I have the following very minimalistic AAA configuration on an ISR router with IOS 12.4(22)T:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+
aaa session-id common
After authentication I end up in privilege level 15. Now if I execute commands like conf t or show ver, the router does not consult the TACACS+ server (I ran a packet capture on the TACACS+ server, TCP port 49). What exactly does aaa authorization exec default group tacacs+ do? When does the command authorization happen?
Best Answer
The statement allows you to start a CLI session (a command shell). Without it, you can't get a command prompt.
You can see more information here.
EDIT: From: http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_cfg_authorizatn.html#wp1058237
I think the confusion comes from the difference in how different TACACS daemons respond. Cisco ACS may respond differently than your Shrubbery daemon or tacacs.net.
Here is some more reference material, although not exactly what you're asking for: TACACS Attribute-Value Pairs
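As an added example (not part of the question or the answer above): the same AAA block with the two lines that make IOS consult the TACACS+ server per command rather than only once at shell start. It assumes standard IOS `aaa authorization commands` syntax; server address and key are placeholders.

```cisco
! Added example, not the original poster's configuration.
! TACACS+ server address and key below are placeholders.
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
! exec authorization: one request to the server when the shell is started
aaa authorization exec default group tacacs+
! command authorization: one request per privilege-15 EXEC command (show ver, conf t, ...)
! a fallback method (e.g. local) can be appended after "group tacacs+" so an
! unreachable server does not block every command
aaa authorization commands 15 default group tacacs+
! also send commands typed inside configuration mode to the server
aaa authorization config-commands
aaa session-id common
```

With `aaa authorization commands` present, every EXEC command at that level shows up as a separate TACACS+ authorization packet on TCP port 49, which is the traffic the original capture did not see.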