- Dial-In Security
- Dial-In User Authentication, Authorization, and Accounting (AAA)
- AAA Authentication Setup with TACACS+ and RADIUS
- AAA Authorization Setup
- AAA Accounting Setup
- Using All AAA Services Simultaneously
- Virtual Private Networks (VPNs)
- Summary
AAA Authorization Setup
Whereas authentication is concerned with ensuring that the device or end user is who it claims to be, authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.
The command for enabling authorization follows:
aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]
With this command, service-type must be one of the service types listed in Table 10-4.
Table 10-4 AAA Authorization Service Types
Service Type |
Description |
commands {level} |
Checks authorization for any EXEC command at the optionally specified level |
exec |
Checks authorization to run an EXEC shell |
network |
Checks authorization for network activities |
reverse-access |
Checks authorization for reverse Telnet |
The next parameter is either the key word default or a list name. The list name can be virtually any word except the word default, and it is used to name the following list of authorization methods. The parameters method1, method2, method3, and method4 are used to specify the order in which authentication takes place. At least one method must be used, with a maximum total of four methods specified. The possible values for the method are shown in Table 10-5.
Table 10-5 AAA Authorization Methods
Method |
Description |
if-authenticated |
If the user is already authenticated, the user is allowed to access the service. |
krb5-instance |
This uses the instance defined with the kerberos instance map command. |
local |
The local database is consulted. |
radius |
The RADIUS server's database is consulted to see if the user has the appropriate rights. |
tacacs+ |
The TACACS+ server's database is consulted to see if the user has the appropriate rights. |
NOTE
When AAA authorization is not enabled, all users are allowed full access. Once authentication is started, the default changes to allow no access.
This means that the administrator must create a user with full access rights configured before authorization is enabled. Failure to do so will immediately lock the administrators out of their own system the moment the aaa authorization command is entered.
The only way to recover from this is to reboot the router. If this is a production router, rebooting might be unacceptable. Be sure that at least one user always has full rights.
Configuring AAA authorization is very similar to AAA authentication. Look at the following configuration. This configuration checks the authorization for users of the S2 interface when accessing network service such as PPP:
aaa new-model !Set up for AAA tacacs-server host 172.30.1.50 !The TACACS+ server is at 172.30.1.50 tacacs-server key mysecretkey !Use the encrypted keys interface s2 aaa authorization network tacacs+ !Start authorization for network services