
AAA authorization exec explanation please....thank you

If I have this:

aaa authentication login default group tacacs+ local line none

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local none

username localadmin password 7 xxxxxxxxxxxx

enable secret 5 xxxxxxxxxxxxxxxx

And all tacacs+ servers are unreachable.

Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?

If I can log in using the local username, doesn't the authorization exec fail and I cannot get an exec shell as I have no locally defined authorization set up?

If so, how do I set it up so I can log in locally (which I think I have set up), but can also get into enable mode if the tacacs+ server(s) are down?

Is exec shell the privileged mode or just the shell you get when you log in and you need to execute an enable command to get to exec shell?

Thanks

Gene

2 REPLIES

Re: AAA authorization exec explanation please....thank you

Gene

I believe that exec shell is the exec that you get when you log in and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:

aaa authorization exec default group tacacs+ if-authenticated

and find that it works well - whether the TACACS server is available or not.

HTH

Rick

Re: AAA authorization exec explanation please....thank you

Gene,

Yes, if TACACS is down you need to log in using a locally configured user.

If you want to get into enable mode straight away then the local user should have privilege 15. If the user priv is less than 15 then it will ask for the enable password.

Shell exec is a privilege mode.

Regards,

~JG

Do rate helpful posts
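
A simplified model of how an IOS exec-authorization method list is walked, added here as an example (it is not Cisco code and not from any poster in this thread): the next method is consulted only when the previous one gives no answer, which is why both lists in the thread still yield a shell when TACACS+ is unreachable. The function name, the return shape and the sample user tables are assumptions of the model.

```python
# Simplified model of IOS exec-authorization method lists (added example, not Cisco code).
GENE = ["group tacacs+", "local", "none"]        # list from the question
RICK = ["group tacacs+", "if-authenticated"]     # list from the first reply

def exec_authorize(methods, user, authenticated, tacacs, local_users):
    """Walk an 'aaa authorization exec' method list in order.

    tacacs: None when no server answers, else (accepted, priv_lvl).
    local_users: {name: privilege} as set by 'username ... privilege N'.
    Returns (shell_granted, privilege). privilege None means AAA assigned
    no level, so the session starts at the line's default level.
    """
    for method in methods:
        if method == "group tacacs+":
            if tacacs is None:
                continue  # no response (ERROR): the only outcome that falls through
            accepted, priv = tacacs
            return (accepted, priv if accepted else None)  # a reply, accept or deny, is final
        if method == "local":
            if user in local_users:
                return (True, local_users[user])
            return (False, None)  # model assumption: unknown local user is denied
        if method == "if-authenticated":
            return (authenticated, None)
        if method == "none":
            return (True, None)  # no authorization performed
        raise ValueError(f"method not modelled: {method}")
    return (False, None)  # every method errored and the list ran out

if __name__ == "__main__":
    # Constructed scenarios; "username localadmin" without "privilege" is level 1.
    default_user = {"localadmin": 1}
    priv15_user = {"localadmin": 15}
    cases = [
        ("question list, TACACS+ down", GENE, None, default_user),
        ("question list, TACACS+ down, privilege 15", GENE, None, priv15_user),
        ("reply list, TACACS+ down", RICK, None, default_user),
        ("question list, TACACS+ up and denying", GENE, (False, None), default_user),
    ]
    for label, methods, tacacs, users in cases:
        print(label, "->", exec_authorize(methods, "localadmin", True, tacacs, users))
```

On a device, `show privilege` after login reports the level the session actually received.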
