Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

tacacs problem with catOS switches


i have a issue where the same command which is denied in IOS switches is allowed in catOS switches. No idea why it happens since my TACACS server(free tacacs server from cisco) denies the sh conf or sh run command for a particular user

when a user logs into a ios switch and issue a sh run ,it says command authorisation failed since i denied that user from issuing that sh conf or sh run command.

But the same command sh conf or sh run works on the catos switch. both my CATOS and IOS switches points to the same tacacs server and i have no clue how it works with catos since i denied that command.

Also strange since the same command gets denied in IOS(the way i want) but works with catOS.

Every other thing with my tacacs works fine for both IOS and CATOS except for this strange thing.

I really dont want the user to run a sh conf command in CATOS switch. what should i do fix this and why this works like this.

I tried rearranging the commands like CATOS commands first and then IOS ,but no luck :(

does any one had the same issue before.

  • AAA Identity and NAC
New Member

Re: tacacs problem with catOS switches

any updates for me :(

Hall of Fame Super Silver

Re: tacacs problem with catOS switches

It sounds to me like you have configured your IOS boxes with authentication and with authorization and that perhaps you have configured your catOS boxes with authentication but not authorization. If you would post the configuration of one of them we would be able to see more clearly what is going on and perhaps could then give you better advice.



New Member

Re: tacacs problem with catOS switches


I have enabled authorisation in catos switches as well. it works very well with authorisation since a person cant do any thing other than changing the port. if he tries to change the tacacs paramaters it will show command authorisation failed.

so that means (atlast as far as i know) the authorisation command works since the user cant change any thing except what i allowed in my tacacs and both the IOS and CATOS point to the same tacacs server. i have another group which has full access in the CATOS and that works the way i want. the only issue is with this user group which allows them to run a sh conf or sh run command in the catos switches

New Member

Re: tacacs problem with catOS switches

HI trackme,

Would love to see ure config for both IOS and catos as I am trying to do the same but have not succeeded.

One thing I am doing tho, is I have multiple NDG's. I have two user groups. Grp A has access to all. Grp B shd. have "all" access to only some NDG's but restricted access to other NDG's. I have also enabled direct access to the priv mode .. so that everyone has to log in only once to get to enable.

So my question is how can I get grp B to have "one stop" login to priv. mode for some NDG's and not to others?

sorry for no help to u ...