Autocommands in AAA environment

A reader who prefers to remain anonymous has reported an interesting observation: autocommands configured on local usernames do not work after configuring aaa new-model.

I immediately suspected that the problem lies in the granularity of the AAA mechanisms, and a quick lab test proved it: the username/password check is configured with the aaa authentication login configuration commands, whereas the autocommand feature belongs to EXEC authorization and has to be configured separately with the aaa authorization exec command.

The following configuration can be used if you want to use local usernames and autocommands within the AAA framework (add TACACS+/RADIUS servers as needed):

aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
username local password 0 local
username test password 0 test
username test autocommand show ip route
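As an added example (not part of the original post), a small Python config audit that flags exactly the situation described above: aaa new-model is enabled, usernames carry an autocommand, but no aaa authorization exec method list exists. The sample configurations are constructed for the example.

```python
import re

# Constructed sample configs (assumption: IOS-style running-config text).
BROKEN_CONFIG = """\
aaa new-model
!
aaa authentication login default local
!
username test password 0 test
username test autocommand show ip route
"""

FIXED_CONFIG = """\
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
username test password 0 test
username test autocommand show ip route
"""

# Legacy (no AAA) config: autocommands are honoured without any authorization list.
LEGACY_CONFIG = """\
username test password 0 test
username test autocommand show ip route
"""

def audit_autocommands(config: str) -> list[str]:
    """Return usernames whose autocommand will silently be ignored.

    The autocommand is ignored when 'aaa new-model' is enabled but no
    'aaa authorization exec ...' method list is configured. Without
    'aaa new-model' the legacy mechanism applies and nothing is flagged.
    The check only looks for the presence of an exec authorization list;
    whether a named list is applied to the relevant lines is not verified.
    """
    lines = [line.strip() for line in config.splitlines()]
    new_model = "aaa new-model" in lines
    exec_authz = any(line.startswith("aaa authorization exec ") for line in lines)
    if not new_model or exec_authz:
        return []
    # Collect every local user that has an autocommand attached.
    return [m.group(1) for line in lines
            if (m := re.match(r"username (\S+) autocommand ", line))]

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)]:
        print(name, "->", audit_autocommands(cfg) or "OK")
```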

This article is part of the You've asked for it series.

1 comment:

  1. Autumn Aeterna, 04 August, 2009 12:17

    When using RADIUS/Tacacs, there's a corresponding AV pair (autocmd=x). 'Username ... autocommand' will work only for local users.

    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_tacacs_attr_vp_ps6441_TSD_Products_Configuration_Guide_Chapter.html



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.