How to assign authorization commands to vty or interface?

Unanswered Question
Oct 11th, 2007

Attempting to set up multiple group by command permissions.

I have created the Shell Cmd Auth Set and assigned a group to that Set.

On my switch I have following cmds

Aaa new-model

Aaa authentication login default group tacacs+ local

Aaa authorization config-commands

Aaa authorization exec default group tacacs+ local

Aaa authorization commands 1 default group tacacs+ if-authenticated

Now from what I understand I need to Enter the line configuration mode for the lines to which I want to apply the authorization method list.

How is this done?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.6 (8 ratings)
Jagdeep Gambhir Thu, 10/11/2007 - 16:22

Nothing is reqd on line config. Since you have used word " default ", all aaa commands will be effective for telnet , http ,console etc.

So if you have made command author set in acs and have also binded it with usergroup , you are all set, good to go.



Please rate helpful posts

VaughanTK Thu, 10/11/2007 - 16:29

within my Cmd Auth set I have denied configure and when I test I still am able to issue the configure cmd.

Premdeep Banga Thu, 10/11/2007 - 16:32

this is because you have only configured authorization for level 1 commands not level 15.

conf t is a level 15 command

add, aaa authorization commands 15 default....



spanglenuts Fri, 10/12/2007 - 03:54

I'm work with vaughantk...

I added the command "aaa authorization commands 15 default group tacacs+ if-authenticated" and took out the "aaa authorization commands 1 default group tacacs+ if-authenticated"

It appears to be working correctly now, but...

Can we just have the "aaa authorization commands 15 default.." and then deny everything we don't want? Or do we need "aaa authorization commands 1 default.." and so on for each privilege level we have?

Thank you for the help!


Premdeep Banga Fri, 10/12/2007 - 03:58

all the major commands are at level 15 by default. So monitoring 15 should solve your purpose.

You can also refer to,

Building a Scalable TACACS+ Device Management Framework:

Command authorization for other levels are only required, if you have manually moved some commands to different level, and want to them to be allowed by Tacacs server first before they are allowed to be executed.



Premdeep Banga Sat, 10/13/2007 - 09:43

Please mark this thread as resolved, so that others can benefit from it.



spanglenuts Sat, 10/13/2007 - 23:17

Thanks for all the help last thing for this thread.

So we now have in our config...

Aaa new-model

Aaa authentication login default group tacacs+ local

Aaa authorization config-commands

Aaa authorization exec default group tacacs+ local

Aaa authorization commands 15 default group tacacs+ if-authenticated

After we add the 3rd and 5th line to the configuration, we are instantly denied almost all commands. I'm assuming because it is checking with tacacs everytime a command is sent, and the group we are currently in is not one of the new groups with a command authorization set. Is there something we can add so that the old(current) groups will still work if their command authorization sets are not created yet, or is this an all or nothing deal? We would like to be able to create command authorizations sets for one group at a time, and the old/current groups still work.

Thanks for the help!


Premdeep Banga Sun, 10/14/2007 - 10:48

Hi Andrew,

As you said that you do not want other groups to be affected. Then for the mean while what you can do is, on all groups under which you have users, whom you don?t want to get affected.

Go to Group Setup > Edit Settings > check "Per Group Command Authorization" and check "Permit" > Submit + Restart.

And once you have configured the commands set, that you want this group should be allowed, select the appropriate one.

This is the only option, because, as soon as you apply the above mentioned commands, as you said, level 15 commands gets verified against the ACS server for authorization.



spanglenuts Sun, 10/14/2007 - 11:37

Thanks Prem! You have been a ton of help.

Do you have any suggestions for where to find information on doing the same thing(Command Set Authorization) for Juniper Routers using Tacacs or Radius?

Thanks again,



This Discussion