AAA authorization

Hello All,


  A few doubts on AAA authorization

1. If we have configured "aaa authorization exec" then does it apply to both exec level commands (i.e., level 1 mode, the > prompt) AND the privileged mode commands (the level 15, the # prompt) OR do we also need the "aaa authorization commands 15" too?

2. I've seen cases where we configure "aaa authorization exec default tacacs+" but we don't have the authorization on the tacacs; the authorization checks are only being performed against the privilege commands on the local router. The tacacs only provides the level of the user after he gets authenticated by the AAA, let's say level 7, and then the authorization of the commands is being done locally. Is it the usual way it's done?





  • "aaa authorization exec" defines what privilege you will have at exec mode.

    "aaa authorization commands 15" authorizes each command you enter at exec mode.

    "aaa authorization config-commands" authorizes each command you enter at config and its submode.

    "aaa authorization exec default tacacs+" gets the privilege level that should be given to the user from the tacacs server.

    With regards
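
The two arrangements discussed in this thread, shown side by side as an added example that is not part of the original posts. It assumes an IOS release that uses the `group tacacs+` method syntax; the level 7 command list and the `local` fallback method are illustrative choices, not taken from the thread.

```cisco
! Added example, not from the original posts.
aaa new-model
aaa authentication login default group tacacs+ local
!
! Arrangement A: exec authorization only.
! At login the server returns the user's privilege level (for example 7).
! Which commands that level may run is decided on the router itself,
! by the local "privilege" statements below; the server is not consulted
! again for individual commands.
aaa authorization exec default group tacacs+ local
privilege exec level 7 show running-config
privilege exec level 7 clear counters
!
! Arrangement B: per-command authorization.
! Every command entered at the listed level is sent to the server for a
! permit/deny decision. Each level needs its own line; "exec" alone does
! not cause commands to be checked.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Extend the per-command checks to configuration mode and its submodes.
aaa authorization config-commands
```

The trailing `local` method is only tried when the TACACS+ server does not respond, which keeps the device manageable during a server outage.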


