To set parameters that restrict network access to a user, use the aaa authorization global configuration command. To disable authorization for a function, use the no form of this command.
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...]]
no aaa authorization {network | exec | commands level | reverse-access}
Keyword | Description |
---|---|
network | Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA. |
exec | Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information. |
commands | Runs authorization for all commands at the specified privilege level. |
level | Specific command level that should be authorized. Valid entries are 0 through 15. |
reverse-access | Runs authorization for reverse access connections, such as reverse Telnet. |
default | Uses the listed authorization methods that follow this argument as the default list of methods for authorization. |
list-name | Character string used to name the list of authorization methods. |
method1 [method2...] | One of the keywords listed in Table 9. |
By default, authorization is disabled for all actions (equivalent to the method keyword none). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.
This command is entered in global configuration mode.
Release | Modification |
---|---|
10.0 | This command was introduced. |
This command cannot be used with TACACS or extended TACACS.
Use the aaa authorization command to enable authorization and to create named methods lists, defining authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle, meaning that the security server or local username database responds by denying the user services, the authorization process stops and no other authorization methods are attempted.
Use the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization method(s) tried in the given sequence.
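The fall-through rule above (a silent method is skipped, an explicit deny or accept ends the walk) is easy to get wrong when reasoning about what a given list actually enforces. The following Python model is an added example, not Cisco code, and it treats exhausting the list without any answer as a deny, which is this model's assumption rather than a statement from the page; the responders standing in for a RADIUS server and the local database are constructed for the demonstration.

```python
# Added example (not Cisco's code): a small model of how IOS walks an
# authorization method list. Methods are consulted in order; one that does not
# respond is skipped, the first explicit accept or deny ends the walk, and
# exhausting the list with no answer is treated as deny (an assumption of this
# model, not a statement from the page).
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, DENY = "accept", "deny"
# A responder stands in for a security server or the local database and returns
# ACCEPT, DENY, or None when it does not respond (for example, unreachable).
Responder = Callable[[str], Optional[str]]


def authorize(methods: List[str], responders: Dict[str, Responder], user: str,
              authenticated: bool = True) -> Tuple[str, Optional[str], List[str]]:
    """Walk the method list. Returns (result, deciding_method, methods_tried)."""
    tried: List[str] = []
    for method in methods:
        tried.append(method)
        if method == "none":                       # no authorization performed
            return ACCEPT, method, tried
        if method == "if-authenticated":           # accept any authenticated user
            return (ACCEPT if authenticated else DENY), method, tried
        responder = responders.get(method)
        answer = responder(user) if responder else None
        if answer is None:                         # no response: try the next method
            continue
        return answer, method, tried               # a deny or accept stops the walk
    return DENY, None, tried                       # list exhausted without an answer


# Constructed responders used for the demonstration below.
def radius_unreachable(user: str) -> Optional[str]:
    return None


def radius_denies(user: str) -> Optional[str]:
    return DENY


def local_database(user: str) -> Optional[str]:
    return ACCEPT if user == "alice" else DENY


if __name__ == "__main__":
    servers = {"radius": radius_unreachable, "local": local_database}
    # RADIUS is silent, so the local database is consulted and accepts alice.
    print(authorize(["radius", "local"], servers, "alice"))
    # RADIUS answers with a deny: the local database is never consulted.
    print(authorize(["radius", "local"], {**servers, "radius": radius_denies}, "alice"))
```

The third return value, the methods actually consulted, is the part worth checking when reviewing a list: a deny from the first server means the backup method never runs, so "radius local" is a backup only against an unreachable server, not against a rejecting one.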
Method keywords are described in Table 9.
Cisco IOS software supports the following six methods for authorization:
Keyword | Description |
---|---|
tacacs+ | Requests authorization information from the TACACS+ server. |
if-authenticated | Allows the user to access the requested function if the user is authenticated. |
none | No authorization is performed. |
local | Uses the local database for authorization. |
radius | Uses RADIUS to get authorization information. |
krb5-instance | Uses the instance defined by the kerberos instance map command. |
Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization: network, exec, commands (at a given privilege level), and reverse-access.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:
For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.
There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.
The following example defines the network authorization method list named scoobee, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization will be performed.
aaa authorization network scoobee radius local
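When reviewing a running-config, the questions this page raises are mechanical: does each list include none (no authorization is performed when that method is reached), does a list that depends on a single server have a backup method, and is there a default list for every authorization type that has a named list, since lines and interfaces without an explicitly applied list otherwise get no authorization at all. The parser and audit below are an added example, not Cisco code; the sample configuration is constructed for the demonstration and the finding texts are this example's own wording.

```python
# Added example (not Cisco's code): parse "aaa authorization" lines from a
# running-config and report method-list choices a reviewer would want to see.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Method keywords and authorization types as listed on this page.
VALID_METHODS = {"tacacs+", "if-authenticated", "none", "local", "radius", "krb5-instance"}
AUTHZ_TYPES = {"network", "exec", "commands", "reverse-access"}


@dataclass
class AuthzList:
    authz_type: str          # network | exec | commands | reverse-access
    level: Optional[int]     # privilege level, present only for "commands"
    name: str                # "default" or the list-name
    methods: List[str]       # method keywords in the order they are tried


def parse_aaa_authorization(line: str) -> Optional[AuthzList]:
    """Return an AuthzList for an 'aaa authorization' line, None for other lines."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authorization"]:
        return None
    rest = tokens[2:]
    if not rest or rest[0] not in AUTHZ_TYPES:
        raise ValueError(f"unknown authorization type in line: {line!r}")
    authz_type, level, idx = rest[0], None, 1
    if authz_type == "commands":               # syntax: commands level {default | list-name}
        level = int(rest[1])
        if not 0 <= level <= 15:
            raise ValueError(f"command level out of range: {level}")
        idx = 2
    if len(rest) <= idx + 1:
        raise ValueError(f"missing list name or methods in line: {line!r}")
    name, methods = rest[idx], rest[idx + 1:]
    unknown = [m for m in methods if m not in VALID_METHODS]
    if unknown:
        raise ValueError(f"unknown method keyword(s) {unknown} in line: {line!r}")
    return AuthzList(authz_type, level, name, methods)


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (list label, finding) pairs for every aaa authorization line."""
    lists = [p for p in (parse_aaa_authorization(ln.strip()) for ln in config.splitlines()) if p]
    findings: List[Tuple[str, str]] = []
    for l in lists:
        label = l.authz_type + (f" {l.level}" if l.level is not None else "") + f" {l.name}"
        if "none" in l.methods:
            findings.append((label, "fail-open: 'none' performs no authorization when reached"))
        if len(l.methods) == 1 and l.methods[0] in {"radius", "tacacs+"}:
            findings.append((label, "no backup method if the server does not respond"))
    # A type (and level) with only named lists: lines or interfaces without an
    # explicitly applied list receive no authorization for that type.
    keys = {(l.authz_type, l.level) for l in lists}
    defaults = {(l.authz_type, l.level) for l in lists if l.name == "default"}
    for authz_type, level in sorted(keys - defaults, key=str):
        label = authz_type + (f" {level}" if level is not None else "")
        findings.append((label, "no default list: unlisted lines/interfaces are not authorized"))
    return findings


# Constructed sample configuration for the demonstration (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default tacacs+ local
aaa authorization network scoobee radius local
aaa authorization commands 15 default tacacs+ none
aaa authorization reverse-access default radius
"""

if __name__ == "__main__":
    for label, finding in audit(SAMPLE_CONFIG):
        print(f"{label}: {finding}")
```

Run against the sample, the audit reports the none on the level 15 command list, the reverse-access list with no backup method, and that network authorization has only the named list scoobee and no default list. Whether a trailing none is acceptable on a given line is a policy decision for the operator; the audit only makes the choice visible.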
Command | Description |
---|---|
aaa accounting | Enables AAA accounting of requested services for billing or security purposes. |
aaa new-model | Enables the AAA access control model. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.