AAA Authorization Works Differently than What Documentation Says

According to the documentation, the "aaa authorization config-commands" command permits a user to make configuration changes, and the "aaa authorization commands 15 PRIV-15 group tacacs+ local if-authenticated" command permits the user to run the commands assigned to it by the AAA server. Supposedly, even if the commands were authorized, global configuration commands would not be allowed without the "aaa authorization config-commands". Well, I removed both for testing purposes, and user ise-3 (configured in ISE with a privilege 15 IOS shell) can run any commands without any issues. It seems that the only commands needed are the global "aaa authorization exec ISE group tacacs+ local if-authenticated" and the VTY "authorization exec ISE".

What is the purpose of the "aaa authorization config-commands" and the "aaa authorization commands 15 PRIV-15 group tacacs+ local if-authenticated" commands then? Did I miss anything?
