Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

config command authorization not enabled

Can someone tell me why I'm getting this message. I'm beginning to think this has something to do with my device failing authorization.

Show version

Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.1(19)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Cisco Employee

Re: config command authorization not enabled

Are you really running 12.1?

When are you receiving the message?

Do you have aaa authorization enabled? Can you post the "sh run | i aaa" output?


New Member

Re: config command authorization not enabled

Yep! I'm really running 12.1!

I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.

Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.

sh run | i aaa


aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common


Is there somewhere specific I was suppose to configure the aaa authorization enabled, because I'm not seeing it.

Let me know what other thoughts you may have.



Cisco Employee

Re: config command authorization not enabled

Hi, Nik,

The aaa authorization exec radius if-authenticated command configures the network access server to contact the RADIUS  server to determine if users are permitted to start an EXEC shell when  they login.

Try to use aaa authorization config-commands and aaa authorization commands 15.

Cheers, Iron


If  this helps you and/or answers your question please mark the question  as "answered" and/or rate it, so other users can easily find it.

New Member

Re: config command authorization not enabled


Thanks for your reply. However, I do wish for the users to be validated against RADIUS before they can use enable commands. When I entered your suggestion I can still authenticate without any problems. However, I still default to user mode. I would like it to default to priviledge mode once a user successfully logs in.

Your thoughts!

Hall of Fame Super Silver

Re: config command authorization not enabled


Part of what you posted seems to show that you are using non-default methods (My-RADIUS) for authentication and for accounting. It is not clear to me whether a non-default method is also desired for the authorization. Perhaps it would help to clarify if you would post the parts of the config that are for aaa and the parts of the config for the console and vty lines. (complete config might be even better - but these parts would get us started)



CreatePlease to create content