What does mean 'aaa authorization network', what does limit 'network' keyword?

Yan Merchy
Level 1

Hi,

I am studying the CCNP Switch course and am stuck on the AAA authorization topic. I do not understand what the actual purpose of the following command chain is: 'aaa authorization network ....'.

Cisco books and web pages define it something like this:

network: The server must return permission to use network-related services.

However, what does 'network-related services' mean? Is telnet a network-related service? I have been searching for details on what this command does, with no success. Some web pages refer to authorization for PPP, PPPoE, SLIP.... I am confused.

Let's say I entered following command on the switch:

 switch(config)#aaa authorization network default group SRV-ISE 

What can I do on this switch and what cannot? What is limited and what is not? What will be authorized and what won't be?

2 Replies

Hello Jan,

aaa authorization network can be used to allow users access to the network if dot1x authentication has been configured on the Cisco switch.

In the case that you use aaa authorization network default group SRV-ISE: this command can be used to allow the SRV-ISE (which is an ACS or ISE server) to dynamically assign a VLAN to user ports, based on their identities (username or MAC address).

If you need more details, try reading this article:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sga/configuration/guide/config/dot1x.html#wp1133313

Regards

agrissimanis
Level 1

On switches "aaa authorization network" refers to authorization of devices connected to the switch, so you would point "aaa authorization network" to a group of ISE/ACS servers, like in your example.

If you do not configure the authorization command and have only the "aaa authentication dot1x", you would run into strange dot1x issues. (basically switch would authenticate dot1x session, but would not apply the RADIUS session attributes sent by ISE)

For telnet or ssh you would use the "aaa authorization exec/commands", attach that to the vty lines, and that would then control telnet/ssh access to the switch.

Please rate if helpful
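An added configuration example (not from either reply above) that puts the two answers side by side: "aaa authorization network" feeds the dot1x session on an access port so the switch applies the VLAN and other RADIUS attributes returned by ISE, while "aaa authorization exec/commands" on the vty lines is what governs SSH access to the switch itself. The server group name SRV-ISE comes from the question; the server name ISE-1, the address 192.0.2.10, the interface GigabitEthernet1/0/5 and the shared-secret placeholder are assumptions.

```cisco
aaa new-model
!
! Assumed RADIUS server definition; replace address and key with your own
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius SRV-ISE
 server name ISE-1
!
! Needed so Cisco vendor-specific attributes (e.g. dACLs) are sent/accepted
radius-server vsa send authentication
!
! --- Endpoint (dot1x) side: authenticates the device, then "network"
! --- authorization lets the switch apply the session attributes ISE
! --- returns (dynamic VLAN, dACL, etc.). Without it the session
! --- authenticates but the attributes are silently not applied.
aaa authentication dot1x default group SRV-ISE
aaa authorization network default group SRV-ISE
aaa accounting dot1x default start-stop group SRV-ISE
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! --- Management side: SSH/telnet login and what an admin may run.
! --- Falls back to the local database if SRV-ISE is unreachable.
aaa authentication login default group SRV-ISE local
aaa authorization exec default group SRV-ISE local
aaa authorization commands 15 default group SRV-ISE local
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
!
! Verify that the VLAN/attributes were actually applied to the session:
!   show authentication sessions interface GigabitEthernet1/0/5 details
```

If the port shows an authenticated session but stays in its static VLAN, check for the missing "aaa authorization network" line first, as the second reply describes.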