Use this command to configure command and exec authorization method lists. Each list is identified by default or a user-specified list-name. If tacacs is specified as the authorization method, commands are sent to a TACACS+ server for authorization. If none is specified as the authorization method, command authorization is not applicable. A maximum of five authorization method lists can be created for the commands type.
Note
Local method is not supported for command authorization. Command authorization with RADIUS (Remote Authentication Dial In User Service) will work if, and only if, the applied authentication method is also radius.
Per-Command Authorization
When authorization is configured for a line mode, the user manager sends information about an entered command to the AAA server. The AAA server validates the received command and responds with either a PASS or FAIL response. If approved, the command is executed. Otherwise, the command is denied and an error message is shown to the user. Utility commands such as tftp and ping, and outbound Telnet, should also pass command authorization. Applying a script is treated as a single command, apply script, which also goes through authorization. Startup-config commands applied on device boot-up are not subject to the authorization process.
The per-command authorization usage scenario is this:
aaa authorization commands listname tacacs radius none
authorization commands listname
Exec Authorization
When exec authorization is configured for a line mode, the user may not be required to use the enable command to enter Privileged EXEC mode. If the authorization response indicates that the user has sufficient privilege levels for Privileged EXEC mode, then the user bypasses User EXEC mode entirely.
The exec authorization usage scenario is this:
aaa authorization exec listname method1 [method2....]
authorization exec listname
Format | aaa authorization {commands|exec} {default|list-name} method1[method2] |
Mode | Global Config |
Parameter | Description |
---|---|
commands | Provides authorization for all user-executed commands. |
exec | Provides exec authorization. |
default | The default list of methods for authorization services. |
list-name | Alphanumeric character string used to name the list of authorization methods. |
method | TACACS+/RADIUS/Local and none are supported. |
The following shows an example of the command:
(Extreme 220) (Routing) #
(Extreme 220) (Routing) #configure
(Extreme 220) (Config) (Config)#aaa authorization exec default tacacs+ none
(Extreme 220) (Config) (Config)#aaa authorization commands default tacacs+ none
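The following is an added example, not part of the original documentation or of any Extreme tooling: a small Python audit that parses aaa authorization lines from saved configuration text (without CLI prompts) and checks them against the constraints stated above. The function names, the sample configuration, and the login_auth_is_radius parameter (whether the applied authentication method is radius) are assumptions made for the example.

```python
import re

# Documented form: aaa authorization {commands|exec} {default|list-name} method1 [method2 ...]
LINE_RE = re.compile(r"^aaa authorization (commands|exec) (\S+) (.+)$")
KNOWN = {"tacacs", "tacacs+", "radius", "local", "none"}
MAX_COMMAND_LISTS = 5  # limit stated on the page for the commands type

def parse_lists(config_text):
    """Return [(type, list_name, [methods])] for every aaa authorization line."""
    lists = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            lists.append((m.group(1), m.group(2), m.group(3).lower().split()))
    return lists

def audit(config_text, login_auth_is_radius=False):
    """Return (list_name, message) findings; login_auth_is_radius is a caller-supplied assumption."""
    findings = []
    lists = parse_lists(config_text)
    n_cmd = sum(1 for kind, _, _ in lists if kind == "commands")
    if n_cmd > MAX_COMMAND_LISTS:
        findings.append(("*", f"{n_cmd} commands lists exceed the maximum of {MAX_COMMAND_LISTS}"))
    for kind, name, methods in lists:
        for method in methods:
            if method not in KNOWN:
                findings.append((name, f"unknown method '{method}'"))
        if kind != "commands":
            continue
        if "local" in methods:
            findings.append((name, "local is not supported for command authorization"))
        if "radius" in methods and not login_auth_is_radius:
            findings.append((name, "radius command authorization requires radius authentication"))
        if "none" in methods:
            findings.append((name, "none listed: command authorization is not applicable under this method"))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
aaa authorization exec default tacacs+ none
aaa authorization commands default tacacs+ none
aaa authorization commands mgmt tacacs radius none
aaa authorization commands console local
"""

if __name__ == "__main__":
    for name, message in audit(SAMPLE):
        print(f"{name}: {message}")
```

Lists that include none are reported so that a reviewer can confirm that running commands without authorization under that method is intended.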