Congure AAA Authorization for Roles
Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use
commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those
commands. Users with dened roles can use commands provided their role is permitted to use those commands. Role inheritance is also
used to determine authorization.
Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius,
tacacs+, local, enable, line, and none.
When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three
methods allows users to be authorized with either a password that is not specic to their userid or with no password at all. Because of the
lack of security, these methods are not available for role-based only mode.
To congure AAA authorization, use the aaa authorization exec command in CONFIGURATION mode. The aaa
authorization exec command determines which CLI mode the user will start in for their session; for example, Exec mode or Exec
Privilege mode. For information about how to congure authentication for roles, see Congure AAA Authentication for Roles.
aaa authorization exec {method-list-name | default} method [… method4]
You can further restrict users’ permissions, using the aaa authorization command command in CONFIGURATION mode.
aaa authorization command {method-list-name | default} method [… method4]
Examples of Applying a Method List
The following conguration example applies a method list: TACACS+, RADIUS and local:
!
radius-server host 10.16.150.203 key <clear-text>
!
tacacs-server host 10.16.150.203 key <clear-text>
!
aaa authentication login ucraaa tacacs+ radius local
aaa authorization exec ucraaa tacacs+ radius local
aaa accounting commands role netadmin ucraaa start-stop tacacs+
!
The following conguration example applies a method list other than default to each VTY line.
NOTE
: Note that the methods were not applied to the console so the default methods (if congured) are applied there.
!
line console 0
exec-timeout 0 0
line vty 0
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 1
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 2
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 3
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 4
732
Security
To Next Page
Loading...
Need help?
General
