Cisco Support Community

Tacacs+ config help

Having some trouble with a tacacs config.. 

I can SSH into my 3560 switch with a tacacs configured username / password but commands like write mem or dir display an error message.

The command 'write <cr>' is not authorized for user [username] and client [ip addr] 

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

 

 

 

 

1 ACCEPTED SOLUTION

Hi Rob,

As everything is Tacacs+ specific.

If the command is not being authorized, this has to be checked on the Tacacs+ server.

What is the Tacacs+ server that you are using?

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
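
Why the switch refuses `write` even though the method list ends in `if-authenticated`: IOS moves to the next method only when the TACACS+ server does not answer, not when it answers with a deny. The sketch below is an added example (not from the original posts or from Cisco) that models this on the thread's own `aaa authorization commands` lines; the function names and the PASS/FAIL/ERROR labels are assumptions of the example.

```python
import re

# Constructed input: the authorization lines from the config posted above.
CONFIG = """\
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

def command_method_lists(config):
    """Map privilege level -> ordered methods of the 'default' command list."""
    lists = {}
    pat = re.compile(r"^aaa authorization commands (\d+) default (.+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            # 'group tacacs+' is one method; collapse it into a single token
            methods = re.sub(r"group\s+(\S+)", r"group:\1", m.group(2)).split()
            lists[int(m.group(1))] = methods
    return lists

def authorize(methods, server_reply, authenticated=True):
    """Simplified model of method-list evaluation (assumption of this example).

    server_reply: 'PASS', 'FAIL', or 'ERROR' (server unreachable / no reply).
    A later method is consulted only when the earlier one returns ERROR.
    Returns (permitted, method_that_decided).
    """
    for method in methods:
        if method.startswith("group:"):
            if server_reply == "ERROR":
                continue                      # no answer: try the next method
            return server_reply == "PASS", method  # explicit answer is final
        if method == "if-authenticated":
            return authenticated, method
        if method == "none":
            return True, method
    return False, None                        # list exhausted: deny

if __name__ == "__main__":
    level15 = command_method_lists(CONFIG)[15]
    for reply in ("PASS", "FAIL", "ERROR"):
        print(reply, authorize(level15, reply))
```

The ERROR row is the one to review from a least-privilege standpoint: with this list, any authenticated user is permitted every level 15 command while the server is unreachable.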
3 REPLIES
tacacs.net is the software. 

I'm digging through the documentation, but it's quite lousy IMHO.

I'll start troubleshooting this from a server authorization perspective. I just found I can rename the authorization.xml to authorization.xml.old. I've tested and now I have full control over commands.

Looks like I'll have to tweak this list of commands / permissions and rename again to get this working.

Thanks for pointing me in the right direction.

-Rob


Great!

Please mark the answer as resolved so others can take guidance with the same type of issue.

 

Regards

Ed
