
Configuring AAA Authorization

In the document CCSP SECUR Exam Certification Guide (Page 159-162)

You can restrict the type of operation users can perform or the network resources they can access by using the AAA authorization service. After AAA authorization is enabled and configured, user profiles are stored on the local database or in a remote security server. From information in these profiles, users’ sessions are configured after they have been authenticated.

AAA supports five different methods of authorization:

TACACS+—User profile information is stored on a remote security server that has TACACS+ services running. The network access server communicates with the TACACS+ service to configure the user’s session.

If-authenticated—Successful authentication is required first before the user is allowed to access the requested function.

None—Authorization is not performed over this line or interface.

Local—User information is stored locally on the router or access server.

RADIUS—User profile information is stored on a remote security server. The router or access server requests authorization information from the RADIUS security server.

AAA authorization controls the user’s activity by permitting or denying access to what type of network access a user can start (PPP, SLIP, ARAP), what type of commands the user can execute, and more. The seven types of AAA authorization supported on the Cisco IOS Software are as follows:

Auth-proxy—Applies specific security policies on a per-user basis.

Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

EXEC—Applies to a user EXEC terminal session.

Network—Applies to network connections. This can include a PPP, SLIP, or ARAP connection.

Reverse access—Applies to reverse telnet sessions.

Configuration—Applies to downloading configurations from the AAA server.

IP mobile—Applies to authorization for IP mobile services.

Example 7-3 Configuration of aaa authentication ppp

Router(config)#aaa new-model
Router(config)#username meron password abc123
Router(config)#aaa authentication ppp default local

The syntax for the aaa authorization command is as follows:

Router(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2]]

Table 7-5 shows aaa authorization command parameters.

Table 7-5 aaa authorization Command Parameters

(This table has been reproduced by Cisco Press with the permission of Cisco Systems Inc. Copyright © 2003 Cisco Systems, Inc. All Rights Reserved.)

Keyword / Description

network
    Enables authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

auth-proxy
    Enables authorization that applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, see Chapter 15, “Authentication Proxy and the Cisco IOS Firewall.”

exec
    Enables authorization to determine whether a user is allowed to run an EXEC shell.

commands
    Enables authorization for specific, individual EXEC commands associated with a specific privilege level. This enables you to authorize all commands associated with a specified command level from 0 to 15.

reverse-access
    Enables authorization for reverse telnet functions.

configuration
    Downloads the configuration from the AAA server.

default
    Uses the listed authentication methods that follow this argument as the default list of methods for authorization.

level
    Specific command level that should be authorized, from 0 through 15.

list-name
    Character string used to name the list of authentication methods.

method
    Specifies at least one of the keywords that follow.

group group-name
    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


The following steps outline the configuration procedure for AAA authorization methods:

Step 1 Create an authorization method list for a particular authorization type and enable authorization.

Router(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]

Step 2 Enter the line configuration mode for the lines to which you want to apply the authorization method list.

Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]

Step 3 Apply the authorization list to a line or set of lines.

Router(config-line)# authorization {arap | commands level | exec | reverse-access} {default | list-name}
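The three steps above carried through end to end, as an added example that is not from the book: EXEC and privilege-level-15 command authorization on the vty lines, with TACACS+ consulted first and the local database used if the TACACS+ server does not respond. The server address, the shared secret, the list names vty-exec and vty-cmds, and the tacacs-server host and tacacs-server key commands used to reach the server are assumptions for this illustration, not values from the page.

```cisco
! Added example, not the book's configuration. Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_SHARED_SECRET
!
! Step 1: one method list per authorization type (named lists, not "default")
aaa authorization exec vty-exec group tacacs+ local
aaa authorization commands 15 vty-cmds group tacacs+ local
!
! Step 2: enter line configuration mode for vty 0 through 4
line vty 0 4
! Step 3: apply the named lists to those lines
 authorization exec vty-exec
 authorization commands 15 vty-cmds
```

Two points worth checking in such a configuration. A named list (anything other than default) has no effect until Step 3 applies it to a line; only a list named default is used automatically by lines that have no named list applied. And the second method in a list is consulted only when the first returns an error, that is, when no TACACS+ server responds; a denial returned by TACACS+ ends the evaluation and local is not tried, so the fallback widens access only during a server outage.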

Example 7-4 shows a sample configuration of a NAS (enabled for AAA and communication with a RADIUS security server) for AAA services to be provided by the RADIUS server. If the RADIUS server fails to respond, the local database is queried for authentication and authorization information.

Example 7-4 Configuring a NAS for AAA Services Provided by the RADIUS Server

Router(config)#aaa new-model

The lines in this sample RADIUS AAA configuration are defined as follows:

The aaa new-model command enables AAA network security services.

The aaa authentication ppp dialins group radius local command defines the authentication method list dialins, which specifies that RADIUS authentication and then (if the RADIUS server does not respond) local authentication is used on serial lines using PPP.

The aaa authorization network la-users group radius local command defines the network authorization method list named la-users, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization is performed.

The username command defines the username and password to be used for the PPP Password Authentication Protocol (PAP) caller identification.

The radius-server host command defines the name of the RADIUS server host.

The radius-server key command defines the shared secret text string between the NAS and the RADIUS server host.

The interface group-async command selects and defines an asynchronous interface group.

The ppp authentication chap dialins command selects Challenge Handshake Authentication Protocol (CHAP) as the method of PPP authentication and applies the dialins method list to the specified interfaces.

The ppp authorization la-users command applies the la-users network authorization method list to the specified interfaces.
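The command descriptions above assembled into one working NAS configuration, as an added example rather than the book's own Example 7-4 text: RADIUS first for both PPP authentication and network authorization, with the local database as the fallback when the RADIUS server does not respond. The username, password, RADIUS server address, shared secret, group-async interface number, and the group-range and encapsulation ppp lines are assumptions made for this illustration; the page gives none of those values.

```cisco
! Added example, not the book's Example 7-4. All literal values are placeholders.
aaa new-model
! Authentication list "dialins": RADIUS, then local only if RADIUS does not respond
aaa authentication ppp dialins group radius local
! Network authorization list "la-users": same method order
aaa authorization network la-users group radius local
! Local account used when RADIUS is unreachable (placeholder credentials)
username PLACEHOLDER_USER password PLACEHOLDER_PASSWORD
! RADIUS server and the shared secret between the NAS and that server
radius-server host 192.0.2.20
radius-server key PLACEHOLDER_SHARED_SECRET
!
! Asynchronous interface group; group-range and encapsulation are assumed here
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization la-users
```

Because both lists end in local, the local username entries define exactly what a caller can do while the RADIUS server is down; keeping that local account set small, and its passwords distinct from anything stored on the RADIUS server, limits how much an outage changes the effective policy.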
