Is AAA authorization the same between IOS for routers and switches?

Unanswered Question
Apr 10th, 2009
User Badges:
  • Silver, 250 points or more

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Cisco 2851 is running IOS 12.4(24)T while Catalyst 3750 is running IOS 12.2(35)SE5

With the exact configuration of AAA above, when the Cisco 2851 is lost contact with

the TACACS server, I can perform configuration changes without any issues.

However, if the Catalyst 3750 loses contact with the tacacs server, while in enable

mode, I can NOT do "configure t" and that I get the response "command authorization failed"

Anyone know why? Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jagdeep Gambhir Fri, 04/10/2009 - 12:11
User Badges:
  • Red, 2250 points or more

Logically it is same but we have seen different behavior from IOS to IOS.

Check the debugs on 3750 or best is to check tacacs administrator logs in acs and see how 3750 is sending that "config t" command.

Compare the syntax with your command authorization set in acs.



Do rate helpful posts


This Discussion