Authorization Set Not Working Properly

Answered Question
Nov 10th, 2009
User Badges:

I'm trying to set up an authorization set to restrict users to certain commands. However, it seems like it works for some commands, but not for others.

In ENABLE mode, the auth set seems to work properly. However, once I get into CONFIG mode, it no longer works. I can run any command.

What am I missing that could be causing this?

Also, note that I have this auth set assigned to a group.



Correct Answer by Jagdeep Gambhir about 7 years 7 months ago

Expected behavior, since we have seleted none in the authorization set...that is = no access.

You need to make a new set for limited group allowing certain commmands.

Check this link,



Do rate helpful posts

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jagdeep Gambhir Tue, 11/10/2009 - 08:23
User Badges:
  • Red, 2250 points or more

It seems that you are missing this command,

aaa authorization config-command



Do rate helpful posts

jason.williams@... Tue, 11/10/2009 - 08:43
User Badges:

That might be it, the command isn't there.

I'll try it and let you know if that was it.



jason.williams@... Tue, 11/10/2009 - 10:37
User Badges:


aaa authorization config-command


However, I've got another issue (I think).

Other groups have "none" selected for the auth sets. When I log in as a user in one of those groups, I get an access denied error when I enter ANY command.

The only way that I've been able to work around this is to set the group to use group based command sets and permit everything.

Is there something else that I missed or is this necessary?

Here are my current AAA settings:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ none

aaa authorization exec no_tacacs none

aaa authorization config-command

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+




This Discussion