Полезная информация

cc/td/doc/product/software/ios120/12cgcr/secur_r
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Authorization Commands

Authorization Commands

This chapter describes the commands used to configure authentication, authorization, and accounting (AAA) authorization. AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

For information on how to configure authorization using AAA, refer to the "Configuring Authorization" chapter in the Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "Authorization Configuration Examples" section located at the end of the "Configuring Authorization" chapter in the Security Configuration Guide.

aaa authorization

Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.

aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...] ]
no aaa authorization {network | exec | commands level | reverse-access}

Syntax Description

network

Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA.

exec

Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.

commands

Runs authorization for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are
0 through 15.

reverse-access

Runs authorization for reverse access connections, such as reverse Telnet.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization.

list-name

Character string used to name the list of authorization methods.

method1 [method2...]

One of the keywords listed in Table 9.

Default

Authorization is disabled for all actions (equivalent to the method keyword none). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.


Note This command cannot be used with TACACS or extended TACACS.

Use the aaa authorization command to enable authorization and to create named methods lists, defining authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.


Note The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle---meaning that the security server or local username database responds by denying the user services---the authorization process stops and no other authorization methods are attempted.

Use the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization method(s) tried in the given sequence.

Method keywords are described in Table 9.


Table 9: AAA Authorization Methods
Keyword Description

tacacs+

Requests authorization information from the TACACS+ server.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

none

No authorization is performed.

local

Uses the local database for authorization.

radius

Uses RADIUS to get authorization information.

krb5-instance

Uses the instance defined by the kerberos instance map command.

Cisco IOS software supports the following six methods for authorization:

Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization:

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.

Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.

The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.


Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.

Example

The following example defines the network authorization method list named scoobee, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization will be performed.

aaa authorization network scoobee radius local

Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa accounting
aaa new-model

aaa authorization config-commands

To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.

aaa authorization config-commands
no aaa authorization config-commands

Syntax Description

This command has no arguments or keywords.

Default

After the aaa authorization command level method has been issued, this command is enabled by default---meaning that all configuration commands in the EXEC mode will be authorized.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

If aaa authorization command level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.

After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization command level method command.

Example

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands

Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa authorization

aaa authorization reverse-access

To configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session, use the aaa authorization reverse-access global configuration command. Use the no form of this command to restore the default value for this command.

aaa authorization reverse-access {radius | tacacs+}
no aaa authorization reverse-access {radius | tacacs+}

Syntax Description

radius

Specifies that the network access server will request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session.

tacacs+

Specifies that the network access server will request authorization from a TACACS+ security server before allowing a user to establish a reverse Telnet session.

Default

The default for this command is disabled, meaning that authorization for reverse Telnet is not requested.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

Telnet is a standard terminal emulation protocol used for remote terminal connection. Normally, you log in to a network access server (typically through a dialup connection) and then use Telnet to access other network devices from that network access server. There are times, however, when it is necessary to establish a reverse Telnet session. In reverse Telnet sessions, the Telnet connection is established in the opposite direction---from inside a network to a network access server on the network periphery to gain access to modems or other devices connected to that network access server. Reverse Telnet is used to provide users with dialout capability by allowing them to Telnet to modem ports attached to a network access server.

It is important to control access to ports accessible through reverse Telnet. Failure to do so could, for example, allow unauthorized users free access to modems where they can trap and divert incoming calls or make outgoing calls to unauthorized destinations.

Authentication during reverse Telnet is performed through the standard AAA login procedure for Telnet. Typically the user has to provide a username and password to establish either a Telnet or reverse Telnet session. This command provides an additional (optional) level of security by requiring authorization in addition to authentication. When this command is enabled, reverse Telnet authorization can use RADIUS or TACACS+ to authorize whether or not this user is allowed reverse Telnet access to specific asynchronous ports, after the user successfully authenticates through the standard Telnet login procedure.

