"aaa authorization exec default group tacacs+ local if-authenticated" explanation

m4rtin Posts: 170 Member
I have the following simple AAA configuration:
C3550-24-A#sh run | i aaa|tacacs
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ 
aaa session-id common
tacacs-server host 192.168.1.65 key Pa55w0rd
tacacs-server directed-request
C3550-24-A#

When I authenticate myself, I end up in an enable mode shell:
C3550-24-A#sh priv
Current privilege level is 15
C3550-24-A#


When I modify the "aaa authorization exec default group tacacs+" line and add the "local if-authenticated" part:
C3550-24-A#sh run | i aaa|tacacs
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local if-authenticated 
aaa session-id common
tacacs-server host 192.168.1.65 key Pa55w0rd
tacacs-server directed-request
C3550-24-A#

...then nothing changes. I mean, I still end up in an enable mode shell after authentication. What is the "local if-authenticated" part in the "aaa authorization exec default group tacacs+" command for?