AAA Authorization Configuration command directory

This chapter describes the commands for authentication, authorization and accounting (AAA). AAA authorization limits the services a user may use. When authorization succeeds, the network access server configures the user's session using the authorization information returned by the authorization server.

aaa authorization

The global configuration command "aaa authorization" sets the parameters that limit a user's access to the network. The "no" form of the command disables authorization for the given function.

aaa authorization network {default | list-name} [method1 [method2...] ]

no aaa authorization network


parameter:

network                Authorization of network-type services
default                Use the default authorization methods list
list-name              Character string naming the authorization methods list
method1 [method2...]   One or more of the keywords listed in the table below


default:

When a user requests authorization and no authorization methods list has been designated on the corresponding line or interface, the default authorization methods list is used. If no default methods list is defined, no authorization takes place.

command mode:

global configuration mode

explanation

The command "aaa authorization" enables authorization, creates an authorization methods list and defines the authorization methods that may be used when a user accesses the designated function. An authorization methods list defines which methods perform authorization and the order in which they are tried. It is simply a named list that describes the authorization methods to be queried in sequence (such as RADIUS and TACACS+). The list may name one or more security protocols for authorization, which guarantees a backup method in case an earlier method fails to answer. In general, the first listed method is tried first in an attempt to authorize the user for the designated network service. If that method does not respond, the next method in the list is selected. The process continues until some authorization method returns a result or all the defined methods have been tried.

Once the authorization methods list is defined, it must be applied to the designated line or interface before the defined methods are executed. As part of the authorization process, the authorization command sends a series of request packets containing AV pairs to the RADIUS or TACACS+ server daemon. The server may take one of the following actions:

· The request is accepted completely

· The request is accepted and the attribute is added to limit the authority of user service

· Request is refused and authorization fails

Keyword of AAA Authorization:

Keyword            Description
group              Use a server group to obtain the authorization information
group-restrict     Use a server group to obtain the authorization information; however, when the user has designated the server to use, the server group is not consulted
tacacs+            Use TACACS+ to obtain the authorization information
if-authenticated   Allow the user to access the requested function if the user has been authenticated
none               Perform no authorization; the request passes unconditionally
local              Use the local database for authorization
radius             Use RADIUS to obtain the authorization information

example

The following example defines the network authorization methods list named "have_a_try". The list designates RADIUS as the authorization method used on serial lines running PPP. If the RADIUS server makes no response, local network authorization is performed.

aaa authorization network have_a_try radius local
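The fallback behaviour described above (the next method is tried only when a server does not respond, while an explicit accept or refusal is final) is easy to get wrong when composing a methods list, so the following Python simulation is added here to make it concrete. It is an illustration written for this page, not the network access server's code: it parses the "aaa authorization network" command line using the keywords from the table, then walks the resulting list against constructed stand-in backends (a silent RADIUS server, a rejecting RADIUS server and a small local database). The usernames, attribute values and backend functions are all constructed for the demonstration.

```python
"""Simulated AAA authorization method-list evaluation.

Added illustration of the method-list fallback semantics; not vendor code.
All backends and users below are constructed stand-ins.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Method keywords the page lists for method1 [method2...].
VALID_METHODS = {"group", "group-restrict", "tacacs+", "if-authenticated",
                 "none", "local", "radius"}


class Result(Enum):
    PASS = "pass"    # request accepted, possibly with limiting attributes
    FAIL = "fail"    # server answered and refused: authorization fails, stop
    ERROR = "error"  # no usable response (server silent): try the next method


@dataclass
class Decision:
    result: Result
    method: Optional[str]                    # which method produced the decision
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_authorization_command(line: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authorization network {default | list-name} [method...]'."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authorization", "network"] or len(tokens) < 4:
        raise ValueError(f"unsupported command: {line!r}")
    list_name, methods = tokens[3], tokens[4:]
    unknown = [m for m in methods if m not in VALID_METHODS]
    if unknown:
        raise ValueError(f"unknown authorization method(s): {unknown}")
    return list_name, methods


# A backend maps a username to a Decision (stand-in for a server or local lookup).
Backend = Callable[[str], Decision]


def authorize(methods: List[str], user: str, backends: Dict[str, Backend],
              authenticated: bool = True) -> Decision:
    """Walk the methods list in order. Only a non-responding method (ERROR)
    hands over to the next one; an explicit accept or refusal is final."""
    for method in methods:
        if method == "none":
            return Decision(Result.PASS, "none")            # no check at all
        if method == "if-authenticated":
            ok = Result.PASS if authenticated else Result.FAIL
            return Decision(ok, "if-authenticated")
        backend = backends.get(method)
        if backend is None:
            raise ValueError(f"no backend configured for method {method!r}")
        decision = backend(user)
        if decision.result is Result.ERROR:
            continue                                         # fall through
        return decision
    return Decision(Result.FAIL, None)                       # list exhausted


# --- constructed backends for the demonstration ----------------------------
LOCAL_USERS = {"alice": {"service": "ppp", "acl": "inbound-10"}}  # constructed


def local_backend(user: str) -> Decision:
    if user in LOCAL_USERS:
        return Decision(Result.PASS, "local", dict(LOCAL_USERS[user]))
    return Decision(Result.FAIL, "local")


def radius_down(user: str) -> Decision:
    return Decision(Result.ERROR, "radius")       # server makes no response


def radius_rejecting(user: str) -> Decision:
    return Decision(Result.FAIL, "radius")        # server answers and refuses


def evaluate(command_line: str, user: str, radius: Backend = radius_down,
             authenticated: bool = True) -> Decision:
    """Parse the command line, then authorize one user against it."""
    _, methods = parse_authorization_command(command_line)
    return authorize(methods, user, {"radius": radius, "local": local_backend},
                     authenticated)


if __name__ == "__main__":
    cmd = "aaa authorization network have_a_try radius local"  # the page's example
    print(evaluate(cmd, "alice"))                    # RADIUS silent -> local PASS
    print(evaluate(cmd, "mallory"))                  # RADIUS silent -> local FAIL
    print(evaluate(cmd, "alice", radius_rejecting))  # explicit refusal is final
    print(evaluate("aaa authorization network default none", "anyone"))
```

Two points worth checking in a real configuration follow directly from the simulation: a list that ends in "none" passes every request once the earlier servers are unreachable, so it should only appear in a list deliberately meant as a permissive fallback, and a RADIUS refusal is never "rescued" by a later local entry, because the fallback applies only when the server gives no answer, exactly as the example above describes.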

Relevant command:

aaa authentication