Is AAA authorization the same between IOS for routers and switches?

cisco24x7
Level 6

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Cisco 2851 is running IOS 12.4(24)T while Catalyst 3750 is running IOS 12.2(35)SE5

With the exact configuration of AAA above, when the Cisco 2851 loses contact with the TACACS server, I can perform configuration changes without any issues.

However, if the Catalyst 3750 loses contact with the TACACS server, while in enable mode, I can NOT do "configure t" and I get the response "command authorization failed".

Anyone know why? Thanks.

1 Reply

Jagdeep Gambhir
Level 10

Logically it is the same, but we have seen different behavior from IOS to IOS.

Check the debugs on the 3750, or best is to check the TACACS administrator logs in ACS and see how the 3750 is sending that "config t" command.

Compare the syntax with your command authorization set in ACS.

Regards,

~JG

Do rate helpful posts
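
Added example, not part of the original posts: a Python sketch that parses the aaa method lists quoted in the question and shows which methods are left when the TACACS+ server group is unreachable. It handles only the line forms that appear in this thread, and the function names are hypothetical.

```python
# Added example, not from the thread. Function names are hypothetical.
TYPES = {"authentication", "authorization", "accounting"}
ACCT_MODES = {"start-stop", "stop-only"}  # accounting record keywords, not methods

# Constructed sample: the AAA lines quoted in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

def parse_method_lists(config):
    """Return one dict per 'aaa <type> <service> <list> <methods...>' line."""
    entries = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "aaa" or tok[1] not in TYPES:
            continue
        service, i = tok[2], 3
        if service == "commands":            # 'commands <privilege level>'
            service, i = f"commands {tok[3]}", 4
        name, rest = tok[i], tok[i + 1:]
        if tok[1] == "accounting" and rest and rest[0] in ACCT_MODES:
            rest = rest[1:]
        methods, j = [], 0
        while j < len(rest):                 # join 'group <name>' into one method
            if rest[j] == "group" and j + 1 < len(rest):
                methods.append(f"group {rest[j + 1]}")
                j += 2
            else:
                methods.append(rest[j])
                j += 1
        entries.append({"type": tok[1], "service": service,
                        "list": name, "methods": methods})
    return entries

def server_down_methods(entry):
    """Methods still usable when every 'group ...' server is unreachable.
    IOS moves to the next method only when the previous one returns an error
    (such as no response from the server), not when it returns a reject."""
    return [m for m in entry["methods"] if not m.startswith("group ")]

def lockout_risks(config):
    """Authentication/authorization lists with no non-server method."""
    return [e for e in parse_method_lists(config)
            if e["type"] != "accounting" and not server_down_methods(e)]
```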
