Configuration Guide Vol. 1


10.3.4 Configuring RADIUS/TACACS+/local command authorization


(1) Sample Command-Authorization Configuration with RADIUS Servers

Points to note

The example below shows how to configure command authorization using a RADIUS server.

Before performing this procedure, complete the setup for using RADIUS authentication.

Command examples

  1. (config)# aaa authentication login default group radius local

    (config)# radius-server host 192.168.10.1 key "RaD#001"

    Configures RADIUS authentication as a prerequisite step.

  2. (config)# aaa authorization commands default group radius

    Performs command authorization using a RADIUS server.

Notes

If command authorization has been configured as described above but has not yet been set up on the RADIUS server side, all commands will be prohibited when a RADIUS-authenticated user logs in. If you are unable to execute any commands (for example, because a setup task was omitted), log in from the console and complete the required setup. Note, however, that if the console is also subject to command authorization by the configuration command aaa authorization commands console, commands are restricted on the console as well.

(2) Sample Command-Authorization Configuration with TACACS+ Servers

Points to note

The example below shows how to configure command authorization using a TACACS+ server.

Before performing this procedure, complete the setup for using TACACS+ authentication.

Command examples

  1. (config)# aaa authentication login default group tacacs+ local

    (config)# tacacs-server host 192.168.10.1 key "TaC#001"

    Configures authentication by a TACACS+ server as a prerequisite step.

  2. (config)# aaa authorization commands default group tacacs+

    Performs command authorization using a TACACS+ server.

Notes

If command authorization has been configured as described above but has not yet been set up on the TACACS+ server side, all commands will be prohibited when a TACACS+-authenticated user logs in. If you are unable to execute any commands (for example, because a setup task was omitted), log in from the console and complete the required setup. Note, however, that if the console is also subject to command authorization by the configuration command aaa authorization commands console, commands are restricted on the console as well.

(3) Example of Configuring Local Command Authorization

Points to note

The example below shows how to configure local command authorization.

Before performing this procedure, set the user name and the associated command class (username view-class) or command lists (username view, parser view, or the commands exec command).

Also, change the settings so that local password authentication can be used.

Command examples

  1. (config)# parser view Local_001

    (config-view)# commands exec include all "show"

    (config-view)# commands exec exclude all "reload"

    Creates the command lists to be used for local authorization.

    There is no need to create any command lists if you are using command classes only.

  2. (config)# username user001 view Local_001

    (config)# username user001 view-class noenable

    Assigns a command class or command lists to the specified user.

    Both a command class and command lists can be used together.

  3. (config)# aaa authentication login default local

    Configures local password authentication.

  4. (config)# aaa authorization commands default local

    Performs command authorization using local authentication.

Notes

Be aware that local command authorization applies to all users who log in with local authentication. Configure local authorization carefully so that security is not compromised.

If no command class or command list has been set for a user, no commands will be permitted or executable by that user.

If you are unable to execute any commands (for example, because a setup task was omitted), log in from the console and complete the required setup. Note, however, that if the console is also subject to command authorization by the configuration command aaa authorization commands console, commands are restricted on the console as well.
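The three procedures above share the same failure mode described in their Notes: command authorization is enabled before the server side or the local user views are ready, and the user is locked out of every command, possibly on the console too. The following Python script is an added example (not part of this guide and not a tool from the switch vendor) that reads a configuration export in the syntax of the guide's command examples and flags those conditions before the configuration is applied. The two configuration excerpts are constructed for illustration; the parsing covers only the commands shown in this section.

```python
"""Pre-flight lockout check for RADIUS/TACACS+/local command authorization.

Added example, not vendor code. It parses a running-config excerpt written in
the syntax of the guide's examples and reports the conditions the guide's
Notes warn about: authorization enabled without the matching authentication
setup or server host, local users with no view/view-class, views that are
referenced but never defined, and console command authorization.
"""
from typing import List, Tuple

# Constructed excerpts (not captured from a real device); the lines follow
# the syntax shown in the guide's command examples.
SAMPLE_REMOTE = """\
aaa authentication login default group radius local
aaa authorization commands default group radius
aaa authorization commands console
"""

SAMPLE_LOCAL = """\
aaa authentication login default local
aaa authorization commands default local
parser view Local_001
 commands exec include all "show"
 commands exec exclude all "reload"
username user001 view Local_001
username user001 view-class noenable
username user002 view Missing_View
username user003 password secret
"""

Finding = Tuple[str, str]  # (severity, message)

# Maps the server-definition keyword to the method name used in aaa lines.
SERVER_KEYWORD = {"radius-server": "radius", "tacacs-server": "tacacs+"}


def _methods(tokens: List[str]) -> List[str]:
    """Turn ['group', 'radius', 'local'] into ['radius', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_config(text: str) -> dict:
    """Extract the aaa, server, parser view and username facts we need."""
    cfg = {
        "auth": [],             # login authentication method list
        "authz": [],            # command authorization method list
        "console_authz": False,
        "servers": set(),       # methods ('radius' / 'tacacs+') with a host
        "views": set(),         # parser view names that are defined
        "users": {},            # name -> {'view': ..., 'view_class': ...}
    }
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[:4] == ["aaa", "authentication", "login", "default"]:
            cfg["auth"] = _methods(t[4:])
        elif t[:4] == ["aaa", "authorization", "commands", "default"]:
            cfg["authz"] = _methods(t[4:])
        elif t[:4] == ["aaa", "authorization", "commands", "console"]:
            cfg["console_authz"] = True
        elif t[0] in SERVER_KEYWORD and t[1:2] == ["host"]:
            cfg["servers"].add(SERVER_KEYWORD[t[0]])
        elif t[:2] == ["parser", "view"] and len(t) > 2:
            cfg["views"].add(t[2])
        elif t[0] == "username" and len(t) > 1:
            user = cfg["users"].setdefault(t[1], {})
            if t[2:3] == ["view"] and len(t) > 3:
                user["view"] = t[3]
            elif t[2:3] == ["view-class"] and len(t) > 3:
                user["view_class"] = t[3]
    return cfg


def check(text: str) -> List[Finding]:
    """Return (severity, message) findings; an empty list means no lockout risk found."""
    cfg = parse_config(text)
    findings: List[Finding] = []
    for m in cfg["authz"]:
        if m in ("radius", "tacacs+"):
            # The guide requires the matching authentication setup first.
            if m not in cfg["auth"]:
                findings.append(("error", f"command authorization uses {m} but login "
                                          f"authentication does not; set up {m} authentication first"))
            if m not in cfg["servers"]:
                findings.append(("error", f"no {m} server host configured"))
        elif m == "local":
            # A local user with neither a view nor a view-class gets no commands at all.
            for name, u in cfg["users"].items():
                if "view" not in u and "view_class" not in u:
                    findings.append(("error", f"user {name} has no view or view-class: "
                                              "no commands will be permitted"))
                elif u.get("view") and u["view"] not in cfg["views"]:
                    findings.append(("error", f"user {name} references undefined parser view {u['view']}"))
    if cfg["console_authz"]:
        findings.append(("warning", "aaa authorization commands console is set: commands are "
                                    "restricted on the console too, so it may not be usable for recovery"))
    return findings


if __name__ == "__main__":
    for label, sample in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL)):
        print(f"[{label}]")
        for severity, message in check(sample):
            print(f"  {severity}: {message}")
```

Run the check against the candidate configuration before committing it; if the console warning appears, make sure the server-side or local setup is verified first, since the console will not provide a way back in once commands are restricted there.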