146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
    146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
    146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
    146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
    Any thoughts why it's not working as expected?

    Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
    ip tacacs source-interface gi 0/0
    tacacs-server directed-request
    tacacs-server key
    tacacs-server host x.x.x.x
    aaa new-model
    aaa authentic login default group tacacs+ local
    aaa authentic login no-tacacs none
    aaa authentic enable default group tacacs+ enable
    aaa author config-commands
    aaa author exec default if-authenticated
    aaa author commands 1 default if-authenticated
    aaa author commands 15 default group tacacs+ local
    aaa author console
    aaa account exec default start-stop group tacacs+
    aaa account commands 0 default start-stop group tacacs+
    aaa account commands 1 default start-stop group tacacs+
    aaa account commands 15 default start-stop group tacacs+
    aaa account connection default start-stop group tacacs+
    aaa account system default start-stop group tacacs+
    aaa session-id common

  • Nexus, command authorization using TACACS.

    Hello.
    Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
    Thanks.
    Regards.
    Andrea

    Hi Andrea,
    We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
    username admin password role network-admin ; local admin user
    feature tacacs+ ; enable the tacacs feature
    tacacs-server host key ; define key for tacacs server
    aaa group server tacacs+ tacacs ; create group called 'tacacs'
        server ;define tacacs server IP
        use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
        source-interface mgmt0 ; ...and send them from the mgmt interface
    aaa authentication login default group tacacs ; use tacacs for login auth
    aaa authentication login console group tacacs  ; use tacacs for console login auth
    aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
    aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
    aaa accounting default group tacacs ; send accounting records to tacacs
    Hope that works for you!
    (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
    Rob...

  • ACS Tacacs+ aaa authorization commands

    Hi,
    I would like to authorize only certain configuration commands by the Tacacs Server, so in the group setup of ACS, I have checked : command, I have written in the field : configure, and declared as arguments : permit terminal and permit snmp-server enable traps. But I can not configure snmp until I declare in the router : privilege config level 7 snmp-server enable. (I use a level 7 user)
    My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
    Many thanks
    Patrice

    Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
    Setting Up and Managing Shared Profile Components
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
    hth

  • Specific shell command authorization - ACS/TACACS+ on 2900XL

    Hello all -
    I've been struggling with one particular issue here. I'm running ACS 3.2, and trying to set up secure access to my switches. I have "grad students" from my university that I want to allow to perform specific functions, i.e. change a port's vlan, and write to memory, etc.
    I successfully set up the authorization piece, and my test account can log in. I successfully assign a privilege level of 7 also, which gives me basic look rights by default. Accounting is also working, showing the connections and commands I enter.
    What I want to do is use ACS to enable a specific group of commands, so I can change them if needed in one place (ACS) and not have to touch 400+ devices. ACS says it can do it, but it doesn't seem to work. I created a Shell Command Group and specified the commands, no luck. Even if I modify the "Unmatched commands" toggle to "permit" (which should allow any commands, right?) it still doesn't allow any commands. I added the Shell Command group to the group the students are members of...
    My AAA commands are as follows:
    aaa new-model
    aaa authentication login default local group tacacs+
    aaa authorization exec default local group tacacs+
    aaa authorization commands 7 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 7 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Any ideas? Any thoughts?
    Thanks!
    Michael
    QU.edu

    Hey Steve -
    I tried your recommendation, and it works, kinda. When I turn on that command, after authentication, I get dropped in at Privilege 15 and have full access to commands.
    Unfortunately, this is different than the telnet access in a key way; when I telnet in, I get Priv-15, but I'm restricted on commands I can do based upon ACS authorization of specific commands. When I console in, I have full access to all commands, with no restrictions.
    Additionally, my console access has two level security, with a login password (to Priv-1) and an enable password (to Priv-15). When I use the "Privilege level 15" command, it bypasses the enable password for the local accounts and allows full access with just the login password.
    Maybe I'm asking for too much. (And I appreciate your patience with me!) What I want on the console port is this:
    1. A username prompt
    - this is fine
    2. A password prompt
    - this is fine also
    3. User name & PW are authenticated against ACS
    - this works
    4. If user is a valid ACS user, they should receive Priv-15 rights and be restricted by the commands they are authenticated to use in ACS
    - this does not work. They only receive Priv-15 if I use "privilege level 15", but they are not restricted at all to certain commands. (They _are_ restricted under telnet however.)
    5. If a user is not a valid ACS but a local account exists, the user gets dumped to a Priv-1 prompt, and must enter the enable to get to Priv-15. (This also is how it works under telnet.)
    Sorry if this is really confusing; it's difficult to explain in a forum. I'm basically looking for the same behavior from a console connection as from a telnet connection; I'm not sure why it's so difficult to do...
    Michael

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documentation I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exits in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Command authorization error when using aaa cache

    Hi,
    I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
    % tty2 Unknown authorization method 6 set for list command
    The command is then always authorized against the tacacs server.
    The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
    I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
    Deleting the cache entry and using only the tacacs group the error message disappears.
    Any suggestions?
    Thanks.
    Frank
    ======
    config
    ======
    aaa new-model
    aaa group server tacacs+ group_tacacs
    server 10.10.10.10
    server 10.10.10.11
    cache expiry 12
    cache authorization profile admin_user
    cache authentication profile admin_user
    aaa authentication login default cache group_tacacs group group_tacacs local
    aaa authentication enable default cache group_tacacs group group_tacacs enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default cache group_tacacs group group_tacacs local
    aaa authorization commands 15 default cache group_tacacs group group_tacacs local
    aaa accounting exec default start-stop group group_tacacs
    aaa cache profile admin_user
    profile admin no-auth
    aaa session-id common
    tacacs-server host 10.10.10.10 single-connection
    tacacs-server host 10.10.10.11 single-connection
    tacacs-server directed-request
    tacacs-server key 7 <removed>
    ============
    debug output
    ============
    ap#
    Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
    Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
    Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
    Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
    Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
    Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
    ap#
    Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
    Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
    Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
    Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
    Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
    Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
    Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
    Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
    Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE
    priv=15 vrf= (id=0)

    Hi,
    I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
    Regards,
    Vivek
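Both the ACS "quirk" thread above and this aaa cache thread end up reading `debug aaa authorization` output by eye to find which command was sent and what the server answered. As an added example (not from either thread), here is a Python parser that groups those debug lines by request id, reconstructs the command from its cmd/cmd-arg AV pairs, and lists the requests an operator should look at first. SAMPLE_DEBUG is constructed from the two formats shown on this page (the plain `AAA/AUTHOR/TAC+` form and the `tty2 AAA/AUTHOR/CMD(...)` form); usernames are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the two debug formats seen on this page.
SAMPLE_DEBUG = """\
146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=testuser
146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=testuser
146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
"""

_ID = re.compile(r"\((\d+)\)")                       # request id in parentheses
_USER = re.compile(r"\buser=(?:'([^']*)'|(\S+))")     # user=admin or user='admin'
_CMD = re.compile(r"send AV cmd=(\S+)")
_ARG = re.compile(r"send AV cmd-arg=(\S+)")
_STATUS = re.compile(r"Post authorization status = (\S+)")
_WARN = re.compile(r"% .*Unknown authorization method")


def parse_authz(text: str) -> Dict[str, dict]:
    """Group debug lines into one record per authorization request id."""
    records: Dict[str, dict] = {}
    last_id: Optional[str] = None
    for line in text.splitlines():
        m = _ID.search(line)
        if not m:
            # '%' error lines carry no id; attribute them to the request in flight
            if last_id is not None and _WARN.search(line):
                records[last_id]["warnings"].append(line.split(": ", 1)[-1])
            continue
        last_id = m.group(1)
        rec = records.setdefault(last_id, {"user": None, "cmd": None,
                                           "args": [], "statuses": [],
                                           "warnings": []})
        u = _USER.search(line)
        if u:
            rec["user"] = u.group(1) or u.group(2)
            continue
        c = _CMD.search(line)
        if c:
            rec["cmd"], rec["args"] = c.group(1), []   # a retry re-sends the cmd
            continue
        a = _ARG.search(line)
        if a:
            if a.group(1) != "<cr>":
                rec["args"].append(a.group(1))
            continue
        s = _STATUS.search(line)
        if s:
            rec["statuses"].append(s.group(1))
    return records


def summarize(text: str) -> List[dict]:
    """One row per request: id, user, reconstructed command, every status seen."""
    rows = []
    for rid, rec in parse_authz(text).items():
        rows.append({"id": rid, "user": rec["user"],
                     "command": " ".join([rec["cmd"] or ""] + rec["args"]).strip(),
                     "final": rec["statuses"][-1] if rec["statuses"] else None,
                     "statuses": rec["statuses"], "warnings": rec["warnings"]})
    return rows


def needs_review(rows: List[dict]) -> List[str]:
    """Ids of requests that were denied, hit an ERROR or a '%' message at any
    stage, or never received a verdict."""
    return [r["id"] for r in rows
            if r["final"] not in ("PASS_ADD", "PASS_REPL")
            or "ERROR" in r["statuses"] or r["warnings"]]


if __name__ == "__main__":
    rows = summarize(SAMPLE_DEBUG)
    for r in rows:
        print(r["id"], r["user"], repr(r["command"]), r["statuses"], r["warnings"])
    print("review:", needs_review(rows))
```

The cache-method request shows up with two statuses, ERROR followed by PASS_ADD, which is exactly the fall-through from the cache method to the TACACS+ group that Vivek describes; a request that only ever reaches the cache would have no PASS_ADD at all.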

  • Command authorization issue.

    Hello.
    I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
    The shell command set that I'm using is a "permit unmatched commands".
    Any idea?
    Thanks.
    Andrea

    What you're experiencing is a known defect:
    CSCtg38468    cat4k/IOS: banner exec failed with blank characters
    Symptom:
    %PARSE_RC-4-PRC_NON_COMPLIANCE:
    The above parser error can be seen together with traceback, when configuring a banner containing a blank character at the beginning of line.
    Conditions:
    Problem happens, when AAA authorization is used together with TACACS+
    Workaround:
    Make sure there is no blank character at the beginning of line in the banner message.
    Problem Details: trying to configure banner exec with blank character at beginning of line failed.
    This happens when configuring the banner exec via telnet/ssh !
    When configuring the same banner exec via console-port, everything is fine.
    Note the blank characters at beginning of each line. When removing those, banner exec works fine.
    Again, this was working till IOS version 12.2(46)SG.
    Beginning with 12.2(50)SG1 and up, the behaviour has changed.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ACS command authorization sets

    I need help on the following please.
    1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
    2. Does anyone know where I can read up on command authorizations sets for ACS ??
    3. What is the debug command for CatOS to see cli output ?
    Many thanks
    Rod

    Thanks for your info. I have solved my problem -
    1. I enabled tacacs administration logging using this command on the switch: aaa authorization commands 15 default group tacacs+
    This let me see what was happening every time I entered a command on CatOS - via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it at privilege mode 1. I then entered this command, aaa authorization commands 1 default group tacacs+, which solved my telnet problem.
    Problem resolved.
    Many thanks.

  • ACS command authorization - deny CatOS "set" commands

    Cisco Secure ACS 4.2
    I have a network support group that i just want to deny them the ability to use IOS and CatOS configuration commands.
    I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
    How do I go about setting this group up to deny set-based commands for the CatOS devices?

    Hi
    CatOS does TACACS+ right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS - it doesn't have any specific command set knowledge. ie it uses string comparisons between what the device is requesting and what is permitted.
    However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
    Hope that makes sense!

  • TACACS + Command Logging Problems

    All,
    Working on a problem that I'm having getting command logging setup for my switch / router infrastructure.  Below is my config, authentication is working, both console & SSH.  Authorization is also working.  Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
    I'm currently running ACS V4.1.  Also, what is the difference between using named auth / accounting lists, and the default?  Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
    Configs:
    aaa new-model
    aaa authentication login SSH group tacacs+ local
    aaa authentication login CONSOLE local
    aaa authorization console
    aaa authorization exec CONSOLE local
    aaa authorization exec SSH group tacacs+
    aaa authorization network CONSOLE local
    aaa authorization network SSH group tacacs+
    aaa accounting exec SSH start-stop group tacacs+
    aaa accounting commands 0 SSH start-stop group tacacs+
    aaa accounting commands 1 SSH start-stop group tacacs+
    aaa accounting commands 15 SSH start-stop group tacacs+
    aaa accounting network SSH start-stop group tacacs+
    access-list 1 permit X.X.56.0 0.0.0.255
    tacacs-server host X.X.X.X key XXXXXXXXXXXXX
    tacacs-server timeout 30
    tacacs-server directed-request
    control-plane
    line con 0
    session-timeout 10
    authorization exec CONSOLE
    login authentication CONSOLE
    line vty 0 4
    session-timeout 10
    access-class 1 in
    authorization exec SSH
    accounting commands 0 SSH
    accounting commands 1 SSH
    accounting commands 15 SSH
    accounting exec SSH
    login authentication SSH
    transport input ssh
    line vty 5 15
    session-timeout 10
    access-class 1 in
    authorization exec SSH
    accounting commands 0 SSH
    accounting commands 1 SSH
    accounting commands 15 SSH
    accounting exec SSH
    login authentication SSH
    transport input ssh
    Any help is appreciated.
    Thanks!
    Jon

    This looks fine:
    3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
    3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
    3d22h: TPLUS: processing accounting request id 52
    3d22h: TPLUS: Sending AV task_id=114
    3d22h: TPLUS: Sending AV timezone=UTC
    3d22h: TPLUS: Sending AV service=shell
    3d22h: TPLUS: Sending AV priv-lvl=15
    3d22h: TPLUS: Sending AV cmd=write memory
    3d22h: TPLUS: Accounting request created for 52(testusr)
    3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
    3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
    3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
    3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: Would block while reading
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
    3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
    3d22h: TPLUS: Received accounting response with status PASS
    On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
    Incidentally, you may want to make the timestamps on the router be datetime rather than uptime, it makes it easier to correlate logs.
    service timestamp debug datetime localtime msec
    service timestamp log datetime localtime msec

  • IOS XR Command authorization with ACS server

    We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
    In ACS, we have two groups: Group 1 and Group 2
    Group 1 allows full access in the shell command authorization set.
    Group 2 allows limited access in the shell command set (basically just show commands).
    Both groups can login fine (aaa authentication login default group <groupname> local)
    Group 1 has full access to everything (group I am in). 
    Group 2 has NO access to anything (can't even perform show commands).
    Group 2 CAN access other IOS devices and can perform the various show commands.
    With regards to our authorization commands, we currently have it configured as:
    aaa authorization commands default group <groupname> local
    Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
    Thanks!
    Kyle

    don't have enough info to give you a full conclusive answer Kyle, but some suspicions.
    Task group not set right?
    Command groups not defined properly in tacacs for command author.
    if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
    More info here:
    https://supportforums.cisco.com/docs/DOC-15944
    xander

  • Command authorization for ASA

    Hi all
       I have configured the ASA firewall for command authorization with ACS. For users with privilege level 15 it is working fine. But when I log in with users with privilege level 0, first when I enter the username and password, it enters into enable mode. But after that when I put in the enable password, it is not working; the password is not working. I configured it to use the same PAP password option in the ACS enable section for the user. Also, is it possible in ASA that when a user enters username and password, he could directly log into the exec mode rather than enable mode and be assigned the privilege for the user as configured in the ACS user configuration?
    Thanks in advance
    Anvar

    Hi Dan
      I have already configured enable password using tacacs+. Please find my aaa config on ASA
    aaa authentication telnet console TACACS-SERVER LOCAL
    aaa authentication http console TACACS-SERVER LOCAL
    aaa authentication ssh console TACACS-SERVER LOCAL
    aaa authentication enable console TACACS-SERVER LOCAL
    aaa authentication serial console LOCAL
    aaa authorization command TACACS-SERVER LOCAL
    aaa accounting telnet console TACACS-SERVER
    aaa accounting command TACACS-SERVER
    aaa accounting ssh console TACACS-SERVER
    regards
    anvar

  • Command authorization failure

    When logging to some of our routers, we get sometimes (not always!!!) a command authorization failure, sometimes the command works, sometimes the same command fails, also in the tacacs logs there is no trace of the attempt to log in on this router.

    We need to check the debugs as that will let us know why the command failed.
    debug tacacs
    debug aaa authorization
    What is the IOS ver running on the routers?
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco 4.2 radius command authorization

    Hi,
    I am trying to do command authorization in radius. I have searched but I couldn't get any luck.
    Is it possible to do this? If yes, can anyone tell me the steps? It would be great.
    Thanks,

    IOS does support command authorization, however, only with TACACS (updated by paul)
    A very nice configuration example on command authorization with tacacs:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
    Rgds, Jatin
    Do rate helpful posts~
