Implementing Authentication, Authorization, and Accounting – AAA
Configuring AAA authorization

AAA authorization limits the services available to a user. When AAA authorization is enabled, the multilayer switch uses information retrieved from the user profile, which is located either in the local user database on the switch or on the security server, to configure the user session. Once this is done, the user is granted access to a requested service only if the information in the user profile allows it.

Just as with AAA authentication, authorization uses method lists to define how authorization will be performed and the order in which the methods will be tried. A later method in a list is consulted only if the previous method returns an error (for example, the security server is unreachable), not if it explicitly denies the request. Method lists are specific to the authorization type requested:

  • Auth-proxy – Applies specific security policies on a per-user basis.
  • Commands – Applies to the EXEC mode commands that a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
  • EXEC – Applies to the attributes associated with a user EXEC terminal session.
  • Network – Applies to network connections. These connections can include a PPP, Serial Line Internet Protocol (SLIP), or AppleTalk Remote Access Protocol (ARAP) connection.
  • Reverse access – Applies to reverse Telnet sessions.

A named method list defines, for one authorization type, the methods to try and the order in which to try them. The list named default is applied automatically to all lines and interfaces; any other named list takes effect only on the lines or interfaces to which it is explicitly applied.

AAA supports five different methods of authorization:

  • TACACS+ – The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
  • If-Authenticated – The user is allowed to access the requested function, provided that the user has been authenticated successfully.
  • None – The network access server does not request authorization information; authorization is not performed over this line or interface.
  • Local – The router or access server consults its local database, as defined by the username command, for example, to authorize specific rights for users. Only a limited set of functions can be controlled via the local database.
  • RADIUS – The network access server requests authorization information from a RADIUS security server. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.

To configure AAA authorization using named method lists, use the aaa authorization command in global configuration mode with one of the methods described below.

To have the multilayer switch request authorization information via a TACACS+ security server, use the aaa authorization command with the group tacacs+ value for the method variable.

To allow users to have access to the functions that they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword. If this method is selected, all requested functions are automatically granted to authenticated users.

To select local authorization, which means that the router or access server consults its local user database to determine the functions that a user is permitted to use, use the aaa authorization command with the local method keyword. The functions associated with local authorization are defined by using the username global configuration command.

To have the network access server request authorization via a RADIUS security server, use the aaa authorization command with the group radius value for the method variable.

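As an added example, not part of the original course text, the following IOS configuration puts the pieces described above together: a TACACS+ server definition, a named method list for EXEC authorization that tries TACACS+ first and falls back to the local database, a second named list for privilege-15 command authorization, and the application of both lists to the VTY lines. The server address 10.1.1.10, the shared key, the list names ADMIN-LOGIN, ADMIN-EXEC and ADMIN-CMDS, and the local username are placeholders chosen for this example.

```ios
! Added example configuration (not from the course). All names, keys
! and addresses are placeholders.
aaa new-model
!
! TACACS+ server the switch will query; the key must match the daemon's.
tacacs-server host 10.1.1.10 key TacacsSharedSecret
!
! Local fallback account, consulted only if every TACACS+ server
! returns an error (for example, it is unreachable).
username admin privilege 15 secret LocalFallbackPassword
!
! Authorization decisions are made about an authenticated user, so
! login is also handed to TACACS+, with the local database as fallback.
aaa authentication login ADMIN-LOGIN group tacacs+ local
!
! Named method list for EXEC authorization (shell attributes such as
! the starting privilege level). TACACS+ is tried first; the local
! database is used only if TACACS+ returns an error, never when
! TACACS+ explicitly denies the request.
aaa authorization exec ADMIN-EXEC group tacacs+ local
!
! Named method list for privilege-15 command authorization, so every
! EXEC and configuration command is checked against the TACACS+ policy.
aaa authorization commands 15 ADMIN-CMDS group tacacs+ local
!
! Named lists do nothing until applied to a line. The console is exempt
! from authorization unless 'aaa authorization console' is configured,
! which is why a console session is the safe place to test from.
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 authorization commands 15 ADMIN-CMDS
```

The order of methods is the security decision here. Ending a list with if-authenticated or none means that whenever the TACACS+ server is down, every authenticated user (or every user at all, with none) gets every function, so a local database with a strong secret is the preferable last resort. Verify the lists before relying on them by keeping a console session open, watching debug aaa authorization while logging in over a VTY, and checking the server state with show tacacs.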

Lab Activity

e-Lab Activity: Optimizing and Securing Multilayer Switched Networks

In this lab, the student will configure VLAN access control lists (VACLs) and a Terminal Access Controller Access-Control System Plus (TACACS+) server.