aaa authorization commands default

Syntax

aaa authorization commands default {none | group <GROUP-LIST>}

no aaa authorization commands default

Description

Defines authorization as local RBAC (specified with the name none), or defines a sequence of remote AAA servers to be queried for authorization.

The no form of this command removes any defined remote AAA server authorization sequence, returning the switch to local RBAC authorization only.

NOTE: Although only TACACS+ servers are supported for remote authorization, local RBAC authorization can be used with remote RADIUS authentication.

Command context

config

Parameters

none

Selects local RBAC authorization.

group <GROUP-LIST>

Specifies the list of remote AAA server group names. The predefined remote AAA group name tacacs is available. User-defined TACACS+ server group names may also be used.

It is recommended to always make local RBAC authorization available by including none as the last name in the group list. If none is omitted, and no remote AAA server is reachable, authorization will not be possible.

Authority

Administrators

Usage

The remote AAA servers are accessed in the order that the group names are listed in this command. The servers within the groups are accessed in the order in which they are added to the group. Authorization is attempted only on the first reachable server.

Examples

Defining an authorization sequence based on a user-defined TACACS+ server group, then the default TACACS+ server group, and finally (if needed), local RBAC authorization:

switch(config)# aaa authorization commands default group tacacs_user1 tacacs none

Enabling local RBAC authorization:

switch(config)# aaa authorization commands default none
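
An added example, not part of the original documentation or any vendor code: a Python audit that flags an authorization sequence lacking the recommended trailing none, and models the server selection order described under Usage. It assumes the command appears in a saved configuration in the same form as typed; the function names, server addresses, and group membership are constructed for illustration.

```python
import re

# Command form documented on this page; assumed to appear unchanged in a saved config.
CMD = re.compile(r"^\s*aaa authorization commands default\s+(?:none|group\s+(.+?))\s*$")

def audit_authorization(config_text):
    """Return (sequence, findings) for the command-authorization setting."""
    for line in config_text.splitlines():
        m = CMD.match(line)
        if not m:
            continue
        if m.group(1) is None:              # "... default none"
            return ["none"], []
        seq = m.group(1).split()
        findings = []
        if seq[-1] != "none":
            findings.append("'none' is not last: no local RBAC fallback "
                            "if every remote AAA server is unreachable")
        return seq, findings
    return ["none"], []                     # no sequence defined: local RBAC only

def resolve_authorizer(sequence, groups, reachable):
    """Model of the Usage section: groups in listed order, servers in the
    order they were added, authorization only on the first reachable server."""
    for name in sequence:
        if name == "none":
            return "local-rbac"
        for server in groups.get(name, []):
            if server in reachable:
                return server
    return None                             # authorization not possible

# Constructed sample data (hypothetical group membership, documentation addresses).
SAMPLE_CONFIG = """hostname switch
aaa authorization commands default group tacacs_user1 tacacs
"""
GROUPS = {"tacacs_user1": ["192.0.2.10", "192.0.2.11"], "tacacs": ["192.0.2.20"]}

if __name__ == "__main__":
    seq, findings = audit_authorization(SAMPLE_CONFIG)
    print(seq, findings)
    print(resolve_authorizer(seq, GROUPS, reachable=set()))
    print(resolve_authorizer(seq + ["none"], GROUPS, reachable=set()))
```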