Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

aaa authorization

Hi Guys

I have doubt regarding this commands.

aaa authorization exec default group tacacs+ if-authenticated

likewise for commands

what exactly does this commands have effect.because when i enter this commands and try to access the switch via telnet and try to execute sh run i get authorization failed message.any help appricaited.

Thanks

Mahmood

8 REPLIES
Community Member

Re: aaa authorization

Hi Mahmood

When a user wants to login or shell to your router ,router asks for username and password ,since you ve configured tacacs in the configuration your router check the password with a tacacs server ,it seems you did not configure any radius or tacacs server in your router so your router cant find any aaa server.

Did you configure any server in your router or not ,if not you should do password recovery by changing the config register code to 0x2142 from Rommon and if you use a switch the password recovery steps will be differ from routers so let me know what kind of cisco switches do you use if want to recover your switch.

Please do rate helpful comments.

Best Regards B.Mozaffari

Re: aaa authorization

HI, [Pls Rate if Helps U]

[PLs check the Privilege Levels given to the User on the Switch] - Follows in Detail:

You can configure access levels on the routers so the junior administrators do not have complete access to the router. Cisco routers have 16 different privilege levels that you can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can customize levels 2 to 15 to provide monitoring abilities to the secondary administrators. Here is a sample configuration for privilege levels on the router:

RA(config)#privilege exec level 3 ping

RA(config)#privilege exec level 3 traceroute

Command:

--------

aaa authorization exec default group tacacs+ if-authenticated

Explanation:

-------------

exec

Runs authorization to determine if the user is allowed to run an EXEC shell.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization

tacacs+

Requests authorization information from the TACACS+ server.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

PLS Rate If Helps ! !

Best Regards,

Guru Prasad R

Re: aaa authorization

Hi Thanks for the reply.

tacacs+ is configured and the aaa server is reachable.i am getting authenticatin from it.

but when i try to run a command i get command autorization failed.As per u r post do mean that if the user gets autenticacted then he should be able to use any commans is that so.

Thanks

Mahmood

Re: aaa authorization

HI, [Pls Rate if Helps U]

See below cmds:

---------------

RA(config)#privilege exec level 3 ping

RA(config)#privilege exec level 3 traceroute

Privilege level 3 is given & that too the user to whom this particular level given is authorised to execute Ping & traceroute cmds.

If you need full access privilege level = 15

Hope this helps U. Pls Rate

Best Regards,

Guru Prasad R

Re: aaa authorization

HI, [Pls rate if Helps]

http://www.netcraftsmen.net/welcher/papers/priv.htm

This Link will help you more on Privilege levels to the Administrators.

Pls Rate if Helps

Best Regards,

Guru Prasad R

Re: aaa authorization

Hi Mahmood,

If-Authenticated means that the user is allowed to access the requested function provided the user has been authenticated successfully.

Your problem simply means that you have configured the router to use tacacs for authorization but no commands are allowed for this username, try editing your tacacs.

HTH, please rate if it does help,

Mohammed Mahmoud.

Re: aaa authorization

Hi Mahmoud thanks for the reply.

Can u guide me where i can edit these settings in the tacacs server.

Thanks

Mahmood

Re: aaa authorization

Hi Mahmood,

I am not that experienced in tacacs configuration as we have a unix guy here doing this stuff, but it should look something like this, under the user name profile:

cmd = show {

permit ip

permit interface

permit controller

permit atm

permit processes

permit caller

permit users

deny .*

}

HTH, please do rate helpful replies,

Mohammed Mahmoud.

327
Views
0
Helpful
8
Replies
CreatePlease to create content