Authorization question

cannonscott
Level 1

I have been looking through some sample configurations trying to get a better grasp on Authorization. I need help understanding what the following lines do.

aaa authorization exec default group Network none

aaa authorization commands 15 default group Network none

aaa authorization commands 15 secure group Network none

Thanks in advance for any help you can give.

Accepted Solution

Richard Burts
Hall of Fame

Scott

aaa authorization exec default group Network none tells the router to use authorization for exec processes (basically, is the user authorized to run exec processes). This is the default method for exec authorization. The primary method is to go to a group identified as Network. I would expect that the router config identified one or several servers (running TACACS or RADIUS) in the group called Network. If there is no response from the server(s) in the group Network, there is no backup method for authorization.

aaa authorization commands 15 default group Network none tells the router to use authorization for level 15 commands (the privilege mode commands). This line is defining the default authorization for these commands. The router will use the group Network to identify the server(s) that can authorize these commands. If there is no response from the server(s), there is no backup method of authorization.

aaa authorization commands 15 secure group Network none tells the router to use authorization for level 15 commands (the privilege mode commands). This line is defining an alternative to the default method. There should be something in the router config on some lines (likely the vty lines) which says authorization secure. Like the other commands, this one tells the router to use the server(s) defined in group Network to do authorization, and if there is no response from the server(s) there is no backup method.

One comment I would have has to do with the none parameter, which says that each of the authorization commands has no backup method. I believe that this is somewhat dangerous. If there were a situation where you lost communication with the server(s), you could basically be locked out of the router, since there would not be anything that could authorize your access. When I configure authorization on routers for customers I usually use the if-authenticated backup method, which says that if the router cannot authorize with the server, allow the access if the user has been properly authenticated (which could be via line passwords, or via definitions in a local user database).

So to summarize, the first line tells the router to check for authorization when any user attempts to start an exec session.

The second line tells the router to check for authorization when a user attempts to use a level 15 command.

The third line is a more specific version of the second one. It is for certain specific lines on the router, where the second one is for anyone with a session on the router no matter which line they are logically associated with.

HTH

Rick

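As an added example (not configuration from the thread), here is how the three lines in the question typically sit alongside the pieces the answer refers to: the server group named Network, a vty line that invokes the secure list, and the if-authenticated fallback recommended above in place of none. The server names, addresses, key and local user are placeholders.

```cisco
! Added example, not from the thread. Server addresses, the shared key
! and the local user are placeholders; substitute your own values.
!
! The server group the three lines refer to as "Network".
aaa new-model
tacacs server TACACS-PRIMARY
 address ipv4 192.0.2.10
 key <placeholder-shared-key>
tacacs server TACACS-SECONDARY
 address ipv4 192.0.2.11
 key <placeholder-shared-key>
aaa group server tacacs+ Network
 server name TACACS-PRIMARY
 server name TACACS-SECONDARY
!
! The lines from the question. Per IOS method-list semantics, a later
! method is only consulted when the earlier one returns an error (no
! server in group Network answered); an explicit deny from a server is
! final. "none" as that later method means no authorization check is
! made at all, so the request is granted.
aaa authorization exec default group Network none
aaa authorization commands 15 default group Network none
aaa authorization commands 15 secure group Network none
!
! The alternative the answer recommends: when no server answers, allow
! the request only if the user has already authenticated, here against
! the local user database that the login method list falls back to.
aaa authentication login default group Network local
username admin privilege 15 secret <placeholder-password>
aaa authorization exec default group Network if-authenticated
aaa authorization commands 15 default group Network if-authenticated
aaa authorization commands 15 secure group Network if-authenticated
!
! The named list "secure" does nothing until a line applies it; lines
! without this statement use the "default" lists instead.
line vty 0 4
 authorization commands 15 secure
 transport input ssh
```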

2 Replies

Thanks. That's a great reply!