07-24-2017 06:30 AM - last edited on 03-25-2019 04:44 PM by ciscomoderator
Hello guys,
What is the difference between "command", "config-commands" and "configuration" in the "aaa authorization ..." command?
The Cisco docs explain it in extremely scientific language.
I found a link which explains these keywords in plain English:
https://quizlet.com/103770168/cisco-aaa-authorization-flash-cards/
When configuring authorization, what does the "command" option do when authorization is approved by the server?
--> It grants permission to use ANY switch command at ANY privilege level.
When configuring authorization, what does the "config-commands" option do when authorization is approved by the server?
--> It grants permission to use ANY switch configuration command.
When configuring authorization, what does the "configuration" option do when authorization is approved by the server?
--> It grants permission to enter the switch configuration mode.
When configuring authorization, what does the "exec" option do when authorization is approved by the server?
--> It grants permission to run a switch EXEC session.
--> It returns a privilege level for the user, so the user can enter enable mode without having to enter the "enable" command.
Based on the definition of these keywords, I don't see the difference between "command" and "exec", because both of these commands put the user in an EXEC mode.
The "configuration" keyword allows entering "conf t", right?
The "config-commands" keyword allows entering any global configuration commands, right?
Please help me clear up the usage of each of these 4 commands.
Thank you!
07-24-2017 07:01 AM
Hi,
Looking at the commands on a switch, here are the definitions of all 3 commands:
  commands          For exec (shell) commands. This is privilege exec mode (not enabled mode)
  config-commands   For configuration mode commands. This is equal to "config t"
  configuration     For downloading configurations from AAA server.
xxxxxx-(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RADIUS/LDAP
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from an AAA server
  network              For network services. (PPP, SLIP, ARAP)
  onep                 For ONEP authorization service
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization
HTH
07-24-2017 07:49 AM
Hi,
Thanks for replying!
configuration For downloading configurations from AAA server.
"For downloading configuration from AAA server", what does it exactly mean? Could you give any example, plz?
07-24-2017 08:03 AM
Hi,
Here is a description I found for this command:
To download static route configuration information from the authorization, authentication, and accounting (AAA) server using TACACS+ or RADIUS, use the aaa authorization configuration default command in global configuration mode. To remove static route configuration information, use the no form of this command.
Link to command reference guide:
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/command/reference/ipv6_book/ipv6_01.html
HTH
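Added example, not part of any post in this thread and not Cisco's code: a short Python parser that shows how the four keywords asked about differ in the shape of their running-config lines. The sample configuration is constructed and the function names are hypothetical; it assumes the usual line form "aaa authorization <type> [level] <list-name> <methods>".

```python
import re

# Descriptions quoted from the "aaa authorization ?" help output in the thread.
HELP = {
    "commands": "For exec (shell) commands.",
    "config-commands": "For configuration mode commands.",
    "configuration": "For downloading configurations from AAA server",
    "exec": "For starting an exec (shell).",
}

# Constructed sample running-config lines (not taken from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa authorization configuration default group radius
"""

LINE = re.compile(r"^aaa authorization (\S+)(?: (.*))?$")

def parse_aaa_authorization(config):
    """Return one dict per 'aaa authorization' line for the four keywords."""
    entries = []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in HELP:
            continue  # other aaa lines and other authorization types are skipped
        kind, rest = m.group(1), (m.group(2) or "").split()
        entry = {"type": kind, "help": HELP[kind], "level": None,
                 "list": None, "methods": []}
        if kind == "commands" and rest and rest[0].isdigit():
            # Of these four, only 'commands' takes a privilege level (0-15).
            entry["level"] = int(rest.pop(0))
        if rest:
            # Remaining tokens: method-list name, then the ordered methods.
            entry["list"], entry["methods"] = rest[0], rest[1:]
        entries.append(entry)
    return entries

def missing_keywords(entries):
    """Which of the four keywords from the thread are not configured at all."""
    return sorted(set(HELP) - {e["type"] for e in entries})

if __name__ == "__main__":
    for e in parse_aaa_authorization(SAMPLE_CONFIG):
        print(e["type"], e["level"], e["list"], e["methods"], "-", e["help"])
```

In the parsed output, "commands" appears once per privilege level, while "config-commands" is a bare switch with no method list of its own.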