Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1440
Views
5
Helpful
6
Replies

AAA authorization and accounting

Go to solution
Rizwan Khan
Level 1
Level 1

‎08-13-2013 12:05 PM - edited ‎03-10-2019 08:46 PM

Hello everyone.
I am given a project to implement AAA on routers and switches in our environment. Can some one please help me out in understanding the difference between,
1) aaa authorization exec and aaa authorization command option.
2) aaa accounting exec and aaa accounting command option.
Many thanks.


Sent from Cisco Technical Support Android App

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎08-13-2013 09:06 PM

Hello,

1) aaa authorization exec and aaa authorization command option.
The first one authorizes if the user has the right privilege level to enter to one of the IOS priviliege levels (0,1,15) you can customize this.

The second one authorizes the different commands a user can type and send to the device

2) aaa accounting exec and aaa accounting command option.

The first one again accounts when a users enters a specific user-level (Privileged level 15 or Exec user-level 1)

Second one sends an accounting message per each command send to the box

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

6 Replies 6

Go to solution
amitamitkumar
Level 1
Level 1

‎08-13-2013 12:15 PM

In Brief(not command specific)-

In AAA autorization - the user will be granted access to a requested service only if the information in the user profile allows it(In ACS or Radius Server).

AAA accounting - during Newtork device access or doing any changes or config log will captured by ACS or Radius Server This data can then be analyzed for network management, client billing or auditing.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎08-13-2013 09:06 PM

Hello,

1) aaa authorization exec and aaa authorization command option.
The first one authorizes if the user has the right privilege level to enter to one of the IOS priviliege levels (0,1,15) you can customize this.

The second one authorizes the different commands a user can type and send to the device

2) aaa accounting exec and aaa accounting command option.

The first one again accounts when a users enters a specific user-level (Privileged level 15 or Exec user-level 1)

Second one sends an accounting message per each command send to the box

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
blenka
Level 3
Level 3

‎08-14-2013 05:02 PM


Kindly go through the link in which you will find the difference for the query you sent.

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml

Go to solution
Rizwan Khan
Level 1
Level 1

‎08-18-2013 03:13 AM

Thank you so much everyone for giving your valueable comments.

Sent from Cisco Technical Support Android App

0 Helpful

Go to solution
Rizwan Khan
Level 1
Level 1

‎08-18-2013 03:26 AM

One another question. I am working on gns3 with 2 aaa servers on 2 different machines.
I am doing it for redundancy. When I want to add a device in primary acs its only working on ip address of directly connected interface and same is with secondary acs. I have primary server on 10.10.10.x network and secondary on 192.168.150.x network.if I add same router in primary acs console I have to use 10.10 interface and when I add it in secondary. Its not working unless I give 192 interface ip. I have reachibiliry to every network and I can even telnet the same router with these 2 interfaces. Please help me out. Thanks in advance.

Sent from Cisco Technical Support Android App

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎08-25-2013 02:15 AM

exec

Runs authorization to determine if the user is allowed to run an   EXEC shell. This facility might return user profile information such as autocommand information

commands

Runs authorization for all commands at the specified privilege   level.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents