AAA authorization limits the services available to a user. When AAA authorization is enabled, the multilayer switch uses information retrieved from the user profile, which is located either in the local user database on the switch or on the security server, to configure the user session. Once this is done, the user is granted access to a requested service only if the information in the user profile allows it.

Just as with AAA authentication, authorization uses method lists to define the ways in which authorization will be performed and the sequence in which those methods are tried. Method lists are specific to the authorization type requested:
- Auth-proxy – Applies specific security policies on a per-user basis.
- Commands – Applies to the EXEC mode commands that a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
- EXEC – Applies to the attributes associated with a user EXEC terminal session.
- Network – Applies to network connections. These connections can include a PPP, Serial Line Internet Protocol (SLIP), or AppleTalk Remote Access Protocol (ARAP) connection.
- Reverse access – Applies to reverse Telnet sessions.
When creating a named method list, define a particular list of authorization methods for the indicated authorization type. AAA supports five different methods of authorization:

- TACACS+ – The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
- If-Authenticated – The user is allowed to access the requested function, provided that the user has been authenticated successfully.
- None – The network access server does not request authorization information; authorization is not performed over this line or interface.
- Local – The router or access server consults its local database, as defined by the username command, for example, to authorize specific rights for users. Only a limited set of functions can be controlled via the local database.
- RADIUS – The network access server requests authorization information from a RADIUS security server. RADIUS authorization defines specific rights for users by associating attributes.
To configure AAA authorization using named method lists, use these
commands, beginning in global configuration mode.

To have the multilayer switch request authorization information via a TACACS+ security server, use the aaa authorization command with the group tacacs+ value for the method variable.

To allow users to have access to the functions that they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword. If this method is selected, all requested functions are automatically granted to authenticated users.

To select local authorization, which means that the router or access server consults its local user database to determine the functions that a user is permitted to use, use the aaa authorization command with the local method keyword. The functions associated with local authorization are defined by using the username global configuration command.

To have the network access server request authorization via a RADIUS security server, use the radius method keyword.
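The following IOS configuration fragment is an added example, not part of the original page, showing named and default authorization method lists built from the methods described above. Server addresses, the shared keys, the username and the list names (ADMIN-CMDS, NET-AUTHZ, PERMISSIVE) are constructed placeholders.

```cisco
! Added example; addresses, keys and list names are constructed placeholders.
aaa new-model
!
! Security servers that the group tacacs+ and group radius methods refer to.
tacacs-server host 192.0.2.10 key TACACS_SHARED_SECRET_PLACEHOLDER
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RADIUS_SHARED_SECRET_PLACEHOLDER
!
! EXEC authorization (default list): ask TACACS+ first; "local" is consulted
! only if no TACACS+ server responds, so the switch does not fail open.
aaa authorization exec default group tacacs+ local
!
! Command authorization for privilege-15 commands, as the named list ADMIN-CMDS.
! Every level-15 EXEC and configuration command is checked against TACACS+.
aaa authorization commands 15 ADMIN-CMDS group tacacs+ local
!
! Network authorization (PPP and similar connections) from RADIUS, named list NET-AUTHZ.
aaa authorization network NET-AUTHZ group radius
!
! if-authenticated grants every requested function once the user has
! authenticated; keep such a list only on lines where that is intended.
aaa authorization exec PERMISSIVE if-authenticated
!
! Local user record consulted by the "local" method; privilege 15 is full EXEC access.
username netadmin privilege 15 secret PASSWORD_PLACEHOLDER
!
! Bind the lists to the vty lines. The "default" EXEC list applies automatically;
! named lists take effect only where they are bound.
line vty 0 4
 authorization exec default
 authorization commands 15 ADMIN-CMDS
```

A list using the none method (for example aaa authorization exec default none) performs no authorization at all and should be reserved for lines where that is deliberately intended.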