Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with TACACS+

Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods.

For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

AAAauthorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.

You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode.

The aaa authorization exec tacacs+ local command sets these authorization parameters:

Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.

Use the local database if authentication was not performed by using TACACS+.

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.

Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:

 

Command

Purpose

Step 1

 

 

configure terminal

Enter global configuration mode.

Step 2

 

 

aaa authorization network tacacs+

Configure the switch for user TACACS+ authorization for all

 

 

network-related service requests.

Step 3

 

 

aaa authorization exec tacacs+

Configure the switch for user TACACS+ authorization if the user has

 

 

privileged EXEC access.

 

 

The exec keyword might return user profile information (such as

 

 

autocommand information).

Step 4

 

 

end

Return to privileged EXEC mode.

Step 5

 

 

show running-config

Verify your entries.

Step 6

 

 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

 

 

 

To disable authorization, use the no aaa authorization {network exec} method1 global configuration command.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

9-16

OL-9775-02

 

 

Page 218
Image 218
Cisco Systems 3750E manual Show running-config Verify your entries