Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

9 module online course

Start now!
back to overview

Autocommands in AAA environment

A reader who prefers to remain anonymous has reported an interesting observation: autocommands configured on local usernames do not work after configuring aaa new-model.

I’ve immediately suspected that the problem lies in the granularity of the AAA mechanisms and a quick lab test proved it: the username/password check is configured with the aaa authentication login configuration commands, whereas the autocommand feature belongs to the EXEC authorization and has to be configured separately with the aaa authorization exec command.

The following configuration can be used if you want to use local usernames and autocommands within the AAA framework (add TACACS+/RADIUS servers as needed):

aaa new-model
aaa authentication login default local 
aaa authorization exec default local
username local password 0 local
username test password 0 test
username test autocommand show ip route

This article is part of You've asked for it series.

Please read our Blog Commenting Policy before writing a comment.

1 comment:

  1. Autumn Aeterna04 August, 2009 12:17

    When using RADIUS/Tacacs, there's a corresponding AV pair (autocmd=x). 'Username ... autocommand' will work only for local users.


Constructive courteous comments are most welcome. Anonymous trolling will be removed with prejudice.