aaa authorization

May 7th, 2007

Hi Guys

I have a doubt regarding these commands.

aaa authorization exec default group tacacs+ if-authenticated

Likewise for commands.

What exactly is the effect of these commands? Because when I enter these commands, access the switch via telnet and try to execute sh run, I get an authorization failed message. Any help appreciated.

mrmozaffari Mon, 05/07/2007 - 01:36

Hi Mahmood

When a user wants to log in or get a shell on your router, the router asks for a username and password. Since you have configured TACACS in the configuration, your router checks the password with a TACACS server; it seems you did not configure any RADIUS or TACACS server in your router, so your router can't find any AAA server.

Did you configure any server in your router or not? If not, you should do password recovery by changing the config register to 0x2142 from ROMmon. If you use a switch, the password recovery steps differ from routers, so let me know what kind of Cisco switches you use if you want to recover your switch.

Please do rate helpful comments.

Best Regards B.Mozaffari

guruprasadr Mon, 05/07/2007 - 01:44

Hi, [Pls rate if it helps you]

[Pls check the privilege levels given to the user on the switch] - Details follow:

You can configure access levels on the routers so the junior administrators do not have complete access to the router. Cisco routers have 16 different privilege levels that you can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can customize levels 2 to 15 to provide monitoring abilities to the secondary administrators. Here is a sample configuration for privilege levels on the router:

RA(config)#privilege exec level 3 ping

RA(config)#privilege exec level 3 traceroute

aaa authorization exec default group tacacs+ if-authenticated

exec - Runs authorization to determine if the user is allowed to run an EXEC shell.

default - Uses the listed authorization methods that follow this argument as the default list of methods for authorization.

group tacacs+ - Requests authorization information from the TACACS+ server.

if-authenticated - Allows the user to access the requested function if the user is authenticated.

Pls rate if it helps!

Best Regards,

Guru Prasad R

mahmoodmkl Mon, 05/07/2007 - 02:01

Hi, thanks for the reply.

TACACS+ is configured and the AAA server is reachable. I am getting authentication from it.

But when I try to run a command I get command authorization failed. As per your post, do you mean that if the user gets authenticated then he should be able to use any commands? Is that so?



guruprasadr Mon, 05/07/2007 - 04:00

Hi, [Pls rate if it helps you]

See the cmds below:


RA(config)#privilege exec level 3 ping

RA(config)#privilege exec level 3 traceroute

Privilege level 3 is given, and the user to whom this particular level is given is authorised to execute the ping & traceroute cmds.

If you need full access, privilege level = 15.

Hope this helps you. Pls rate.

Best Regards,

Guru Prasad R

mohammedmahmoud Mon, 05/07/2007 - 04:20

Hi Mahmood,

If-Authenticated means that the user is allowed to access the requested function provided the user has been authenticated successfully.

Your problem simply means that you have configured the router to use TACACS for authorization but no commands are allowed for this username; try editing your TACACS.

HTH, please rate if it does help,

Mohammed Mahmoud.

mahmoodmkl Mon, 05/07/2007 - 08:07

Hi Mahmoud, thanks for the reply.

Can you guide me on where I can edit these settings in the TACACS server?



mohammedmahmoud Mon, 05/07/2007 - 10:30

Hi Mahmood,

I am not that experienced in TACACS configuration, as we have a Unix guy here doing this stuff, but it should look something like this, under the user name profile:

cmd = show {
    permit ip
    permit interface
    permit controller
    permit atm
    permit processes
    permit caller
    permit users
    deny .*
}


HTH, please do rate helpful replies,

Mohammed Mahmoud.
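To see why a profile shaped like the block above still rejects "show running-config" while it allows "show ip route", here is an added example, not code from the thread or from any TACACS+ server, that parses a small tac_plus-style user profile and evaluates EXEC command lines against it. The user name, the placeholder password, the second cmd block and the matching rules it assumes (first regex match wins, unanchored search, implicit deny inside a block, default service for commands with no block) are constructed for this example.

```python
import re

# Constructed tac_plus-style profile for this example (not the thread's own
# file): the "show" block from the post above, closed properly, plus a "ping"
# block. No "default service = permit" line, so a command with no cmd block
# at all is denied. The password is a placeholder.
PROFILE_TEXT = """user = mahmood {
    login = cleartext PLACEHOLDER-PASSWORD
    cmd = show {
        permit ip
        permit interface
        permit users
        deny .*
    }
    cmd = ping {
        permit .*
    }
}
"""

def parse_profile(text):
    """Extract the default service and every cmd block's ordered rules."""
    default = "permit" if re.search(r"default\s+service\s*=\s*permit", text) else "deny"
    cmds = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", text):
        cmds[name] = re.findall(r"(permit|deny)\s+(\S.*?)\s*$", body, re.M)
    return {"default": default, "cmds": cmds}

def authorize(profile, cmdline):
    """Decide one EXEC command line (assumed tac_plus semantics): the first
    word selects the cmd block, the rest of the line is searched against each
    permit/deny regex in order and the first match wins; no match inside a
    block denies, and a command with no block follows the default service."""
    words = cmdline.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    rules = profile["cmds"].get(cmd)
    if rules is None:
        return profile["default"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"

PROFILE = parse_profile(PROFILE_TEXT)

if __name__ == "__main__":
    for line in ("show ip route", "show running-config", "ping 10.0.0.1", "configure terminal"):
        print(f"{line:20} -> {authorize(PROFILE, line)}")
```

"show running-config" is denied because nothing before the trailing "deny .*" matches its argument, which is the same outcome the original poster saw for "sh run"; adding a matching permit line to the show block, or a "default service = permit" line for unlisted commands, changes the decision.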
