authorization

Configures AAA TACACS authorization parameters. This feature allows network administrators to limit user accessibility and configure varying levels of accessibility for different users.

Supported on the following devices:

Syntax

authorization [access-method|allow-privileged-commands|server]
authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
authorization server [<1-2>|preference]
authorization server <1-2> [host|retry-timeout-factor|timeout]
authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authorization server <1-2> retry-timeout-factor <50-200>
authorization server <1-2> timeout <3-5> {attempts <1-3>}
authorization server preference [authenticated-server-host|authenticated-server-number|none]

Parameters

authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
access-method Configures the access method for command authorization
all Authorizes commands from all access methods
console Authorizes commands from the console only
telnet Authorizes commands from Telnet only
ssh Authorizes commands from SSH only
{console|ssh|telnet} Optional. Configures more than one access method for command authorization
authorization allow-privileged-commands
allow-privileged-commands Allows privileged commands execution without command authorization. This option is disabled by default.
authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
server <1-2> Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
host <IP/HOSTNAME> Sets the TACACS server's IP address or hostname
secret [0 <SECRET>| 2 <SECRET>|<SECRET>] Optional. Configures the secret used to authorize with the TACACS server
  • 0 <SECRET> – Configures a clear text secret
  • 2 <SECRET> – Configures an encrypted secret
  • <SECRET> – Specify the secret key. The shared key should not exceed 127 characters.
port <1-65535> Optional. Specifies the port used to connect to the TACACS server
  • <1-65535> – Specify a value for the TCP authorization port from 1 - 65535. The default port is 49.
authorization server <1-2> retry-timeout-factor <50-200>
server <1-2> Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
retry-timeout-factor <50-200> Configures the scaling of timeouts between consecutive TACACS authorization retries
  • <50-200> – Specify the scaling factor from 50 - 200. The default is 100.

A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries.

A value less than 100 indicates the interval between consecutive retries reduces with each successive retry.

A value greater than 100 indicates the interval between consecutive retries increases with each successive retry.

authorization server <1-2> timeout <3-5> {attempts <1-3>}
server <1-2> Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server's index from 1 - 2.
timeout <3-5> Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
  • <3-5> – Specify a value from 3 - 5 seconds. The default is 3 seconds.
attempts <1-3> Optional. Indicates the number of retry attempts to make before giving up
  • <1-3> – Specify a value from 1 - 3. The default is 3.
authorization server preference [authenticated-server-host|authenticated-server-number|none]
preference Configures the authorization server preference
authenticated-server-host Sets the authentication server as the authorization server

This parameter indicates the same server is used for authentication and authorization. The server is referred to by its hostname.

authenticated-server-number Sets the authentication server as the authorization server

This parameter indicates the same server is used for authentication and authorization. The server is referred to by its index or number.

none Indicates the authorization server is independent of the authentication server

Examples

nx9500-6C8809(config-aaa-tacacs-policy-test)#authorization allow-privileged-commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#
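
The following audit sketch is an added example, not part of the original reference or the vendor's tooling. It scans an aaa-tacacs-policy context for the authorization settings described above that weaken command authorization. The function name, the sample hosts and secrets, and the assumption that `show context` prints server and access-method lines in the same form as the command syntax are all constructed for illustration.

```python
import re

# Constructed sample in the style of `show context`; host names and secrets are placeholders.
SAMPLE_CONTEXT = """\
aaa-tacacs-policy test
 authentication directed-request
 authorization access-method ssh
 authorization allow-privileged-commands
 authorization server 1 host 192.0.2.10 secret 0 EXAMPLE-SECRET port 49
 authorization server 2 host tacacs2.example.net secret 2 EXAMPLE-ENCRYPTED
 accounting commands
"""

# Mirrors: authorization server <1-2> host <IP/HOSTNAME> {secret [0|2] <SECRET>} {port <1-65535>}
SERVER_RE = re.compile(
    r"^authorization server (?P<idx>[12]) host (?P<host>\S+)"
    r"(?: secret (?:(?P<kind>[02]) )?(?P<secret>\S+))?(?: port (?P<port>\d+))?$"
)
ACCESS_METHODS = {"console", "ssh", "telnet"}


def audit_tacacs_authorization(context: str) -> list[str]:
    """Return one finding per risky authorization line in an aaa-tacacs-policy context."""
    findings = []
    for raw in context.splitlines():
        line = raw.strip()
        if line == "authorization allow-privileged-commands":
            # Off by default; when present, privileged commands skip command authorization.
            findings.append("allow-privileged-commands: privileged commands run without command authorization")
        elif line.startswith("authorization access-method "):
            methods = set(line.split()[2:])
            uncovered = sorted(ACCESS_METHODS - methods)
            if "all" not in methods and uncovered:
                findings.append("access-method: no command authorization for " + ", ".join(uncovered))
        else:
            m = SERVER_RE.match(line)
            if m and m["kind"] == "0":
                # Type 0 marks a clear-text secret, readable by anyone who can view the config.
                findings.append(f"server {m['idx']} ({m['host']}): clear-text secret (type 0)")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs_authorization(SAMPLE_CONTEXT):
        print("FINDING:", finding)
```

Run against the `show context` output in the example above, it reports only the `allow-privileged-commands` line.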

Related Commands

no (aaa-tacacs-policy-config-mode-command) Resets values or disables commands