Configuring AAA Services on Cisco IOS XR Software
How to Configure AAA Services
Cisco IOS XR System Security Configuration Guide
Note: The Cisco IOS XR software attempts authorization with the next listed method only when there is no response or an error response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.
Method lists are specific to the type of authorization being requested. The Cisco IOS XR software
supports three types of AAA authorization:
• Command authorization: Applies to the EXEC mode commands a user issues. Command
authorization attempts authorization for all EXEC mode commands.
• EXEC authorization: Applies authorization for starting an EXEC session.
• Network authorization: Applies authorization for network services such as Internet Key Exchange
(IKE).
When you create a named method list, you are defining a particular list of authorization methods for the
indicated authorization type. When defined, method lists must be applied to specific lines or interfaces
before any of the defined methods will be performed. Do not use the names of methods, such as
TACACS+, when creating a new method list.
“Command” authorization, as a result of adding a command authorization method list to a line template,
is separate from, and is in addition to, “task-based” authorization, which is performed automatically on
the router. The default behavior for command authorization is none. Even if a default method list is
configured, that method list has to be added to a line template for it to be used.
The aaa authorization commands command causes a request packet containing a series of attribute
value (AV) pairs to be sent to the TACACS+ daemon as part of the authorization process. The daemon
can do one of the following:
• Accept the request as is.
• Refuse authorization.
Creation of a Series of Authorization Methods
Use the aaa authorization command to set parameters for authorization and to create named method
lists defining specific authorization methods that can be used for each line or interface.
The Cisco IOS XR software supports the following methods for authorization:
• none—The router does not request authorization information; authorization is not performed over
this line or interface.
• local—Uses local database for authorization.
• group tacacs+—Uses the list of all configured TACACS+ servers for authorization.
• group radius—Uses the list of all configured RADIUS servers for authorization.
SUMMARY STEPS
1. configure
2. aaa authorization {commands | exec | network} {default | list-name} {none | local | group {tacacs+ | radius | group-name}}
3. end or commit
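The following configuration puts the summary steps together with the points made earlier in this section: it builds a TACACS+ server group, defines default exec and command authorization method lists whose last method is local rather than none, and attaches those lists to a VTY line template, since a method list that is never applied to a line does nothing. This is an added example written for this page, not a configuration from the Cisco guide. The server address 192.0.2.10, the shared key, the group name TAC-ADMINS and the template name ADMIN-VTY are constructed values, and the VTY pool range is an assumption.

```text
! Added example (not from the Cisco guide). Server address, key and the
! names TAC-ADMINS / ADMIN-VTY are constructed for illustration.
configure
!
! TACACS+ server and a named server group to reference from method lists.
tacacs-server host 192.0.2.10 port 49
 key 0 EXAMPLE-SHARED-KEY
!
aaa group server tacacs+ TAC-ADMINS
 server 192.0.2.10
!
! Method lists. Methods are consulted left to right; the router moves to
! the next method only when the previous one gives no response or an error.
! An explicit deny from TACACS+ ends the cycle, so "local" is never reached
! on a denied request. Ending the list with "local" keeps the router
! manageable through the local user database when every TACACS+ server is
! unreachable; ending it with "none" would instead let every command
! through in that same situation (authorization silently skipped).
aaa authentication login default group TAC-ADMINS local
aaa authorization exec default group TAC-ADMINS local
aaa authorization commands default group TAC-ADMINS local
!
! Command authorization defaults to none on every line, even with a default
! list configured, so the lists take effect only once a line template
! references them. Task-based authorization continues to run in addition.
line template ADMIN-VTY
 login authentication default
 authorization exec default
 authorization commands default
!
! Bind the template to the VTY pool so remote sessions use these lists.
vty-pool default 0 9 line-template ADMIN-VTY
!
commit
```

Before committing a change like this, keep an existing session open and verify from a second session that a TACACS+-authorized user can still run commands; if the only method after the server group is `none`, test what happens when the server is unreachable, because that is the state in which the list quietly stops enforcing anything.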