Configuring AAA Authorization

You can restrict the type of operation users can perform or the network resources they can access by using the AAA authorization service. After AAA authorization is enabled and customized, user profiles are stored on the local database or in a remote security server. From information in these profiles, users' sessions are configured after they have been authenticated.

AAA supports six different methods of authorization:

• TACACS+ User profile information is stored on a remote security server that has TACACS+ services running. The network access server communicates with the TACACS+ service to configure the user's session.

• If-authenticated Successful authentication is required first before the user is allowed to access the requested function.

• None Authorization is not performed over this line or interface.

• Local User information is stored locally on the router or access server.

• RADIUS User profile information is stored on a remote security server. The router or access server requests authorization information from the RADIUS security server.

• Kerberos instance map The router or access server uses the instance defined by the kerberos instance map command to authorize.

AAA authorization controls the user's activity by permitting or denying which type of network access a user can start (PPP, Serial Line Internet Protocol [SLIP], AppleTalk Remote Access Protocol [ARAP]), what type of commands the user can execute, and more. Cisco IOS Software supports the following 11 types of AAA authorization:

• auth-proxy Applies specific security policies on a per-user basis. It requires the Cisco IOS Firewall feature set.

• commands Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

• exec Applies to a user EXEC terminal session.

• network Applies to network connections. This can include a PPP, SLIP, or ARAP connection.

• reverse-access Applies to reverse Telnet sessions.

• configuration Applies to downloading configurations from the AAA server.

• ipmobile Applies to authorization for IP mobile services.

• cache filterserver Applies to the authorization for caches and the downloading of access control list (ACL) configurations from a RADIUS filter server.

• config-commands Applies to configuration mode commands a user issues. Identical commands in configuration and EXEC mode can lead to some confusion in the authorization process. This command clears the intended authorization to the specific mode.

• console Applies to authorization of the console line. This command must be used in conjunction with the authorization command on the console line.

• template Applies to the use of customer templates for virtual private network (VPN) routing and forwarding (VRF). The templates may be local or remote.

The syntax for the aaa authorization command is as follows:

aaa authorization {auth-proxy | network | cache filterserver | exec | commands level | config-commands | console | reverse-access | configuration | ipmobile | template} {default | list-name} [method1 [method2 ...]]

Table 7-6 shows the aaa authorization command parameters.

Parameter: network

Description: Enables authorization for all network-related service requests, including SLIP, PPP, PPP Network Control Programs (NCP), ARAP, and 802.1X virtual LAN (VLAN) assignments.
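As an added example, not taken from the original page, the following configuration shows how the methods and authorization types described above combine on a Cisco IOS router: TACACS+ as the primary method with a local fallback, command authorization extended to configuration mode and to the console line, and the named list bound to the lines. The server address, key, and username are assumed placeholders.

```cisco
! Added example (not from the original page). 192.0.2.10 is an RFC 5737
! documentation address; the key and local username/secret are placeholders.
aaa new-model
!
! Remote security server holding the user profiles (TACACS+ method).
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! Local user consulted only when every TACACS+ server is unreachable
! (local method); a dead server must not leave the router unmanageable.
username netadmin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
aaa authentication login default group tacacs+ local
!
! exec: authorize the EXEC shell itself. Falling back to "local" rather
! than "none" keeps authorization enforced when the server is down.
aaa authorization exec default group tacacs+ local
!
! commands: per-command authorization for privilege level 15, which
! includes global configuration commands. "if-authenticated" as the last
! method permits any already-authenticated user if the server is unreachable.
aaa authorization commands 15 PRIV15-AUTHZ group tacacs+ if-authenticated
!
! config-commands: also authorize commands entered in configuration mode,
! the "identical command in both modes" case described in the text.
aaa authorization config-commands
!
! console: the console line is exempt from authorization unless this is set.
aaa authorization console
!
! network: authorize PPP, SLIP, and ARAP service requests.
aaa authorization network default group tacacs+ local
!
! Bind the named command list to the lines; "default" lists apply without
! an explicit line command, named lists do not.
line con 0
 login authentication default
 authorization exec default
 authorization commands 15 PRIV15-AUTHZ
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 PRIV15-AUTHZ
```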
