Authorization List Configuration

Use the Authorization List Configuration page to view and configure the authorization lists for users who access the CLI and for users who access the network through IEEE 802.1X-enabled ports. Authorization lists are used to determine whether a user is permitted to perform a given activity on the system or network. Several authorization lists are preconfigured on the system. These are default lists, and they cannot be deleted. Additionally, the List Name and Authorization Type settings for the default lists cannot be changed.

To access this page, click System > AAA > Authorization List in the navigation menu.

Authorization List Configuration Fields

Field: Description
List Name: The name of the authorization list. This field can be configured only when adding a new authorization list.
Authorization Type: The type of authorization list, which is one of the following:
  • Command: Determines which CLI commands a user is permitted to issue. When command authorization is enabled, each command a user enters must be validated before the command is executed.
  • EXEC: Determines whether a user can bypass User EXEC mode and enter Privileged EXEC mode directly after a successful Login authentication.
  • Network: Determines whether the user is permitted to access various network services. This authorization type applies to port-based access (IEEE 802.1X) rather than access to the CLI.
Method Options: The method(s) used to authorize a user's access to the device or network services. The possible methods are as follows:
  • TACACS+: When a user issues a CLI command, the device contacts the configured TACACS+ server to verify whether the user is allowed to issue the command. If approved, the command is executed. Otherwise, the command fails.
  • RADIUS: When a user is authenticated by the RADIUS (Remote Authentication Dial In User Service) server, the device downloads a list of permitted/denied commands from the RADIUS server. The list of authorized commands that are associated with the authenticated user is cached during the user's session. If this method is selected, the authentication method for the access type must also be RADIUS.
  • Local: Uses a list stored locally on the system to determine whether the user is authorized to access the given services.
  • None: No authorization is used. If the method is None, the authorization type is effectively disabled.
List Type: The type of authorization list, which is one of the following:
  • Default: The list is preconfigured on the system. This type of list cannot be deleted, and only the Method Options are configurable.
  • Configured: The list has been added by a user.
Access Line: The access method(s) that use the list for authorization. The settings for this field are configured on the Authorization Selection page.

To reset the Method Options for a default authorization list to the factory default values, click the Reset icon associated with the entry. You must confirm the action before the entry is reset.

After you click Add or Edit, a window opens and allows you to configure authorization list settings.

When adding an authorization list, you can configure the List Name and Authorization Type fields as well as the Authorization Methods. When editing an existing authorization list, only the Authorization Methods can be configured. The following information describes how to set the Authorization Methods.

Add New Authorization List Fields

Field: Description
Authorization Methods: This area includes the Available Methods and Selected Methods fields. For lists that allow multiple authorization methods, the order in which you move the method from the Available Methods field to the Selected Methods field determines the order in which the device attempts to authorize the user.
Available Methods: The authorization methods that can be used for the authorization list. Not all methods are available for all lists. To set the authorization method, select the method in the Available Methods field and click the right arrow to move it into the Selected Methods field.
Selected Methods: The authorization methods currently configured for the list. When multiple methods are in this field, the order in which the methods are listed is the order in which the methods will be used to authorize a user. If the user fails to be authorized using the first method, the device attempts to authorize the user by using the next method in the list. No authorization methods can be added after None. To remove a method from this field, select it and click the left arrow to return it to the Available Methods area.
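
The following added example (not part of the product documentation or the device software) audits a set of authorization lists against the rules described above: None must be the last method, None as the first method disables the authorization type, and RADIUS authorization requires RADIUS authentication on the access lines that use the list. The dictionary layout, list names, access line names and function names are assumptions constructed for illustration.

```python
# Added example: audits authorization lists against the rules stated on this page.
# The dict layout, line names and function names are assumptions for illustration.
AUTH_TYPES = {"Command", "EXEC", "Network"}
METHODS = {"TACACS+", "RADIUS", "Local", "None"}

def audit_list(entry, authn_by_line):
    """Return findings for one list; authn_by_line maps access line -> authentication methods."""
    name, methods = entry["name"], entry["methods"]
    findings = []
    if entry["type"] not in AUTH_TYPES:
        findings.append(f"{name}: unknown authorization type {entry['type']!r}")
    unknown = [m for m in methods if m not in METHODS]
    if unknown:
        findings.append(f"{name}: unknown methods {unknown}")
    if not methods:
        return findings + [f"{name}: no methods selected"]
    if "None" in methods[:-1]:
        # The page: no authorization methods can be added after None.
        findings.append(f"{name}: methods listed after None")
    if methods[0] == "None":
        # The page: method None effectively disables the authorization type.
        findings.append(f"{name}: {entry['type']} authorization is effectively disabled")
    elif methods[-1] == "None":
        findings.append(f"{name}: falls back to None if earlier methods do not authorize")
    if "RADIUS" in methods:
        # The page: RADIUS authorization requires RADIUS authentication for the access type.
        for line in entry.get("access_lines", []):
            if "RADIUS" not in authn_by_line.get(line, []):
                findings.append(f"{name}: RADIUS authorization on {line} without RADIUS authentication")
    return findings

def audit(lists, authn_by_line):
    """Collect findings for every list in order."""
    return [f for entry in lists for f in audit_list(entry, authn_by_line)]

# Constructed sample configuration (not taken from a real device).
SAMPLE_AUTHN = {"console": ["Local"], "ssh": ["RADIUS", "Local"]}
SAMPLE_LISTS = [
    {"name": "cmd-ops", "type": "Command", "methods": ["TACACS+", "None"], "access_lines": ["ssh"]},
    {"name": "cmd-radius", "type": "Command", "methods": ["RADIUS"], "access_lines": ["console", "ssh"]},
    {"name": "exec-open", "type": "EXEC", "methods": ["None"], "access_lines": ["console"]},
    {"name": "net-bad", "type": "Network", "methods": ["None", "Local"], "access_lines": []},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTS, SAMPLE_AUTHN):
        print(finding)
```
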