Cisco Support Community

AAA authorization with no user group

Can anyone help me understand one thing about AAA authorization on Cisco IOS? Here is a config fragment:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local

Do I understand correctly that authorization allows some commands (like "commands 15") for some users (like "group tacacs+")? So why is there no option "group" for the config-commands?


Re: AAA authorization with no user group

Hi Denis,

First of all, we need to understand what config-commands, commands 1 and commands 15 are. This will help you understand these aaa commands.

Config-commands --- Commands that we can run in configuration mode. For example: when you log in to the router, enter privileged mode, then enter configuration mode and type a question mark, it will give you the list of commands that can be run in config mode.

Similarly, when you enter privileged mode (# mode, also known as level 15) and type a question mark, it will also display the list of commands that you can run in that mode.

You can always check the level with the following command:

#show privilege

In the same way, you can check what command can be run at what level.

Now moving on to the aaa commands:

aaa authorization config-commands --- This command will check the authorization for the commands in configuration mode.

aaa authorization exec default group tacacs+ local --- This command will provide the user level 15 access directly, bypassing enable authentication.

aaa authorization commands 1 default group tacacs+ --- This command will check the authorization of the commands that can be run at level 1.

aaa authorization commands 15 default group tacacs+ local --- This command will check the authorization for the commands that can be run at level 15.

I hope this helps.

BR

Minakshi (Rate the helpful posts)
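
As an added example (not part of the thread and not Cisco code), this Python script parses the fragment from the question and shows why config-commands takes no method list: it is a switch that sends configuration-mode commands through the existing "commands <level>" list. It assumes the switch is on only when the line is present and that only the "default" list is in use; the function names are hypothetical.

```python
import re

# Constructed input: the config fragment quoted in the question above.
SAMPLE = """\
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""

LINE = re.compile(r"^aaa authorization (\S+)(?: (\d+))?(?: (\S+) (.+))?$")

def split_methods(text):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    tokens, out = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        out.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return out

def parse(config):
    """Return (config_commands_on, {(type, level, list_name): [methods]})."""
    config_cmds, lists = False, {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, level, name, methods = m.groups()
        if kind == "config-commands":
            config_cmds = True  # a switch: carries no level and no method list
        elif name and methods:
            lists[(kind, int(level) if level else None, name)] = split_methods(methods)
    return config_cmds, lists

def methods_for(parsed, level, config_mode=False):
    """Methods consulted for a command at `level`; None means no AAA check."""
    config_cmds, lists = parsed
    if config_mode and not config_cmds:
        return None  # assumption: line absent means config commands are unchecked
    return lists.get(("commands", level, "default"))

def single_method_lists(parsed):
    """Lists with one method: nothing else is tried if it does not respond."""
    return sorted(k for k, v in parsed[1].items() if len(v) == 1)

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print("config mode, level 15:", methods_for(parsed, 15, config_mode=True))
    print("no fallback method:", single_method_lists(parsed))
```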


AAA authorization with no user group

The following links will give you detailed insight into the working and understanding of the following commands:

http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_tech_note09186a0080107cfd.shtml

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html
