Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
Silver

Is AAA authorization the same between IOS for routers and switches?

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Cisco 2851 is running IOS 12.4(24)T while Catalyst 3750 is running IOS 12.2(35)SE5

With the exact configuration of AAA above, when the Cisco 2851 is lost contact with

the TACACS server, I can perform configuration changes without any issues.

However, if the Catalyst 3750 loses contact with the tacacs server, while in enable

mode, I can NOT do "configure t" and that I get the response "command authorization failed"

Anyone know why? Thanks.

1 REPLY

Re: Is AAA authorization the same between IOS for routers and sw

Logically it is same but we have seen different behavior from IOS to IOS.

Check the debugs on 3750 or best is to check tacacs administrator logs in acs and see how 3750 is sending that "config t" command.

Compare the syntax with your command authorization set in acs.

Regards,

~JG

Do rate helpful posts

129
Views
0
Helpful
1
Replies
CreatePlease to create content