AAA·Global Config

aaa authorization exec default group tacacs+ local

Configures AAA authorization for EXEC sessions, using TACACS+ as the primary method and the local user database as fallback, to control user access to the CLI after authentication.

Syntax·Global Config
aaa authorization exec default group tacacs+ local

When to Use This Command

  • Centralized control of user CLI access in a multi-site enterprise network using TACACS+ servers
  • Providing fallback to local user accounts when TACACS+ servers are unreachable during WAN outages
  • Enforcing different privilege levels for different user groups via TACACS+ authorization
  • Integrating with existing TACACS+ infrastructure for consistent access control across all network devices

Command Examples

Basic AAA Authorization for EXEC with TACACS+ and Local Fallback

aaa authorization exec default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# end
Router# show running-config | include aaa authorization exec
aaa authorization exec default group tacacs+ local

The command enables EXEC authorization using the default method list. 'group tacacs+' specifies TACACS+ as the primary server group, and 'local' provides fallback to the local database. The output confirms that the configuration is applied.

Verifying AAA Authorization Configuration

show aaa method-list authorization exec
Method List Name: default
  Type: Authorization
  Group: tacacs+
  Local: Yes

This output shows the method list details. 'Method List Name' is 'default', 'Type' is Authorization, 'Group' lists the server group (tacacs+), and 'Local: Yes' indicates local fallback is configured.

Understanding the Output

The command itself produces no output; it only configures the device. To verify it, run 'show running-config | include aaa authorization exec', which prints the line exactly as configured. In a real network, you would also check TACACS+ server reachability with 'test aaa group tacacs+ username password' and monitor 'debug aaa authorization' to see authorization decisions. A successful authorization shows 'PASS', while failures indicate misconfiguration or server issues.

CCNA Exam Tips

1. The CCNA exam may ask which command enables EXEC authorization with TACACS+ and local fallback; remember the exact syntax 'aaa authorization exec default group tacacs+ local'.

2. Understand that 'default' applies to all lines unless overridden; the exam might test overriding with named lists.

3. Know that 'group tacacs+' refers to a server group defined under 'tacacs server' commands; the exam may test the difference between 'group' and 'single-connection'.

4. Be aware that 'local' fallback is used only if TACACS+ servers are unreachable, not if they reject authorization.

Common Mistakes

Forgetting to configure TACACS+ server definitions and keys before using 'group tacacs+', causing authorization failures.

Using 'aaa authorization exec default local' without TACACS+, which bypasses centralized control.

Misordering methods: placing 'local' before 'group tacacs+' causes local to be tried first, defeating the purpose of centralized authorization.
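
The mistakes listed above can be checked automatically against a saved running-config. The script below is an added example, not part of the original page or any Cisco tooling; the function names, finding labels and sample configurations are constructed for illustration, and it assumes servers are defined with 'tacacs server NAME' stanzas.

```python
import re

# Constructed running-config excerpts (documentation addresses, placeholder secrets).
GOOD_CONFIG = """\
aaa new-model
username netadmin privilege 15 secret 9 <placeholder-hash>
tacacs server TAC1
 address ipv4 192.0.2.10
 key 7 <placeholder-key>
aaa authorization exec default group tacacs+ local
"""
BAD_CONFIG = """\
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
aaa authorization exec default local group tacacs+
"""

def exec_methods(config):
    """Return the ordered methods of 'aaa authorization exec default', or None."""
    m = re.search(r"^aaa authorization exec default (.+)$", config, re.M)
    if not m:
        return None
    # 'group <name>' is one method; every other token stands alone.
    return re.findall(r"group \S+|\S+", m.group(1))

def audit(config):
    """Return findings (hypothetical labels) for the mistakes described above."""
    methods = exec_methods(config)
    if methods is None:
        return ["no-default-exec-authorization"]
    findings = []
    if "group tacacs+" not in methods:
        findings.append("tacacs-not-used")  # centralized control bypassed
    else:
        if "local" in methods and methods.index("local") < methods.index("group tacacs+"):
            findings.append("local-before-tacacs")
        # A stanza is 'tacacs server NAME' plus its indented sub-commands.
        stanzas = re.findall(r"^tacacs server \S+\n((?: .*\n?)*)", config, re.M)
        if not stanzas:
            findings.append("no-tacacs-server-defined")
        elif not all(re.search(r"^ key ", s, re.M) for s in stanzas):
            findings.append("tacacs-server-without-key")
    # Fallback to 'local' needs at least one local account to fall back on.
    if "local" in methods and not re.search(r"^username \S+", config, re.M):
        findings.append("local-fallback-without-local-user")
    return findings
```

An empty list from audit() means none of these mistakes were found; it does not prove the TACACS+ servers are reachable or that the key matches the server side.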