Examples

The following example causes the network access server to request authorization information from a TACACS+ security server before allowing a user to establish a reverse Telnet session:

aaa new-model
aaa authentication login default tacacs+
aaa authorization reverse-access tacacs+
!
tacacs-server host 172.31.255.0
tacacs-server timeout 90
tacacs-server key goaway

The lines in this sample TACACS+ reverse Telnet authorization configuration are defined as follows:

The following example configures a generic TACACS+ server to grant a user, "jim," reverse Telnet access to port tty2 on the network access server named godzilla and to port tty5 on the network access server named gamera:

user = jim
    login = cleartext lab
    service = raccess {
        port#1 = godzilla/tty2
        port#2 = gamera/tty5

Note In this example, "godzilla" and "gamera" are the configured host names of network access servers, not DNS names or alias.

The following example configures the TACACS+ server (CiscoSecure) to authorize a user named Jim for reverse Telnet:

user = jim
profile_id = 90
profile_cycle = 1
member = Tacacs_Users
service=shell {
default cmd=permit
}
service=raccess {
allow "c2511e0" "tty1" ".*"
refuse ".*" ".*" ".*"
password = clear "goaway"

Note CiscoSecure only supports reverse Telnet using the command line interface in versions 2.1(x) through version 2.2(1).

An empty "service=raccess {}" clause permits a user to have unconditional access to network access server ports for reverse Telnet. If no "service=raccess" clause exists, the user is denied access to any port for reverse Telnet.

For more information about configuring TACACS+, refer to the "Configuring TACACS+" chapter in the Security Configuration Guide. For more information about configuring CiscoSecure, refer to the CiscoSecure Access Control Server User Guide, version 2.1(2) or greater.

The following example causes the network access server to request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session:

aaa new-model
aaa authentication login default radius
aaa authorization reverse-access radius
!
radius-server host 172.31.255.0
radius-server key go away

The lines in this sample RADIUS reverse Telnet authorization configuration are defined as follows:

The following example configures the RADIUS server to grant a user named "jim" reverse Telnet access at port tty2 on network access server godzilla:

Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=godzilla/tty2"

An empty "raccess:port#1=nasname1/tty2" clause permits a user to have unconditional access to network access server ports for reverse Telnet. If no "raccess:port#1=nasname1/tty2" clause exists, the user is denied access to any port for reverse Telnet.

For more information about configuring RADIUS, refer to the "Configuring RADIUS" chapter in the Security Configuration Guide.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa authorization

aaa new-model

To enable the AAA access control model, use the aaa new-model global configuration command. Use the no form of this command to disable the AAA access control model.

aaa new-model
no aaa new-model

Syntax Description

This command has no arguments or keywords.

Default

AAA is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command enables the AAA access control system. After you have enabled AAA, TACACS and extended TACACS commands are no longer available. If you initialize AAA functionality and later decide to use TACACS or extended TACACS, issue the no version of this command then enable the version of TACACS that you want to use.

Example

The following example initializes AAA:

aaa new-model

Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa accounting
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization
tacacs-server key

authorization

To enable AAA authorization for a specific line or group of lines, use the authorization line configuration command. Use the no form of this command to disable authorization.

authorization {arap | commands level | exec | reverse-access} [default | list-name]
no authorization {arap | commands level | exec | reverse-access} [default | list-name]

Syntax Description

arap

Enables authorization for line(s) configured for AppleTalk Remote Access (ARA) protocol.

commands

Enables authorization on the selected line(s) for all commands at the specified privilege level.

level

Specific command level to be authorized. Valid entries are 0 through  15.

exec

Enables authorization to determine if the user is allowed to run an EXEC shell on the selected line(s).

reverse-access

Enables authorization to determine if the user is allowed reverse access privileges.

default

(Optional) The name of the default method list, created with the aaa authorization command.

list-name

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Default

Authorization is not enabled.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3T.

After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.

Example

The following example enables command authorization (for level 15) using the method list named charlie on line 10:

line 10
  authorization commands 15 charlie

Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa accounting
aaa authentication arap
login authentication
nasi authentication

ppp authorization

To enable AAA authorization on the selected interface, use the ppp authorization interface configuration command. Use the no form of this command to disable authorization.

ppp authorization [default | list-name]
no ppp authorization

Syntax Description

default

(Optional) The name of the method list is created with the aaa authorization command.

list-name

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Default

Authorization is disabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3T.

After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.

Example

The following example enables authorization on asynchronous interface 4 and uses the method list named charlie:

interface async 4
  encapsulation ppp
  ppp authorization charlie

Related Commands

You can use the master indexes or search online to find documentation of related commands.

aaa authorization


hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.