Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

aaa authorization

Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.

Note The command authorization described here is the authorization performed by an external AAA server; it is distinct from task-based authorization.

Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined have been exhausted.

Cisco IOS XR software attempts authorization with the next listed method only when there is no response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.

The Cisco IOS XR software supports the following methods for authorization:

none—The router does not request authorization information; authorization is not performed over this line or interface.

local—Use local database for authorization.

group tacacs+—Use the list of all configured TACACS+ servers for authorization.

group radius—Use the list of all configured RADIUS servers for authorization.

group group-name—Use a named subset of TACACS+ or RADIUS servers for authorization.

Method lists are specific to the type of authorization being requested. The Cisco IOS XR software supports three types of AAA authorization:

Commands authorization: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands.

Note “Command” authorization is distinct from “task-based” authorization, which is based on the task profile established during authentication.

EXEC authorization: Applies authorization for starting an EXEC session.

Network authorization: Applies authorization for network services, such as IKE.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
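The following is an added example, not from the Cisco reference, that simulates the method-list evaluation rule described above: the next method is consulted only when the previous one does not respond, while a permit or a deny from any method ends the cycle. The method behaviours, user names and commands are constructed for illustration; the simulation also shows why a trailing none method turns a server outage into a fail-open result, whereas a trailing local method falls back to the local username database.

```python
# Added example: simulation of IOS XR authorization method-list semantics.
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NO_RESPONSE = "no-response"   # server unreachable or timed out


# A method takes (user, command) and returns a Result.
Method = Callable[[str, str], Result]


def evaluate_method_list(methods: List[str], registry: Dict[str, Method],
                         user: str, command: str) -> Tuple[str, Optional[str]]:
    """Walk the method list in order; return (outcome, deciding method).
    Only NO_RESPONSE moves on to the next method. A PERMIT or DENY stops
    the cycle. If every method is exhausted without an answer, the request
    is not authorized (reported as deny with no deciding method)."""
    for name in methods:
        result = registry[name](user, command)
        if result is Result.NO_RESPONSE:
            continue
        return result.value, name
    return "deny", None


# Constructed stand-ins for the real methods (hypothetical policies).
def method_tacacs_up(user: str, command: str) -> Result:
    # Hypothetical TACACS+ policy: only 'netops' may enter configuration.
    if command.startswith("configure") and user != "netops":
        return Result.DENY
    return Result.PERMIT


def method_tacacs_down(user: str, command: str) -> Result:
    return Result.NO_RESPONSE      # all TACACS+ servers silent


LOCAL_DB = {"admin": {"configure terminal", "show running-config"}}


def method_local(user: str, command: str) -> Result:
    return Result.PERMIT if command in LOCAL_DB.get(user, set()) else Result.DENY


def method_none(user: str, command: str) -> Result:
    return Result.PERMIT           # 'none': no authorization is requested


REGISTRY_UP = {"group tacacs+": method_tacacs_up, "local": method_local, "none": method_none}
REGISTRY_OUTAGE = {"group tacacs+": method_tacacs_down, "local": method_local, "none": method_none}
```

With the servers up, a TACACS+ deny for admin stops the cycle even though the local database would have permitted the command; during an outage, `group tacacs+ local` falls back to the local database while `group tacacs+ none` permits everything.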

Task ID

Task ID    Operations
aaa        read, write

Cisco IOS XR System Security Command Reference

SR-10
