Define the Authorization Method Lists

Jul 14,2009 by alperen


Use the aaa authorization command to enable authorization and to create named method lists, defining the authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which those methods will be tried.

A method list, as in authentication, is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable one or more security protocols for authorization to be designated, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services. If that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until successful communication occurs with a listed authorization method or all methods defined are exhausted.


Note 

The Cisco IOS software attempts authorization with the next listed method only when no response occurs from the previous method. If authorization fails at any point in this cycle (meaning the security server or local user name database responds by denying the user services), the authorization process stops and no other authorization methods are attempted.

Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function. The basic syntax is

Rtr1(config)#aaa authorization {authorization-type} {default | list-name} method1 [method2...]
Rtr1(config)#no aaa authorization {authorization-type}

The first step is to choose which of the eight authorization types supported by AAA is to be validated. The actual syntax and choices are

Rtr1(config)#aaa authorization {network | exec | commands level | reverse-access |
                                configuration | config-commands | auth-proxy | ipmobile}
                               {default | list-name} method1 [method2...]

network          All network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
exec             Whether the user is allowed to start an EXEC shell.
commands level   Commands at the specified privilege level (0 through 15).
reverse-access   Reverse access connections, such as reverse Telnet.
configuration    Downloading the configuration from the AAA server.
config-commands  Configuration mode commands.
auth-proxy       Authentication Proxy services.
ipmobile         Mobile IP services.

Once the authorization type is selected, the rest is just like the authentication process.

default               Uses the authorization methods that follow this keyword as the default method list for that authorization type.
list-name             Character string that names the method list.
method1 [method2...]  One or more of the method keywords listed in the following table, tried in the order given.

The actual method lists are specific to the type of authorization being requested. The six methods Cisco IOS software supports for authorization are described in the following table.

Method             Description

group tacacs+      Uses the list of all TACACS+ servers to provide authorization services. TACACS+
                   authorization defines specific rights for users by associating attribute-value (AV)
                   pairs, stored in a database on the TACACS+ security server, with the appropriate user.

group radius       Uses the list of all RADIUS servers to provide authorization services. RADIUS
                   authorization defines specific rights for users by associating attributes, stored in
                   a database on the RADIUS server, with the appropriate user.

if-authenticated   Allows the user to access the requested function provided the user has been
                   authenticated. No server is consulted.

local              Uses the local database, as defined by the username command, to authorize specific
                   rights for users. Only a limited set of functions can be controlled by the local
                   database.

krb5-instance      Uses the instance defined by the kerberos instance map command.

none               The NAS does not request authorization information; authorization is not performed
                   on this line or interface, so every request is allowed.

Creating a named method list defines a particular list of authorization methods for the indicated authorization type. Once defined, method lists must be applied to specific lines or interfaces, as with authentication, before any of the defined methods will be performed. The authorization command causes a request packet, containing a series of AV pairs, to be sent to the RADIUS or TACACS+ daemon as part of the authorization process. The daemon can do one of the following:

  • Accept the request as is.

  • Make changes to the request.

  • Refuse the request and refuse authorization.
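The following is an added example, not code from this article or from Cisco. It models the method-list walk described above (no response moves IOS on to the next method; an explicit accept or deny ends the walk) on a constructed configuration, and flags the practical pitfall of ending a list with none or if-authenticated: when the servers are unreachable those lists quietly grant whatever was requested. The server-group name ISE-TACACS, the list name ADMIN and the address 10.0.0.5 are invented; treating a list whose methods all fail to respond as a denial is an assumption of the model, not something the article states.

```python
"""Model of how Cisco IOS walks an AAA authorization method list.

Added example (not IOS code): parses `aaa authorization ...` lines from a
constructed configuration snippet, evaluates each list with the fall-through
rule (no response -> try the next method; an explicit PASS or FAIL ends the
walk) and flags lists whose last method grants access without any server.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # server (or local database) granted the request
    FAIL = "fail"    # server (or local database) denied the request
    ERROR = "error"  # no response from the method (e.g. server unreachable)


# The eight authorization types named in the aaa authorization syntax.
AUTHZ_TYPES = {"network", "exec", "commands", "reverse-access",
               "configuration", "config-commands", "auth-proxy", "ipmobile"}

# Methods that decide locally without ever asking a server.
NO_SERVER = {"none", "if-authenticated"}

# Constructed sample configuration; group name, list name and address are invented.
CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-TACACS
 server-private 10.0.0.5
aaa authorization console
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 ADMIN group ISE-TACACS if-authenticated
aaa authorization network default group radius none
line vty 0 4
 authorization exec default
 authorization commands 15 ADMIN
"""


def parse_method_lists(config):
    """Return {(authz_type, list_name): [method, ...]} for every
    `aaa authorization` list in `config`. For `commands` the privilege
    level is kept in the type key, e.g. ("commands 15", "ADMIN")."""
    lists = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["aaa", "authorization"]:
            continue
        tokens = tokens[2:]
        if not tokens or tokens[0] not in AUTHZ_TYPES:
            continue  # e.g. `aaa authorization console` is a flag, not a list
        authz_type = tokens.pop(0)
        if authz_type == "commands":
            authz_type += " " + tokens.pop(0)  # privilege level 0-15
        list_name = tokens.pop(0)              # "default" or a named list
        methods = []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group":                 # group tacacs+ | radius | <server-group>
                tok += " " + tokens.pop(0)
            methods.append(tok)
        lists[(authz_type, list_name)] = methods
    return lists


def authorize(methods, responses, authenticated=True):
    """Walk `methods` the way IOS does. `responses` maps a method to the
    Result it returns for this request; a missing entry means no response.
    Returns (Result, deciding method). Exhausting the list without any
    response is treated as a denial (assumption of this model)."""
    for method in methods:
        if method == "none":
            return Result.PASS, method
        if method == "if-authenticated":
            return (Result.PASS if authenticated else Result.FAIL), method
        result = responses.get(method, Result.ERROR)
        if result is Result.ERROR:
            continue                  # no response: IOS moves to the next method
        return result, method         # PASS or explicit FAIL stops the walk
    return Result.FAIL, None


def weak_fallbacks(lists):
    """Lists whose final method grants access without a server decision,
    i.e. lists that open up whenever every server in front of it is down."""
    return sorted(key for key, methods in lists.items()
                  if methods and methods[-1] in NO_SERVER)


if __name__ == "__main__":
    lists = parse_method_lists(CONFIG)
    servers_down = {"local": Result.PASS}  # only the local database answers
    for key, methods in lists.items():
        print(key, methods, "-> servers down:", authorize(methods, servers_down))
    print("lists that grant access when servers are unreachable:", weak_fallbacks(lists))
```

Running the model with every server unreachable shows exec authorization falling back to the local database as intended, while the ADMIN command list hands every authenticated user all level-15 commands and the network list accepts everything. If a fallback is needed for lost server connectivity, local is the safer choice, and the list should be applied only to the lines and interfaces that need it. Note also that IOS does not apply authorization to the console line unless aaa authorization console is configured, which is why it appears in the sample.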

