Cisco-IOS AAA – Reason for ‘aaa authorization exec default group tacacs+’ Command in Cisco IOS

Tags: aaa, cisco-ios

I have the following very minimalistic AAA configuration on an ISR router with IOS 12.4(22)T:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ 
aaa session-id common

After authentication I end up in privilege level 15. Now if I execute commands like conf t or show ver, the router does not consult the TACACS+ server (I ran a packet capture on the TACACS+ server, TCP port 49). What exactly does the aaa authorization exec default group tacacs+ command do? When does command authorization happen?

Best Answer

The statement

aaa authorization exec default group tacacs+

allows you to start a CLI session (a command shell). Without it, you can't get a command prompt.

You can see more information here.

EDIT: From: http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_cfg_authorizatn.html#wp1058237

AAA Authorization Types

Cisco IOS software supports five different types of authorization:

•Auth-proxy—Applies specific security policies on a per-user basis. See "Related Documents" section for more information about where to find authentication proxy configuration documentation.

•Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

•EXEC—Applies to the attributes associated with a user EXEC terminal session.

•Network—Applies to network connections. This can include a PPP, SLIP, or ARAP connection.

•Reverse Access—Applies to reverse Telnet sessions.

•Configuration—Applies to downloading configurations from the AAA server.

•IP Mobile—Applies to authorization for IP mobile services.

I think the confusion comes from the difference in how different TACACS daemons respond. Cisco ACS may respond differently than your Shrubbery daemon or tacacs.net.

Here is some more reference material, although not exactly what you're asking for: TACACS Attribute-Value Pairs
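As an added illustration (not part of the answer above or of Cisco's documentation), the Python below encodes and decodes TACACS+ authorization REQUEST packets (layout per RFC 8907) so the two cases can be compared on the wire: the single shell request the router sends at login because of aaa authorization exec, and the per-command request that the capture on TCP/49 never showed because no aaa authorization commands <level> line is configured. The user, port and address values are constructed, and the body is left clear-text for readability; a real NAS obfuscates it with the shared key.

```python
import re
import struct

TAC_PLUS_AUTHOR, TAC_PLUS_UNENCRYPTED_FLAG = 0x02, 0x01   # packet type "authorization"; clear-text body flag
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01

def build_author_request(user, port, rem_addr, args, priv_lvl=15, session_id=0x1234):
    """Encode an authorization REQUEST (12-byte header + body) as the NAS sends it on TCP/49.
    Demo keeps the body clear-text (flag 0x01); a real NAS obfuscates it with the shared key."""
    body = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(args))
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, 1, TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body

def parse_author_request(pkt):
    """Decode a clear-text authorization REQUEST into user, priv_lvl and its AV-pair list."""
    _ver, ptype, _seq, flags, _sid, length = struct.unpack("!BBBBII", pkt[:12])
    if ptype != TAC_PLUS_AUTHOR or not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("not a clear-text authorization packet")
    body = pkt[12:12 + length]
    _m, priv_lvl, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, off = body[8:8 + argc], 8 + argc
    user, off = body[off:off + ulen].decode(), off + ulen + plen + rlen   # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"user": user, "priv_lvl": priv_lvl, "args": args}

def classify(args):
    """('exec', None) for the shell start-up request (service=shell + empty 'cmd*') or ('command', '<full cmd>')."""
    kv, cmd_args = {}, []
    for a in args:
        m = re.fullmatch(r"([^=*]+)[=*](.*)", a, re.S)   # '=' = mandatory attribute, '*' = optional
        if m is None:
            raise ValueError("malformed AV pair: %r" % a)
        if m.group(1) == "cmd-arg":
            cmd_args.append(m.group(2))
        else:
            kv[m.group(1)] = m.group(2)
    if kv.get("service") != "shell":
        raise ValueError("not a shell authorization request")
    if not kv.get("cmd"):
        return ("exec", None)
    return ("command", " ".join([kv["cmd"]] + [x for x in cmd_args if x != "<cr>"]))
# Constructed sample traffic: the one request 'aaa authorization exec' causes at login, and the
# per-command request that only 'aaa authorization commands <level>' would make the router send.
EXEC_REQUEST = build_author_request(b"admin", b"tty2", b"10.0.0.5", [b"service=shell", b"cmd*"])
SHOW_VER_REQUEST = build_author_request(b"admin", b"tty2", b"10.0.0.5",
                                        [b"service=shell", b"cmd=show", b"cmd-arg=version", b"cmd-arg=<cr>"])
```

The server's reply to the exec request is where priv-lvl=15 comes back, which is why the session lands in privilege level 15 without any further authorization traffic for individual commands.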