AAA authorization exec explanation please....thank you

Unanswered Question

If I have this:

aaa authentication login default group tacacs+ local line none

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local none

username localadmin password 7 xxxxxxxxxxxx

enable secret 5 xxxxxxxxxxxxxxxx

And all tacacs+ servers are unreachable.

Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?

If I can login using the local username, doesn't the authorization exec fail and I cannot get an exec shell as I have no locally defined authorization set up?

If so, how do I set it up so I can login locally (which I think I have setup), but can also get into enable mode if the tacacs+ server(s) are down?

Is exec shell the privileged mode or just the shell you get when you login and you need to execute an enable command to get to exec shell?



Richard Burts Thu, 06/04/2009 - 12:03

I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:

aaa authorization exec default group tacacs+ if-authenticated

and find that it works well - whether the TACACS server is available or not.
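To make the fallback behaviour concrete, here is a constructed model of how an IOS-style method list is walked, covering both the lists posted in the question and the `if-authenticated` authorization list suggested above. It is an added example, not Cisco code or anything from this thread: the per-method rules are deliberately simplified assumptions (a defined local user is treated as having typed the right password, the server only knows a constructed account `netops`, and the names `Device`, `walk_list`, `evaluate_scenarios` are hypothetical). The point it illustrates is that a later method is consulted only when the previous one returns ERROR (servers unreachable, username absent from the local database, no line password to check), never on an explicit FAIL, and that a trailing `none` therefore grants access to any username once TACACS+ is unreachable.

```python
"""Constructed model of IOS-style AAA method-list evaluation (added example, not
Cisco code). Each method yields PASS, FAIL or ERROR; the list advances to the
next method only on ERROR. Method rules and names are simplified assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Device:
    tacacs_reachable: bool
    local_users: Dict[str, int] = field(default_factory=dict)  # username -> privilege
    line_password_set: bool = False
    tacacs_users: Tuple[str, ...] = ("netops",)  # constructed: accounts the server knows


def run_method(method: str, user: str, dev: Device, authenticated: bool) -> str:
    """Outcome of a single method for one user (simplified model, not IOS internals)."""
    if method == "group tacacs+":
        if not dev.tacacs_reachable:
            return ERROR  # servers down: IOS tries the next method in the list
        return PASS if user in dev.tacacs_users else FAIL  # explicit reject ends the walk
    if method == "local":
        # Unknown username is an ERROR (next method is tried); a defined user is
        # treated as PASS because this model assumes the correct password was typed.
        return PASS if user in dev.local_users else ERROR
    if method == "line":
        return PASS if dev.line_password_set else ERROR  # no line password: nothing to check
    if method == "none":
        return PASS  # fail-open: always succeeds
    if method == "if-authenticated":
        return PASS if authenticated else FAIL
    if method == "enable":
        return PASS  # model assumes the enable secret is known
    raise ValueError(f"unknown method {method!r}")


def walk_list(methods: List[str], user: str, dev: Device,
              authenticated: bool = True) -> Tuple[str, Optional[str]]:
    """Walk a method list; return (result, method that decided). All-ERROR is a deny."""
    for method in methods:
        result = run_method(method, user, dev, authenticated)
        if result != ERROR:
            return result, method
    return FAIL, None


# Method lists from the question, plus the authorization list suggested in the reply.
LOGIN_POSTED = ["group tacacs+", "local", "line", "none"]
EXEC_POSTED = ["group tacacs+", "local", "none"]
EXEC_IF_AUTH = ["group tacacs+", "if-authenticated"]


def evaluate_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the posted lists against a box with TACACS+ up and one with it down."""
    up = Device(tacacs_reachable=True, local_users={"localadmin": 15})
    down = Device(tacacs_reachable=False, local_users={"localadmin": 15})
    return {
        "login localadmin, tacacs down": walk_list(LOGIN_POSTED, "localadmin", down),
        "login unknown user, tacacs down": walk_list(LOGIN_POSTED, "stranger", down),
        "login unknown user, tacacs up": walk_list(LOGIN_POSTED, "stranger", up),
        "exec localadmin, tacacs down (posted list)": walk_list(EXEC_POSTED, "localadmin", down),
        "exec localadmin, tacacs down (if-authenticated)": walk_list(EXEC_IF_AUTH, "localadmin", down),
        "exec unknown user, tacacs down (posted list)": walk_list(EXEC_POSTED, "stranger", down),
    }


if __name__ == "__main__":
    for name, (result, method) in evaluate_scenarios().items():
        print(f"{name:50s} -> {result} (decided by {method})")
```

Under this model the local admin gets in and gets an exec shell whether TACACS+ is up or not, but an unknown username also gets in via `none` as soon as the servers are unreachable, which is the case to check for when reviewing a fallback chain.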



Jagdeep Gambhir Thu, 06/04/2009 - 14:17

Yes, if tacacs is down you need to login using locally configured user.

If you want to get into enable mode straight away then local user should have privilege 15. If user priv is less than 15 then it will ask for enable password.

Shell exec is a privilege mode.



Do rate helpful posts