Command:

aaa authorization


Mode:

Router(config)#


Syntax:

aaa authorization {network | exec | commands level | reverse-access | configuration | config-commands | auth-proxy | ipmobile} {default | list-name} method1 [method2...]


no aaa authorization {network | exec | commands level | reverse-access | configuration | config-commands | auth-proxy | ipmobile}

 

Syntax Description:

auth-proxy

For Authentication Proxy Services.

network

Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

exec

Runs authorization to determine if the user is allowed to run an EXEC shell.

commands

Runs authorization for all commands at the specified privilege level.

config-commands

For configuration mode commands.

configuration

Downloads the configuration from the AAA server.

ipmobile

For Mobile IP services.

level

Specific command level that should be authorized. Valid entries are 0 through 15.

reverse-access

Runs authorization for reverse access connections, such as reverse Telnet.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization.

list-name

Character string used to name the list of authorization methods.

method1 [method2...]

One of the keywords listed in the table below.

 

Command Description:

 

Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function. Use the aaa authorization command to enable authorization and to create named method lists, defining the authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which those methods will be tried. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists allow one or more security protocols to be designated for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method in the list. This process continues until there is successful communication with a listed authorization method, or all defined methods are exhausted.


Note The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle (meaning that the security server or local username database responds by denying the user services) the authorization process stops and no other authorization methods are attempted.


Use the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization method(s) tried in the given sequence.

Method keywords are described in the table below.

Table: AAA Authorization Methods

Keyword / Description

group radius

Uses the list of all RADIUS servers to provide authorization service.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

none

No authorization is performed.

local

Uses the local database for authorization.

group tacacs+

Uses the list of all TACACS+ servers to provide authorization service.

krb5-instance

Uses the instance defined by the kerberos instance map command.
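The fallback rule given in the command description above (the next method is consulted only when the previous one does not respond, and an explicit deny ends the cycle) can be checked against concrete scenarios with the following Python model, which also parses aaa authorization lines into the keywords listed in this table. It is an added example, not Cisco's code: the configuration snippet, the list names ADMIN and LAB and the simulated server responses are constructed, and treating a list that is exhausted without any response as a failed authorization is an assumption of the model.

```python
"""Model of how Cisco IOS walks an `aaa authorization` method list.

Added example, not Cisco code. It parses constructed `aaa authorization`
configuration lines and replays the fallback rule from the command
description: the next method is tried only when the previous one gave
no response; an accept or an explicit deny ends the cycle.
Server behaviour is simulated; no device is contacted.
"""
import re
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"              # method granted the request
    DENY = "deny"                  # method explicitly refused it
    NO_RESPONSE = "no-response"    # server unreachable or timed out


# Constructed configuration snippet (ADMIN and LAB are hypothetical list names).
SAMPLE_CONFIG = """
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 ADMIN group tacacs+ if-authenticated
aaa authorization network scoobee group radius local
aaa authorization exec LAB group radius none
"""

AAA_AUTHZ_RE = re.compile(
    r"^aaa authorization (?P<type>network|exec|commands \d+|reverse-access|"
    r"configuration|config-commands|auth-proxy|ipmobile) (?P<list>\S+) (?P<methods>.+)$"
)


def parse_method_lists(config: str) -> dict:
    """Return {(authz_type, list_name): [method, ...]} for each aaa authorization line."""
    lists = {}
    for line in config.splitlines():
        m = AAA_AUTHZ_RE.match(line.strip())
        if not m:
            continue
        # "group radius" and "group tacacs+" are two-word keywords; rejoin them.
        tokens = m.group("methods").split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(m.group("type"), m.group("list"))] = methods
    return lists


def evaluate(methods, server_results, user_authenticated=True, local_allows=False):
    """Walk the list with the IOS fallback semantics described on this page.

    server_results: simulated answers, e.g. {"group tacacs+": Result.NO_RESPONSE}.
    Returns (final Result, method that produced it, or None if the list ran out).
    """
    for method in methods:
        if method == "none":
            return Result.ACCEPT, method       # no authorization performed at all
        if method == "if-authenticated":
            return (Result.ACCEPT if user_authenticated else Result.DENY), method
        if method == "local":
            return (Result.ACCEPT if local_allows else Result.DENY), method
        r = server_results.get(method, Result.NO_RESPONSE)
        if r is not Result.NO_RESPONSE:
            return r, method                   # accept or explicit deny stops the cycle
        # no response: fall through to the next listed method
    # Assumption of this model: exhausting the list without any answer fails the request.
    return Result.DENY, None


def fail_open_lists(lists):
    """Lists ending in `none`: when every server is silent, anything is authorized."""
    return sorted(k for k, methods in lists.items() if methods and methods[-1] == "none")
```

Running evaluate over the default exec list shows the two cases the Note above distinguishes: a TACACS+ deny is final even though local would have allowed the user, while a silent TACACS+ server lets the local database decide. fail_open_lists is the audit check a reviewer would run over a device configuration, since a trailing none keyword means an unreachable server grants every request.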

 

Cisco IOS software supports the following six methods for authorization:

 

 

Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization:

 

 

When creating a named method list, a particular list of authorization methods for the indicated authorization type is defined. Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following: 

 

For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Cisco IOS Release 11.3 Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ AV Pairs" appendix in the Cisco IOS Release 11.3 Security Configuration Guide.


Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If AAA authorization is configured for a privilege level greater than 0, these five commands will not be included in the privilege level command set.


 

Example:

 

The following example defines the network authorization method list named scoobee, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization will be performed.

 

Router(config)#aaa authorization network scoobee group radius local


Misconceptions:

 

This command can be used with TACACS or extended TACACS.


Related Commands:

 

aaa accounting

 

aaa new-model

 


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
