Usage Guidelines
Use the aaa authorization command to enable authorization and to create named method lists, which define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be performed. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.
Note: The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle (that is, the security server or the local username database responds by denying the user services), the authorization process stops and no other authorization methods are attempted.
If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.
Use the aaa authorization command to create a list by entering the values for the list-name and the method arguments, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.
Note: In the table below, the group group-name, group ldap, group radius, and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.
The table below describes the method keywords.

Table 2 aaa authorization Methods

| Keyword | Description |
| --- | --- |
| cache group-name | Uses a cache server group for authorization. |
| group group-name | Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name command. |
| group ldap | Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication. |
| group radius | Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command. |
| group tacacs+ | Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command. |
| if-authenticated | Allows the user to access the requested function if the user is authenticated. Note: The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated. |
| local | Uses the local database for authorization. |
| none | Indicates that no authorization is performed. |
Cisco IOS software supports the following methods for authorization:
- Cache Server Groups: The router consults its cache server groups to authorize specific rights for users.
- If-Authenticated: The user is allowed to access the requested function provided the user has been authenticated successfully.
- Local: The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled through the local database.
- None: The network access server does not request authorization information; authorization is not performed over this line or interface.
- RADIUS: The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.
- TACACS+: The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:
- Commands: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
- EXEC: Applies to the attributes associated with a user EXEC terminal session.
- Network: Applies to network connections. The network connections can include a PPP, SLIP, or ARA connection.
- Reverse Access: Applies to reverse Telnet sessions.
- Configuration: Applies to the configuration downloaded from the AAA server.

Note: You must configure the aaa authorization config-commands command to authorize global configuration commands, including EXEC commands prepended by the do command.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
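The method-list walk described above (fall through only on no response, stop on an explicit deny, if-authenticated and none as terminating methods), as an added simulation that is not Cisco code. It parses an aaa authorization line into its method list and evaluates it against constructed backends; the treatment of an exhausted list as a denial, and of if-authenticated for an unauthenticated user, are assumptions, not statements from this page.

```python
# Added example (not Cisco code): simulate how IOS walks an "aaa authorization"
# method list under the rules on this page. Assumptions not taken from the
# page: a backend answers "PASS", "FAIL" (explicit deny) or None (no response),
# and exhausting every method without any response is treated as a denial.
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL = "PASS", "FAIL"
Backend = Callable[[str], Optional[str]]  # username -> verdict or None


def parse_method_list(cli_line: str) -> Tuple[str, str, List[str]]:
    """'aaa authorization exec ADMIN group tacacs+ local' ->
    ('exec', 'ADMIN', ['group tacacs+', 'local']). 'group X' and 'cache X'
    are two-word methods; 'commands' carries a privilege level first."""
    words = cli_line.split()
    if words[:2] != ["aaa", "authorization"]:
        raise ValueError("not an aaa authorization line")
    auth_type, i = words[2], 3
    if auth_type == "commands":
        auth_type, i = f"commands {words[3]}", 4
    list_name, rest, methods = words[i], words[i + 1:], []
    k = 0
    while k < len(rest):
        if rest[k] in ("group", "cache"):
            methods.append(f"{rest[k]} {rest[k + 1]}")
            k += 2
        else:
            methods.append(rest[k])
            k += 1
    return auth_type, list_name, methods


def authorize(methods: List[str], user: str, backends: Dict[str, Backend],
              authenticated: bool = True) -> Tuple[str, Optional[str]]:
    """Return (verdict, deciding method). The next method is consulted only
    when the current one gives no response; an explicit deny ends the walk."""
    for m in methods:
        if m == "none":                    # no authorization is performed
            return PASS, m
        if m == "if-authenticated":        # terminating: later methods never run
            return (PASS if authenticated else FAIL), m
        verdict = backends.get(m, lambda _u: None)(user)
        if verdict is not None:            # PASS or FAIL both stop the walk
            return verdict, m
    return FAIL, None                      # every method exhausted, fail closed


# Constructed scenario: the TACACS+ group times out, so "local" decides.
METHODS = parse_method_list("aaa authorization exec ADMIN group tacacs+ local")[2]
BACKENDS: Dict[str, Backend] = {"group tacacs+": lambda u: None,
                                "local": lambda u: PASS if u == "ops" else FAIL}
```

Swapping the TACACS+ backend for one that returns FAIL shows the difference that matters operationally: the walk stops at the deny and local is never consulted.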
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:
- Accept the request as is.
- Make changes to the request.
- Refuse the request and authorization.
For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.
Note: Five commands are associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.