To set the parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To remove the parameters, use the no form of this command.
aaa authorization {auth-proxy | cache | commands level | config-commands | configuration | console | credential-download | exec | multicast | network | onep | policy-if | prepaid | radius-proxy | reverse-access | subscriber-service | template} {default | list_name} [method1 [method2 ...]]
Syntax Description
auth-proxy | Runs authorization for authentication proxy services.
cache | Configures the authentication, authorization, and accounting (AAA) server.
commands | Runs authorization for all commands at the specified privilege level.
level | Specific command level that should be authorized. Valid entries are 0 through 15.
config-commands | Runs authorization to determine whether commands entered in configuration mode are authorized.
configuration | Downloads the configuration from the AAA server.
console | Enables the console authorization for the AAA server.
credential-download | Downloads the EAP credential from Local/RADIUS/LDAP.
exec | Enables the console authorization for the AAA server.
multicast | Downloads the multicast configuration from the AAA server.
network | Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).
onep | Runs authorization for the ONEP service.
reverse-access | Runs authorization for reverse access connections, such as reverse Telnet.
template | Enables template authorization for the AAA server.
default | Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
list_name | Character string used to name the list of authorization methods.
method1 [method2 ...] | (Optional) An authorization method or multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in the table below.
Command Default
Authorization is disabled for all actions (equivalent to the method keyword none).
Command Modes
Global configuration
Command History
Release | Modification
Cisco IOS XE Gibraltar 16.10.1 | This command was introduced.
Usage Guidelines
Use the aaa authorization command to enable authorization and to create named method lists, which define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be performed. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, which ensures a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.
Note: The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle, meaning that the security server or the local username database responds by denying the user services, the authorization process stops and no other authorization methods are attempted.
If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.
Use the aaa authorization command to create a list by entering the values for the list-name and the method arguments, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.
Note: In the table that follows, the group group-name, group ldap, group radius, and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server and tacacs server commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.
This table describes the method keywords.
Table 1. aaa authorization Methods
Keyword | Description
cache group-name | Uses a cache server group for authorization.
group group-name | Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name command.
group ldap | Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.
group radius | Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+ | Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
if-authenticated | Allows the user to access the requested function if the user is authenticated. Note: The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated.
local | Uses the local database for authorization.
none | Indicates that no authorization is performed.
Cisco IOS software supports the following methods for authorization:
- Cache Server Groups—The router consults its cache server groups to authorize specific rights for users.
- If-Authenticated—The user is allowed to access the requested function provided the user has been authenticated successfully.
- Local—The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled through the local database.
- None—The network access server does not request authorization information; authorization is not performed over this line or interface.
- RADIUS—The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.
- TACACS+—The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:
- Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
- EXEC—Applies to the attributes associated with a user EXEC terminal session.
- Network—Applies to network connections. The network connections can include a PPP, SLIP, or ARA connection.
Note: You must configure the aaa authorization config-commands command to authorize global configuration commands, including EXEC commands prepended by the do command.
- Reverse Access—Applies to reverse Telnet sessions.
- Configuration—Applies to the configuration downloaded from the AAA server.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:
- Accept the request as is.
- Make changes to the request.
- Refuse the request and authorization.
For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.
Note: Five commands are associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.
Examples
The following example shows how to define the network authorization method list named mygroup, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization will be performed.
Device(config)# aaa authorization network mygroup group radius local
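A fuller configuration that carries the example through the step the Usage Guidelines call out (named lists do nothing until they are applied to lines or interfaces), as an added example that is not part of the original page. The server names, addresses, keys, the ADMIN-* list names and the Serial0/0 interface are hypothetical placeholders; only the mygroup list comes from the page.

```text
! Added example, not from the original page. Server names, addresses, keys,
! interface name, and list names other than "mygroup" are hypothetical.
aaa new-model
!
! Hypothetical servers and a named server group that the method lists reference.
tacacs server TAC1
 address ipv4 192.0.2.10
 key <placeholder-tacacs-key>
aaa group server tacacs+ ADMIN-TAC
 server name TAC1
!
radius server RAD1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <placeholder-radius-key>
!
! Local fallback account, consulted only when no server in the group responds.
username netadmin privilege 15 secret <placeholder-secret>
!
! EXEC and privilege-15 command authorization: TACACS+ first, local only on
! no response. A deny from TACACS+ terminates the cycle; local is not tried.
aaa authorization exec ADMIN-EXEC group ADMIN-TAC local
aaa authorization commands 15 ADMIN-CMDS group ADMIN-TAC local
! Required so that global configuration commands, including EXEC commands
! prepended by "do", are also subject to command authorization.
aaa authorization config-commands
!
! Network authorization list from the page's example: RADIUS, then local.
aaa authorization network mygroup group radius local
!
! The lists take effect only on the lines and interfaces they are applied to.
line vty 0 4
 authorization exec ADMIN-EXEC
 authorization commands 15 ADMIN-CMDS
!
interface Serial0/0
 encapsulation ppp
 ppp authorization mygroup
```

Lines and interfaces that are not given a named list fall back to the default list for that authorization type, and to no authorization at all if no default list exists.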