Configuring Authorization

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

This chapter describes the following topics and tasks:

For a complete description of the authorization commands used in this chapter, refer to the "Authorization Commands" chapter in the Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

AAA Authorization Types

Cisco IOS software supports three different types of authorization: network, EXEC, and command authorization, selected with the network, exec, and command keywords of the aaa authorization command.

AAA Authorization Methods

AAA supports five different methods of authorization:


Note Authorization, unlike authentication, cannot be applied selectively per interface.

AAA Authorization Prerequisites

Before configuring authorization, you must first perform the following tasks:

AAA Authorization Configuration Task List

This chapter describes the following tasks:

For authorization configuration examples using the commands in this chapter, refer to the "TACACS+ Configuration Examples" section located at the end of this chapter.

Configure Authorization

The aaa authorization command allows you to set parameters that restrict a user's network access. To enable AAA authorization, perform the following task in global configuration mode:

Task: Set parameters that restrict a user's network access.
Command: aaa authorization {network | exec | command level} {tacacs+ | if-authenticated | none | local | radius | krb5-instance}

To enable authorization for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARA protocols), use the network keyword. To enable authorization to determine if a user is allowed to run an EXEC shell, use the exec keyword.

To enable authorization for specific, individual EXEC commands associated with a specific privilege level, use the command keyword. This allows you to authorize all commands associated with a specified command level from 0 to 15.

TACACS+ Authorization

To have the network access server request authorization information via a TACACS+ security server, use the aaa authorization command with the tacacs+ method keyword. For more specific information about configuring authorization using a TACACS+ security server, refer to the "Configuring TACACS" chapter. For an example of how to enable a TACACS+ server to authorize the use of network services, including PPP and ARA, see the "TACACS+ Authorization Example" section at the end of this chapter.

If-Authenticated Authorization

To allow users to have access to the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword. If you select this method, all requested functions are automatically granted to authenticated users.

None Authorization

To perform no authorization for the actions associated with a particular type of authentication, use the aaa authorization command with the none method keyword. If you select this method, authorization is disabled for all actions.

Local Authorization

To select local authorization, which means that the router or access server consults its local user database to determine the functions a user is permitted, use the aaa authorization command with the local method keyword. The functions associated with local authorization are defined by using the username global configuration command. For a list of permitted functions, refer to the "Configuring Authentication" chapter.

RADIUS Authorization

To have the network access server request authorization via a RADIUS security server, use the aaa authorization command with the radius method keyword. For more specific information about configuring authorization using a RADIUS security server, refer to the "Configuring RADIUS" chapter. For an example of how to enable a RADIUS server to authorize services, see the "RADIUS Authorization Example" section at the end of this chapter.

Kerberos Authorization

To run authorization to determine if a user is allowed to run an EXEC shell at a specific privilege level based on a mapped Kerberos instance, use the krb5-instance method keyword. For more information, refer to the "Enable Kerberos Instance Mapping" section of the "Configuring Kerberos" chapter. For an example of how to enable Kerberos instance mapping, see the "Kerberos Instance Mapping Examples" section at the end of this chapter.

Disable Authorization for Global Configuration Commands

The aaa authorization command with the command keyword attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level. Because some configuration commands are identical to some EXEC-level commands, this can cause confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization. To disable AAA authorization for all global configuration commands, perform the following task in global configuration mode:

Task: Disable authorization for all global configuration commands.
Command: no aaa authorization config-commands

Authorization Attribute-Value Pairs

RADIUS and TACACS+ authorization both define specific rights for users by processing attributes, which are stored in a database on the security server. For both RADIUS and TACACS+, attributes are defined on the security server, associated with the user, and sent to the network access server where they are applied to the user's connection.

For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.

Authorization Configuration Examples

This section contains the following configuration examples: the TACACS+ Authorization Example, the RADIUS Authorization Example, and the Kerberos Instance Mapping Examples.

TACACS+ Authorization Example

The following example uses a TACACS+ server to authorize the use of network services, including PPP and ARA. If the TACACS+ server is not available or an error occurs during the authorization process, the fallback method (none) is to grant all authorization requests:

aaa authorization network tacacs+ none

The following example allows network authorization using TACACS+:

aaa authorization network tacacs+

The following example provides the same authorization, but also creates address pools called mci and att:

aaa authorization network tacacs+
ip address-pool local
ip local-pool mci 172.16.0.1 172.16.0.255
ip local-pool att 172.17.0.1 172.17.0.255

These address pools can then be selected by the TACACS daemon. A sample configuration of the daemon follows:

user = mci_customer1 {
    login = cleartext "some password"
    service = ppp protocol = ip {
        addr-pool=mci
    }
}
user = att_customer1 {
    login = cleartext "some other password"
    service = ppp protocol = ip {
        addr-pool=att
    }
}

RADIUS Authorization Example

The following example shows how to configure the router to authorize using RADIUS:

aaa authorization exec radius if-authenticated
aaa authorization network radius

The lines in this sample RADIUS authorization configuration are defined as follows:

The RADIUS information returned may be used to specify an autocommand or a connection access list to be applied to this connection.

Note Since no fallback method is specified in this example, authorization will fail if, for any reason, there is no response from the RADIUS server.
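The difference between the TACACS+ example (fallback method none, which grants everything when the daemon does not answer) and the RADIUS example (no fallback, so no response means denial) comes down to how a method list is evaluated. The following added example, which is not Cisco code, models that evaluation; the server behaviours and the local-database lookup are constructed sample data, and the method keywords are the ones from this chapter.

```python
# Added example (not Cisco code): a small model of how an IOS-style AAA
# authorization method list is evaluated, following the behaviour this
# chapter describes: methods are tried left to right, the next method is
# consulted only when the current one cannot answer (no response from the
# security server), and any answer, permit or deny, ends the evaluation.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def unreachable(_request):
    """Constructed server that never responds (e.g. TACACS+ daemon down)."""
    return ERROR


def denies_ppp_only(request):
    """Constructed server that denies PPP and permits everything else."""
    return FAIL if request == "ppp" else PASS


def evaluate(method_list, request, servers, authenticated=True):
    """Return (verdict, deciding_method).

    method_list   keywords as typed after 'aaa authorization <type>',
                  e.g. ["tacacs+", "none"]
    request       the service being authorized, e.g. "ppp" or "exec"
    servers       map of method keyword -> callable(request) returning
                  PASS, FAIL or ERROR; a missing entry counts as unreachable
    authenticated whether the user already passed AAA authentication
    """
    for method in method_list:
        if method == "none":
            return PASS, method  # no authorization at all: grant everything
        if method == "if-authenticated":
            return (PASS if authenticated else FAIL), method
        if method in ("tacacs+", "radius", "local"):
            verdict = servers.get(method, unreachable)(request)
            if verdict == ERROR:
                continue  # no answer: fall back to the next method
            return verdict, method  # a permit or deny from the server is final
        raise ValueError(f"unsupported method keyword {method!r}")
    # Every method failed to answer (or the list was empty): request denied.
    return FAIL, None


if __name__ == "__main__":
    # 'aaa authorization network tacacs+ none' with the daemon down:
    # the 'none' fallback grants the request (fail-open).
    print(evaluate(["tacacs+", "none"], "ppp", {"tacacs+": unreachable}))
    # 'aaa authorization network radius' with no response: denied.
    print(evaluate(["radius"], "ppp", {"radius": unreachable}))
```

Note that a deny returned by the server is final even when none follows it in the list; the fallback only applies when the server cannot be reached.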

Kerberos Instance Mapping Examples

The following global configuration example maps the Kerberos instance, admin, to enable mode:

kerberos instance map admin 15

The following example configures the router to check users' Kerberos instances and set appropriate privilege levels:

aaa authorization exec krb5-instance

For more information about configuring Kerberos, refer to the "Configuring Kerberos" chapter.

Copyright 1989-1997 © Cisco Systems Inc.