Authorization Commands

This chapter describes the commands used to configure authentication, authorization, and accounting (AAA) authorization. AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

For information on how to configure authorization using AAA, refer to the "Configuring Authorization" chapter in the Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "Authorization Configuration Examples" section located at the end of the "Configuring Authorization" chapter in the Security Configuration Guide.

aaa authorization

Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.

aaa authorization {network | exec | command level} method
no aaa authorization {network | exec | command level}
Syntax Description
network Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol.
exec Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.
command Runs authorization for all commands at the specified privilege level.
level Specific command level that should be authorized. Valid entries are 0 through 15.
method One of the keywords in Table 6.
Default

Authorization is disabled for all actions (equivalent to the keyword none).

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.


Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.

Use the aaa authorization command to create at least one, and up to four, authorization methods that can be used when a user accesses the specified function. Method keywords are described in Table 6.


Note This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.

The additional methods of authorization are used only if the previous method returns an error (for example, because the security server cannot be contacted), not if it fails (rejects the request). Specify none as the final method in the command line to have authorization succeed even if all methods return an error.

If authorization is not specifically set for a function, the default is none and no authorization is performed.


Table 6: AAA Authorization Methods
Keyword Description
tacacs+ Requests authorization information from the TACACS+ server.
if-authenticated Allows the user to access the requested function if the user is authenticated.
none No authorization is performed.
local Uses the local database for authorization.
radius Uses RADIUS to get authorization information.
krb5-instance Uses the instance defined by the Kerberos instance map command.
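The following is an added model, not Cisco IOS code, of how a method list is walked under the rule above: a later method is consulted only when the previous one returns an error, never when it fails. The backend outcomes are constructed; the handling of if-authenticated for an unauthenticated user and of a list in which every method errors are assumptions, marked in the code.

```python
# Added model (not Cisco IOS code) of how an aaa authorization method list is
# walked, following the rule stated above: a later method is consulted only
# when the previous one returns an ERROR (for example, the TACACS+ server cannot
# be contacted); an explicit FAIL ends evaluation at once.
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "pass", "fail", "error"
SERVER_METHODS = {"tacacs+", "radius", "local", "krb5-instance"}

def evaluate(methods: List[str], backends: Dict[str, Callable[[], str]],
             authenticated: bool = True) -> str:
    """Return the decision for a method list such as ["tacacs+", "none"].

    backends maps each server-backed keyword in SERVER_METHODS to a constructed
    callable returning PASS, FAIL or ERROR. "none" always passes;
    "if-authenticated" passes for an authenticated user (that it fails for an
    unauthenticated one is an assumption). An empty list is the default: no
    authorization is performed, so the request is allowed.
    """
    if not methods:
        return PASS
    for method in methods:
        if method == "none":
            result = PASS
        elif method == "if-authenticated":
            result = PASS if authenticated else FAIL
        elif method in SERVER_METHODS:
            result = backends[method]()
        else:
            raise ValueError(f"unknown method keyword: {method}")
        if result != ERROR:      # only an ERROR falls through to the next method
            return result
    # Every method returned an error and no trailing "none" rescued the request;
    # treating that as a deny is an assumption the page only implies.
    return FAIL

def scenarios() -> Dict[str, str]:
    """Constructed outcomes that contrast 'server unreachable' with 'server denies'."""
    unreachable = {"tacacs+": lambda: ERROR}
    denies = {"tacacs+": lambda: FAIL}
    return {
        # The page's own example: the error falls through to none, request succeeds.
        "tacacs+ none, server down": evaluate(["tacacs+", "none"], unreachable),
        # A deny is final: the trailing none is never reached.
        "tacacs+ none, server denies": evaluate(["tacacs+", "none"], denies),
        # Without none, a server outage leaves the user unauthorized.
        "tacacs+ only, server down": evaluate(["tacacs+"], unreachable),
        # No method list at all: default none, nothing is checked.
        "no list configured": evaluate([], {}),
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:30} -> {decision}")
```

The second scenario is the one worth checking in a real configuration: a trailing none only covers server outages, so a user the server explicitly denies stays denied.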

The authorization command causes a request packet containing a series of attribute value pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ AV Pairs" appendix in the Security Configuration Guide.

Examples

The following example specifies that TACACS+ authorization is used for all network-related requests. If this authorization method returns an error (for example, because the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.

aaa authorization network tacacs+ none

The following example specifies that TACACS+ authorization is run for level 15 commands. If this authorization method returns an error (for example, because the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.

aaa authorization command 15 tacacs+ none
Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa accounting
aaa new-model

aaa authorization config-commands

To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization command level method command was issued.

aaa authorization config-commands
no aaa authorization config-commands
Syntax Description

This command has no arguments or keywords.

Default

After the aaa authorization command level method command has been issued, this command is enabled by default, meaning that all configuration commands entered in EXEC mode are authorized.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

If aaa authorization command level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because some configuration commands are identical to EXEC-level commands, the authorization process can be confusing. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.

After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization command level method command.

Example

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands
Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa authorization

aaa new-model

To enable the AAA access control model, use the aaa new-model global configuration command. Use the no form of this command to disable this functionality.

aaa new-model
no aaa new-model
Syntax Description

This command has no arguments or keywords.

Default

AAA is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command enables the AAA access control system. After you have enabled AAA, TACACS and Extended TACACS commands are no longer available. If you initialize AAA functionality and later decide to use TACACS or Extended TACACS, issue the no form of this command and then enable the version of TACACS that you want to use.

Example

The following example initializes AAA:

aaa new-model
Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa accounting
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization
tacacs-server key

Copyright 1989-1997 © Cisco Systems Inc.