aaa authorization config-commands

Unanswered Question
Jul 31st, 2005

Hello,

Can anybody explain what is the purpose of this command. I studied the documentation (command reference) but unable to clearly understand the purpose of this command.

Thanks in advance,

Regards,

Mo

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4 (1 ratings)
Richard Burts Mon, 08/01/2005 - 05:19

the aaa authorization command instructs the router to check with the authorization server to verify if the particular user who is logging in has authorization to execute certain commands, or to execute commands at a certain privilege level.

One way to understand it is that the first step is authentication which deals with the question of verifying who is signing in. Authorization is the next step and deals with the question now that we know who is signing in what commands or level of commands should they be able to execute.

HTH

Rick

m.mohanasundaram Tue, 08/02/2005 - 01:30

Hi,

Thank you for your reply. I understand the basic authentication and authorization concepts. This command "aaa authorization config-commands" is a special command within command authorization. According to documentation, no form of this command will not check for authorization of config commands, while it will check for authorization for all other EXEC level commands.

But it is not very clear to me what exactly it meant. It would be helpful if someone can explain a bit more with an example.

Thank you,

Mo

Michael Stuckey Tue, 08/02/2005 - 11:24

This was the best desciption of this command I could find on cisco's site. It sounds to me like if you use the no form of this command you will not be able to use any configuration commands.

Cisco:

Usage Guidelines

If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.

After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.

--------------------------------------------------------------------------------

Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.

--------------------------------------------------------------------------------

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model

aaa authorization command 15 group tacacs+ none

no aaa authorization config-commands

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1086510

Actions

Login or Register to take actions

This Discussion

Posted July 31, 2005 at 8:48 PM
Stats:
Replies:3 Avg. Rating:4
Views:668 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard