topic Hello Jan, in Network Access Control

What does mean 'aaa authorization network', what does limit 'network' keyword?

Yan Merchy — Mon, 11 Mar 2019 07:50:59 GMT

Hi,

I am studying CCNP Switch course and stuck in AAA authorization topic. I do not understand what actually is purpose of the following command chain 'aaa authorization network ....'.

Cisco books and web-pages define this like sonething:

network: The server must return permission to use network-related services.

However, do does it means 'network-related services'? Is the telnet network related service? I have been serching info about details what this command does and no success. Some network pages mean authorization for PPP, PPPoE, SLIP.... I am confused.

Let's say I entered following command on the switch:

 switch(config)#aaa authorization network default group SRV-ISE

What can I do on this switch and what cannot? What is limited and what is not? What will be authorized and what won't be?

Hello Jan,

netsysconsultant — Wed, 12 Jul 2017 22:05:55 GMT

Hello Jan,

aaa authorization network can be used to allow users access to the network if dot1x authentication have been configured on the cisco switch.

In the case that you use aaa authorization network default group SRV-ISE : this command can be used to to allow the SRV-ISE (which is an ACS or ISE server) to dynamically assign vlan to user ports and this is based on their identities (username or MAC address).

if you need more details, try to read this article

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sga/configuration/guide/config/dot1x.html#wp1133313

Regards

On switches "aaa

agrissimanis — Wed, 12 Jul 2017 22:15:09 GMT

On switches "aaa authorization network" refers to authorization of devices connected to the switch, so you would point "aaa authorization network" to a group of ISE/ACS servers, like in your example.

If you do not configure the authorization command and have only the "aaa authentication dot1x", you would run into strange dot1x issues. (basically switch would authenticate dot1x session, but would not apply the RADIUS session attributes sent by ISE)

For telnet or ssh you would use the "aaa authorization exec/commands", attach that to the vty lines, and that would then control telnet/ssh access to the switch.

Please rate if helpful

Re: What does mean 'aaa authorization network', what does limit 'netwo

echo — Wed, 11 Jun 2025 11:51:19 GMT

Just a comment to the original question.

"Some network pages mean authorization for PPP, PPPoE, SLIP.... I am confused."

I am too. Especially because:

1. The list of mentioned "network" services in Cisco pages is not complete.

2. Without this "aaa authorization network default group SRV-ISE" type of command, the dot1x breaks (I just tested): the computer authenticates but it doesn't get the IP-address -- because the VLAN information, if this is being sent by the Radius server, is not accepted and no VLAN will be set to the authenticated computer. Maybe, if the VLAN name or number is being set by the switch, it works but I haven't tested it.

The document referred to above has this information: "Enable AAA authorization with the network keyword to allow interface configuration from the RADIUS server." The confusing part comes from the fact that I need to use "network" instead of "dot1x" for a dot1x-related configuration and as the original post has it, the term "network" is ambiguous because anything can be considered under this term because we are dealing with network devices here.