Configuring AAA Authorization

You can restrict the type of operation users can perform or the network resources they can access by using the AAA authorization service. After AAA authorization is enabled and configured, user profiles are stored on the local database or in a remote security server. From information in these profiles, users' sessions are configured after they have been authenticated.

AAA supports five different methods of authorization:

■ TACACS+—User profile information is stored on a remote security server that has TACACS+ services running. The network access server communicates with the TACACS+ service to configure the user's session.

■ If-authenticated—The user is allowed to access the requested function provided that authentication has already succeeded.

■ None—Authorization is not performed over this line or interface.

■ Local—User information is stored locally on the router or access server.

■ RADIUS—User profile information is stored on a remote security server. The router or access server requests authorization information from the RADIUS security server.

AAA authorization controls the user's activity by permitting or denying the type of network access a user can start (PPP, SLIP, ARAP), the commands the user can execute, and more. The seven types of AAA authorization supported on the Cisco IOS Software are as follows:

■ Auth-proxy—Applies specific security policies on a per-user basis.

■ Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

■ EXEC—Applies to a user EXEC terminal session.

■ Network—Applies to network connections. This can include a PPP, SLIP, or ARAP connection.

■ Reverse access—Applies to reverse telnet sessions.

■ Configuration—Applies to downloading configurations from the AAA server.

■ IP mobile—Applies to authorization for IP mobile services.

The syntax for the aaa authorization command is as follows:

Router(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2]]

Table 7-5 shows aaa authorization command parameters.

Table 7-5 aaa authorization Command Parameters

Keyword           Description
network           Enables authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
auth-proxy        Enables authorization that applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, see Chapter 15, "Authentication Proxy and the Cisco IOS Firewall."
exec              Enables authorization to determine whether a user is allowed to run an EXEC shell.
commands          Enables authorization for specific, individual EXEC commands associated with a specific privilege level. This enables you to authorize all commands associated with a specified command level from 0 to 15.
reverse-access    Enables authorization for reverse telnet functions.
configuration     Downloads the configuration from the AAA server.
default           Uses the listed authentication methods that follow this argument as the default list of methods for authorization.
level             Specific command level that should be authorized, from 0 through 15.
list-name         Character string used to name the list of authentication methods.
method            Specifies at least one of the keywords that follow.
group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

(This table has been reproduced by Cisco Press with the permission of Cisco Systems Inc. Copyright © 2003 Cisco Systems, Inc. All Rights Reserved.)

The following steps outline the configuration procedure for AAA authorization methods:

Step 1 Create an authorization method list for a particular authorization type and enable authorization.

Router(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]

Step 2 Enter the line configuration mode for the lines to which you want to apply the authorization method list.

Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]

Step 3 Apply the authorization list to a line or set of lines.

Router(config-line)# authorization {arap | commands level | exec | reverse-access} {default | list-name}
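The three steps above produce global method lists plus line-mode references to them, and two mistakes are easy to make: a list that names a server group with no fallback method, and a line that applies a list name that was never defined. The following audit script is an added example, not part of the original page or of Cisco IOS; it parses a constructed configuration fragment and reports those cases together with any list that ends in none.

```python
import re

# Constructed sample configuration (not the page's Example 7-4): one list
# falls back to local, one has no fallback at all, one ends in "none",
# and one line block applies a list that was never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 admins group tacacs+
aaa authorization network dialin group radius none
line vty 0 4
 authorization exec default
 authorization commands 15 admins
line aux 0
 authorization exec oob-users
"""

# Global "aaa authorization <type> <list-name> <method1> [method2 ...]"
AUTHZ_RE = re.compile(
    r"^aaa authorization "
    r"(auth-proxy|network|exec|commands \d+|reverse-access|configuration|ipmobile) "
    r"(\S+) (.+)$")
# Line-mode "authorization <type> <list-name>" (indented under "line ...")
LINE_AUTHZ_RE = re.compile(
    r"^\s+authorization (arap|commands \d+|exec|reverse-access) (\S+)$")

def audit(config):
    """Return human-readable findings about the authorization method lists."""
    lists = {}      # (authorization type, list-name) -> [method, ...]
    findings = []
    for line in config.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            # "group radius" is a single method; keep the two words together
            lists[(m.group(1), m.group(2))] = re.findall(r"group \S+|\S+", m.group(3))
            continue
        m = LINE_AUTHZ_RE.match(line)
        if m and (m.group(1), m.group(2)) not in lists:
            findings.append(f"line applies undefined {m.group(1)} list '{m.group(2)}'")
    for (typ, name), methods in lists.items():
        if "none" in methods:
            findings.append(f"{typ} list '{name}' contains 'none': requests are "
                            f"granted unchecked once earlier methods fail to respond")
        if len(methods) == 1 and methods[0].startswith("group "):
            findings.append(f"{typ} list '{name}' has no fallback: authorization "
                            f"fails for everyone if the server group is unreachable")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```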

Example 7-4 shows a sample configuration of a NAS, enabled for AAA and for communication with a RADIUS security server, in which the AAA services are provided by the RADIUS server. If the RADIUS server fails to respond, the local database is queried for authentication and authorization information.

Example 7-4 Configuring a NAS for AAA Services Provided by the RADIUS Server

Router(config)#aaa new-model
Router(config)#aaa authentication login admins local
Router(config)#aaa authorization network la-users group radius local
Router(config)#username mark password whatisthema7r1x
Router(config)#radius-server host 10.2.1.17
Router(config)#radius-server key ToPs3cret
Router(config)#interface group-async 1
Router(config-if)#group-range 1 16
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap admins
Router(config-if)#ppp authorization la-users
Router(config)#line 1 16
Router(config-line)#autoselect ppp
Router(config-line)#modem dialin

The lines in this sample RADIUS AAA configuration are defined as follows:

■ The aaa new-model command enables AAA network security services.

■ The aaa authentication ppp dialins group radius local command defines the authentication method list dialins, which specifies that RADIUS authentication and then (if the RADIUS server does not respond) local authentication is used on serial lines using PPP.

■ The aaa authorization network la-users group radius local command defines the network authorization method list named la-users, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization is performed.

■ The username command defines the username and password to be used for the PPP Password Authentication Protocol (PAP) caller identification.

■ The radius-server host command defines the name of the RADIUS server host.

■ The radius-server key command defines the shared secret text string between the NAS and the RADIUS server host.

■ The interface group-async command selects and defines an asynchronous interface group.

■ The ppp authentication chap dialins command selects Challenge Handshake Authentication Protocol (CHAP) as the method of PPP authentication and applies the dialins method list to the specified interfaces.

■ The ppp authorization la-users command applies the la-users network authorization method list to the specified interfaces.
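The fallback described for la-users (and the if-authenticated and none methods listed earlier) depends on a detail worth seeing in code: Cisco IOS moves to the next method in a list only when the previous method does not respond, while an explicit deny from a responding server ends the walk. The simulation below is an added example, not code from the page or from Cisco IOS; the RADIUS and local methods are constructed stand-ins, and the only local user is the username mark from Example 7-4.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # the method answered and granted the request
    FAIL = "fail"    # the method answered and denied the request
    ERROR = "error"  # the method could not answer (for example, server unreachable)

# Constructed stand-ins for the "group radius" method and the local
# username database; they are not real RADIUS clients.
def make_radius(reachable, allowed_users):
    """Return a method that models a RADIUS server group."""
    def radius(user, authenticated):
        if not reachable:
            return Result.ERROR
        return Result.PASS if user in allowed_users else Result.FAIL
    return radius

def make_local(local_users):
    """Return a method that models the router's local username database."""
    def local(user, authenticated):
        return Result.PASS if user in local_users else Result.FAIL
    return local

def if_authenticated(user, authenticated):
    """The if-authenticated method: grant if authentication already succeeded."""
    return Result.PASS if authenticated else Result.FAIL

def none(user, authenticated):
    """The none method: no authorization is performed, everything is granted."""
    return Result.PASS

def authorize(method_list, user, authenticated=True):
    """Walk the method list the way IOS does: the next method is tried only
    when the previous one returned ERROR. A FAIL ends the walk with a deny,
    and if every method errors the request is also denied."""
    for method in method_list:
        result = method(user, authenticated)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False
    return False

# Example 7-4's "aaa authorization network la-users group radius local",
# with the router knowing only the local username "mark" (constructed data)
LA_USERS_SERVER_DOWN = [make_radius(reachable=False, allowed_users=set()),
                        make_local({"mark"})]
LA_USERS_SERVER_DENIES = [make_radius(reachable=True, allowed_users=set()),
                          make_local({"mark"})]
```

With the server down, mark is authorized through the local fallback; with the server up and denying, the local entry is never consulted.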
