authorization

Configures AAA TACACS authorization parameters. This feature allows network administrators to limit user accessibility and configure varying levels of accessibility for different users.

Supported on the following devices:

- Access Points: AP3000/X, AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533
- Service Platforms: NX5500, NX7500, NX9500, NX9600
- Virtual Platforms: CX9000, VX9000

Syntax

authorization [access-method|allow-privileged-commands|server]
authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
authorization server [<1-2>|preference]
authorization server <1-2> [host|retry-timeout-factor|timeout]
authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authorization server <1-2> retry-timeout-factor <50-200>
authorization server <1-2> timeout <3-5> {attempts <1-3>}
authorization server preference [authenticated-server-host|authenticated-server-number|none]

Parameters

authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}

| access-method | Configures the access method for command authorization |
| all | Authorizes commands from all access methods |
| console | Authorizes commands from the console only |
| telnet | Authorizes commands from Telnet only |
| ssh | Authorizes commands from SSH only |
| {console|ssh|telnet} | Optional. Configures more than one access method for command authorization |

authorization allow-privileged-commands

| allow-privileged-commands | Allows privileged commands execution without command authorization. This option is disabled by default. |

authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}

| server <1-2> | Configures a TACACS authorization server. Up to 2 TACACS servers can be configured. <1-2> – Specify the TACACS server index from 1 - 2. |
| host <IP/HOSTNAME> | Sets the TACACS server's IP address or hostname |
| secret [0 <SECRET>|2 <SECRET>|<SECRET>] | Optional. Configures the secret used to authorize with the TACACS server. 0 <SECRET> – Configures a clear text secret. 2 <SECRET> – Configures an encrypted secret. <SECRET> – Specify the secret key. The shared key should not exceed 127 characters. |
| port <1-65535> | Optional. Specifies the port used to connect to the TACACS server. <1-65535> – Specify a value for the TCP authorization port from 1 - 65535. The default port is 49. |

authorization server <1-2> retry-timeout-factor <50-200>

| server <1-2> | Configures a TACACS authorization server. Up to 2 TACACS servers can be configured. <1-2> – Specify the TACACS server index from 1 - 2. |
| retry-timeout-factor <50-200> | Configures the scaling of timeouts between consecutive TACACS authorization retries. <50-200> – Specify the scaling factor from 50 - 200. The default is 100. A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the interval between consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between consecutive retries increases with each successive retry. |

authorization server <1-2> timeout <3-5> {attempts <1-3>}

| server <1-2> | Configures a TACACS authorization server. Up to 2 TACACS servers can be configured. <1-2> – Specify the TACACS server's index from 1 - 2. |
| timeout <3-5> | Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted. <3-5> – Specify a value from 3 - 5 seconds. The default is 3 seconds. |
| attempts <1-3> | Optional. Indicates the number of retry attempts to make before giving up. <1-3> – Specify a value from 1 - 3. The default is 3. |

authorization server preference [authenticated-server-host|authenticated-server-number|none]

| preference | Configures the authorization server preference |
| authenticated-server-host | Sets the authentication server as the authorization server. This parameter indicates the same server is used for authentication and authorization. The server is referred to by its hostname. |
| authenticated-server-number | Sets the authentication server as the authorization server. This parameter indicates the same server is used for authentication and authorization. The server is referred to by its index or number. |
| none | Indicates the authorization server is independent of the authentication server |

      
Examples

nx9500-6C8809(config-aaa-tacacs-policy-test)#authorization allow-privileged-commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#
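
The following is an added example, not part of the product documentation or its tooling: a small Python check that reviews the authorization lines of a saved `show context` capture or config template against the options and value ranges described above. The function name, the finding texts and the sample policy (including its address and secret) are constructed for illustration.

```python
# Value ranges copied from the syntax on this page.
RANGES = {"port": (1, 65535), "timeout": (3, 5), "attempts": (1, 3),
          "retry-timeout-factor": (50, 200)}
METHODS = {"console", "ssh", "telnet"}

def audit_authorization(config_text):
    """Return sorted findings for the 'authorization' lines of one TACACS policy."""
    findings, covered, saw_method = set(), set(), False
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "authorization":
            continue
        if tok[1] == "allow-privileged-commands":
            findings.add("privileged commands run without command authorization")
        elif tok[1] == "access-method":
            saw_method = True
            covered |= METHODS if "all" in tok[2:] else METHODS & set(tok[2:])
        elif tok[1] == "server" and len(tok) > 2 and tok[2].isdigit():
            idx = tok[2]
            if idx not in ("1", "2"):
                findings.add(f"server {idx}: index outside 1-2")
            # 'secret 0 <SECRET>' is the clear-text form described on this page.
            if "secret" in tok:
                after = tok[tok.index("secret") + 1:]
                if len(after) >= 2 and after[0] == "0" and after[1] != "port":
                    findings.add(f"server {idx}: shared secret stored in clear text")
            for key, (lo, hi) in RANGES.items():
                if key in tok:
                    val = tok[tok.index(key) + 1:tok.index(key) + 2]
                    if not val or not val[0].isdigit() or not lo <= int(val[0]) <= hi:
                        findings.add(f"server {idx}: {key} outside {lo}-{hi}")
    missing = METHODS - covered
    if saw_method and missing:
        findings.add("access-method does not cover: " + ", ".join(sorted(missing)))
    return sorted(findings)

# Constructed sample: lines follow the syntax on this page; the address
# (RFC 5737 documentation range) and the secret are made up.
SAMPLE = """\
aaa-tacacs-policy test
 authorization access-method ssh console
 authorization allow-privileged-commands
 authorization server 1 host 192.0.2.10 secret 0 example-secret port 49
 authorization server 1 timeout 5 attempts 3
 authorization server 2 retry-timeout-factor 250
"""

if __name__ == "__main__":
    for finding in audit_authorization(SAMPLE):
        print(finding)
```

Run against the `show context` output in the example above, the check reports only the `allow-privileged-commands` finding.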