aaa authorization

Use this command to configure command and exec authorization method lists. A list is identified either as default or by a user-specified list-name. If tacacs is specified as the authorization method, each command entered by the user is sent to the TACACS+ server for authorization. If none is specified as the authorization method, command authorization is not performed. A maximum of five authorization method lists can be created for the commands type.

Note

Local method is not supported for command authorization. Command authorization with RADIUS (Remote Authentication Dial In User Service) will work if, and only if, the applied authentication method is also radius.

Per-Command Authorization

When command authorization is configured for a line mode, the user manager sends each command the user enters to the AAA server. The AAA server validates the command and responds with either PASS or FAIL. On PASS the command is executed; otherwise the command is denied and an error message is shown to the user. Utility commands such as tftp and ping, and outbound Telnet, must also pass command authorization. Applying a script is treated as a single command, apply script, and it is that command which goes through authorization. Startup-config commands applied at device boot are not subject to command authorization.

The per-command authorization usage scenario is this:

  1. Configure Authorization Method List:

    aaa authorization commands listname tacacs radius none

  2. Apply AML to an Access Line Mode (console, Telnet, SSH):

    authorization commands listname

  3. Commands entered by the user will go through command authorization via TACACS+ or RADIUS server and will be accepted or denied.
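The three steps above, worked through as an added model written for this page (it is not Extreme's code and does not contact a real server). A constructed TACACS+ stand-in answers PASS, FAIL or unreachable for each command, and the method list is walked the way AAA method lists are conventionally evaluated: the next method is consulted only when the current one cannot answer, an explicit FAIL denies at once, and none always grants. That order semantics is an assumption, since the page does not spell it out. The model also shows the point made above about scripts: the server decides on the single command apply script, not on the script's contents.

```python
# Added example, not part of the Extreme 220 documentation or firmware: a
# small model of how an authorization method list such as
# "aaa authorization commands default tacacs+ none" is evaluated per command.
# Assumption (standard AAA convention, not stated on the page): methods are
# tried in configured order, the next method is consulted only when the
# current one cannot answer (server unreachable), an explicit FAIL denies
# immediately, and "none" always grants.  The TACACS+ server and its policy
# below are constructed stand-ins; no real server is contacted.
from dataclasses import dataclass, field

PASS, FAIL, UNREACHABLE = "PASS", "FAIL", "UNREACHABLE"


@dataclass
class FakeTacacsServer:
    """Constructed stand-in for a TACACS+ server answering per-command requests."""
    reachable: bool = True
    # Constructed policy: user -> command prefixes that user may run.
    policy: dict = field(default_factory=dict)

    def authorize(self, user: str, command: str) -> str:
        if not self.reachable:
            return UNREACHABLE
        for prefix in self.policy.get(user, ()):
            # Match the whole command or a leading word sequence of it.
            if command == prefix or command.startswith(prefix + " "):
                return PASS
        return FAIL


def authorize_command(methods, servers, user, command):
    """Evaluate a method list for one command.

    methods: list such as ["tacacs", "none"], in configured order.
    servers: mapping of method name -> server object (constructed here).
    Returns (verdict, method_that_decided).
    """
    for method in methods:
        if method == "none":
            return PASS, "none"          # no authorization: always accepted
        server = servers.get(method)
        if server is None:
            continue                     # no server for this method: try next
        result = server.authorize(user, command)
        if result in (PASS, FAIL):
            return result, method        # a definite answer ends evaluation
        # UNREACHABLE: fall through to the next method in the list
    return FAIL, "exhausted"             # assumed: no method answered -> deny


def demo():
    """Walk the list from the page's example (tacacs, then none) through several cases."""
    tacacs = FakeTacacsServer(policy={"operator": ("show", "apply script")})
    servers = {"tacacs": tacacs}
    results = {}
    results["show, server up"] = authorize_command(
        ["tacacs", "none"], servers, "operator", "show running-config")
    results["configure, server up"] = authorize_command(
        ["tacacs", "none"], servers, "operator", "configure")
    # The script is authorized as the single command "apply script ...";
    # whatever the script file contains is never seen by the server.
    results["apply script, server up"] = authorize_command(
        ["tacacs", "none"], servers, "operator", "apply script lockdown.scr")
    tacacs.reachable = False
    results["configure, server down, trailing none"] = authorize_command(
        ["tacacs", "none"], servers, "operator", "configure")
    results["configure, server down, no fallback"] = authorize_command(
        ["tacacs"], servers, "operator", "configure")
    return results


if __name__ == "__main__":
    for case, (verdict, decided_by) in demo().items():
        print(f"{case:42} -> {verdict} (decided by {decided_by})")
```

The last two cases show the trade-off a trailing none creates: with the server unreachable, tacacs none accepts every command (fail open), while a list with no fallback denies every command and locks the operator out (fail closed). Pick one deliberately, and monitor TACACS+ reachability either way.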

Exec Authorization

When exec authorization is configured for a line mode, the user may not need to enter the enable command to reach Privileged EXEC mode. If the authorization response indicates that the user has a sufficient privilege level for Privileged EXEC mode, the user bypasses User EXEC mode entirely.

The exec authorization usage scenario is this:

  1. Configure Authorization Method List:

    aaa authorization exec listname method1 [method2....]

  2. Apply AML to an Access Line Mode (console, Telnet, SSH):

    authorization exec listname

  3. When the user logs in, in addition to authentication, authorization will be performed to determine if the user is allowed direct access to Privileged EXEC mode.

Format       aaa authorization {commands|exec} {default|list-name} method1 [method2...]
Mode         Global Config

Parameter    Description
commands     Provides authorization for all user-executed commands.
exec         Provides exec authorization.
default      The default list of methods for authorization services.
list-name    Alphanumeric character string used to name the list of authorization methods.
method       TACACS+, RADIUS, local and none are supported. Local is not supported for command authorization (see the note above).

The following shows an example of the command:

(Extreme 220) (Routing) #
(Extreme 220) (Routing) #configure
(Extreme 220) (Config)#aaa authorization exec default tacacs+ none
(Extreme 220) (Config)#aaa authorization commands default tacacs+ none