Aaa Read, write, SR-10 | Cisco Systems XR manual

Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

aaa authorization

Note

Use the aaa authorization command to create method lists defining specific authorization methods that can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.

The command authorization mentioned here applies to the one performed by an external AAA server and not for task-based authorization.

Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined have been exhausted.

Cisco IOS XR software attempts authorization with the next listed method only when there is no response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.

The Cisco IOS XR software supports the following methods for authorization:

•none—The router does not request authorization information; authorization is not performed over this line or interface.

•local—Use local database for authorization.

•group tacacs+—Use the list of all configured TACACS+ servers for authorization.

•group radius—Use the list of all configured RADIUS servers for authorization.

•group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.

Method lists are specific to the type of authorization being requested. The Cisco IOS XR software supports three types of AAA authorization:

•Commands authorization: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands.

Note “Command” authorization is distinct from “task-based” authorization, which is based on the task profile established during authentication.

•EXEC authorization: Applies authorization for starting an EXEC session.

•Network authorization: Applies authorization for network services, such as IKE.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.

Task ID	Task ID	Operations
	aaa	read, write

Cisco IOS XR System Security Command Reference

Cisco Systems XR manual Aaa Read, write, SR-10

Models: XR

aaa

read, write

SR-10